Part IV: Deploying Solutions Using Firewall Products
Chapter 17: The Champ: Check Point FireWall-1 Next Generation

In addition, third-party applications can be integrated into the FireWall-1 deployment to provide additional features, such as URL filtering and antivirus protection. URL filtering allows FireWall-1 to block access to specific Internet sites based on their URL. Antivirus protection moves the responsibility for scanning from the desktop to the actual point of entry to the network: deploying antivirus protection at the firewall ensures that virus-infected content is discarded before it enters the network. Check Point provides interoperability with third-party products that support the Open Platform for Security (OPSEC). OPSEC-compliant devices are managed by downloading the Security policy defined in FireWall-1 to those devices, which allows centralized and uniform management of your network's perimeter security solution.

Intrusion detection

The final form of protection against attackers provided by FireWall-1 is intrusion detection through Check Point SmartDefense. SmartDefense protects against external attacks by tracking potential attacks and providing notification of the attempts. SmartDefense provides the following features for detecting potential attacks:

- Validation of stateless protocols. Protocols such as User Datagram Protocol (UDP) and Remote Procedure Call (RPC) do not maintain a connection. SmartDefense tracks source and destination ports so that a reply over these protocols is accepted only if it matches a request the firewall has already seen, which prevents a session from being hijacked or used to carry an attack.

- Inspection of sequence numbers. Transmission Control Protocol (TCP) uses sequence numbers to reorder segments that arrive out of order at the destination host. A segment whose sequence number falls outside the expected window can indicate a replay attack against a protected host. SmartDefense can drop such segments, or forward them with the data component stripped.

- Fragmentation inspection. Many attacks send malformed packets that are incorrectly fragmented in an attempt to bypass or breach the firewall. SmartDefense identifies these packets, logs the attempt, and drops the packets.

- Malformed packet logs. SmartDefense performs application-level inspection to identify malformed File Transfer Protocol (FTP) and Domain Name System (DNS) packets. Both forms of attack are logged as events in the VPN-1/FireWall-1 log database, and the malformed packets are dropped at the external interface. For both protocols, allowed actions may be defined.

- SYNDefender. This module prevents the denial-of-service attack known as SYN (synchronization) flooding. If a server receives a large number of TCP connection-initiation (SYN) packets for which the handshake is never completed, SYNDefender terminates those half-open connections so that the server's connection table is not exhausted.

- Kernel-level pattern blocking. This feature detects and blocks attacks against the Microsoft IIS Indexing Service that attempt to take over the target server as a launch point for further attacks. Code Red is an example of this form of attack: by compromising the indexing service, Code Red turned the target server into a drone that attacked other servers on the network and the Internet.

Network Address Translation (NAT)

The NAT process in FireWall-1 replaces RFC 1918 private addresses with public IP addresses in outgoing packets, and public IP addresses with private addresses in incoming packets. Rather than implement separate NAT and static address-mapping functions, FireWall-1 uses the same NAT editor for both inbound and outbound traffic. This simplifies NAT design because a single tool defines all address mappings.
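Two of the SmartDefense checks listed above, modelled in Python as an added example (this is not Check Point code): a SYNDefender-style half-open connection limiter and a TCP sequence-number window check that either drops an out-of-window segment or forwards it with its data stripped. The Packet fields, the limits, the port numbers and the sample traffic are assumptions made for the example.

```python
"""SmartDefense-style checks modelled in Python (added example, not Check Point
code): a SYNDefender-like half-open connection limiter and a TCP sequence-number
window check. The Packet fields, the limits and the sample traffic are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

SEQ_MASK = 0xFFFFFFFF          # TCP sequence numbers wrap at 2**32


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str                 # "SYN", "ACK" or "DATA" (simplified)
    seq: int = 0
    payload_len: int = 0
    ts: float = 0.0            # arrival time in seconds


class SynDefender:
    """Track half-open connections per (server, port). A SYN that would push the
    count past `limit` is dropped; entries older than `timeout` seconds are
    removed and recorded as connections the firewall would reset on the server."""

    def __init__(self, limit=100, timeout=10.0):      # assumed defaults
        self.limit = limit
        self.timeout = timeout
        self.half_open = defaultdict(dict)            # (dst, dport) -> {(src, sport): ts}
        self.terminated = []                          # flows timed out and reset

    def _expire(self, now):
        for table in self.half_open.values():
            for flow, ts in list(table.items()):
                if now - ts > self.timeout:
                    del table[flow]
                    self.terminated.append(flow)

    def handle(self, pkt):
        """Return "accept" or "drop" for one packet."""
        self._expire(pkt.ts)
        table = self.half_open[(pkt.dst, pkt.dport)]
        flow = (pkt.src, pkt.sport)
        if pkt.flags == "SYN":
            if len(table) >= self.limit:
                return "drop"                         # server would run out of half-open slots
            table[flow] = pkt.ts
        elif pkt.flags == "ACK":
            table.pop(flow, None)                     # third handshake packet: now established
        return "accept"


@dataclass
class SeqState:
    """Receive-side view of one direction of a TCP connection."""
    next_expected: int
    window: int = 65535


def check_sequence(state, pkt, mode="drop"):
    """Accept a segment only if it overlaps the receive window
    [next_expected, next_expected + window). Segments outside it (replays of
    old data, or numbers far ahead of the stream) are dropped, or with
    mode="strip" forwarded without their data."""
    def offset(x):             # distance from the window start, modulo 2**32
        return (x - state.next_expected) & SEQ_MASK

    first = pkt.seq & SEQ_MASK
    last = (pkt.seq + max(pkt.payload_len, 1) - 1) & SEQ_MASK
    if offset(first) < state.window or offset(last) < state.window:
        if pkt.payload_len and first == state.next_expected:
            state.next_expected = (last + 1) & SEQ_MASK   # in-order data: slide the window
        return "accept"
    return "strip" if mode == "strip" and pkt.payload_len else "drop"


def run_demo():
    """Constructed traffic: a three-SYN flood against a two-slot server, then a
    data stream containing one replayed segment and one far-future segment."""
    sd = SynDefender(limit=2, timeout=3.0)
    flood = [Packet(f"198.51.100.{i}", "10.0.0.5", 40000 + i, 80, "SYN", ts=i * 0.1)
             for i in range(1, 4)]
    syn_actions = [sd.handle(p) for p in flood]

    st = SeqState(next_expected=1000)

    def seg(seq, n):
        return Packet("198.51.100.9", "10.0.0.5", 5000, 80, "DATA", seq=seq, payload_len=n)

    stream = [seg(1000, 100), seg(1100, 100), seg(1000, 100), seg(90_000_000, 10)]
    seq_actions = [check_sequence(st, p, mode="strip") for p in stream]
    return syn_actions, seq_actions, st.next_expected


if __name__ == "__main__":
    print(run_demo())
```

The sequence check uses modular arithmetic so that it keeps working when the sequence space wraps past 2**32; the replayed segment in the demo is rejected because the window has already slid past it, which is exactly the "incorrect sequence number" case the text describes. The half-open table is the resource a SYN flood tries to exhaust, so the limiter counts per destination address and port rather than per source, which an attacker can spoof freely.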
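The NAT process just described, modelled in Python as an added example (not Check Point code): a gateway that hides an internal network behind a single external address for outbound traffic, applies a 1:1 static mapping for a published server in both directions, and applies the anti-spoofing check to packets arriving on the external interface. The addresses, the port pool, the table layout and the sample packets are assumptions made for the example.

```python
"""Hide (dynamic) NAT, static NAT and the anti-spoofing drop described above,
modelled in Python (added example, not Check Point code). The addresses, the
port pool and the sample packets are assumptions."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class NatGateway:
    def __init__(self, hide_ip, internal_nets, static_map=None):
        self.hide_ip = hide_ip                              # single external address for outbound
        self.internal = [ipaddress.ip_network(n) for n in internal_nets]
        self.static = dict(static_map or {})                # (public_ip, port) -> (private_ip, port)
        self.static_rev = {v: k for k, v in self.static.items()}
        self.hide_table = {}                                # (hide_ip, port) -> (private_ip, sport)
        self.hide_rev = {}                                  # (private_ip, sport) -> port
        self._next_port = 10000                             # assumed start of the hide-NAT port pool

    def is_internal(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.internal)

    def outbound(self, pkt):
        """Packet leaving through the external interface. A published server
        keeps its 1:1 static mapping; every other internal host is hidden
        behind hide_ip with a unique source port. Returns None for a packet
        that is not from an internal network."""
        key = (pkt.src, pkt.sport)
        if key in self.static_rev:
            ip, port = self.static_rev[key]
            return replace(pkt, src=ip, sport=port)
        if not self.is_internal(pkt.src):
            return None
        port = self.hide_rev.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self.hide_rev[key] = port
            self.hide_table[(self.hide_ip, port)] = key
        return replace(pkt, src=self.hide_ip, sport=port)

    def inbound(self, pkt):
        """Packet arriving on the external interface: anti-spoofing first, then
        static NAT for published servers, then replies to hidden hosts.
        Returns (action, packet_or_reason)."""
        if self.is_internal(pkt.src):
            return "drop", "anti-spoofing: internal source address on external interface"
        key = (pkt.dst, pkt.dport)
        if key in self.static:
            ip, port = self.static[key]
            return "accept", replace(pkt, dst=ip, dport=port)
        if key in self.hide_table:
            ip, port = self.hide_table[key]
            return "accept", replace(pkt, dst=ip, dport=port)
        return "drop", "no translation: hide NAT is outbound-only"


def run_demo():
    """Constructed traffic through a gateway hiding 192.168.1.0/24 behind
    203.0.113.10 and publishing 192.168.1.80:8080 as 203.0.113.20:80."""
    gw = NatGateway("203.0.113.10", ["192.168.1.0/24"],
                    static_map={("203.0.113.20", 80): ("192.168.1.80", 8080)})
    out = gw.outbound(Packet("192.168.1.25", "198.51.100.7", 51515, 443))    # hidden client
    reply = gw.inbound(Packet("198.51.100.7", out.src, 443, out.sport))       # its reply
    web = gw.inbound(Packet("198.51.100.9", "203.0.113.20", 40000, 80))      # to published server
    spoof = gw.inbound(Packet("192.168.1.1", "203.0.113.20", 40000, 80))     # spoofed internal source
    unsolicited = gw.inbound(Packet("198.51.100.9", "203.0.113.10", 1, 22))  # nothing maps to this
    return out, reply, web, spoof, unsolicited


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

The anti-spoofing test runs before any translation is attempted, so a packet that claims an internal source on the outside interface is never matched against the static map; and because hide NAT allocates ports only when an internal host initiates a connection, an unsolicited inbound packet to the hide address has no table entry and is dropped, which is the property the text refers to when it says dynamic NAT is outbound-only.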
The FireWall-1 NAT feature supports advanced protocols that require dynamically chosen ports, such as Microsoft NetMeeting and other H.323 applications.

For outgoing traffic, FireWall-1 uses dynamic mode (hide NAT) to map all internal network addresses to a single external IP address. This hides the private network behind a single outbound address. You configure this NAT option by editing the properties of an internal network object in the FireWall-1 object database. Dynamic NAT can only be defined for outbound traffic. Limiting dynamic NAT to the outbound direction is also a security feature: no external host can address a hidden internal host directly, and FireWall-1's anti-spoofing check drops any packet that arrives on its external interface with an internal IP address as its source address.

For inbound traffic, the firewall administrator defines static mode NAT definitions that perform a 1:1 mapping between the Internet-accessible IP address and port and the true IP address and port of the Internet-accessible resource. When the firewall receives a connection to the externally accessible address, the destination information is translated to the true IP address of the network resource.

VPN-1

Virtual Private Networks (VPNs) allow remote users to create a "tunnel" between their remote client computer and a tunnel server at the corporate network. The advantage of tunneling is that the tunnels leverage an existing public network, such as the Internet, instead of requiring the deployment of a dedicated network infrastructure for high-speed remote access. Check Point provides VPN access through its VPN-1 line of products, which includes:

- VPN-1 Gateway: Provides secure connectivity between corporate networks, remote network partners, and mobile users.
  The VPN-1 Gateway supports industry standards, including Internet Protocol Security (IPSec), to encrypt the transmitted data.

- VPN-1 SecuRemote: Provides the client-side solution for remote users who require connectivity to the corporate network over dialup, Digital Subscriber Line (DSL), or cable modem connections. In addition to providing external access to the network, SecuRemote can also support intranet tunneling to protect data transmitted on the private network.

- VPN-1 SecureClient: Allows the firewall administrator to enforce security on connecting client computers. SecureClient ensures that a remote client is configured to the required level of corporate security, so that a poorly secured remote client does not become an access point to corporate resources, for example through session hijacking.

- VPN-1 Accelerator Card: Offloads cryptographic functions from the VPN server's processor to the accelerator card to increase the performance of a VPN-1 server.

Performance

All network traffic that enters and exits your corporate network passes through the FireWall-1 server. To keep performance optimal, FireWall-1 includes two products: FloodGate-1 and the ClusterXL module.

- FloodGate-1: Provides FireWall-1 with a Quality of Service (QoS) solution. QoS prioritizes specific network traffic and provides more bandwidth to those preferred data streams. An organization can first analyze its current incoming and outgoing traffic and then use FloodGate-1 to ensure that mission-critical applications don't suffer performance losses because non-critical applications overuse the available bandwidth. QoS works like a reservation system: a specific percentage of the available bandwidth is reserved for a specific application.
- ClusterXL module: Allows FireWall-1 and VPN-1 to be deployed in a fault-tolerant configuration for high availability, as shown in Figure 17-2. In Figure 17-2, two FireWall-1 servers are configured as a cluster, with each node sharing a common external IP address (represented by the letter A in the figure). Incoming connections can connect to either member of the cluster. If one FireWall-1 server fails, all connections are automatically redirected to the other server in the defined cluster. Not only must the external adapters share a common IP address, but they must also share the same MAC address so that routing is not affected when one FireWall-1 server fails and traffic is redirected to the other node in the cluster. The firewalls participating in the ClusterXL cluster must also have internal network interfaces that share an IP address and MAC address, which allows outbound traffic to fail over to another node by using a common default gateway address. Failover is the process of automatically switching to the other server in a cluster without the connecting clients having to do anything. Each firewall should also have its own unique IP addresses so that the individual servers can be managed.

Figure 17-2: Configuring FireWall-1 high availability with ClusterXL.

FireWall-1 Components

FireWall-1 can be deployed in either a standalone or an enterprise environment because it is composed of three separate components, which can be loaded on one server (a standalone environment) or on many servers (an enterprise environment):
- SMART client
- SmartCenter server
- VPN/FireWall module

The SMART client graphical user interface (GUI) enables the FireWall-1 administrator to define the Security policy that the organization will implement. The SMART client can run at the firewall itself or on a standalone administrative console, and it can be installed on a non-server-class computer: it has been successfully deployed on Windows 2000 Professional and Windows XP Professional desktop computers to manage Check Point FireWall-1 deployments.

The SmartCenter server is the storage location for all defined Security policies. When a firewall administrator defines Security policy using the SMART client, the policies are saved to the defined SmartCenter server. The SmartCenter server also stores network object definitions, user object definitions, log files, and FireWall-1 database files.

Finally, the VPN/FireWall module can be deployed on numerous devices that are FireWall-1-aware, including UNIX servers, Windows 2000 Server, switches, routers, and network appliances. The Security policies defined at the SmartCenter server by the SMART client are downloaded to the network device hosting the FireWall module.

Standalone deployments

Smaller organizations, or organizations with a single connection to the Internet, may prefer to implement FireWall-1 in a standalone deployment. In a standalone environment, the SMART client, the SmartCenter server, and the FireWall module all reside on the same physical device, as shown in Figure 17-3, rather than on separate computers in the network. The advantage of this configuration is that the cost of the firewall solution is minimized because only a single FireWall-1 license is required. The disadvantage is that if the firewall is compromised, the attacker also has access to the SmartCenter server component.
With the information stored on the SmartCenter server, especially the network object definitions, an attacker can fully map the interior structure of the network the firewall protects.

Figure 17-3: Deploying FireWall-1 in a standalone environment.

Client/Server deployment

A more secure deployment is to run FireWall-1 in a client/server configuration, as shown in Figure 17-4. In this figure, the SMART client connects to the SmartCenter server (Action 1) to define Security policy and network objects. The SmartCenter server then downloads the Security policy to the VPN/FireWall module installed on the perimeter server (Action 2). The advantage of this configuration is that the SmartCenter server can store Security policy for multiple FireWall modules. Likewise, the SMART client can connect to multiple SmartCenter servers to configure their Security policies.

Figure 17-4: Deploying FireWall-1 in a client/server environment.

FireWall-1 Next Generation Installation

The installation of FireWall-1 involves both installing the FireWall-1 software and configuring it after the necessary files have been copied to the local computer's hard drive.

Installing and Configuring FireWall-1 NG

To install the FireWall-1 NG files, do the following:

1. Determine whether your systems meet the minimum hardware requirements for the FireWall-1 SMART client, as shown in Table 17-1, and for the FireWall-1 SmartCenter server and FireWall module, as shown in Table 17-2.
Table 17-1: Minimum Hardware for FireWall-1 SMART Client

  Operating system: Windows 9x, Windows Me, Windows NT 4.0, Windows 2000, Sun Solaris SPARC
  Required disk space: 40MB
  Memory: 32MB
  Network interface: Must be on the operating system's Hardware Compatibility List (HCL)

Table 17-2: Minimum Hardware for FireWall-1 SmartCenter Server and FireWall Module

  Operating system: Windows 2000 (SP1 and SP2), Windows NT 4.0 SP6a, Sun Solaris 7 (32-bit mode only), Sun Solaris 8 (32- or 64-bit mode), Red Hat Linux 6.2, 7.0, and 7.2
  Required disk space: 40MB
  Memory: 128MB or higher
  Network interface: An ATM, Ethernet, Fast Ethernet, Gigabit Ethernet, FDDI, or Token Ring adapter on the operating system's Hardware Compatibility List (HCL)

2. Insert the Check Point Enterprise Suite CD-ROM in the computer's CD-ROM drive.
3. On the Welcome to NG Feature Pack 3 screen, click Next.
4. On the License Agreement page, click Yes.
5. On the Product Menu page, click Server/Gateway Components, and then click Next.
6. On the Server/Gateway Components page (see Figure 17-5), check the VPN-1 & FireWall-1, SMART Clients, and Policy Server boxes on the left, and then click Next.
7. On the Information page, ensure that you have selected the VPN-1 & FireWall-1, SMART Clients, and Policy Server boxes, and then click Next.
8. On the VPN-1 & FireWall-1 Enterprise Product page, check the Enforcement Module and SmartCenter Server (including Log Server) boxes, and then click Next.
9. On the VPN-1 & FireWall-1 Enterprise Management page, click Enterprise Primary Management, and then click Next.
10. On the Backward Compatibility page, click Install Without Backward Compatibility, and then click Next.

Figure 17-5: Selecting the setup type.

   Backward compatibility allows management of older versions of FireWall-1.
   If you plan to manage any VPN-1/FireWall-1 4.1 enforcement modules, make sure that you do install with backward compatibility; otherwise you have no way of controlling what Security policy those modules enforce.

11. On the Choose Destination Location page, accept the default destination directory, and then click Next.

   Selecting a directory other than the default requires you to modify the FWDIR environment variable. Failing to do so reduces your ability to debug firewall issues with the FWInfo debugging tool included with FireWall-1 NG. This step starts the actual copying of the software to your computer's hard drive.

12. In the Information dialog box, click OK.

At this point, the installation of the feature pack is complete. The firewall is not ready for use, however, until you install the necessary SMART clients, as described in the following steps:

1. On the Choose Destination Location page, accept the default destination folder, and then click Next.
2. On the Select Clients page, enable all options, and then click Next.
3. In the Information dialog box, click OK to confirm the completion of Setup.
4. On the Licenses page, click Fetch from File.

   You must obtain a license key from the User Center at the Check Point Web site (www.checkpoint.com/usercenter). You obtain the license key after you input the certificate key included with your FireWall-1 NG software. Without a valid license key, your installation of FireWall-1 is unusable.

5. In the Open dialog box, select the CPLicenseFile.lic file provided by Check Point, and then click Open.
6. In the cpconfig dialog box, click OK to confirm the installation of the license file.
7. On the Licenses page, click Next.
8. On the Administrators page, click Add.
9. In the Add Administrator dialog box (see Figure 17-6), enter an administrator name and password, designate the permissions assigned to the administrator, and then click OK.
   You can designate any number of administrators for FireWall-1, and even delegate specific customized permissions. But always make sure that your own account can manage the other administrators. It shows them who's the boss!

10. On the Administrators page, click Next.
11. On the Management Clients page (see Figure 17-7), add the names of any remote workstations from which remote management of the firewall is approved, and then click Next.
12. On the Key Hit Session page, type random characters until you hear a beep, and then click Next.

   These random keystrokes are used as the entropy source for generating the public/private key pair for the firewall's digital certificate. If your child aspires to be a computer hacker, this is his or her opportunity to aid in the installation of your firewall!

13. On the Certificate Authority page, click Initialize and Start Certificate Authority.
14. In the cpconfig dialog box, click OK to confirm the initialization.

Figure 17-6: Adding Administrators.

[...]

What to Compare?

Several features must be included in your criteria for choosing among different firewalls. When drafting your criteria, consider the following:

- ICSA Labs certification status: ICSA Labs, a division of TruSecure Corporation, performs standards testing for commercially available security products. Testing is provided for firewalls, antivirus solutions, Internet Protocol Security (IPSec) ...

[...] mapping to map a public network IP address to an RFC 1918 address. For more information about NAT, see Chapter 3. For more information about private IP addressing, see Chapter 2.

- Available licensing options: Networks grow in size over time. Be sure to research what licensing options are available for your firewall, and how easy (and more importantly ...
[...] provides a certification service for firewalls. In its latest Firewall Product Certification Criteria, version 4.0, ICSA evaluates firewalls based on the type of network that the firewall protects. The evaluation includes separate criteria for residential, small/medium business, and corporate firewalls. In addition, baseline requirements must be met by all submitted firewalls. You can view a listing ...

[...] Topology page, click Add.

6. In the Interface Properties dialog box, enter the following information on the General tab:
   Name: A logical name for the interface.
   IP Address: The IP address for the network interface.
   Net Mask: The subnet mask for the network interface.
7. In the Interface Properties dialog box, enter the following information on the Topology tab:
   External or Internal: Defines whether the network interface ...

[...] security for a specific hardware and software configuration. To find out more details on CCITSE, visit www.commoncriteria.org/ and csrc.ncsl.nist.gov/cc/.

- Logging options: The only place to find the details of an attack is in the firewall's logs. When researching firewalls, determine what log formats are supported by the firewall. For example, ...

Chapter 19: Ten Tools You Can't Do Without

[...] IP address. Then you can query the registration records for this IP address and find out the Internet Service Provider (ISP) who owns the IP address, including the contact information. This is just one example of the many tools included with Sam Spade that you can use to track down information. Check it out for yourself by using the online tool at www.samspade.org ...

[...] command to check entries on DNS servers for troubleshooting.

- Use the ipconfig command to confirm the TCP/IP configuration of your computer. Some versions of Microsoft Windows include a graphical version of ipconfig called winipcfg. You can find more information about these commands in your operating system's help system or in a TCP/IP book, such as TCP/IP For Dummies, 5th Edition, by Candace Leiden and Marshall ...

[...] vendor for technical support. Be sure that you research what methods of support are available to you. Does the vendor provide e-mail support, telephone support, or only Web support? Even more importantly, how long will it take to respond to your queries? An excellent Web site for researching software is groups.google.com. This Web site (formerly www.dejanews.com) enables you to search multiple newsgroups for ...

[...] html/communities/firewalls/newsite/cert.shtml. Also, make sure that you look at previous versions of the criteria. Some vendors may have been certified under a previous version of the criteria but don't want to spend the effort and money required to get certified for the latest version, especially if their firewall is about to be replaced with a newer version. When reviewing the list of certified firewalls, ...

[...] for certification. Many times, a firewall that is certified for the UNIX platform is not certified initially when the firewall is modified to run on Windows. Verifying the tested underlying operating system ensures that you are truly selecting a certified firewall. You can download full descriptions of the ICSA 4.0 certification criteria from the following location: www.icsalabs.com/html/communities/firewalls/ ...