By Ralph Bonnell
Service Provider Takeaway: Check Point introduces several new FireWall-1/VPN-1 Features. This section of the chapter excerpt from Check Point NGX R65 Security Administration will explain how to best utilize these features.
Download the .pdf of the chapter here.
VPN technology has been an integral part of firewalls since the late 1990s. With the rise of the Internet in the early 1990s, most firms' first concerns were for a firewall that allowed them safe connectivity between their internal networks and the Internet. Once organizations began to use the Internet to connect separate offices, it became obvious that providing VPN functionality was a natural fit for firewall manufacturers. The fact that network address translator (NAT), IPSec, and antispoof checking have complex interactions has further driven the consolidation of these functionalities into a single perimeter device.
Although VPN technology was initially a separate add-on to FireWall-1, it soon became part of the standard package, and now, with version NGX, the firewall product itself has been renamed VPN-1 Pro, for reasons that aren't entirely obvious, given the large mindshare and recognition of the name FireWall-1. NGX offers several new updates and upgrades in VPN functionality.
SmartDefense/Web Intelligence is Check Point's way of providing an intelligent defense against attacks directed at open ports as well as a defense against other, more sophisticated types of attacks. Though previous versions of FireWall-1/VPN-1 included early versions of SmartDefense/Web Intelligence, these defenses have been upgraded and improved in NGX.
Because your site may have separate networks that each need a special level of protection, SmartDefense Protection Profiles have been updated and you now can tailor the SmartDefense protection configuration using the precise defenses required for each gateway. You can view the SmartDefense Protection Profiles using SmartPortal.
The NGX R65 now supports Intel Active Management Technology (AMT) for Linux and SecurePlatform to isolate endpoint computers that violate the network security policy. In addition, AMT Quarantine installs a special security policy that restricts inbound and outbound traffic on suspect endpoint hosts, which protects the larger network from malicious activity.
Aggressive Aging helps to manage the connections table capacity and memory consumption of the firewall to increase durability and stability. This feature introduces a set of short timeouts called aggressive timeouts. When a connection is idle for more than its aggressive timeout, it is marked as eligible for deletion. When the connections table or memory consumption reaches the user-defined threshold (or high-water mark), Aggressive Aging begins to delete connections that are eligible for deletion, until memory consumption or connections capacity decreases back to the desired level.
Aggressive Aging allows the gateway machine to handle large amounts of unanticipated traffic such as during a denial of service (DoS) attack.
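The following Python model of the Aggressive Aging behavior described above is an added example, not Check Point code. The class and method names, the timeout values, and the choice to delete the longest-idle connections first are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    last_seen: float           # time of the last packet on this connection
    normal_timeout: float      # regular idle timeout, always enforced
    aggressive_timeout: float  # shorter timeout, enforced only under pressure


class ConnTable:
    """Toy connections table with a high-water mark (illustrative only)."""

    def __init__(self, high_water: int, target: int):
        self.high_water = high_water  # entry count that triggers Aggressive Aging
        self.target = target          # "desired level" to fall back to
        self.conns = {}

    def touch(self, key, now, normal_timeout=3600.0, aggressive_timeout=60.0):
        # Create the entry or refresh its idle timer.
        self.conns[key] = Conn(now, normal_timeout, aggressive_timeout)

    def expire(self, now):
        # Ordinary aging: runs regardless of load.
        dead = [k for k, c in self.conns.items()
                if now - c.last_seen > c.normal_timeout]
        for k in dead:
            del self.conns[k]
        return dead

    def aggressive_age(self, now):
        # Below the high-water mark nothing is deleted, even if eligible.
        if len(self.conns) < self.high_water:
            return []
        eligible = sorted(
            (k for k, c in self.conns.items()
             if now - c.last_seen > c.aggressive_timeout),
            key=lambda k: self.conns[k].last_seen)  # longest idle first
        deleted = []
        for k in eligible:
            if len(self.conns) <= self.target:
                break
            del self.conns[k]
            deleted.append(k)
        return deleted
```

Connections that were active within their aggressive timeout are never touched by `aggressive_age`, so a flood of short-lived entries is reclaimed without cutting off live sessions.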
Administrators can ensure that users traversing the firewall are protected by the Integrity endpoint shield. When configuring a Check Point gateway, the administrator identifies whether hosts accessing the network from the internal interface have to be authorized by the Integrity Server. A user not authorized by the Integrity Server receives notification (through the Hypertext Transfer Protocol [HTTP] or e-mail) to this effect.
An administrator can define several additional parameters, such as:
- Check authorization of all clients
- A white list of machines that do not have the Integrity Server installed but can still traverse the firewall
- Tracking options for authorized or unauthorized clients
- Activating cooperative enforcement in monitor-only mode
Monitor-Only Deployment Mode
In the monitor-only deployment mode, the firewall requests authorization statuses from the Integrity Server but, regardless of the received statuses, connections are not dropped. In addition (if configured by the administrator), the Cooperative Enforcement feature generates logs regardless of deployment mode.
Handling an Unauthorized Host
Unauthorized hosts can be added to the host's exception list, or the administrator can take appropriate action to make these hosts compliant.
Internal URL Web Filtering
In the NGX R65, VPN-1 gateways with content inspection capabilities are able to inspect and control HTTP traffic. The Web Filtering function screens incoming URL requests against a database to determine whether the URL request should be blocked or allowed. Web filtering takes place according to predefined categories made up of URLs. The Web filter checks the URL of a Web page against a list of approved sites.
In this way, complete sites or pages within sites that contain objectionable material (e.g., pornography, illegal software, or spyware) can be blocked.
Web (URL) filtering is based on the SurfControl engine which is now built into Check Point software. This provides for filtering rules based on the organization's needs, predefined categories made up of URLs and patterns of URLs, and a Web filtering database provided by Check Point.
Internal Antivirus Scanning
Since R61, antivirus scanning has been included in the NGX. Enabling antivirus scanning using the CA eSafe engine will allow you to scan an assortment of network protocols, trap them in the kernel, and forward them to the security server, which then transmits the captured files or data to the antivirus engine. The antivirus engine will allow or block data, depending on the reply from the antivirus engine. Antivirus scanning will apply to all traffic that has been permitted using the Security Policy.
SmartView Monitor can now provide statuses and counters for gateways with antivirus and Web filtering. The statuses are divided into the following two categories:
- Current status
- Update status (such as when the signature update was last verified)
Antivirus statuses are associated with signature checks and Web filtering statuses are associated with URLs and categories. SmartView Monitor can also run antivirus and Web filtering counters. For instance, the following reports are available:
- Top five attacks in the past hour
- Top 10 attacks since the last reset
- Top 10 HTTP attacks in the past hour
- General information regarding HTTP attacks
You can schedule virus signatures to automatically update at any preferred period, or you can start manual updates of virus signatures at any time. Check Point provides antivirus and Web filtering updates. Check Point User Center credentials are necessary for the updates.
The antivirus engine acts as a proxy, and will cache the scanned file prior to sending it to the client. Continuous Download will trickle data while the antivirus scan is taking place. If a virus is found during the scan, the file transfer is concluded. File types for which Continuous Download will not be used are configurable.
You can scan files "by direction" or by IP address. In either instance, antivirus scanning will be performed only against traffic that has been permitted through the security rulebase.
Layer 2 Firewalling
Layer 2 firewall deployment enables a VPN-1 gateway to be inserted into an internal network without affecting the existing IP address routing scheme. Traffic authorized by the firewall is passed between bridged interfaces, which forward the traffic over Layer 2. This feature is supported only on stand-alone gateways.
New Session Initiation Protocol (SIP) features to enhance Voice over IP (VoIP) include:
- Media Gateway Control Protocol (MGCP) NAT support
- MGCP on dynamic ports
- SIP NAT support in a Back-to-Back User Agent (B2BUA) configuration
- Static NAT for SIP proxies in the internal network
- Extended SIP state machines
- Blocked/allowed SIP commands
- Interoperability with Nortel, Broadsoft, Cisco, NEC, Polycom, Sylantro, Avaya, and others
A SYN-cookies mode has been added to SYNDefender to prevent a DoS SYN flood attack. In a SYN flood, external hosts overwhelm a server machine by sending a constant stream of Transmission Control Protocol (TCP) connection requests. The server machine continues to allocate resources until all its resources are exhausted. With SYN cookies, the server machine does not allocate resources until the server's SYN/ACK packets receive an ACK in return, meaning that the original request for a connection was legitimate. Using SYN cookies, the TCP three-way handshake is performed without saving state information. The connection is not registered in the connection table until the connection proves itself legitimate.
For a host, not saving any state information on an incoming SYN means the server is no longer vulnerable to backlog DoS SYN flood attacks. For a gateway, this means that processing time spent on spoofed SYN packets is reduced, and memory consumption is eliminated.
SYNDefender now has two active modes: relay mode and SYN cookie mode.
In relay mode, when a SYN arrives, the connection table registers the connection in the usual way. In cookie mode, the firewall is not informed of the handshake with the external host or client until the client has shown itself to be legitimate. The SYN packet from the client is dropped and a SYN-ACK with a cookie set is sent directly to the client interface.
After receiving the ACK from the client, which completes the client handshake, SYNDefender transforms the ACK into a SYN and registers it in the connection table. Processing the connection then proceeds in the same way as relay mode.
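The stateless handshake described above can be modeled in a few lines of Python. This is an added example, not SYNDefender's implementation: the HMAC-based cookie, the 64-second time slot, the secret, and all names and addresses are constructed assumptions, and real SYN cookies also encode options such as the MSS.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"  # constructed; a real device uses a random secret
SLOT_SECONDS = 64                    # assumed cookie lifetime granularity


def cookie(src, sport, dst, dport, client_isn, slot, secret=SECRET):
    """32-bit value derived from the 4-tuple, the client ISN and a time slot."""
    msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{slot}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


class CookieGateway:
    def __init__(self):
        self.conn_table = set()  # only verified connections ever land here

    def on_syn(self, src, sport, dst, dport, client_isn, now):
        # Nothing is stored: the cookie becomes the sequence number of the
        # SYN-ACK, so the state travels with the packet instead of in memory.
        return cookie(src, sport, dst, dport, client_isn, int(now) // SLOT_SECONDS)

    def on_ack(self, src, sport, dst, dport, seq, ack, now):
        # The final ACK carries client_isn + 1 and cookie + 1; recompute and compare.
        client_isn = (seq - 1) & 0xFFFFFFFF
        slot = int(now) // SLOT_SECONDS
        for s in (slot, slot - 1):  # accept the current and the previous slot
            expected = (cookie(src, sport, dst, dport, client_isn, s) + 1) & 0xFFFFFFFF
            if expected == (ack & 0xFFFFFFFF):
                # Handshake proven; only now is the connection registered.
                self.conn_table.add((src, sport, dst, dport))
                return True
        return False
```

Spoofed SYNs cost the gateway one hash each and no table entries, because a source that never sees the SYN-ACK cannot produce the matching ACK.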
Reprinted from Chapter one of Check Point NGX R65 Security Administration by Ralph Bonnell. Printed with permission from Syngress, a division of Elsevier. Copyright 2007. For more information about this title, please visit www.syngress.com.
This was first published in June 2008