Before diving into Check Point firewalls and creating security policies, it is essential to understand Check Point's architecture and how it works. This post will give you a feel for what Check Point firewalls are and how they work in the multilayer approach developed by Check Point. The terms below are the most common ones and should be sufficient to get you started with Check Point firewalls.
Smart Console – A set of GUI applications that allows security administrators to configure and manage the global security policy for the entire organization. There are quite a few clients available in the Smart Console, each for a different purpose. The main client application is SmartDashboard, which is used to configure the security policy of the network. SmartDashboard connects to the Security Management Server, which houses the actual security policy database of rules and objects.
Security Management Server – The Security Management Server contains the global security policy for an organization. This policy is defined using SmartDashboard; however, it is actually saved on the Security Management Server. It contains the following databases: Object database, User database, Security rules and Log database. The Security Management Server interacts with the Security Gateways by uploading the security rule sets specific to each Security Gateway and by receiving logging information from the Security Gateways. The Security Management Server package can be installed on the following supported platforms: Windows 2003 and 2008, IPSO (FreeBSD) and SPLAT (Linux based).
Security Gateway – Security Gateways are the ‘firewalls’ you have always known. They are installed wherever the security rules must be applied. So, the security rules are created using SmartDashboard, saved on the Security Management Server and then pushed to the intended Security Gateway.
Platforms – Check Point is a completely software-based firewall which has to be installed on a guest OS such as Windows 2003/2008, SPLAT (Check Point's Linux distribution based on RHEL) or Nokia IPSO (based on FreeBSD) running on appropriate hardware.
When installing Check Point on Windows, you have to make sure that Windows is properly hardened and the OS itself is completely secure. The other flavors, SPLAT and IPSO, are custom made for installing Check Point on hardware manufactured by Nokia (which has now been bought by Check Point) and do not need any hardening process, because only the bare essentials required from the OS are made available and the rest is done away with. Once the guest OS is ready, you can install the Check Point firewall right away by installing the appropriate image for your guest OS.
The installation is obviously a little different from that of the normal applications you install every day, but you get the point, right? And this is what makes Check Point’s architecture different from that of other vendors.
Now that you know what is what, the architecture of Check Point firewalls should be a little easier to understand. Check Point firewalls can be deployed in a stand-alone fashion or a distributed one. Let's look at the difference between the two:
In a stand-alone deployment, the Security Management Server and the Security Gateway are installed on the same platform, and the Smart Console will most probably be installed on a separate platform, from which you access the Security Management Server to create policies and push them to the Security Gateway (which is the same device in this case). However, this deployment defeats the whole purpose of Check Point’s three-tiered architecture and is not recommended by Check Point, except for small businesses.
A distributed deployment is more commonly known as a three-tiered architecture, wherein each component is installed on a separate platform. This type of deployment is highly recommended by Check Point. Smart Console is usually installed on Windows for its ease of use. The Security Management Server can be installed on a Windows/Linux/FreeBSD platform depending on the requirement. And the Security Gateway too can be installed on a Windows/Linux/FreeBSD platform as per the requirements (but seriously, ‘Windows’ for a ‘security’ gateway?!).
P.S.: The terminology defined above mainly applies to R75, but the architecture is the same for earlier versions as well.