Screening URLs for content can also be accomplished without CVP. There are two other options Firewall-1 provides in this case: wild card and file-based matching.
To configure your firewall for non-CVP-based URL screening, follow the same procedure used for CVP-based screening (see the earlier section “CVP Configuration”). The only difference comes when setting up the resource. In this case, we go through the available options in the case of wild card and file matching.
To create a resource with wild card matching, from the SmartDashboard choose Manage | Resources, choose New, and then URI. The options for the General tab should be filled in as you did back in Figure 9.13, but choose Wild Cards under URI Match Specification Type. Choose the Match tab, which is shown in Figure 9.18.
The Match tab specifies the properties of the user’s URL request that must be present in order for the firewall to conclude a match and take the action specified in the Action tab. Choose from a variety of Schemes, which dictate the general type of request (http, ftp, gopher, and so on), or even specify a custom scheme under Other.
Next, select the Methods that must be matched, from GET, POST, HEAD, or PUT, and again you have the option of specifying a custom method under Other.
Finally, you can specify Host, Path, and Query text to match from the user’s requests.
All of these fields accept wild card characters, which means you can enter a host such as “www.sports*” to match all hosts that begin with “www.sports”.
The Action tab behaves just as in the UFP section.
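A wild card host such as “www.sports*” can match more hosts than intended, so it helps to preview a pattern set against sample requests before installing the policy. The following is an added example, not Check Point code and not from the original text: it is an offline model of the Match tab fields that assumes “*” is the only wild card character, and the class name, function names, and sample URLs are hypothetical.

```python
import re
from urllib.parse import urlsplit

def wildcard_to_regex(pattern):
    # Assumption: only "*" is special (the one wild card the text shows);
    # every other character is matched literally.
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$")

class UriResourceModel:
    """Offline model of the Match tab: schemes, methods, host, path, query."""
    def __init__(self, schemes, methods, host="*", path="*", query="*"):
        self.schemes = {s.lower() for s in schemes}
        self.methods = {m.upper() for m in methods}
        self.host = wildcard_to_regex(host.lower())   # host names ignore case
        self.path = wildcard_to_regex(path)
        self.query = wildcard_to_regex(query)

    def matches(self, method, url):
        u = urlsplit(url)
        # Every selected property must be present for the request to match.
        return (u.scheme.lower() in self.schemes
                and method.upper() in self.methods
                and bool(self.host.match(u.hostname or ""))
                and bool(self.path.match(u.path or "/"))
                and bool(self.query.match(u.query)))

def preview(resource, requests):
    """Return the (method, url) pairs that the modelled resource matches."""
    return [req for req in requests if resource.matches(*req)]

# Constructed sample requests, using reserved .example host names.
SAMPLE_REQUESTS = [
    ("GET", "http://www.sports.example/scores"),
    ("GET", "http://www.sportsmedicine.example/clinic"),  # likely unintended
    ("POST", "http://www.sports.example/login"),          # method not selected
    ("GET", "http://sports.example/scores"),              # no "www." prefix
    ("GET", "ftp://www.sports.example/pub/file"),         # scheme not selected
]

if __name__ == "__main__":
    res = UriResourceModel(schemes=["http"], methods=["GET"], host="www.sports*")
    for method, url in preview(res, SAMPLE_REQUESTS):
        print("MATCH", method, url)
```

The second match shows the pattern catching an unrelated site that merely begins with “www.sports”, while the fourth request shows the same site escaping the match when the “www.” prefix is dropped.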
To create a resource with file matching, from the SmartDashboard choose Manage | Resources, choose New, and then URI. Again, the options for the General tab behave as shown earlier, but choose File under URI Match Specification Type.
Choose the Match tab, which is shown in Figure 9.19.
Figure 9.18 URI Resource Match Properties
Notice that the Match tab contains only two options: Import and Export. The Import option allows you to specify a file on your local computer that contains data about what constitutes a match of the user’s request. This file is subsequently stored on the management module of the firewall. The Export option allows you to save a copy of that data on the management module back to your local workstation.
The file that you import must be in ASCII format (plain text), and contain three fields per line, each line representing a record. Field one specifies an IP address, field two the URI path, and field three is not used, but must not be blank, so enter any “1”.
Again, the Action tab behaves as with a UFP configuration.
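Because the import file is maintained by hand, it is worth linting it before using the Import option. The following is an added example, not code from the original text or from Check Point: it checks the three-field format described above, and it assumes that fields are separated by whitespace and that field two is a path beginning with “/”; the function names and sample records are hypothetical.

```python
import ipaddress

def parse_match_file(data: bytes):
    """Lint a URI match file; return (records, errors)."""
    try:
        text = data.decode("ascii")          # the file must be plain ASCII
    except UnicodeDecodeError as exc:
        return [], [f"byte {exc.start}: file is not plain ASCII"]
    records, errors = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        fields = line.split()                # assumption: whitespace-separated
        if not fields:
            errors.append(f"line {n}: blank line (each line must be a record)")
        elif len(fields) == 2:
            errors.append(f"line {n}: third field is blank; enter a filler such as 1")
        elif len(fields) != 3:
            errors.append(f"line {n}: expected 3 fields, found {len(fields)}")
        else:
            err = check_record(*fields[:2])
            if err:
                errors.append(f"line {n}: {err}")
            else:
                records.append(tuple(fields))
    return records, errors

def check_record(ip, path):
    """Return an error string for a bad field 1 or field 2, else None."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return f"field 1 {ip!r} is not an IP address"
    # Assumption: field 2 is a path beginning with "/", not a full URL.
    if not path.startswith("/"):
        return f"field 2 {path!r} is not a URI path"
    return None

# Constructed sample file (documentation-range addresses, made-up paths).
SAMPLE = (
    b"192.0.2.10 /sports/scores 1\n"
    b"192.0.2.11 /games 1\n"
    b"www.sports.example /scores 1\n"       # host name instead of an IP address
    b"192.0.2.12 /video\n"                  # third field missing
    b"192.0.2.13 http://x.example/a 1\n"    # full URL instead of a path
)

if __name__ == "__main__":
    good, bad = parse_match_file(SAMPLE)
    print(f"{len(good)} valid records")
    print("\n".join(bad))
```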
Figure 9.19 URI Resource Match Properties
Summary
A security policy that works on a variety of levels is most likely to be effective. One such level is content screening, and this level of security provides for a great deal of control over network access.
Check Point’s Content Vectoring Protocol is a powerful tool that, among other things, allows you to scan e-mail for viruses to prevent malicious code from ever arriving in a user’s mailbox. The URI Filtering Protocol allows you to control what Web sites users may visit, thereby enforcing corporate policies on appropriate Web access.
Due to the flexible nature of CVP, OPSEC vendors are free to develop applications to solve any number of problems related to content. There are currently more than 300 OPSEC partners, and although the purpose of many of the OPSEC applications is the same, the variety of choice allows you to pick the application with the feature set that best suits your needs.
Combine content filtering with a solid overall security policy, and the risk of security issues is greatly reduced.
Solutions Fast Track
Using CVP for Virus Scanning E-Mail
☑ Add a network object that references the IP address of the CVP server.
☑ Add and configure the CVP server OPSEC application, setting the desired options.
☑ Configure a resource that makes use of the CVP server, to be referenced in the rule.
☑ Add a rule to the rule base that will match SMTP to the mail server and set it to use the CVP resource.
URL Filtering for HTTP Content Screening
☑ Add a network object that references the IP address of the UFP server.
☑ Add and configure the UFP server OPSEC application, setting the desired options.
☑ Configure a resource that makes use of the CVP server, to be referenced in the rule.
☑ Add a rule to the rule base that will match HTTP traffic and set it to use the UFP resource.
Using Screening without CVP
☑ Add a network object that references the IP address of the CVP server.
☑ Add and configure the CVP server OPSEC application, and choose the wild card method to manually enter URLs to match or choose the file method to import a file with a list of URLs to match.
☑ Use the file method when the list of URLs is too long to enter manually, so that the list can be maintained in an external file.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.
Q: Can I use CVP to screen both incoming and outgoing e-mail?
A: Yes. The firewall knows when to use CVP to screen e-mail based on the rule base. So to add CVP-based screening for outgoing e-mail, add a rule with a resource that will be matched for outgoing SMTP requests.
Q: Once I set up UFP to prevent users from accessing certain URLs, can I make a user exempt?
A: Yes, as long as you know the user’s IP address—you should ensure that it is static. In this case, add a rule in the rule base above the UFP rule that does not contain a resource. The user’s HTTP requests will match this rule and bypass the UFP check.
Q: Can I use the same server for both CVP and UFP?
A: Yes. In this case, when defining the OPSEC application object, check both UFP and CVP and configure both tabs. Then, reference the same OPSEC application object when defining resources.
Q: When should I use CVP as opposed to wild card or file-based matching?
A: This depends mostly on your security policy for filtering. CVP allows for more dynamic and versatile filtering; the other two methods are more static, and they change only when you choose to manually update your configuration. If your policy is only to block an unchanging number of URLs, a CVP server is probably not necessary.
Q: What caching control method should I use for UFP?
A: The level of caching to use is a balance between speed and accuracy. If you disable caching, you are guaranteed accurate results, but performance may become unacceptably slow. You may also opt to have the server perform the caching, if your UFP server supports that option. Overall, you may have to adjust your caching level based on observing performance and accuracy over time.
SecureClient