
DOCUMENT INFORMATION

Title: Endpoint Security Implementation Guide Version NGX 7.0 GA
Institution: Check Point Software Technologies Ltd.
Subject: Endpoint Security
Type: implementation guide
Year published: 2008
Pages: 80
Size: 1.02 MB


Endpoint Security

Implementation Guide

Version NGX 7.0 GA


© 2008 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1


Contents

Preface
  About this Guide 9
  Available Formats 9
  Obtaining the Correct Version 9
  Obtaining New Issues of this Guide 9
  About the Endpoint Security Documentation Set 10
  Documentation for Administrators 10
  Documentation for Endpoint Users 10
  Feedback 12

Chapter 1 Introduction
  Using this Guide 13
  Assumptions 14
  Basic Setup 14
  Sample Configuration 14

Chapter 2 Endpoint Security Overview
  Endpoint Security System Overview 15
  System Architecture 15
  Endpoint Security Server 16
  Endpoint Security Clients 17
  Client Packages 17
  Gateways 17
  Endpoint Security Communications 18
  Endpoint Security Ports 18
  Endpoint Security Modes 18
  Endpoint Security Views 18
  Endpoint Security Feature Overview 19
  Policies 19
  Firewall Rules, Zone Rules, and Program Control 22
  Firewall Rules 23
  Zones 23
  Program Control 25
  Enforcement 26

Chapter 3 Planning
  Using a Pilot Installation 27
  Prerequisites 27
  Choosing Your Client Type 28
  Gathering Topology Information 29
  Planning User Support 30

Chapter 4 Installation
  Running the Installer 32
  Logging In 35

Chapter 5 Configuring Policies
  Policy Stages 36
  Distributing Your First Policy 37
  Default Policy 37
  Distributing the Endpoint Security Client 37

Chapter 6 Creating a Basic Policy
  Configuring Zones 40
  Setting Program Observation 42
  Configuring Program Advisor 43
  Deploying the Policy 44
  Testing the Policy 44

Chapter 7 Creating a More Advanced Policy
  Setting Firewall Rules 47
  Program Control 48
  Setting Program Permissions 48
  Configuring Enforcement Settings 51
  Setting Enforcement Rules 51
  Deploying the Policy 54
  Testing the Policy 55
  Checking the Program Rule 55
  Checking the Enforcement Rule 55

Chapter 8 Assigning Policies
  Workflow 56
  Switching Views 58
  Creating Catalogs 59
  Choosing a Catalog Type 59
  Creating an LDAP Catalog 59
  Creating an IP Catalog 59
  Creating a Custom Policy 60
  Deploying the Custom Policy 61
  Assigning the Custom Policy 62
  Testing the Custom Policy 63
  Checking the Custom Policy 63
  Checking the Default Policy 63

Chapter 9 Understanding Policy Lifecycles
  Understanding Policy Lifecycles 65
  Suggested Policy Settings 66
  Sample Policy Lifecycles 67
  Low Threat Lifecycle 67
  High Threat Lifecycle 69
  Policy Lifecycles for VPN 71

Chapter 10 Supporting the User
  Educating the Endpoint User 73
  Inform Endpoint Users in Advance 74
  Provide Information About Your Security Policy 74
  Describe the Distribution Process 75
  Providing Remediation Resources 75
  Using Alerts for User Self-help 75
  Using the Sandbox for User Self-Help 75
  Preparing your Helpdesk Staff 77
  Documentation 77
  Training 77


About this Guide

The Endpoint Security Implementation Guide provides an overview of Endpoint Security features and concepts. Follow the steps in this guide to install and configure a basic Endpoint Security system as part of a pilot program. This pilot installation will help you understand the basic features and functionality of the Endpoint Security system.

This guide also explains how to plan your security policies and provide support to endpoint users. Please use the version appropriate to your installation.

Once you have mastered these features, you will be able to use the Endpoint Security Administrator Guide to use other features and to set up an installation that is more specific to your actual network needs.

Available Formats

This guide is available as a PDF on the Check Point CD. Updated editions of the document may be available on the Check Point website after the release of Endpoint Security; the version on the website may be more up-to-date than the version on the CD.

Obtaining the Correct Version

Make sure that this document has the version number that corresponds to the version of your Endpoint Security. The version number is printed on the cover page of this document.

Obtaining New Issues of this Guide

New issues of this guide are occasionally available in PDF format from the Check Point website. When using the PDF version of this document, make sure you have the most up-to-date issue available. The issue date is on the cover page of this document.

When obtaining updated PDF editions from the Check Point website, make sure they are for the same server version as your Endpoint Security. Do not attempt to administer Endpoint Security using documentation that is for another version.

When obtaining the most up-to-date issue of the documentation, make sure that you are obtaining the issue that is for the appropriate server.


About the Endpoint Security Documentation Set

A comprehensive set of documentation is available for Endpoint Security, including the documentation for the Endpoint Security clients. This includes:

• "Documentation for Administrators," on page 10

• "Documentation for Endpoint Users," on page 10

Documentation for Administrators

The following documentation is intended for use by Endpoint Security administrators.

Documentation for Endpoint Users

Although this documentation is written for endpoint users, administrators should be familiar with it to help them understand the Endpoint Security clients and how the policies they create affect the user experience.

Table 4-1: Server Documentation for Administrators

Endpoint Security Administrator Guide
Provides background and task-oriented information about using Endpoint Security. It is available in both a Multi Domain and a Single Domain version.

Endpoint Security Administrator Online Help
Contains descriptions of user interface elements for each Endpoint Security Administrator Console page, with cross-references to the associated tasks in the Endpoint Security Administrator Guide.

Endpoint Security System Requirements
Contains information on client and server requirements and supported third-party devices and applications.

Endpoint Security Gateway Integration Guide
Contains information on integrating your gateway device with Endpoint Security.

Endpoint Security Client Management Guide
Contains detailed information on the use of third-party distribution methods and command line parameters.

Endpoint Security Agent for Linux Installation and Configuration Guide
Contains information on how to install and configure Endpoint Security Agent for Linux.


Table 4-2: Client Documentation for Endpoint Users

Flex
Provides basic information to familiarize new users with Endpoint Security Flex. This document is intended to be customized by an administrator before distribution. See the Endpoint Security Implementation Guide for more information.

Introduction to Endpoint Security Agent
Provides basic information to familiarize new users with Endpoint Security Agent. This document is intended to be customized by an administrator before distribution. See the Endpoint Security Implementation Guide for more information.


Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:

cp_techpub_feedback@checkpoint.com


• A description of basic Endpoint Security architecture

• Information to help you plan your installation

• Introductions to the most important Endpoint Security features

• Instructions on how to perform a basic installation in a pilot environment

• Instructions on how to create and deploy basic policies in a pilot environment

• Information about planning policy lifecycles to enhance your security

• Information about supporting endpoint users

Follow the steps in this guide to install and configure a basic Endpoint Security system as part of a pilot program. This pilot installation will help you understand the basic features and functionality of the Endpoint Security system. Once you have mastered these features, you will be able to use the Endpoint Security Administrator Guide to use other features and to set up an installation that is more specific to your actual network needs.

Using this Guide

The instructions in this guide generally assume that you have performed all the previous tasks. It is recommended that you perform all of the tasks in this guide in the exact order and

This guide does not cover all possible Endpoint Security setups and configuration options. It focuses on the basic setup and the sample pilot configuration described below. Even if you do not plan to use these specific setup and configuration parameters in your production environment, you will find that this pilot setup provides useful information that is common to all setups. For specific installation and configuration information, see the Endpoint Security Installation Guide.

• Single Domain setup

• LDAP with Microsoft Active Directory

• No gateway device

Sample Configuration

Endpoint Security is extremely flexible and allows you to create many different types of security policies. This guide focuses on setting up some sample policies for your pilot system that contain common, recommended settings. These settings are only meant to be representative samples of the types of options you may want to implement in your system. The exact settings you create for your production environment will differ according to your security needs. Where appropriate, this guide mentions some of the other configuration options that are available, but you should perform the basic configuration steps described in this guide before attempting them.

For more information about additional configuration options and features, see the following documents:

• Endpoint Security System Requirements

• Endpoint Security Installation Guide

• Endpoint Security Administrator Guide

• Endpoint Security Gateway Integration Guide

• Endpoint Security Client Management Guide


Endpoint Security System Overview

The Endpoint Security system allows you to centrally manage all of your endpoint security functions.

System Architecture

The Endpoint Security system consists of two basic components: the Endpoint Security Server, and the Endpoint Security clients installed on your endpoint computers. You can also optionally include other items in your system, such as gateways, RADIUS servers and LDAP servers.

All Endpoint Security installations include SmartPortal, which provides some of Endpoint Security's reporting functionality. Endpoint Security installations also include some other Check Point components that function in the background. For more detailed information about Endpoint Security system architecture, including integration with other Check Point products, see the Endpoint Security Administrator Guide.


Endpoint Security Server

The Endpoint Security server allows you to centrally configure your Endpoint Security enterprise policies. Endpoint Security uses its own embedded datastore to store administrator, configuration, and security policy information.

This guide shows you how to perform a typical Endpoint Security installation without clustering and using the embedded datastore. For more information about the Endpoint Security server and how to install it, see the Endpoint Security Installation Guide.

Administrator Console

The Endpoint Security Administrator Console is the graphical user interface you will use to create your security policies and deploy them to your users. You can also use the Administrator Console to pre-package Endpoint Security client executables with configuration settings and policies before you deliver them to your users.

This document shows you how to use the Administrator Console to create, assign, and deploy clients to users. It also shows you how to use the Administrator Console to create policy packages.

Figure 2-1: Basic Endpoint Security Architecture


Endpoint Security Clients

As part of the Endpoint Security system you will install Endpoint Security clients on your endpoint computers. These clients monitor your endpoints and enforce your security policies. The Endpoint Security system includes Endpoint Security Agent and Endpoint Security Flex. It also includes versions of Endpoint Security Agent and Endpoint Security Flex that contain VPN capabilities.

Endpoint Security Agent

Use Endpoint Security Agent when you want to centrally manage security at all times. It has a limited interface and does not allow the user to control security settings. If you use the version of Agent that also has VPN capability, users are provided with an interface to configure their VPN. It also provides an interface to manage some antivirus and anti-spyware functions. Generally, use Agent for your less advanced users and for computers that belong to your organization. Since Agent provides a simpler user interface and fewer messages to the user, it is less confusing for endpoint users. There is a Windows version of Agent and a Linux version of Agent. This pilot assumes you are using the Windows version.

Endpoint Security Flex

Use Flex when you want the endpoint user to control his or her security settings some of the time. Flex has a full user interface that allows the user to control security settings under certain conditions. Generally, use Flex for expert users who are familiar with security issues. Flex is also useful when you want to provide endpoint security for computers you do not own, but are restricted by law from exercising too much control over.

Client Packages

You can use client packages to pre-configure your Endpoint Security clients (Agent or Flex) and pre-populate them with security policies. Client packages not only let your endpoint users get policies and connect to Endpoint Security as soon as possible, but also let you configure the client installation. Create client packages in the Administrator Console, then use a distribution method to deliver client packages to your endpoint computers.

Gateways

You can integrate Endpoint Security with supported gateways to enhance your security. Gateway integration is not covered in this guide. The Endpoint Security System Requirements document lists all the supported gateways. See the Endpoint Security Gateway Integration Guide for information about configuring your gateway to work with Endpoint Security.


Endpoint Security Communications

Endpoint Security operations are implemented by separate Endpoint Security services. An Apache httpd server proxies requests to these services from entities external to Endpoint Security, such as Endpoint Security clients or administrators logging on to Endpoint Security from remote computers. The Apache httpd server acts as a single point of entry, managing requests using SSL, file caching, UDP, and/or TCP socket off-loading functionality (see page 18).

For more information about Endpoint Security communications, see the Endpoint Security Administrator Guide.

Endpoint Security Ports

By default, Endpoint Security uses the ports listed below to communicate with Endpoint Security clients. Make sure these ports are all available on the Endpoint Security Server:

• TCP/80 HTTP

• TCP/443 HTTPS (for clients with versions earlier than 7.0)

• TCP/2100 HTTPS (for 7.0 and later clients)

• UDP/6054 (if used)

Endpoint Security Modes

There are two modes for Endpoint Security:

• Single Domain

• Multi Domain

You choose the domain mode when you install Endpoint Security. Having multiple domains is useful for Internet Service Providers and large companies that want local administration for locations and business units. This book assumes you are using Single Domain mode.

Endpoint Security Views

Single Domain has two views:

• Simple view

• Advanced view

When you first log into a Single Domain Endpoint Security server, the system is in simple view. Simple view offers a simplified user interface and feature set. This allows you to become familiar with the core features of Endpoint Security more easily. When following the processes in this book, you will begin administering Endpoint Security in simple view. Later, when you have created your first policies and become familiar with the basic features, you will switch Endpoint Security to advanced view and use some of the more advanced features.

Endpoint Security Feature Overview

Endpoint Security is a flexible system with many powerful features to help secure your network. This document explains the basic functionality of some of the most important features. You can find out more about these features and about other features in the Endpoint Security Administrator Guide.

This section describes the following features:

Connected Policies

The connected enterprise policy is the policy that is enforced when the endpoint computer is connected to your network. Generally, this is a fairly restrictive policy. It is used not only to protect the endpoint computer from threats, but also to protect other computers on your network and to enforce your corporate policies. For example, a connected policy might have very restrictive firewall rules, require a particular antivirus program, or block programs that violate your company's ethics policies, such as Kazaa.

Disconnected Policies

policy is usually to protect the endpoint computer from the worst threats while allowing the user more freedom. For example, a disconnected policy might require that the endpoint have antivirus protection, but not be as strict about which brand or version. It might also allow users to run entertainment programs that they are not allowed to run while connected to your network.

If you do not want to control an endpoint computer's security when it is disconnected, you can omit the disconnected policy. In the absence of a disconnected policy, Flex enforces the personal policy and Agent enforces the connected policy.

If you use disconnected policies, it is highly recommended that you use the Office Awareness feature. If you do not configure Office Awareness, your Endpoint Security clients will use the disconnected policy whenever they lose contact with the Endpoint Security server. For more information about Office Awareness, see the Endpoint Security Administrator Guide.

Personal Policies

Flex users can create their own security policies. How these policies are arbitrated with conflicting enterprise policies depends on the settings you choose in the enterprise policy. Generally, the more restrictive policy rule is the one that is enforced.

organization's needs. Generally, it is recommended that you assign policies according to a user's domain or entity, rather than to individual users. If a user is not a member of a domain or catalog and is also not assigned a policy as an individual, he or she receives the default policy.

In some cases, you may want the disconnected policies to be more restrictive than the connected policies. This is useful if you want to prohibit recreational use of computers outside of work. If you have restrictive disconnected policies, it is essential that you configure Office Awareness.

One way of assigning policies is to assign them to domains. If you have the Multi Domain version of Endpoint Security, you can divide your organization into functional units known as domains. This is particularly useful for companies such as Internet Service Providers, who want to have a domain for each customer. Domains can have their own administrators and can be assigned a policy or policy package. That policy then applies to all the members of the domain unless it is overridden by a more specific policy, such as one assigned to a catalog, gateway, or user.

In Single Domain mode, which is what you will use in this pilot, there is only one domain.

Catalogs

Domains (and organizations using the Single Domain version of Endpoint Security) can be divided into catalogs. Catalogs are user catalogs or IP ranges. Users can be grouped according to their function in the company, their department, their rank, their location, etc. Catalogs can be assigned a security policy. This policy applies to all the members of the catalog, unless overridden by a user-specific policy.

Gateways

Users can be grouped according to the VPN gateway they use. This allows you to assign a different policy. This policy only applies to users when they are using VPN to connect to your network.

Users

You can also assign policies directly to specific users. As this is not scalable, it is recommended that you use this only to make a temporary exception to your usual policy assignment practices.

Assignment Priority

You can assign policies directly to a particular user or to an entire entity or domain. The assignment priority you select determines which policy assignment takes priority when a user belongs to more than one entity.

For example, a user may be assigned one policy because he connected via a particular VPN gateway, but he may also be assigned another policy because he belongs to a RADIUS catalog. The security policy tells Endpoint Security which of these policies to enforce in these situations.

Note that Endpoint Security Domains are not equivalent to NT Domains or network domains.


Policy Inheritance

Users inherit policies through the hierarchy of domains and entities and according to the security model you choose. The diagram, "Policy Inheritance," on page 22, shows an example of policy assignment and inheritance. Policies are assigned as follows:

• User 1 receives Policy A, which it inherits from Domain 1.

• User 2 receives either Policy A from Domain 1 or Policy B from the Custom catalog, depending on the assignment priority.

• User 3 is assigned Policy C directly, which overrides any other policy assignment.

• User 4 receives Policy D, which it inherits from the RADIUS catalog it belongs to.

• User 5 receives the Default Policy from the System Domain because policies assigned to or inherited by a gateway always have priority.

• User 6 receives the Default Policy, which it inherits from the System Domain.
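The following resolver is an illustration added for this page, not Check Point code: it applies the assignment rules described under "Assignment Priority" and "Policy Inheritance" to the six users of the diagram. The entity model, the placing of direct user assignments and gateway assignments ahead of everything else, and the tie-break among several catalogs (first catalog with a policy wins) are assumptions; the priority between catalogs and domains is the configurable assignment priority.

```python
"""Model of Endpoint Security policy assignment and inheritance (illustrative).

Assumed model: a user belongs to one domain, any number of catalogs and, while on
VPN, at most one gateway, and may have a policy assigned directly. Resolution:
direct user assignment, then the gateway's policy (or the policy the gateway
inherits from its domain), then catalogs and domains in the selected assignment
priority, and finally the System Domain's Default Policy."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

DEFAULT_POLICY = "Default Policy"   # the policy carried by the System Domain


@dataclass
class Domain:
    name: str
    policy: Optional[str] = None    # None: inherit the System Domain's default


@dataclass
class Catalog:
    name: str
    kind: str                       # "LDAP", "IP", "RADIUS" or "Custom"
    policy: Optional[str] = None


@dataclass
class Gateway:
    name: str
    domain: Domain
    policy: Optional[str] = None    # None: inherit the policy of its domain


@dataclass
class User:
    name: str
    domain: Domain
    catalogs: List[Catalog] = field(default_factory=list)
    gateway: Optional[Gateway] = None   # set only while connected through VPN
    direct_policy: Optional[str] = None


def domain_policy(domain: Domain) -> str:
    return domain.policy if domain.policy is not None else DEFAULT_POLICY


def resolve_policy(user: User,
                   assignment_priority: Sequence[str] = ("catalog", "domain")
                   ) -> Tuple[str, str]:
    """Return (policy name, where it came from) for one user."""
    # A policy assigned directly to the user overrides every other assignment.
    if user.direct_policy is not None:
        return user.direct_policy, "assigned directly"
    # A policy assigned to or inherited by the gateway always has priority.
    if user.gateway is not None:
        gw = user.gateway
        if gw.policy is not None:
            return gw.policy, f"gateway {gw.name}"
        return domain_policy(gw.domain), f"gateway {gw.name} (inherited from {gw.domain.name})"
    # Catalog versus domain is decided by the selected assignment priority.
    for entity in assignment_priority:
        if entity == "catalog":
            # Assumption: among several catalogs, the first one with a policy wins.
            for cat in user.catalogs:
                if cat.policy is not None:
                    return cat.policy, f"{cat.kind} catalog {cat.name}"
        elif entity == "domain" and user.domain.policy is not None:
            return user.domain.policy, f"domain {user.domain.name}"
    return DEFAULT_POLICY, "System Domain"


def figure_2_2_example(assignment_priority=("catalog", "domain")) -> Dict[str, str]:
    """The six users of the Policy Inheritance diagram (constructed data)."""
    system = Domain("System Domain")                  # carries the Default Policy
    domain1 = Domain("Domain 1", policy="Policy A")
    custom = Catalog("Custom", "Custom", policy="Policy B")
    radius = Catalog("Radius", "RADIUS", policy="Policy D")
    gateway = Gateway("VPN gateway", domain=system)   # no policy of its own
    users = [
        User("User 1", domain1),
        User("User 2", domain1, catalogs=[custom]),
        User("User 3", domain1, catalogs=[custom], direct_policy="Policy C"),
        User("User 4", system, catalogs=[radius]),
        User("User 5", domain1, gateway=gateway),     # Domain 1 member, but on VPN
        User("User 6", system),
    ]
    return {u.name: resolve_policy(u, assignment_priority)[0] for u in users}
```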

Firewall Rules, Zone Rules, and Program Control

Endpoint Security uses three major features to provide security: Firewall Rules, Zone Rules, and Program Control. This section provides an overview of these features. It is important to note that while some aspects of these features may seem similar, they provide security in three different ways.

Firewall Rules control traffic using packet data. Zone Rules allow or deny traffic based on security locations you define. Program Control protects your network by controlling program access.

Figure 2-2: Policy Inheritance


Firewall Rules

Implementing Firewall Rules achieves the same level of security as standard perimeter firewalls by restricting or allowing network activity based on connection information, such as IP addresses, ports, and protocols, regardless of which program sends or receives the packet.

You can also specify Firewall Rules within Program Rules to restrict access to and from programs or, within Enforcement Rules, to restrict a non-compliant user to a particular area of your network.

Firewall Rules block or allow network traffic based on the attributes of communication packets. You can use Firewall Rules to block or allow traffic based on the following three attributes:

• Source and/or destination locations

• Protocol and/or port

Zones

In addition to Firewall Rules, you can also control network traffic through the use of Access Zones and Zone Rules. Access Zones are groups of locations to which you assign the same network permissions.

Figure 2-3: Features and how they control network traffic

• Allow access to or from

• Restrict access to or from

You can use locations as sources and destinations for creating Access Zones and Firewall Rules. You can either define locations as you need to use them in your policies, or you can define them before you create your policies. Once you have defined a location you can use it in any policy.

Access Zones

Access Zones are groups of locations. Access Zones make it easy to apply the same rule to a group of locations. There are three types of Access Zones: Trusted, Blocked, and Internet.

Trusted

Your Trusted Zone should only include those locations you believe are safe and to which you want to provide more permissive network access. Usually the Trusted Zone contains your Domain Name Server, Mail Server, Domain Controller, file sharing servers, print servers, your VPN gateway range, etc.

Figure 2-4: Locations, Zones, and Zone Rules

Blocked

Your Blocked Zone should include those locations that you want to restrict access to or from. For example, you may wish to block access from certain external sites or even sites within your organization, such as sensitive human resources servers for non-human-resources employees.

Internet

The Internet Zone consists of all the areas on both your internal network and on the Internet that you have not explicitly added to the Trusted or Blocked Zones. You do not need to define the contents of this Zone.

Security Rules

Security Rules control network activity to and from your Zones. Generally, you will want to set permissive rules for your Trusted Zone and moderate rules for your Internet Zone. Security Rules allow you to set rules for an entire Zone of locations, instead of having to set rules for each location individually.

Program Control

Program rules restrict network access on a per-program basis. Whereas Classic Firewall Rules restrict access according to packet content, and Zone Rules according to location, Program Control allows you to restrict network access between a particular program and either your Trusted or Internet Zone. You can also further refine program access by adding firewall rules to your program rules.

When planning your program control, consider both your security goals and your endpoint users' needs. By configuring program control to block all programs except those you explicitly allow, you achieve a high level of security, at the expense of endpoint user productivity. By configuring program control to allow all programs except those you explicitly forbid, you achieve a lower level of security, but cause less disruption to your endpoint users.

Program Observation

Program Observation allows you to record which programs are used by your endpoint computers. Once programs are observed, you can choose how to control them. It is highly recommended that you use Program Observation in your initial policies to gather program information.

Program Permissions

Use program permissions to control whether a program can act as a server or a client to your Trusted and Internet Zones.
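An illustrative evaluator, added for this page and not Check Point code, that combines the three controls of this section: Firewall Rules matched on source, destination, protocol and port; Access Zones classifying the remote location as Trusted, Blocked or, by default, Internet; and program permissions for acting as client or server to a Zone. The sample locations and programs are constructed, and the rule that a connection must pass all three checks (and that a location in both Trusted and Blocked counts as Blocked) is an assumption, since the page does not describe the product's evaluation order.

```python
"""Toy model of the three controls described above: Firewall Rules (packet attributes),
Zone Rules (Trusted / Blocked / Internet) and Program Control (client/server permission
per zone). Assumptions: a connection must pass all three checks; Blocked wins an overlap."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TRUSTED, BLOCKED, INTERNET = "Trusted", "Blocked", "Internet"


def parse_location(text: str):
    """Matcher for a host ("10.1.2.3"), a subnet ("10.1.0.0/16") or a range ("a-b")."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return lambda ip: lo <= ip <= hi
    net = ipaddress.ip_network(text, strict=False)
    return lambda ip: ip in net


class AccessZones:
    def __init__(self, trusted: List[str], blocked: List[str]):
        self.trusted = [parse_location(t) for t in trusted]
        self.blocked = [parse_location(b) for b in blocked]

    def zone_of(self, ip_text: str) -> str:
        ip = ipaddress.ip_address(ip_text)
        if any(m(ip) for m in self.blocked):
            return BLOCKED
        return TRUSTED if any(m(ip) for m in self.trusted) else INTERNET  # rest: Internet


@dataclass
class Connection:
    program: str
    src: str
    dst: str
    protocol: str          # "tcp" or "udp"
    port: int
    inbound: bool = False  # True when the program accepts the connection (acts as server)


@dataclass
class FirewallRule:
    action: str                       # "allow" or "block"; a None attribute matches anything
    src: Optional[str] = None
    dst: Optional[str] = None
    protocol: Optional[str] = None
    ports: Tuple[int, int] = (1, 65535)

    def matches(self, conn: Connection) -> bool:
        for loc, ip in ((self.src, conn.src), (self.dst, conn.dst)):
            if loc and not parse_location(loc)(ipaddress.ip_address(ip)):
                return False
        return ((self.protocol is None or self.protocol == conn.protocol)
                and self.ports[0] <= conn.port <= self.ports[1])


@dataclass
class EndpointPolicy:
    zones: AccessZones
    firewall_rules: List[FirewallRule]                            # in order, first match wins
    zone_rules: Dict[str, Dict[str, bool]]                        # {zone: {"inbound"/"outbound": ok}}
    program_permissions: Dict[str, Dict[Tuple[str, str], bool]]   # {program: {(role, zone): ok}}

    def evaluate(self, conn: Connection) -> Tuple[str, str]:
        for rule in self.firewall_rules:
            if rule.matches(conn):
                if rule.action == "block":
                    return "block", f"firewall rule {rule.protocol or 'any'}/{rule.ports}"
                break  # explicit allow: hand over to the zone and program checks
        role, direction = ("server", "inbound") if conn.inbound else ("client", "outbound")
        zone = self.zones.zone_of(conn.src if conn.inbound else conn.dst)
        if not self.zone_rules.get(zone, {}).get(direction, False):
            return "block", f"zone rule: {direction} traffic for the {zone} Zone"
        if not self.program_permissions.get(conn.program, {}).get((role, zone), False):
            return "block", f"program control: {conn.program} may not act as {role} to {zone}"
        return "allow", f"{conn.program} as {role} to the {zone} Zone"


def sample_policy() -> EndpointPolicy:
    """Constructed sample: internal /16 trusted, an HR subnet inside it blocked, NetBIOS blocked."""
    zones = AccessZones(trusted=["10.1.0.0/16", "192.168.50.10-192.168.50.20"],
                        blocked=["10.1.99.0/24"])
    firewall = [FirewallRule("block", protocol="tcp", ports=(135, 139)), FirewallRule("allow")]
    zone_rules = {TRUSTED: {"inbound": True, "outbound": True},
                  INTERNET: {"inbound": False, "outbound": True},
                  BLOCKED: {"inbound": False, "outbound": False}}
    programs = {"outlook.exe": {("client", TRUSTED): True, ("client", INTERNET): True},
                "lsass.exe": {("server", TRUSTED): True},
                "kazaa.exe": {}}  # observed by Program Observation, given no permissions
    return EndpointPolicy(zones, firewall, zone_rules, programs)


def demo() -> List[str]:
    """Decisions for six constructed connections involving endpoint 10.1.5.20."""
    policy = sample_policy()
    conns = [
        Connection("outlook.exe", "10.1.5.20", "10.1.2.3", "tcp", 25),           # mail server, Trusted
        Connection("kazaa.exe", "10.1.5.20", "203.0.113.7", "tcp", 6346),        # no program permission
        Connection("outlook.exe", "10.1.5.20", "10.1.99.5", "tcp", 25),          # HR subnet, Blocked
        Connection("outlook.exe", "10.1.5.20", "10.1.2.3", "tcp", 139),          # NetBIOS firewall rule
        Connection("lsass.exe", "198.51.100.9", "10.1.5.20", "tcp", 445, True),  # inbound from Internet
        Connection("lsass.exe", "192.168.50.15", "10.1.5.20", "tcp", 445, True), # inbound from Trusted
    ]
    return [policy.evaluate(c)[0] for c in conns]
```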


Restriction Firewall Rules

Restriction Firewall Rules control what parts of your network a user can access when they are out of compliance with Enforcement Rules that are set to restrict. You may wish to allow your users limited access when they are not compliant.

Note that Program Control determines what a program on an endpoint computer can do. Enforcement Rules determine what software an endpoint computer must and must not have when connecting to your network.


Using a Pilot Installation

It is highly recommended that you perform the steps in this guide in a pilot, or test, environment before attempting to set up the Endpoint Security system in your production environment. This helps to assure high availability for your users.

Prerequisites

Before beginning your installation, make sure that your system, including pilot endpoints, meets the following prerequisites:

• Hardware, software, and Operating System — See the Endpoint Security System

providers, such as Check Point Antivirus. You should have the executable for the anti-virus provider available.

• Network connectivity — You must be sure your network is configured and operating normally before you implement your Endpoint Security system. You will need to have at least two endpoint computers that are connected to your network. You will install Endpoint Security clients on these computers and they will serve as your pilot endpoint computers.

Choosing Your Client Type

Endpoint Security includes the following types of client applications for managing endpoint computers:

• Flex — Allows your users to create their own 'personal' security policies for use while they are not connected to your network. Users with Flex have access to the Flex Control Center and may be prompted to make security choices.

• Agent — Enforces your security policies on endpoint computers silently. Users are not prompted to make security choices, and have no user interface. Agent users do, however, receive Alerts, unless you choose to suppress them.

Decide which client type you want. Generally, you will want to use Agent, unless your users are very experienced with security issues and will want to create their own personal security policies. When performing your pilot deployment, you may want to use Flex, so you can more easily view the results of your deployment.

Choosing Your Enterprise Policy Types

Endpoint Security enforces your security rules by means of enterprise policies. By using different types of enterprise policies you can provide different levels of security to your endpoint users depending on their situation.

• Connected Enterprise Policies — These policies are enforced when the endpoint computer is connected to your Endpoint Security. Generally, you will want your connected policies to be your strictest policies.

• Disconnected Enterprise Policies — These policies are enforced when the endpoint user is not connected to your Endpoint Security. You will usually make these policies more permissive than your connected policies.

Since Agent does not solicit users to make security choices, it adds new networks to the Trusted Zone and allows newly detected programs by default. This makes it less secure than Flex when the personal policy is active. You may want to avoid using Agent for remote users or users with laptops, or you can increase the security by specifying a disconnected policy.

You can assign connected and disconnected policies to the same users by means of a policy package. You can also choose to specify only a connected policy. Decide whether you will want to create a disconnected policy.

If your endpoint user has also created a personal policy using Flex, Endpoint Security will forbid any traffic that violates either policy. You can also configure the enterprise policy to override the personal policy.

If you use VPN, you can also create a connected enterprise policy and assign it to the VPN. This is the policy that will apply when the users of that VPN gateway use it to connect to your network. For more information about creating policies for networks with VPN, see “Policy Lifecycles for VPN,” on page 71.
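The following Python model, added here and not part of the guide or of the product, works through the policy package behaviour just described: which enterprise policy applies when the endpoint is connected, connected through the VPN gateway, or disconnected, and how a Flex personal policy combines with it (traffic that violates either policy is forbidden unless the enterprise policy is set to override). The traffic classes, the sample policies and the rule that an unlisted traffic class is denied are assumptions of the example; the behaviour when a package has no disconnected policy and the endpoint is disconnected (the personal policy alone applies) is this model's reading of the Agent note above, not a statement taken from the guide.

```python
"""Policy package selection and combination with a Flex personal policy.

Constructed model, not Check Point's code. A policy package carries a connected
enterprise policy, an optional disconnected policy and, optionally, a connected
policy assigned to the VPN gateway. When the user also has a Flex personal
policy, traffic is forbidden if either policy forbids it, unless the enterprise
policy is configured to override the personal policy.
"""
from dataclasses import dataclass
from typing import Dict, Optional

ALLOW, DENY = "allow", "deny"

# A policy here is a map from a traffic class to a decision. A class that is
# not listed is denied; that default is an assumption of this model.
Policy = Dict[str, str]


@dataclass
class PolicyPackage:
    connected: Policy
    disconnected: Optional[Policy] = None  # usually more permissive than connected
    vpn: Optional[Policy] = None           # connected policy assigned to the VPN gateway
    override_personal: bool = False        # enterprise policy overrides the personal one


def select_enterprise_policy(pkg: PolicyPackage, connected: bool,
                             via_vpn: bool = False) -> Optional[Policy]:
    """Pick the enterprise policy for the endpoint's current situation.

    With no disconnected policy, a disconnected endpoint is left with its
    personal policy only (assumption; the guide's reason for recommending one).
    """
    if connected:
        if via_vpn and pkg.vpn is not None:
            return pkg.vpn
        return pkg.connected
    return pkg.disconnected


def decision(policy: Optional[Policy], traffic: str) -> Optional[str]:
    """Decision of one policy, or None when no policy applies."""
    if policy is None:
        return None
    return policy.get(traffic, DENY)


def effective_decision(pkg: PolicyPackage, personal: Optional[Policy], traffic: str,
                       connected: bool, via_vpn: bool = False) -> str:
    """Combine the enterprise and personal policies for one traffic class."""
    ent = decision(select_enterprise_policy(pkg, connected, via_vpn), traffic)
    per = decision(personal, traffic)
    if ent is None:  # no enterprise policy applies: the personal policy alone decides
        return per if per is not None else DENY
    if per is None or pkg.override_personal:
        return ent
    # Both apply and neither overrides: traffic must pass both policies.
    return ALLOW if ent == ALLOW and per == ALLOW else DENY


# Constructed sample policies; the traffic classes are placeholders.
CONNECTED = {"mail": ALLOW, "remote-shell": DENY, "file-sharing": DENY}
DISCONNECTED = {"mail": ALLOW, "remote-shell": ALLOW, "file-sharing": DENY}
VPN_POLICY = {"mail": ALLOW, "remote-shell": ALLOW, "file-sharing": DENY}
PERSONAL = {"mail": DENY, "remote-shell": ALLOW, "file-sharing": ALLOW}

PKG = PolicyPackage(CONNECTED, DISCONNECTED, VPN_POLICY)
CONNECTED_ONLY = PolicyPackage(CONNECTED)


if __name__ == "__main__":
    for traffic in ("mail", "remote-shell", "file-sharing"):
        print(traffic,
              "connected:", effective_decision(PKG, PERSONAL, traffic, connected=True),
              "vpn:", effective_decision(PKG, PERSONAL, traffic, connected=True, via_vpn=True),
              "disconnected:", effective_decision(PKG, PERSONAL, traffic, connected=False))
```

Comparing PKG with CONNECTED_ONLY for a disconnected laptop shows why the guide recommends a disconnected policy: with no enterprise policy in force, whatever the personal policy allows goes through.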

Choosing Your Security Model

You can assign policies or policy packages to groups of users according to their security needs. These methods of assigning policies are called a security model. Choose from the following models:

• IP — You assign policies to IP ranges.

• User — You assign policies to groups created through catalogs.

While you can configure Endpoint Security to arbitrate between security models, it is easier to begin with only one security model. Choose the security model that best fits the way your company network is organized and gather either the IP or catalog information for your system.

There are several options for catalog types, but this document will assume that you are using either an IP-based system or LDAP using Microsoft Active Directory. If you choose the LDAP option for this sample configuration, you will need the following information:

• Domain Name Servers

Planning User Support

If your pilot will not have any genuine users, only test endpoint computers, you do not need to plan user support. However, if you are doing a pilot deployment to users or a production deployment, you should plan your user support strategy. This should include how to notify your users of your new security measures and coordinate with your helpdesk support. This will reduce the inconvenience to your users and reduce the burden on your support team. For detailed information on planning user support, see “Supporting the User,” on page 73.

options, see the Endpoint Security Installation Guide.

Use the installer included in your CD to install the Endpoint Security server.

Although you are installing the Endpoint Security server in standalone mode, you must still use the Check Point Configuration Tool to perform licensing functions and basic configuration of the Check Point SmartCenter components that work in the background.

Running the Installer page 32

Running the Installer

Endpoint Security installers use wizards to help you to install and configure your Endpoint Security server. There is a wizard for Windows installations and a wizard for Linux installations. In this guide, we will be using the Windows installer, but the steps for Linux are very similar.

Endpoint Security can be installed in conjunction with several other Check Point products. In this pilot installation, we will just be installing the Endpoint Security Server. See the Endpoint Security Installation Guide for more information about installing Endpoint Security with other Check Point products. Never install the Endpoint Security server on the same machine as an Endpoint Security client.

The Endpoint Security installer is contained in a master installer that includes options for installing other Check Point products with which you can integrate Endpoint Security. When installing Endpoint Security without any other Check Point products, ignore the options for installing other products. Note, however, that Endpoint Security installations always include Check Point SmartPortal, which provides some of Endpoint Security’s reporting functionality. The installer also silently installs some necessary Check Point SmartCenter components, which remain invisible. After installation you will need to perform some minimal configuration for these components.

To install Endpoint Security on Windows:

1. On the intended host server, double-click the setup.exe file.

The Check Point master installer begins.

2. Click Next.

3. Accept the license agreement and click Next.

4. Choose Check Point UTM and click Next.

5. Choose New Installation and click Next.

6. Choose Integrity and click Next.

7. Choose Integrity Standalone and click Next.

8. Click Next to start the installation.

An Installation Status bar appears, displaying the chosen installation package. The master installer then starts the Endpoint Security installer. It may take a couple of minutes.

9. Proceed through the Endpoint Security installation wizard.

The following steps apply to this simple, pilot installation of Endpoint Security. For all other installation options, see the Endpoint Security Installation Guide.

a. Accept the terms of the license agreement and click Next.

b. Specify your install location and click Next.

You can accept the default location or choose one of your own.

c. Choose Endpoint Security Server and click Next.

d. Enter the properties for your local server.

• Host IP Address — Enter the IP address used by the Endpoint Security Clients and SmartCenter to connect to the server. If you are installing Endpoint Security with VPN-1, use the IP of the internal-facing card.

• Host Name — Enter the host name that maps to the external IP address. This field is used in browser URLs and to create the certificate. This field can be the IP address.

e. Choose Single Domain and click Next.

Single domain Endpoint Security installations can only have one domain segment for all administrators, user directories, and policies.

f. Set your Master Administrator Password and click Next.

g. Review your settings and click Install.

10. Perform basic configuration steps with the Check Point configuration program. Use the configuration tool to configure:

a. Local Licenses — For this installation, do not enter a license. This activates a 15-day trial license.

For further license management (including creating centralized licenses or licenses for other computers), use SmartUpdate. For more information about licenses, see the Endpoint Security Installation Guide.

b. The SmartCenter Administrator (required) — You must create a SmartCenter administrator role that is used for single sign-on to all Check Point products.

c. GUI clients — GUI clients are remote SmartConsole installations from which administrators can connect to the SmartCenter Server. For this installation, you do not need to configure a GUI client.

For more information about configuring GUI clients, see the Endpoint Security Installation Guide.

d. Certificate Authority (required) — You must initialize a certificate authority to enable communication between Check Point components. To do so, specify a host name in the format <hostname>.<domain_name> (for example, alice.checkpoint.com).

e. Secure Internal Communication — When you use the master installer to install Endpoint Security on a dedicated host, you must create an activation key that will be used to secure communication between Endpoint Security and SmartCenter. You do not need to configure this for this installation.

f. Fingerprint — The configuration tool creates a fingerprint (a text string derived

For security reasons, there is no password retrieval option. It is recommended that you create a second Master Administrator account in case you forget the password to the other account.

11. Click Finish to close the master installer. Then restart the computer.

Logging In

You can launch the Endpoint Security Administrator Console through the SmartConsole interface. You can also launch the Endpoint Security Administrator Console at any time by entering the Administrator Console URL in a supported browser:

http://<Endpoint Security IP Address>/signon.do

The Administrator Console will launch in Simple view to help you get started. Later, after learning about the basic features, you will switch to Advanced view. Simple view is only available in Single Domain installations.

Policy Stages

This guide will give you the steps to secure your system using the following stages:

1. Distributing Your First Policy — In this stage you will achieve a basic level of security immediately by distributing a pre-configured policy. See “Distributing Your First Policy,” on page 37.

2. Creating a Basic Policy — In this stage you will modify the default policy using some basic features. See “Creating a Basic Policy,” on page 39.

3. Creating a More Advanced Policy — In this stage you will add some more features to your basic policy. See “Creating a More Advanced Policy,” on page 46.

4. Creating Custom Policies — In this stage you will create catalogs and assign specialized policies to the users in those catalogs. See “Assigning Policies,” on page 56.

Performing your configuration in stages allows you to test your system at the end of each stage. This makes it easier to see the results of your configuration and to troubleshoot any errors. It also allows you to achieve basic security quickly while you plan and execute the next stages. It is recommended that you use a staged approach to your security configuration, even in your production environment, incrementally tightening your security policy and making it more specific. You will learn more about iterative policy deployment in “Understanding Policy Lifecycles,” on page 65.

Policy Stages page 36

Distributing Your First Policy page 37

Distributing Your First Policy

Check Point provides you with a pre-configured, default policy that you can use as your first policy. This policy includes some basic security features, and has program observation enabled. Use the default policy as your first policy, without making any changes to it.

Once you have completed the steps in this section, you will have accomplished the following:

• A preconfigured Endpoint Security client will be available to all endpoint computers.

• All endpoints that have an Endpoint Security client will have the default security policy.

• The Endpoint Security server will be recording programs used on all the endpoint computers.

Default Policy

The default policy is assigned to any endpoint user who is not assigned a specific policy. Since you have not yet created any policies or assigned them to users, all your endpoint users will have this policy. Endpoint Security comes with a pre-configured default policy that you can use as your first policy. This policy is already deployed, activated and ready for your endpoint users.

Distributing the Endpoint Security Client

In simple view, the Home page provides you with links to the Endpoint Security client packages. There are several packages provided by default. Use these links to distribute the Endpoint Security client to your pilot endpoint users. The distribution method in this section is one of the simplest methods to distribute your Endpoint Security clients. Other distribution methods are described in the Endpoint Security Administrator Guide and the Endpoint Security Client Management Guide.

To distribute the Endpoint Security Client:

1. Go to the Home page of the Endpoint Security Administrator Console.

There are links available for both Agent and Flex client packages. If your license includes VPN capabilities, there are also links for the VPN-enabled versions of these client packages as well.

2. In the row for the client package you want, click Email.

You will be prompted to enter your name, e-mail address and e-mail server information.

3. Enter your endpoint user’s email address into the email template.

This is the email that will be sent to your endpoint users.

This method requires the endpoint user’s cooperation. Once clients are installed, upgrades can be handled seamlessly by way of policy enforcement and auto-update. This is one of the

Once your endpoint users run the executable, the Endpoint Security clients will contact the Endpoint Security server and receive the default policy. Your endpoint computers are now protected by the Endpoint Security system.

Configuring Zones page 40

Setting Program Observation page 42

Configuring Program Advisor page 43

Deploying the Policy page 44

Testing the Policy page 44

Perform the tasks in the following order to create your basic policy:

1. “Configuring Zones,” on page 40

2. “Setting Program Observation,” on page 42

3. “Configuring Program Advisor,” on page 43

4. “Deploying the Policy,” on page 44

5. “Testing the Policy,” on page 44

Once you have completed these sections, you will know how to create and deploy basic

You may wish to make and save a copy of the default policy before changing its settings, in case you want to use the default settings later in your deployment.

Whenever you save a policy, it is recommended that you add a version number to the description and increment it every time you make a change. You may also want to add your initials and the date.

• You will be using Zones to control network activity.

• Program Advisor will be protecting your endpoint computers using professional program recommendations.

Configuring Zones

Endpoint Security uses Zones to control network activity. This section will help you to divide your network into Access Zones and then set security levels for those Zones.

In this section, you will configure the following Zone settings in your default policy:

• “New Network Handling Parameters,” on page 40

• “Access Zones,” on page 40

• “Zone Rules,” on page 41

New Network Handling Parameters

You should also set how you want to handle new networks as they are detected.

To set new network handling parameters:

1. Click Policies.

2. In the Default Policy row, click Edit.

You are now redefining security settings for your default policy. The security settings you define in this policy will apply to all users who are not assigned a custom policy.

3. Click Access Zones.

4. In the New Network Handling area of the Access Zones tab, choose Leave Network in the Internet Zone.

Access Zones

Define the zones for your network. There are three types of zones:

• Trusted — Include in this Zone all the locations that you trust that your users need access to. For example: DNS, Mail Server, Domain Controller, File and Print servers. Do not place your entire network in the Trusted Zone.

• Blocked — Include in this zone all the locations that you do not want your endpoint users communicating with. You may choose to include dangerous, or undesirable locations, or internal locations that you want to restrict access to, such as Human Resources servers.

• Internet — All locations not included in either the Trusted or the Blocked Zones are considered to be in the Internet Zone. You do not need to define this Zone, as it is the default Zone.

To define Zones:

1. In the Define Zones area of the Access Zones tab, click Add.

The Add Locations to Zones page appears. In this page you select locations and choose the Zone you want for them. You must define the locations for your network:

a. Click New Location and choose the location type.

b. Enter the information for the location.

For help completing the information for the location, see the online help.

c. Click Save.

d. Repeat steps a-c for all your Trusted Zone locations.

2. Add locations to your Trusted Zone.

a. Select the locations that you want to add to the Trusted Zone.

Use the recommendations in “Access Zones,” on page 40 as a guideline.

b. In the Add to Zone pulldown, select Trusted Zone.

Zone Rules

To set Zone rules:

1. In the Define Zones area of the Access Zones tab:

a. Set the Internet Zone Security Level to High.

b. Set the Trusted Zone Security Level to Medium.

You can view the details of these Zone security level settings by clicking Advanced.

2. In the Advanced Security Settings area, click Advanced.

3. Make sure Block fragments at all security levels is deselected.

4. Click Save.

You have now configured your Access Zones in your default policy.
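As an added example (not the product's code and not taken from the guide), the Python model below classifies addresses into the three Zones as described under "Access Zones": only Trusted and Blocked locations are defined, everything else falls into the default Internet Zone, which is also where a newly detected network stays under the "Leave Network in the Internet Zone" setting, and the High and Medium levels from the Zone rules are attached to the resulting Zone. The location formats (single address, address range, subnet), the sample addresses and the rule that a Blocked location wins over an overlapping Trusted subnet are assumptions of the example.

```python
"""Access Zone classification and per-Zone security level.

Constructed model, not Check Point's code. Locations (single addresses, ranges
or subnets) are assigned to the Trusted or Blocked Zone; every other address,
including any newly detected network when "Leave Network in the Internet
Zone" is selected, falls in the default Internet Zone. Precedence of Blocked
over Trusted for an overlapping location is an assumption of this model.
"""
from ipaddress import ip_address, ip_network, summarize_address_range
from typing import Dict, List

TRUSTED, BLOCKED, INTERNET = "Trusted", "Blocked", "Internet"


def parse_location(spec: str) -> list:
    """Accept 'a.b.c.d', 'a.b.c.d/nn' or 'a.b.c.d-w.x.y.z' and return networks.

    The three location formats are an assumption of this model.
    """
    if "-" in spec:
        lo, hi = (ip_address(p.strip()) for p in spec.split("-", 1))
        return list(summarize_address_range(lo, hi))
    return [ip_network(spec, strict=False)]


class AccessZones:
    def __init__(self) -> None:
        # Only Trusted and Blocked hold locations; Internet is never defined.
        self.locations: Dict[str, List] = {TRUSTED: [], BLOCKED: []}
        # Zone security levels as set in the guide's Zone rules.
        self.levels: Dict[str, str] = {INTERNET: "High", TRUSTED: "Medium"}

    def add_location(self, zone: str, spec: str) -> None:
        if zone not in self.locations:
            raise ValueError("only Trusted and Blocked locations are defined; Internet is the default")
        self.locations[zone].extend(parse_location(spec))

    def zone_of(self, addr: str) -> str:
        """Blocked is checked first (assumption), then Trusted, else Internet."""
        a = ip_address(addr)
        for zone in (BLOCKED, TRUSTED):
            if any(a in net for net in self.locations[zone]):
                return zone
        return INTERNET

    def security_level(self, addr: str) -> str:
        """Level that applies to traffic with this address, or 'Blocked'."""
        zone = self.zone_of(addr)
        return "Blocked" if zone == BLOCKED else self.levels[zone]


def build_pilot_zones() -> AccessZones:
    """Constructed pilot layout following the guide's Trusted/Blocked advice;
    all addresses are placeholders."""
    z = AccessZones()
    z.add_location(TRUSTED, "10.0.0.53")            # DNS server
    z.add_location(TRUSTED, "10.0.0.10-10.0.0.12")  # domain controllers
    z.add_location(TRUSTED, "10.0.2.0/24")          # file and print servers
    z.add_location(BLOCKED, "10.0.2.200")           # HR server inside the trusted subnet
    return z


if __name__ == "__main__":
    zones = build_pilot_zones()
    for addr in ("10.0.0.53", "10.0.0.11", "10.0.0.13", "10.0.2.5", "10.0.2.200", "198.51.100.7"):
        print(addr, zones.zone_of(addr), zones.security_level(addr))
```

The HR server placed inside the file-server subnet is the case worth checking when you build real Zones: a single Blocked address carved out of a Trusted subnet only has the intended effect if Blocked takes precedence, so verify the product's actual behaviour in the Advanced settings before relying on such overlaps.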

Posted: 22/12/2013, 11:17