Learn from Indeni Experts about Stealth Rules with the chance to ask any questions that might come up.
Hello!
A normal way to organize a firewall rule base in Check Point, is to start with all the rules that allows traffic to your gateway. For example allowing SSH from specific sources to the gateway for management.
Beneath these rules, you put a firewall rule like this:
Source: Any
Destination: Gateway object
Service: Any
Action: Drop
The reason for this is to prevent the administrator from accidentally allowing connections to the gateway further down in the rule base.
Now you might be thinking "I will not make that misstake!". But if you have worked with other firewall vendors in the past, you might have noticed that Check Point is different in many areas.
One difference is that you do not have a dedicated management interface for management. This means that you could connecto to your gateway on any IP it has, for any subnet it has an interface on.
Lets say that you have a client subnet, 192.168.1.0/24, where the gateway has IP 192.168.1.1.
You also have a server subhet, 192.168.2.0/24, and the gateway has the IP 192.168.2.1.
You want to create a rule to allow clients to manage the linux servers:
Source: 192.168.1.0/24 (Client subnet)
Destination: 192.168.2.0/24 (Server subnet)
Port: 22 (SSH)
This rule would also allow clients to connect to the gateway on 192.168.2.1 using SSH.
If you have created the stealth rule this will be prevented.
Checkpoint has 4 types rule.
- Stealth Rule - Prevent any users from connecting directly to the Security Gateway.
- Cleanup Rule - Determines how to handle unmatched connections.
- Explicit Rules - Created by the administrator.
- Implicit Rules - Defined by the Security Gateway and are not visible in the Rule Base.
Rule Base - Collection of individual rules which builds the Security Policy.
1 Like
Thanks, Gomboragchaa! That’s really helpful.