Hi,
Check Point SmartDefense integrates with the SANS DShield.org Storm Center in two ways:
• The DShield.org Storm Center produces a Block List report, which is a list of address ranges that are worth blocking. This Block List is frequently updated. The SmartDefense Storm Center Module retrieves and adds this list to the Security Policy in a way that makes every update immediately effective.
• You can decide to send logs to the Storm Center in order to help other organizations combat the threats that were directed at your own network. You can decide which logs to send by selecting the rules for which you want to send logs.
How the Block List is Received
The Security Administrator defines a Dynamic Object called CPDShield (the name is fixed) in the SmartDashboard, and places it in a Rule that defines what to do with the
communication from the addresses in the Dynamic Object (typically, the traffic will be dropped), and installs the Policy on the FireWall-1 Gateways. An agent (daemon) on each FireWall-1 Gateway on which the Storm Center Module is
installed receives the Block List of malicious IP addresses from
via HTTPS. Every refresh interval (the default is three hours), the agent takes the Block List, and “populates” the Dynamic
Object with the IP address ranges in the Block List. This process is logged in the SmartView Tracker.
How to send log files
A log submitting agent (daemon) on the SmartCenter Server generates two kinds of logs. As well as regular logs, a compact log digest is created. The digest includes only
the number of Drops and Rejects per port. The Storm Center tells the log submitting agent to send either regular logs, or digests, or both kinds of log. The log submitting agent sends to the Storm Center the logs chosen by the Security
Administrator, of the type requested by the Storm Center. Log submission is done via HTTPS POST. The log submitting agent is an OPSEC compliant LEA client. The logs are compressed into a database.
What a Submitted Log Contains
The logs that are submitted to the Storm Center contain the following information:
• Connection parameters: Source IP Address, Destination IP Address, Source Port,
Destination Port (that is, the Service), IP protocol (such as UDP, TCP or ICMP).
• Rule Base Parameters: Time, action
A detailed description of the log.
For HTTP Worm patterns, the log contains the same connection parameters, the same
Rule Base parameters, and also the name of attack and the detected URL pattern.
Removing Identifying Information from the Submitted Log
It is possible to delete identifying information from the destination IP address in the
submitted log, by specifying a designated number of bits to mask. The destination IP
addresses identify your organization's IP addresses because the logs are typically collected
from attacks that come from outside the organization and are directed towards internal
IP addresses.
The mask can be used to delete as many bits as desired from the internal IP addresses.
A zero-bit mask obscures the whole of the IP address. A 32-bit mask reveals the whole
of the internal IP address. An 8-bit mask reveals 8 valid bits, and converts an IP address
such as 192.168.46.88 to 0.0.0.88.
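The following is an added example, not code from the original post or from Check Point: it models, on constructed sample records, the two transformations described above for submitted logs, the destination masking that keeps only the low N bits of the address (8 bits turns 192.168.46.88 into 0.0.0.88) and the compact digest that counts Drops and Rejects per port. The record fields and the helper names are assumptions for illustration.

```python
from collections import Counter
from ipaddress import IPv4Address


def mask_destination(ip: str, reveal_bits: int) -> str:
    """Keep only the low `reveal_bits` bits of an IPv4 address, zeroing the rest.

    0 hides the whole address, 32 reveals it, 8 maps 192.168.46.88 to 0.0.0.88,
    as the text above describes (this is the reverse of a subnet mask, which
    keeps the high-order bits).
    """
    if not 0 <= reveal_bits <= 32:
        raise ValueError("reveal_bits must be between 0 and 32")
    keep = (1 << reveal_bits) - 1  # bitmask selecting the low-order bits to keep
    return str(IPv4Address(int(IPv4Address(ip)) & keep))


def anonymize(records, reveal_bits):
    """Return copies of the records with the destination address masked.

    The originals are left untouched so the local log stays complete."""
    return [dict(r, dst=mask_destination(r["dst"], reveal_bits)) for r in records]


def digest(records):
    """Compact digest: number of Drops and Rejects per destination port.

    Accepted connections are not counted, matching the description of the digest."""
    counts = Counter()
    for r in records:
        if r["action"] in ("Drop", "Reject"):
            counts[(r["dport"], r["action"])] += 1
    return dict(counts)


# Constructed sample records (hypothetical, not real firewall logs) using the
# fields the text lists: connection parameters plus time and action.
def _rec(time, src, dst, sport, dport, proto, action):
    return {"time": time, "src": src, "dst": dst, "sport": sport,
            "dport": dport, "proto": proto, "action": action}


SAMPLE_LOGS = [
    _rec("10:00:01", "203.0.113.5", "192.168.46.88", 40001, 80, "tcp", "Drop"),
    _rec("10:00:02", "198.51.100.7", "192.168.46.88", 40002, 80, "tcp", "Drop"),
    _rec("10:00:03", "203.0.113.9", "192.168.46.20", 40003, 445, "tcp", "Reject"),
    _rec("10:00:04", "203.0.113.9", "192.168.46.20", 40004, 53, "udp", "Accept"),
    _rec("10:00:05", "198.51.100.7", "192.168.46.1", 40005, 22, "tcp", "Drop"),
]
```

Running `anonymize(SAMPLE_LOGS, 8)` yields destinations such as 0.0.0.88 and 0.0.0.20, while `digest(SAMPLE_LOGS)` reports two Drops on port 80, one Reject on 445 and one Drop on 22, with the Accept on port 53 omitted.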
The Block List and the Submitted logs are securely transferred and authenticated via
SSL. The Certificate of the Storm Center Certificate Authority comes with the Storm
Center Module, and is stored locally. The locally stored certificate is used for two
purposes:
1. To check the authenticity of the origin of the received Block List, by verifying the
validity of the certificate received with the Block List.
2. To establish an SSL connection with the Storm Center when submitting logs, while
assuring that the logs are indeed sent to the Storm Center and to no one else.
The Certificate Authority of SANS DShield.org is Equifax. The file name of the locally
stored certificate is equifax.cer, and it is stored in the conf directory of the Storm
Center Module installation.
To send logs to DShield.org, you must register with them. DShield.org authenticates the
submitters of logs with a username and password that submitters obtain when
registering.
Size of Logs and Effect on FireWall-1 Performance
Receiving the Block List has no effect on FireWall-1 performance because only a very
small amount of data is received.
The submitted log is only a small subset of the full SmartDefense log, and is
compressed. The size of the log depends on the log interval, and the maximum size of
the log database. As a rough guide, 10,000 lines of logs take up 200 KB.
Planning Considerations
Where to Place the Block List Rule
Correct placement of the Block List Rule is crucial for effective operation of the Storm
Center Module. Place the Block List rule as high as possible in the Security Rule Base,
but below all authentication rules, and any other rules you are absolutely certain have a
reputable Source. If the Rule is placed too low it will have limited effect. If it is placed
too high, valid users may be blocked.
Which Logs to send to the Storm Center
Storm Centers have a special interest in receiving logging information about:
1. Unwanted port 80 traffic reaching the organization.
2. The Drop All rule (the last Rule in the Rule Base, that drops any traffic not
explicitly allowed in previous rules).
3. The Rule containing the Dynamic Object, which drops all traffic from any location
in the Block List.
4. HTTP Worms, caught by the SmartDefense General HTTP Worm Catcher.
Which Logs NOT to send to the Storm Center
Do not send logs from rules that log internal traffic.
Which Identifying Information to Remove from Submitted Logs
Decide on what part of your organization's IP addresses to mask in the submitted
logs. If all your internal addresses are private, non-routable addresses, you may not feel
it is necessary to mask the addresses. On the other hand, even non-routable addresses
can reveal information about your internal network topology.