Day2-02-CCSBA-Deployment and Best Practice-V7.3-169

The document discusses different deployment scenarios for SandBlast training. It describes 6 deployment options for integrating SandBlast with Check Point and non-Check Point security gateways. SandBlast can be deployed as a cloud service, on-premises appliance, in bridge mode, or using protocols like ICAP. The document also covers shared and redundant SandBlast appliance configurations.


SANDBLAST TRAINING

Deployment and Best practice

©2017 Check Point Software Technologies Ltd. [Internal Use] for Check Point employees​ 1
01
DEPLOYMENT SCENARIOS

Deployment – 1 Cloud (CP customer)

[Diagram: Internet – SandBlast Cloud emulation – Check Point Security Gateway – Corporate Network (LAN); optional Threat Extraction enabled on local gateway]

 SandBlast as a cloud subscription service
 Uses SandBlast Cloud emulation service
 Check Point Gateway requires NGTX license
 No new hardware is needed
 Requires Check Point Security Gateway with R77 and above
 Be sure to do a correct sizing! Advise memory upgrade if needed
Deployment – 2 Local (CP customer)

[Diagram: Internet – Check Point Security Gateway – SandBlast Appliance – Corporate Network (LAN); optional Threat Extraction enabled on local gateway]

 SandBlast Appliance on-premises
 Gateway collects file
 SandBlast emulates file
 Check Point Gateway requires NGTX license
 The most common solution when using a local appliance
 Requires Check Point Security Gateway with R77 and above
Deployment – 3 Bridge mode (non-CP)

[Diagram: Internet – Other Security Gateway – SandBlast Local Appliance in bridge mode – Corporate Network (LAN); optional Threat Extraction enabled on local appliance (requires MTA on non-bridge interface)]

 SandBlast Appliance on-premises
 SandBlast collects & emulates files
 SandBlast is deployed in Bridge mode (layer 2). Layer 3 is possible.
 Enable all possible blades.
 SandBlast Appliance requires NGTX license
 The most common solution for non-Check Point customers
Deployment – 4 ICAP (any customer)

[Diagram: Internet – Any Security Gateway – Any Proxy – SandBlast Appliance – Corporate Network (LAN)]

 SandBlast Appliance on-premises
 Any proxy server collects files and sends them via ICAP to the SandBlast Appliance, which emulates the files
 SandBlast can act as MTA to emulate mail traffic at the same time.
 SandBlast appliance requires NGTX license.
Deployment – 5 SPAN/TAP (Any customer)

[Diagram: Internet – Any Security Gateway – Switch or Tap – SandBlast Appliance – Corporate Network (LAN); optional Threat Extraction enabled on local appliance (requires MTA on non-bridge interface)]

 SandBlast Appliance on-premises
 SandBlast collects & emulates files
 SandBlast is deployed in detect mode, layer 3.
 SandBlast Appliance requires NGTX license
 The most common solution for detect-only customers, Cloud PoCs or CheckUps.
 Can work together with an existing proxy; make sure to enable X-Forwarded-For.
Deployment – 6 Shared Appliance

[Diagram: Branch – VPN – Headquarters with SandBlast Appliance; Branch – VPN – Headquarters]

 Check Point Security Gateways with R77 NGTX functions – AV, AB, IPS etc. including Threat Extraction
 SandBlast appliance only at Headquarters or per regional datacenter(s)
Deployment – 6a Shared Appliance

[Diagram: Branches – SandBlast Appliance – Branches within the Europe VPN Community]

• Each region can have its own local SandBlast appliance(s) that is shared within that region – see 6.
• The sum of the files for all offices should not overload the regional SandBlast appliance.
• VPNs not shown for clarity
Deployment – 7 Redundant Appliances
Multiple SandBlast gateways for redundancy and load sharing

[Diagram: Branch – Branch – Headquarters with SandBlast Appliances]

 Use the tecli advanced remote command on every harvesting gateway to configure redundant SandBlast appliances
 Check Point Security Gateways with R77 NGTX functions – AV, AB, IPS etc. including Threat Extraction
Deployment – 8 Hybrid

[Diagram: Branch – Branch – Headquarters; SandBlast Cloud emulation and/or local emulation]

 SandBlast hybrid solution
 Check Point Security Gateways with R77 NGTX functions – AV, AB, IPS etc. including Threat Extraction
 Each gateway using cloud and/or appliance requires NGTX license.
Deployment – 9 SandBlast Cloud for Office 365

[Diagram: Microsoft API – get emails when they arrive at the users' inbox]

 SandBlast solution for cloud-based applications / Office365
 Other Microsoft cloud applications and other cloud emails like Gmail (roadmap)
 Office365 integration is done via Microsoft API so no additional MTA is required
Deployment – 10 (recommended) MTA redundancy
MTA on SandBlast appliances

[Diagram: Internet – 1. Anti Spam Server(s) (customer's first MX) – Check Point Cluster – 2. MX1 = MTA, MX2 = MTA on SandBlast Appliance(s) – 3. Email/SMTP Server(s) – Corporate Network (LAN)]

 For solutions up to 5000 users*
 First hop should be the customer's ANTISPAM (to solve the Backscatter/RBL problem)
 MTA is running on SandBlast appliances so we can control SMTP connections to the MTA via the CP cluster's fw rules
 First hop uses e.g. DNS to round-robin emails to SandBlast appliances
 Perimeter cluster runs all NGTX blades and can offload HTTP/S emulation to SandBlast appliance(s) if needed
 After emulation, SandBlast's MTA forwards the emails to the internal mail server

*5000 users is a benchmark. Depending on design and traffic blend this number might be higher or lower.
Deployment – 11 (recommended) MTA redundancy
MTA on dedicated Check Point Appliances

[Diagram: Internet – 1. Anti Spam Server(s) (customer's first MX) – Check Point Cluster – 2. MX1 = MTA, MX2 = MTA on Check Point Appliance(s) – SandBlast Appliance(s) – 3. Email/SMTP Server(s) – Corporate Network (LAN)]

 For solutions above 5000 users*
 As a guideline, if using multiple TE1000X or TE2000X appliances this will be the recommended solution.
 MTA is running on dedicated Check Point Appliances so we can control SMTP connections to the MTA via the CP cluster's fw rules. Check Point MTA Appliances send files that should be emulated to SandBlast Appliances.
 Perimeter cluster runs all NGTX blades and can offload HTTP/S emulation to SandBlast appliance(s) if needed

*5000 users is a benchmark. Depending on design and traffic blend this number might be higher or lower.
Deployment – 12 MTA redundancy
MTA on perimeter CP cluster

[Diagram: Internet – 1. Anti Spam Server(s) (customer's first MX) – 2. Check Point Cluster + MTA – 3. SandBlast Appliance(s) – 4. Email/SMTP Server(s) – Corporate Network (LAN)]

 First hop should be the customer's ANTISPAM (to solve the Backscatter/RBL problem)
 The CP cluster is running the MTA (be sure you know about the needed configuration in the SandBlast PoC guide)
 Perimeter cluster runs NGTX + MTA + offloads emulation to SandBlast appliance(s)
 SandBlast appliances have internal IP addresses.
 After emulation, the CP cluster MTA forwards the emails to the internal mail server
 This deployment is also needed if MTA should be used with cloud emulation
02
MTA

The need for MTA
Streaming SMTP and Hold connection
• Hold connection handling is not recommended for SMTP traffic in streaming mode
̶ Can cause the sending mail server not to send any additional emails until the emulation of the prior email is completed
̶ Will also cause high latency for emails without attachments if the (same) sending SMTP server sends many emails to the (same) receiving SMTP server
• MTA deployment with SMTP doesn't cause the same issue and is therefore the recommended configuration where the requirement is to prevent a new malicious file the first time it arrives
̶ Real first time zero-day prevention
MTA Pros and Cons
• Pros:
̶ Adds support for SMTP TLS (encrypted SMTP)
̶ Inline Prevention (better than streaming inspection hold mode)
̶ Emulate files before the receiver gets them
̶ Note: Receiver will get the full email no matter what, but malicious attachments are replaced with a text file telling which files were removed
• Cons:
̶ Small delay on emails, especially ones with attachments
̶ Small GW performance/latency overhead (parse emails, email queue)
̶ Modifying the MX record might be required (depends on upstream MTA)
The need for MTA
Cluster vs. SandBlast appliance
1. The MTA can run on a SandBlast appliance
̶ Recommended
̶ Traffic to MTA can be easily controlled by the central firewall (e.g. if the SandBlast appliance is installed in a DMZ)
̶ No additional open port on the central CP firewall
̶ Preferred way because of limitations when running MTA on a cluster
2. Running the MTA on a CP cluster
̶ Needed if the CP cluster uses SandBlast Cloud emulation (with no on-premise SandBlast appliance)
̶ You cannot restrict the MTA to run on only certain interfaces or run on a VIP IP (SK107093)
̶ You must edit implied rules to be able to configure firewall rules to control traffic to the MTA on a CP cluster (see SandBlast PoC guide)
̶ Currently a hotfix is needed on the Management server to prevent double inspection (SK109198)
02.1
MTA ARCHITECTURE

MTA (Mail Transfer Agent)
• New feature in R77 that supported Threat Emulation only
̶ Threat Extraction from R77.30
̶ MTA for AV on roadmap
̶ MTA is included in the Blade license (no separate license)
• MTA implements both the client and server portions of SMTP
̶ Designed for inbound emails only!
• MTA acts as SMTP relay:
̶ Receives the email from the sender
̶ Possibly modifies the email: strip attachment, modify content, add content
̶ Sends it to the next hop, which could be another MTA or the mail server
• Supports clustering, but running SMTP sessions will restart and the “passive” queue will be delayed until the member is active again
• Not recommended for use as an Internet-facing inbound MTA today
̶ VRFY and LDAP integration planned to remediate the backscatter problem from faked email senders leading to possible RBL issues
MTA flow

02.2
MTA
CONFIGURATION

Configuring MTA next hop address
• Next-hop redundancy is currently available via editing configuration files (see sk110369)
• Two entries with the same domain name will always select the last next hop
Configuring MTA enabling TLS support
• If senders want to send email using an encrypted connection (SMTP over TLS) carry out these two additional steps:
̶ Import Certificate for SMTP/TLS (.p12)
̶ Enable SMTP/TLS
Configuring MTA advanced settings

[Screenshot callouts]
• How much time to wait for the emulation result per email
• Maximum disk space allocated to save emails
• Fail-Open/Fail-Close strategy (i.e. should we strip the attachment if the time is exceeded?)
Configuring BCC with Null MTA for PoC
• Due to SMTP TLS it is recommended to use MTA
̶ MTA is much more reliable than SPAN ports (no packet loss)
̶ Use MTA on a SandBlast appliance (not CP cluster) if possible
• Create a rule on an external MTA to forward a copy of all emails to the GW MTA (management NIC IP/DNS)
̶ Define a “nullhost” object with IP 0.0.0.0 as next hop MTA
̶ Don't use the “*” domain without nullhost (can be used for SPAM!)
02.3
MTA TROUBLESHOOTING

MTA debugging log files
• Postfix writes to /var/log/maillog
• MTA writes to $FWDIR/log/emaild.mta.elg

03
ICAP

ICAP considerations
• ICAP server hotfix is needed and can be downloaded from SK111306
• ICAP implementation is based on http://c-icap.sourceforge.net/
• FW on the SandBlast appliance needs a firewall rule to allow the default ICAP port 1344 for the proxies to connect to the ICAP server
• Further configuration instructions can be found in the SandBlast PoC Guide 8.0 and higher
• Soon to be integrated into the Jumbo Hotfix
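The proxy-to-appliance exchange from Deployment 4 and the ICAP slide above, as an added example that is not Check Point's or c-icap's code: it builds the OPTIONS and RESPMOD requests a proxy sends to the ICAP server on port 1344, parses the reply and maps 204/200 to a verdict. The service path /example_service, the host names and the Connection: close header are assumptions; the appliance's real ICAP service name is not given on the slide.

```python
import socket

ICAP_PORT = 1344              # default ICAP port the proxies connect to (per the slide)
SERVICE = "/example_service"  # PLACEHOLDER: the appliance's real service path is not given here


def _icap_head(method, host, extra_headers, service):
    """ICAP start line plus headers; Connection: close so a read-to-EOF client cannot hang."""
    lines = [f"{method} icap://{host}:{ICAP_PORT}{service} ICAP/1.0",
             f"Host: {host}", "Connection: close"] + extra_headers
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def build_options(host, service=SERVICE):
    """OPTIONS request: asks the server which methods, preview size and ISTag it offers."""
    return _icap_head("OPTIONS", host, ["Encapsulated: null-body=0"], service)


def build_respmod(host, http_req_hdr, http_res_hdr, body, service=SERVICE):
    """RESPMOD request wrapping an HTTP response (what a proxy hands over for file
    inspection). Header blocks are passed without their terminating blank line;
    the body is chunked and Encapsulated carries the byte offset of each section."""
    req = http_req_hdr + b"\r\n\r\n"
    res = http_res_hdr + b"\r\n\r\n"
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    enc = f"Encapsulated: req-hdr=0, res-hdr={len(req)}, res-body={len(req) + len(res)}"
    return _icap_head("RESPMOD", host, ["Allow: 204", enc], service) + req + res + chunked


def parse_icap_message(data):
    """Split an ICAP request or response into (start line, lower-cased headers, payload)."""
    head, sep, payload = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, payload


def encapsulated_offsets(headers):
    """Turn 'req-hdr=0, res-hdr=46, res-body=84' into {'req-hdr': 0, ...}."""
    offsets = {}
    for part in headers.get("encapsulated", "").split(","):
        key, _, value = part.strip().partition("=")
        if key:
            offsets[key] = int(value)
    return offsets


def response_verdict(data):
    """204 = content returned unmodified (nothing stripped), 200 = modified content follows."""
    start, headers, payload = parse_icap_message(data)
    status = int(start.split()[1])
    verdict = {204: "unmodified", 200: "modified"}.get(status, f"error {status}")
    return verdict, headers, payload


def send_icap(host, request, timeout=5.0):
    """Send one request to a live ICAP server and return the raw reply (reads to EOF)."""
    with socket.create_connection((host, ICAP_PORT), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            part = sock.recv(65536)
            if not part:
                break
            chunks.append(part)
    return b"".join(chunks)
```

A quick reachability check from a proxy host is send_icap(appliance, build_options(appliance)); the reply's Methods and ISTag headers confirm the firewall rule for port 1344 is in place.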
04
PERFORMANCE

Performance considerations
• SandBlast appliance performance estimations
̶ TE100X – 100k files per month, approx. 1k users (4 VMs)
̶ TE250X – 250k files per month, approx. 1.7k users (8 VMs)
̶ TE1000X – 1M files per month, approx. 7k users (28 VMs)
̶ TE2000X – 1.5M files per month, approx. 20k users (40 VMs)
̶ TE2000X HPP – 2.0M files per month, approx. 20k users (56 VMs)
• Clustering of SandBlast appliances is supported but not recommended
̶ Rather configure SandBlast Private Cloud via tecli advanced remote
• Sizing considerations based on current average
̶ 2 unique files per user per day (Email)
̶ 5 unique files per user per day (Web)
• Please note that it is normal to build a queue in the first 2-7 days before the emulation happens in close to real time; this is called the learning phase
Performance Cloud/Local emulation
• Example: Device is a security gateway which already runs Anti-Virus and will emulate files using Cloud emulation or Local emulation
̶ Expected degradation – 5-10 %
̶ The reason – most of the work is already done by the AV
• What about a gateway which doesn't run the AV?
̶ Like AV performance numbers…
̶ Do a proper sizing with the Appliance Sizing Tool
̶ For most accuracy get CPSIZEME from the customer environment first (SK88160) – the result can be uploaded into the AST
04.1
EMULATION PROCESSES
AND TUNING

TE Resource intensive processes – File Aggregation

[Pipeline diagram: File Aggregation (kernel, dlpu) → Cache (ted) → Static Analysis (python) → Emulation (qemu-system-x86_64)]

The file aggregation includes:
1. The parsers (Web, Mail) which deeply inspect the connections for traffic
2. The DLPK (DLP Kernel module), which transfers the file parts to the DLPU daemon (1 per CoreXL instance)
3. DLPU process which writes it to $FWDIR/tmp/te
4. Passes the reassembled file to TED
TE Resource intensive processes – File Aggregation
Aggregate less, and less work will be needed in the continuation of the flow:
• Limit the protected scope
• Limit emulation settings
TE Resource intensive processes – Cache
The cache is very lightweight, but has an enormous (positive) effect on the performance.
Screenshot from a typical environment:
– 63% local cache hit rate
– Cache needs to build up in the first days
Normally, no need for tuning – the cache max size can be changed in extreme conditions (Threat Prevention -> Advanced -> Engine Settings -> Configure Settings)
TE Resource intensive processes – Static Analysis
The static analysis is composed of python processes, which aim at skipping emulation of files that we can be sure (with a very high level of confidence) do not contain malware.
It is relatively heavy in IO (yet cheaper than emulation) – on installations where the IO is the bottleneck and emulation is on the cloud, you can consider disabling it.
TE Resource intensive processes – Static Analysis
In this example, Static analysis filtered 1429 files out of the 3005 that passed the cache (8156 received, 5151 filtered by cache) – almost 50%.
Can be disabled per TP profile.
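A sizing and pipeline-funnel calculator for the "Performance considerations" slide and the static-analysis counts above, as an added example that is not Check Point's sizing tool: it turns a user count into the slide's monthly unique-file estimate, picks the smallest appliance whose file and user capacity both cover it, and computes per-stage filter rates from the counters the slide shows. A 30-day month and the optional headroom factor are assumptions.

```python
# Appliance capacities as listed on the "Performance considerations" slide:
# (model, unique files per month, approx. users, emulation VMs)
APPLIANCES = [
    ("TE100X", 100_000, 1_000, 4),
    ("TE250X", 250_000, 1_700, 8),
    ("TE1000X", 1_000_000, 7_000, 28),
    ("TE2000X", 1_500_000, 20_000, 40),
    ("TE2000X HPP", 2_000_000, 20_000, 56),
]

# The slide's current averages of unique files per user per day.
FILES_PER_USER_PER_DAY = {"email": 2, "web": 5}

DAYS_PER_MONTH = 30  # assumption: the slide gives monthly capacities but no month length


def monthly_unique_files(users, channels=("email", "web")):
    """Estimated unique files per month for the protected scope (email and/or web)."""
    per_day = sum(FILES_PER_USER_PER_DAY[c] for c in channels)
    return users * per_day * DAYS_PER_MONTH


def pick_appliance(users, channels=("email", "web"), headroom=1.0):
    """Smallest appliance whose file AND user capacity cover the estimate; the stricter
    of the two limits wins, which is why 1k users with email+web already exceed a TE100X.
    headroom > 1.0 reserves file capacity (e.g. 1.2 for 20%) for growth or a traffic
    blend above the slide's averages. Returns (model or None, estimated files/month)."""
    files = monthly_unique_files(users, channels) * headroom
    for model, cap_files, cap_users, _vms in APPLIANCES:
        if files <= cap_files and users <= cap_users:
            return model, files
    return None, files  # no single appliance fits: shared/redundant appliances or cloud


def te_funnel(received, cache_hits, static_filtered):
    """Per-stage filtering of the TE pipeline (aggregation -> cache -> static analysis ->
    emulation). Returns the hit/filter rates and the files that actually reach emulation."""
    after_cache = received - cache_hits
    emulated = after_cache - static_filtered
    if received <= 0 or after_cache < 0 or emulated < 0:
        raise ValueError("inconsistent stage counters")
    return {
        "cache_hit_rate": cache_hits / received,
        "static_filter_rate": static_filtered / after_cache if after_cache else 0.0,
        "emulated": emulated,
        "emulated_share": emulated / received,
    }


if __name__ == "__main__":
    model, files = pick_appliance(1000)
    print(f"1000 users, email+web: ~{files:,.0f} files/month -> {model}")
    # Counters from the slide's static-analysis example: 8156 received, 5151 cache hits, 1429 filtered
    stats = te_funnel(8156, 5151, 1429)
    print(f"cache hit rate {stats['cache_hit_rate']:.0%}, static analysis filtered "
          f"{stats['static_filter_rate']:.0%} of the rest, {stats['emulated']} files emulated")
```

Running te_funnel on the slide's counters reproduces its 63% cache hit rate and "almost 50%" static-analysis figure, and shows that only about a fifth of the received files end up occupying an emulation VM.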
TE Resource intensive processes – Emulation
The emulation is the most resource intensive process in the system, and runs the qemu based virtual machines (qemu-system-x86_64) as well as the fake internet server (python).

[Screenshot: emulation processes]
TE Resource intensive processes – Emulation
The SandBlast appliance has verbose CLI output (under the ‘tecli show emulator’ submenu). The most useful (performance wise) is
# tecli show emulator vm synopsis
[Screenshot callouts]
– Pending emulation requests – files awaiting a ‘slot’ in a VM
– Current files and total files show an indication of the multiple file execution effectiveness
TE Resource intensive processes – Emulation
Further info with
# tecli show statistics
A high average process time for emulated files indicates an overloaded emulation unit.
TE Resource intensive processes – Emulation
The ‘Running virtual machines’ are limited by License, RAM and CPU:
• License – unlimited VMs on an evaluation license, 8 on TE250X and 28 on TE1000X for example
• RAM – by default, up to 70% of the RAM will be used by VMs. Keep it so on machines servicing as ‘emulation only’ (remote target); decrease it if the memory is needed for other purposes
• CPU – by default, if the cores allocated for emulation are more than 90% busy, no more VMs will start until the load drops below that
Tuning the emulation OS’ (last resort)
• Emulate on fewer environments
• Emulate for less time
• Both will affect the detection rate
04.2
SIZING TOOL

sk93598 - Threat Emulation Sizing Tool
• Knowing how many emulated files pass is crucial for
̶ Choosing the correct Cloud Quota
̶ Choosing the correct appliance
• Enable Threat Emulation in sizing mode (requires R77.X)
̶ Enable Threat Emulation and install policy (ignore lic warning)
̶ Enable sizing mode: tecli control sizing enable
̶ Files will be aggregated according to the configuration; this means we get the same performance impact on the gateway as activating TE with cloud/dedicated SandBlast appliance
̶ View statistics and logs normally, as if TE was enabled
• No license is needed
̶ No emulation is done
̶ More details at sk93598
LAB 9

QUESTIONS?

Next – Troubleshooting and Debugging