By Ralph Bonnell
Service Provider Takeaway: Check Point's NGX is the primary security software platform for the company's enterprise firewall, VPN and management solutions. NGX R65 is the newest release from the company. This section of the chapter excerpt, from Check Point NGX R65 Security Administration by Ralph Bonnell, will focus on managing the integrity advanced server.
Downlaod the .pdf of the chapter here.
For Integrity 6.6 on the R65 installation CD, the embedded datastore now supports up to 2,000 concurrent users, removing the need for an external database. Logs, which are now stored on the embedded Check Point Log Server, integrate with Check Point and third-party reporting tools. (The Check Point Log Server is a high-performance log server that scales to the needs of the most intensive customers. Archiving, backup, and restore are much simpler now with the embedded datastore.) Customers with more than 2,000 concurrent users should continue to use Integrity 6.5 until Integrity 7.0 is released.
New VPN Features
NGX offers several new updates and upgrades in VPN functionality. We will discuss some of the new features for VPN support with NGX R65 in the following sections.
Understanding the New VPN Options
Rather than creating individual encryption rules to handle the traffic between VPN terminator gateways, the user need only create a VPN community and then specify the gateways and properties. With NGX R65, Check Point has preserved this useful and simple mental model and has added some additional functionality.
Allowing Directional VPN Rules
Enforcement of VPN rules by direction of connection is now possible. By going to the Policy | Global Properties | VPN | Advanced dialog box, you can check the box allowing directional specificity in the VPN element in the rulebase. Whereas in NG AI, directionality in VPN communities was an all-or-nothing proposition, the ability to now specify directionality is useful.
Allowing Backup Links and On-Demand Links
A pair of VPN gateways can now have multiple links between them (say, through multiple Internet service providers [ISPs]), allowing more than one communication path between them. This allows the configuration of back-up links and on-demand links.
Allowing Wire Mode VPN Connectivity
You can now enable VPN connections in NGX as wire mode, reflecting the fact that communications over the VPN are inherently trusted. When you label a connection as wire mode, packets traversing this connection are not inspected by stateful inspection, enabling these connections to successfully fail over. In wire mode, dynamic routing protocols are available for VPN traffic.
Allowing Route-Based VPNs
NGX now supports the Open Shortest Path First/Border Gateway Protocol (OSPF/ BGP) for VPN traffic routing. Every tunnel is represented as a virtual adapter, allowing OSPF and BGP traffic to be encapsulated.
Allowing Permanent Tunnels
Permanent tunnels are "nailed-up" connections. This permits more advanced monitoring of VPN traffic through these tunnels, and prevents latency problems for applications that are sensitive to link setup delays.
Same Local IP and Cluster IP Address for VTIs
The NGX R65 provides the capability to arrange the same local IP and cluster IP address for virtual tunnel interfaces (VTIs) on the equivalent cluster member, reducing the total number of IP addresses required in a cluster configuration.
Antispoofing for Unnumbered Interfaces on IPSO
The NGX R65 now provides support for antispoofing on unnumbered interfaces on the Nokia IPSO.
Dynamic Routing and VTIs
The R65 provides support for networks that use dynamic routing to deploy a remote IP address of VTIs in clusters.
Configurable Metrics for Dial-up Routes
The R65 provides the capability to separately configure the metric of dial-up routes.
Interoperability between SecurePlatform and IPSO
SecurePlatform gateways using VTIs can use OSPF as of R65. This provides enhanced interoperability between SecurePlatform using numbered VTIs, and the Nokia/IPSO platform using unnumbered VTIs.
Route-Based VPN Improvements
NGX R65 management gateways may be located in the encryption domain without having to filter out its IP address from the dynamic routing protocol distribution for route-based VPN configurations.
Customer-Defined Scripts for VPN Peers
Customer scripts are capable of running on the R65 in cases where a VPN peer has stopped partaking in a community that has RIM enabled.
Route-Based VPN and IP Clustering Support
The R65 supports IP address clustering with route-based VPN on IPSO.
RIM Performance Improvements on IPSO
The R65 features a performance improvement with RIM for the process of injecting routes on Nokia IPSO.
The SSL Network Extender (SNX) is now fully supported on the Microsoft
Windows Vista operating system. With NGX R65 it provides the capability to add:
■ An ICS policy per user group with the facility to characterize an integrity
Clientless Security (ICS) policy for each individual user group
■ An encryption domain per user group allowing the capacity to describe an encryption domain for each individual user group
The NGX R65 also has a considerably improved connection speed associated with the Secure Sockets Layer (SSL) extender.
SecureClient Mobile is a client for mobile devices to add VPN and firewall capabilities. It substitutes for SecureClient for PocketPCs, works on a variety of platforms, facilitates simple deployments, and features an easy upgrade path. SecureClient Mobile's VPN is based on SSL (HTTPS) tunneling and permits handheld systems to connect to resources protected by Check Point gateways in a secure manner. The client can be controlled by third-party applications via a programmable and extensible interface.
SecureClient Mobile operates in the following modes:
■ Centrally managed mode The client bonds with a gateway configured for SecureClient Mobile, and downloads a set of policies that were sent to the gateway from SCS. The client can then enforce the policies it received.
■ SNX mode This mode lets a client connect to a gateway configured only for an SNX. The client does not download policies in this mode, but will implement a set of policies that were loaded upon client installation. It can integrate with any gateway configured to provide SNX network mode.
This mode is supported by Check Point VPN-1 Pro R55 HF10 versions and later, and on Connectra 2.0 and later.
In this section, we'll discuss interface bonding and multicast routing failover support.
Interface bonding facilitates the construction of a redundant, fully meshed topology in High Availability mode configurations. A fully meshed topology requires two interfaces on a gateway that attach to two switches (one active and one passive). This bonds the interfaces, letting them operate as a unit, sharing an IP and Media Access Control (MAC) address. If a failure occurs on the active switch connection, the active interface senses the failure and will fail over to the supplementary bonded interface that is connected to the second switch.
Multicast Routing Failover Support
The Multicast group, source address, and incoming and outgoing interface indexes of Multicast traffic are synchronized among all cluster members for cluster deployments in the NGX R65. This synchronization provides the capacity to continue Multicast sessions if a failover condition occurs. The NGX R65 supports PIM-DM and PIM-SM Multicast routing protocols.
NGX R65 Operational Changes
New SmartPortal Features
New Firewall-1/VPN-1 Features
Edge Support for CLM
Integrity Advanced Server
Check Point NGX R65 FAQs
Reprinted from Chapter one of Check Point NGX R65 Security Administration by Ralph Bonnell. Printed with permission from Syngress, a division of Elsevier. Copyright 2007. For more information about this title, please visit www.syngress.com.