- Endpoint Security
Implementation Guide
Version NGX 7.0 GA
January 9, 2008
© 2008 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their
use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by
any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book,
Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check
Point Endpoint Security, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing,
ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa,
DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX,
FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity
Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC,
OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Provider-1, PureAdvantage,
PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge,
SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security
Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter
UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal,
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand,
SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1,
UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1
Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1
SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm
Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs,
and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm
is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered
trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668,
5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign
patents, or pending applications.
Contents
Preface
About this Guide ...................................................................... 9
Available Formats ........................................................................9
Obtaining the Correct Version .......................................................9
Obtaining New Issues of this Guide ...............................................9
About the Endpoint Security Documentation Set ....................... 10
Documentation for Administrators ...............................................10
Documentation for Endpoint Users ..............................................10
Feedback ............................................................................... 12
Chapter 1 Introduction
Using this Guide .................................................................... 13
Assumptions .......................................................................... 14
Basic Setup ..............................................................................14
Sample Configuration ................................................................14
Chapter 2 Endpoint Security Overview
Endpoint Security System Overview .......................................... 15
System Architecture ..................................................................15
Endpoint Security Server ............................................................16
Endpoint Security Clients ...........................................................17
Client Packages .........................................................................17
Gateways ..................................................................................17
Endpoint Security Communications .......................................... 18
Endpoint Security Ports .............................................................18
Endpoint Security Modes ........................................................ 18
Endpoint Security Views .......................................................... 18
Endpoint Security Feature Overview ......................................... 19
Policies ....................................................................................19
Firewall Rules, Zone Rules, and Program Control ..........................22
Firewall Rules ...........................................................................23
Zones .......................................................................................23
Program Control ........................................................................25
Enforcement .............................................................................26
Chapter 3 Planning
Using a Pilot Installation ......................................................... 27
Prerequisites .......................................................................... 27
Choosing Your Client Type ....................................................... 28
Choosing Your Enterprise Policy Types ...................................... 28
Choosing Your Security Model .................................................. 29
Endpoint Security Implementation Guide 5
Gathering Topology Information ............................................... 29
Planning User Support ............................................................ 30
Chapter 4 Installation
Running the Installer .............................................................. 32
Logging In ............................................................................. 35
Chapter 5 Configuring Policies
Policy Stages ......................................................................... 36
Distributing Your First Policy ................................................... 37
Default Policy ...........................................................................37
Distributing the Endpoint Security Client .....................................37
Chapter 6 Creating a Basic Policy
Configuring Zones ......................................................................40
Setting Program Observation .......................................................42
Configuring Program Advisor .......................................................43
Deploying the Policy ..................................................................44
Testing the Policy ......................................................................44
Chapter 7 Creating a More Advanced Policy
Setting Firewall Rules ............................................................. 47
Program Control ..................................................................... 48
Setting Program Permissions ......................................................48
Configuring Enforcement Settings ............................................ 51
Setting Enforcement Rules .........................................................51
Deploying the Policy ............................................................... 54
Testing the Policy ................................................................... 55
Checking the Program Rule ........................................................55
Checking the Enforcement rule ...................................................55
Chapter 8 Assigning Policies
Workflow ............................................................................... 56
Switching Views ..................................................................... 58
Creating Catalogs ................................................................... 59
Choosing a Catalog Type ............................................................59
Creating an LDAP Catalog ..........................................................59
Creating an IP Catalog ...............................................................59
Creating a Custom Policy ............................................................60
Deploying the Custom Policy ................................................... 61
Assigning the Custom Policy .................................................... 62
Testing the Custom Policy ....................................................... 63
Checking the Custom Policy .......................................................63
Checking the Default Policy ........................................................63
Chapter 9 Understanding Policy Lifecycles
Understanding Policy Lifecycles ............................................... 65
Suggested Policy Settings ....................................................... 66
Sample Policy Lifecycles ......................................................... 67
Low Threat Lifecycle ..................................................................67
High Threat Lifecycle .................................................................69
Policy Lifecycles for VPN ............................................................71
Chapter 10 Supporting the User
Educating the Endpoint User ................................................... 73
Inform Endpoint Users in Advance ..............................................74
Provide Information About Your Security Policy ............................74
Describe the Distribution Process ................................................75
Providing Remediation Resources ............................................ 75
Using Alerts for User Self-help ....................................................75
Using the Sandbox for User Self-Help ..........................................75
Preparing your Helpdesk Staff ................................................. 77
Documentation ..........................................................................77
Training ....................................................................................77
Preface
In This Preface
About this Guide page 9
About the Endpoint Security Documentation Set page 10
Feedback page 12
About this Guide
The Endpoint Security Implementation Guide provides an overview of Endpoint
Security features and concepts. Follow the steps in this guide to install and configure a
basic Endpoint Security system as part of a pilot program. This pilot installation will
help you understand the basic features and functionality of the Endpoint Security
system.
This guide also explains how to plan your security policies, and provide support to
endpoint users. Please use the version appropriate to your installation.
Once you have mastered these features, you will be able to use the Endpoint Security
Administrator guide to use other features and to set up an installation that is more
specific to your actual network needs.
Available Formats
This guide is available as a PDF. This document is available from the Check Point CD.
Updated editions of the document may be available on the Check Point Website after
the release of Endpoint Security. The version of this document on the Check Point
Website may be more up-to-date than the version on the CD.
When obtaining updated PDF editions from the Check Point Website, make sure
they are for the same server version as your Endpoint Security. Do not attempt to
administer Endpoint Security using documentation that is for another version.
Obtaining the Correct Version
Make sure that this document has the Version Number that corresponds to the version
of your Endpoint Security. The Version Number is printed on the cover page of this
document.
Obtaining New Issues of this Guide
New issues of this guide are occasionally available in PDF format from the Check Point
Website. When using the PDF version of this document, make sure you have the most
up-to-date issue available. The issue date is on the cover page of this document.
When obtaining the most up-to-date issue of the documentation, make sure that you
are obtaining the issue that is for the appropriate server.
About the Endpoint Security Documentation Set
A comprehensive set of documentation is available for Endpoint Security, including the
documentation for the Endpoint Security clients. This includes:
“Documentation for Administrators,” on page 10
“Documentation for Endpoint Users,” on page 10
Documentation for Administrators
The following documentation is intended for use by Endpoint Security administrators.
Table 4-1: Server Documentation for Administrators
Endpoint Security Installation Guide: Contains detailed instructions for installing, configuring, and maintaining Endpoint Security. This document is intended for global administrators.
Endpoint Security Administrator Guide: Provides background and task-oriented information about using Endpoint Security. It is available in both a Multi and Single Domain version.
Endpoint Security Administrator Online Help: Contains descriptions of user interface elements for each Endpoint Security Administrator Console page, with cross-references to the associated tasks in the Endpoint Security Administrator Guide.
Endpoint Security System Requirements: Contains information on client and server requirements and supported third party devices and applications.
Endpoint Security Gateway Integration Guide: Contains information on integrating your gateway device with Endpoint Security.
Endpoint Security Client Management Guide: Contains detailed information on the use of third party distribution methods and command line parameters.
Endpoint Security Agent for Linux Installation and Configuration Guide: Contains information on how to install and configure Endpoint Security Agent for Linux.
Documentation for Endpoint Users
Although this documentation is written for endpoint users, Administrators should be
familiar with it to help them to understand the Endpoint Security clients and how the
policies they create impact the user experience.
Table 4-2: Client Documentation for Endpoint Users
User Guide for Endpoint Security Client Software: Provides task-oriented information about the Endpoint Security clients (Agent and Flex) as well as information about the user interface.
Introduction to Endpoint Security Flex: Provides basic information to familiarize new users with Endpoint Security Flex. This document is intended to be customized by an Administrator before distribution. See the Endpoint Security Implementation Guide for more information.
Introduction to Endpoint Security Agent: Provides basic information to familiarize new users with Endpoint Security Agent. This document is intended to be customized by an Administrator before distribution. See the Endpoint Security Implementation Guide for more information.
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please
help us by sending your comments to:
cp_techpub_feedback@checkpoint.com
Chapter 1
Introduction
In This Chapter
Using this Guide page 13
Assumptions page 14
The Endpoint Security Implementation Guide is intended to help you understand basic
Endpoint Security functionality and plan your implementation.
It includes:
A description of basic Endpoint Security architecture
Information to help you plan your installation
Introductions to the most important Endpoint Security features
Instructions on how to perform a basic installation in a pilot environment
Instructions on how to create and deploy basic policies in a pilot environment
Information about planning policy lifecycles to enhance your security
Information about supporting endpoint users
Follow the steps in this guide to install and configure a basic Endpoint Security system as
part of a pilot program. This pilot installation will help you understand the basic features and
functionality of the Endpoint Security system. Once you have mastered these features, you
will be able to use the Endpoint Security Administrator guide to use other features and to set
up an installation that is more specific to your actual network needs.
Using this Guide
The instructions in this guide generally assume that you have performed all the previous
tasks. It is recommended that you perform all of the tasks in this guide in the exact order and
manner specified, unless a task is explicitly marked as only applying to certain
circumstances.
Assumptions
This guide does not cover all possible Endpoint Security setups and configuration
options. This guide will focus on a basic setup and a sample pilot configuration
described below. Even if you do not plan to use these specific setup and configuration
parameters in your production environment, you will find this pilot setup provides
useful information that is common to all setups. For specific installation and
configuration information, see the Endpoint Security Installation Guide.
Basic Setup
This guide assumes that you are creating a pilot Endpoint Security system with the
following parameters:
Windows environment
Non-clustered environment
Single Domain setup
LDAP with Microsoft Active Directory
No gateway device
Sample Configuration
Endpoint Security is extremely flexible, and will allow you to create many different
types of security policies. This guide will focus on setting up some sample policies for
your pilot system that contain common, recommended settings. These settings are only
meant to be representative samples of the types of options you may want to implement
in your system. The exact settings you will create for your production environment will
differ according to your security needs. Where appropriate, this guide will mention
some of the other configuration options that are available, but you should perform the
basic configuration steps described in this guide before attempting them.
For more information about additional configuration options and features, see the
following documents:
Endpoint Security System Requirements
Endpoint Security Installation Guide
Endpoint Security Administrator Guide
Endpoint Security Gateway Integration Guide
Endpoint Security Client Management Guide
Chapter 2
Endpoint Security Overview
In This Chapter
Endpoint Security System Overview page 15
Endpoint Security Communications page 18
Endpoint Security Modes page 18
Endpoint Security Views page 18
Endpoint Security Feature Overview page 19
Use this chapter to familiarize yourself with the Endpoint Security system and its basic
features. Later in this guide you will be performing a pilot installation and configuration using
many of these features.
Endpoint Security System Overview
The Endpoint Security system allows you to centrally manage all of your endpoint security
functions.
System Architecture
The Endpoint Security system consists of two basic components: Endpoint Security Server,
and the Endpoint Security clients installed on your endpoint computers. You can also
optionally include other items in your system, such as gateways, RADIUS servers and LDAP
servers.
All Endpoint Security Installations include SmartPortal, which provides some of Endpoint
Security’s reporting functionality. Endpoint Security installations also include some other
Check Point components that function in the background. For more detailed information
about Endpoint Security system architecture, including integration with other Check Point
products, see the Endpoint Security Administrator Guide.
Figure 2-1: Basic Endpoint Security Architecture
Endpoint Security Server
The Endpoint Security server allows you to centrally configure your Endpoint Security
enterprise policies. Endpoint Security uses its own embedded datastore to store
administrator, configuration, and security policy information.
This guide will show you how to perform a typical Endpoint Security installation
without clustering and using the embedded datastore. For more information about the
Endpoint Security server and how to install it, see the Endpoint Security Installation
Guide.
Administrator Console
The Endpoint Security Administrator Console is the graphical user interface you will
use to create your security policies and deploy them to your users. You can also use the
Administrator Console to pre-package Endpoint Security client executables with
configuration settings and policies before you deliver them to your users.
This document will show you how to use the Administrator Console to create, assign,
and deploy clients to users. It will also show you how to use the Administrator Console
to create policy packages.
Endpoint Security Clients
As part of the Endpoint Security system you will be installing Endpoint Security clients
on your endpoint computers. These clients monitor your endpoints and enforce your
security policies. The Endpoint Security system includes Endpoint Security Agent and
Endpoint Security Flex. It also includes versions of Endpoint Security Agent and
Endpoint Security Flex that contain VPN capabilities.
Endpoint Security Agent
Use Endpoint Security Agent when you want to centrally manage security at all times.
It has a limited interface and does not allow the user to control security settings. If you
use the version of Agent that also has VPN capability, the users are provided with an
interface to configure their VPN. It also provides an interface to manage some antivirus
and anti-spyware functions. Generally, use Agent for your less advanced users and for
computers that belong to your organization. Since Agent provides a simpler user
interface and fewer messages to the user, it is less confusing for endpoint users.
There is a Windows version of Agent and a Linux version of Agent. This pilot will
assume you are using the Windows version.
Endpoint Security Flex
Use Flex when you want the endpoint user to control his or her security settings some
of the time. Flex has a full user interface that allows the user to control security
settings under certain conditions. Generally, use Flex for expert users who are familiar
with security issues. Flex is also useful when you want to provide endpoint security for
computers you do not own, but are restricted by law from exercising too much control
over.
Client Packages
You can use client packages to pre-configure your Endpoint Security clients (Agent or
Flex) and pre-populate them with security policies. Client packages not only let your
endpoint users get policies and connect to Endpoint Security as soon as possible, but
also let you configure the client installation. Create client packages in the
Administrator Console, then use a distribution method to deliver client packages to
your endpoint computers.
Gateways
You can integrate Endpoint Security with supported gateways to enhance your security.
Gateway integration will not be covered in this guide. The Endpoint Security System
Requirements document lists all the supported gateways. See the Endpoint Security
Gateway Integration Guide for information about configuring your gateway to work with
Endpoint Security.
Endpoint Security Communications
Endpoint Security operations are implemented by separate Endpoint Security services.
An Apache httpd server proxies requests to these services from entities external to
Endpoint Security, such as Endpoint Security clients or administrators logging on to
Endpoint Security from remote computers. The Apache httpd server acts as a single
point of entry, managing requests using SSL, file caching, UDP, and/or TCP socket offloading
functionality (see page 18).
For more information about Endpoint Security communications, see the Endpoint
Security Administrator Guide.
Endpoint Security Ports
By default, Endpoint Security uses the ports listed below to communicate with
Endpoint Security Clients. Make sure these ports are all available on the Endpoint
Security Server:
TCP/80 HTTP
TCP/443 HTTPS (for clients with versions less than 7.0)
TCP/2100 HTTPS (for 7.0 and later clients)
UDP/6054 (If used)
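As a pre-installation check for the port list above, here is an added example that is not part of the guide and not a Check Point tool: it attempts to bind each default port on the prospective server host and reports anything already holding it. The port numbers and purposes are the ones listed above; the self_check helper, which holds an ephemeral port of its own to exercise the detector, is the example's assumption. On Unix-like hosts the ports below 1024 can only be bound with root privileges, which the function reports as "unknown" rather than as a conflict.

```python
import errno
import socket

# Default server-side ports listed in the guide for Endpoint Security NGX 7.0.
ENDPOINT_SECURITY_PORTS = (
    ("tcp", 80, "HTTP"),
    ("tcp", 443, "HTTPS (clients older than 7.0)"),
    ("tcp", 2100, "HTTPS (7.0 and later clients)"),
    ("udp", 6054, "UDP (if used)"),
)

# errno values differ between POSIX and Winsock; accept both spellings.
_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", 10048)}
_DENIED = {errno.EACCES, getattr(errno, "WSAEACCES", 10013)}


def port_is_free(proto, port, host="0.0.0.0"):
    """Try to bind the port and release it immediately.

    Returns True when the bind succeeded (nothing else holds the port),
    False when another socket already owns it, and None when the check was
    inconclusive, e.g. a privileged port probed without elevation.
    """
    socktype = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    sock = socket.socket(socket.AF_INET, socktype)
    try:
        sock.bind((host, port))
        return True
    except OSError as exc:
        if exc.errno in _IN_USE:
            return False
        if exc.errno in _DENIED:
            return None
        raise
    finally:
        sock.close()


def check_server_ports(ports=ENDPOINT_SECURITY_PORTS):
    """Return (conflicts, unknown): ports held by something else, and ports
    whose state could not be determined from this process."""
    conflicts, unknown = [], []
    for proto, port, purpose in ports:
        state = port_is_free(proto, port)
        if state is False:
            conflicts.append((proto, port, purpose))
        elif state is None:
            unknown.append((proto, port, purpose))
    return conflicts, unknown


def self_check(proto):
    """Exercise the detector: hold an ephemeral port ourselves (constructed
    situation), confirm it is reported in use, release it, confirm it is free."""
    socktype = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    holder = socket.socket(socket.AF_INET, socktype)
    holder.bind(("0.0.0.0", 0))  # port 0: the OS picks a free port for us
    if proto == "tcp":
        holder.listen(1)
    port = holder.getsockname()[1]
    conflicts_while_held, _ = check_server_ports(((proto, port, "self-check"),))
    holder.close()
    free_after_release = port_is_free(proto, port)
    return (len(conflicts_while_held), free_after_release)


if __name__ == "__main__":
    conflicts, unknown = check_server_ports()
    for proto, port, purpose in conflicts:
        print(f"IN USE: {proto.upper()}/{port} ({purpose})")
    for proto, port, purpose in unknown:
        print(f"UNKNOWN, rerun with elevated privileges: {proto.upper()}/{port} ({purpose})")
    if not conflicts and not unknown:
        print("All default Endpoint Security ports are available.")
```

Run it on the machine that will host the Endpoint Security Server before starting the installer; a conflict on TCP/80 or TCP/443 usually means another web server (IIS, for example) is already bound to the interface.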
Endpoint Security Modes
There are two modes for Endpoint Security:
Single Domain
Multi Domain
You choose the domain mode when you install Endpoint Security. Having multiple
domains is useful for Internet Service Providers and large companies that want local
administration for locations and business units. This book assumes you are using the
Single domain mode.
Endpoint Security Views
Single Domain has two views:
Simple view
Advanced view
When you first log into a single domain Endpoint Security server, the system is in
simple view. Simple view offers a simplified User Interface and feature set. This allows
you to become familiar with the core features of Endpoint Security more easily. When
following the processes in this book, you will begin administering Endpoint Security in
simple view. Later, when you have created your first policies and become familiar with
the basic features, you will switch Endpoint Security to advanced view and use some of
the more advanced features.
Endpoint Security Feature Overview
Endpoint Security is a flexible system with many powerful features to help secure your
network. This document will explain the basic functionality of some of the most
important features. You can find out more about these features and about other
features in the Endpoint Security Administrator Guide.
This section describes the following features:
“Policies,” on page 19
“Firewall Rules,” on page 23
“Zones,” on page 23
“Program Control,” on page 25
“Enforcement,” on page 26
Policies
Policies are how you deliver security rules to your endpoint users. Administrators create
enterprise policies using the Endpoint Security Administrator Console and assign them
to endpoint users or groups of endpoint users. Endpoint Security deploys these
enterprise policies to endpoint computers, where the Endpoint Security clients receive
and enforce them. You can create connected and disconnected enterprise policies for
your users. If your users have Flex, they may also configure a personal policy for
themselves.
Connected Policies
The connected enterprise policy is the policy that is enforced when the endpoint
computer is connected to your network. Generally, this is a fairly restrictive policy. This
policy is used not only to protect the endpoint computer from threats, but also to
protect other computers on your network and to enforce your corporate policies. For
example, a connected policy might have very restrictive firewall rules, require a
particular antivirus program, or block programs that violate your company’s ethics
policies, such as Kazaa.
Disconnected Policies
The disconnected enterprise policy is enforced when the endpoint computer is not
connected to your network. Usually this policy is less restrictive, but provides a
minimum level of security that you can then depend upon at all times. The goal of this
policy is usually to protect the endpoint computer from the worst threats while allowing
the user more freedom. For example, a disconnected policy might require that the
endpoint have antivirus protection, but not be as strict about which brand or version. It
might also allow users to run entertainment programs that they are not allowed to run
while connected to your network.
If you do not want to control an endpoint computer’s security when it is disconnected,
you can omit the disconnected policy. In the absence of a disconnected policy, Flex
enforces the personal policy and Agent enforces the connected policy.
If you use disconnected policies, it is highly recommended that you use the Office
Awareness feature. If you do not configure Office Awareness, your Endpoint Security
clients will use the disconnected policy whenever they lose contact with the Endpoint
Security server. For more information about Office Awareness, see the Endpoint
Security Administrator Guide.
Note: In some cases, you may want to have the disconnected policies be more restrictive
than the connected policies. This is useful if you want to prohibit recreational use of
computers outside of work. If you have restrictive disconnected policies, it is essential
that you configure Office Awareness.
Personal Policies
Flex users can create their own security policies. How these policies are arbitrated with
conflicting enterprise policies depends on what settings you choose in the enterprise
policy. Generally, the more restrictive policy rule is the one that is enforced.
VPN Policies
If you use gateways, you can specify a VPN policy for your users. This policy is
enforced when users connect via a gateway, no matter what other policies the user may
be assigned.
Policy Packages
Policy packages are bundles of policies that can be assigned together. Using packages,
you can specify which policy to enforce as the connected policy and which to enforce
as the disconnected policy.
Policy Assignment
For Endpoint Security to apply your security policy to an endpoint computer, you must
indicate which users it applies to. This is called ‘policy assignment.’ Policy assignment
determines which policy is enforced for a given user under what circumstances. Use
policy assignment to give different policies to your users according to your
organization’s needs. Generally, it is recommended that you assign policies according
to a user’s domain or entity, rather than individual users. If a user is not a member of a
domain or catalog and is also not assigned a policy as an individual, he or she receives
the default policy.
Domains
One way of assigning policies is to assign them to domains. If you have the Multiple
Domain version of Endpoint Security, you can divide your organization into functional
units known as domains. This is particularly useful for companies such as Internet
Service Providers, who want to have a domain for each customer. Domains can have
their own administrators and can be assigned a policy or policy package. That policy
then applies to all the members of the domain unless it is overridden by a more
specific policy, such as one assigned to a catalog, gateway, or user.
In Single Domain mode, which is what you will use in this pilot, there is only one
domain.
Note that Endpoint Security Domains are not equivalent to NT Domains or network
domains.
Catalogs
Domains (and organizations using the Single Domain version of Endpoint Security) can
be divided into catalogs. Catalogs are user catalogs or IP ranges. Users can be grouped
according to their function in the company, their department, their rank, their location,
etc. Catalogs can be assigned a security policy. This policy applies to all the members
of the catalog, unless overridden by a user-specific policy.
Gateways
Users can be grouped according to the VPN gateway they use. This allows you to assign
a different policy. This policy only applies to users when they are using VPN to connect
to your network.
Users
You can also assign policies directly to specific users. As this is not scalable, it is
recommended that you use this only to make a temporary exception to your usual
policy assignment practices.
Assignment Priority
You can assign policies directly to a particular user or to an entire entity or domain.
The assignment priority you select determines which policy assignment takes priority
when a user belongs to more than one entity.
For example, a user may be assigned one policy because he connected via a particular
VPN gateway, but he may also be assigned another policy because he belongs to a
RADIUS catalog. The security policy tells Endpoint Security which of these policies to
enforce in these situations.
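The policy model described in this section (connected and disconnected policies, the Flex personal policy, policy packages, and assignment to users, catalogs, gateways, the domain, or the default) is summarised below as an added example that is not Endpoint Security code and does not reflect how the product stores or evaluates policies. Its assumptions: an assignment to an individual user is more specific than any entity assignment, the configurable assignment priority only orders the entity scopes (catalog versus gateway) against each other, a gateway assignment applies only while the user is on that VPN gateway, and personal-versus-enterprise arbitration uses the ordering allow < ask < block as the meaning of "more restrictive". All policies, users and catalogs are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed restrictiveness ordering for arbitrating a Flex user's personal
# policy against the enterprise policy ("the more restrictive rule wins").
RANK = {"allow": 0, "ask": 1, "block": 2}


@dataclass
class Policy:
    name: str
    rules: dict  # program name -> "allow" | "ask" | "block"


@dataclass
class Package:
    """Policy package: the connected policy and an optional disconnected one."""
    connected: Policy
    disconnected: Optional[Policy] = None


@dataclass
class Endpoint:
    user: str
    catalogs: tuple = ()                 # catalogs the user belongs to
    gateway: Optional[str] = None        # VPN gateway in use, None when not on VPN
    on_corporate_network: bool = True    # what Office Awareness reports
    client: str = "agent"                # "agent" or "flex"
    personal: Optional[Policy] = None    # Flex users may define one


@dataclass
class Assignments:
    default: Package
    domain: Optional[Package] = None
    users: dict = field(default_factory=dict)     # user name -> Package
    catalogs: dict = field(default_factory=dict)  # catalog name -> Package
    gateways: dict = field(default_factory=dict)  # gateway name -> Package


def resolve_package(ep, asg, priority=("gateway", "catalog")):
    """Most specific assignment wins: the individual user, then the entity
    scopes in the configured priority order, then the domain, then default."""
    if ep.user in asg.users:
        return asg.users[ep.user]
    for scope in priority:
        if scope == "gateway" and ep.gateway in asg.gateways:
            return asg.gateways[ep.gateway]
        if scope == "catalog":
            for cat in ep.catalogs:
                if cat in asg.catalogs:
                    return asg.catalogs[cat]
    return asg.domain or asg.default


def select_policy(ep, pkg):
    """Connected vs. disconnected. With no disconnected policy in the package,
    Flex falls back to the personal policy and Agent keeps the connected one."""
    if ep.on_corporate_network:
        return pkg.connected
    if pkg.disconnected is not None:
        return pkg.disconnected
    if ep.client == "flex" and ep.personal is not None:
        return ep.personal
    return pkg.connected


def effective_rules(ep, policy):
    """Per program, enforce the more restrictive of enterprise and personal rule."""
    if ep.client != "flex" or ep.personal is None or policy is ep.personal:
        return dict(policy.rules)
    merged = dict(policy.rules)
    for prog, action in ep.personal.rules.items():
        merged[prog] = max(merged.get(prog, "allow"), action, key=RANK.__getitem__)
    return merged


def demo():
    """Constructed sample data: the checks a pilot administrator would run."""
    strict = Policy("strict-connected", {"browser": "allow", "kazaa": "block", "im": "ask"})
    roaming = Policy("roaming", {"browser": "allow", "kazaa": "allow"})
    vpn = Policy("vpn-only", {"browser": "allow", "kazaa": "block", "im": "block"})
    asg = Assignments(default=Package(strict, roaming),
                      catalogs={"finance": Package(strict)},   # no disconnected policy
                      gateways={"vpn-east": Package(vpn)})
    alice = Endpoint("alice", catalogs=("finance",), gateway="vpn-east")
    bob = Endpoint("bob", client="flex", on_corporate_network=False,
                   personal=Policy("bob-personal", {"im": "block", "kazaa": "ask"}))
    carol = Endpoint("carol", catalogs=("finance",), client="flex", on_corporate_network=False,
                     personal=Policy("carol-personal", {"browser": "ask"}))
    dave = Endpoint("dave", catalogs=("finance",), on_corporate_network=False)
    return {
        "alice_gateway_first": resolve_package(alice, asg).connected.name,
        "alice_catalog_first": resolve_package(alice, asg, ("catalog", "gateway")).connected.name,
        "bob_package": resolve_package(bob, asg).connected.name,
        "bob_rules": effective_rules(bob, select_policy(bob, resolve_package(bob, asg))),
        "carol_policy": select_policy(carol, resolve_package(carol, asg)).name,
        "dave_policy": select_policy(dave, resolve_package(dave, asg)).name,
    }
```

The two alice results show why the assignment priority matters: the same user on the same VPN gets the gateway package or the catalog package depending only on the priority setting, so record the chosen priority alongside the policies when you document the pilot.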