Although any thorough security policy should include virus protection at the desktop level, it makes sense to consider scanning incoming e-mail for viruses to prevent malicious code from even reaching the PC. The combination of these two levels of virus scanning further reduces the chances of a virus infecting your network.
We first cover a generic CVP solution that will provide you with a good basis for developing a CVP configuration for any environment. Then we describe a practical, real-world environment and the steps required to fit CVP into this environment to alleviate the risk of virus infection via e-mail. The combination of a generic configuration and a specific, practical application will give you the perspective to adapt CVP to your network.
Configuring CVP
To configure CVP, you must first define a CVP server, which is an OPSEC service running on a server; that server may be dedicated to the OPSEC application or shared with other applications.
Next, you must add a resource for virus inspection. The type of resource to add depends on what type of service you are implementing. In this case, we are implementing virus scanning for e-mail, so the appropriate resource type is SMTP (Simple Mail Transport Protocol), which is the protocol used to deliver mail. There are a number of additional options available in the resource's CVP and Action tabs to fine-tune how the firewall will handle e-mail filtering and checking, which we cover in the “CVP Configuration” section.
The third and final step required to configure CVP for virus scanning e-mail is to add a rule to your security rule base that has a service type that includes the resource you defined above. When traffic passing through the firewall matches the source, destination, and service specified in the rule, it will redirect this traffic to the resource you defined and use the information gathered by this resource to determine whether to permit or deny the traffic.
Figure 9.1 outlines the steps required to configure CVP.
A Generic CVP Solution
Although in this case we describe how to configure CVP for e-mail virus scanning, note that CVP is useful for a number of other applications. For example, some OPSEC applications can filter URLs based on content, inspect the content of Java and ActiveX applets, and even perform filtering based on SQL database contents.
Although the functionality of the OPSEC applications varies, the process of configuring your firewall to utilize any application is quite similar.
Network Layout
As a general CVP configuration, we consider the case of a network with one firewall, one mail server, and a number of user workstations. The users send and receive mail through the mail server, and are protected from the Internet by the firewall by sitting on one of its internal interfaces, and by residing on nonroutable IP addresses. The mail server is also protected by the firewall, but on a different interface, and is also assigned an unroutable IP address. Since the firewall will be communicating with external mail servers, it is not necessary for the actual mail server to reside on a routable IP address; this adds an additional level of security to the network.
Figure 9.1 CVP Configuration (Define CVP Server, Create Resource, Add Rule)

The rule base used in this configuration is shown in Figure 9.2. Rule 2 permits internal users to reach external Web servers on the Internet. Rule 3 permits internal users to send mail to the mail server. Rules 4 and 5 permit the mail server to reach and be reached by external mail servers, respectively. Finally, Rule 1 is a standard hide rule, and Rule 6 is a standard cleanup rule, to drop all other traffic.
CVP Configuration
Now that you have a good idea of the network configuration, you can begin configuring CVP to protect the internal users from viruses in their e-mail. The first step is to add a CVP server. Before you can add a CVP server to your Check Point configuration, the CVP server itself must already be configured and operational. Setting up a CVP server involves installing an OPSEC-compatible application and configuring it to perform the content check you desire. CVP server configuration is outside the scope of this chapter.
To add a CVP server, first you need to define a host that points to this server. Open the Check Point SmartDashboard and choose Manage | Network Objects. Click on New, then Node, then Host (see Figure 9.3).
Here, enter a descriptive Name for the CVP server—in this case use “SMTP-CVP”. Specify the IP Address of the server, and optionally enter a Comment to help you identify this object in the future.
The next step is to define the OPSEC application on the CVP server. Choose Manage | OPSEC Applications. Click on New and then OPSEC Application (see Figure 9.4).
Figure 9.2 Sample Rule Base
These are the general options for the OPSEC application. Enter a descriptive Name—in this case use “Email-virus-CVP”. Optionally enter a Comment, and choose a Color to easily identify this object. For the Host, choose SMTP-CVP, which is the name of the host object you just defined. For Vendor, you may choose the name of the vendor of your particular CVP application, or you may choose User Defined if that vendor is not listed. Under Server Entities, choose CVP and leave all the other check boxes unchecked. Next, click on CVP Options (see Figure 9.5).
Figure 9.3 New Node Properties
Figure 9.4 New OPSEC Application General Properties
In most cases, you should leave the Service set to FW1_cvp, which is the TCP port that the CVP application will run on (in this case port 18181). The only case in which you would change this port is if the OPSEC application you are using does not use the standard CVP port, either by design or by your custom configuration.
Enable Use early versions compatibility mode if the OPSEC application is written for Firewall-1 4.1 or earlier. In this case, you should consult the OPSEC application’s documentation to determine which early version compatibility mode option (Clear, OPSEC Authentication, OPSEC SSL, or OPSEC SSL Clear) to select.
Next, you need to configure an SMTP resource that has CVP enabled. Choose Manage | Resources and click on New and then SMTP (see Figure 9.6).
Figure 9.5 OPSEC Application CVP Options
Figure 9.6 SMTP Resource General Properties
Enter a descriptive Name—in this case use “SMTP-Server”. Optionally enter a descriptive Comment, and choose a Color to easily identify this object. Under Mail Delivery, set the Server to the IP address of your SMTP server. Check Deliver messages using DNS/MX records if you would like mail to be delivered based on the MX records for the destination domain. In this case, the mail will not be delivered to the server specified earlier; instead, the firewall will retrieve the MX record for the destination domain and deliver the mail to the first available server found.
Selecting Check Rule Base with new error destination instructs the firewall to check the address found from the MX record against the rule base to determine whether traffic should be allowed to this address, and if so, the rule will also determine whether a resource should be used.
The following section deals with what action should be taken if there is an error in mail delivery, such as when mail is sent to an invalid domain or when the destination mailbox does not exist. Selecting Notify sender on error instructs the firewall to send a bounce message to the sender with details about why the message was undeliverable.
The server specified determines what mail server the bounce message should be sent to. Just as in the Mail Delivery section, here you also have the option to leave the server field empty and check Deliver messages using DNS/MX records, as well as setting the option for the firewall to check the rule base before forwarding mail to the server found via the MX record.
The final general option for an SMTP resource is for exception tracking. The choices here are None, Log, or Alert, which specify the method of tracking for actions that are matched from the Action tabs for this resource.
The Match and Action tabs allow for manipulation and control over e-mail outside of CVP functionality. Since the focus of this chapter is CVP configuration, we do not cover these tabs here.
Next, enable and configure CVP for this resource. Go to the CVP tab shown in Figure 9.7.
Enable Use CVP and then select the CVP server you defined earlier: Email-Virus-CVP. If you enable CVP server is allowed to modify content, the firewall is given the leeway to actually make changes to various properties of e-mail that passes through. You must decide whether or not to enable this option depending on how intrusive you want your SMTP filtering to be.
Check the next option, Send SMTP Headers to CVP server, if you would like the CVP server to check e-mail header content, in addition to the content of the body of the e-mail. Enable this option if your CVP application has the ability to screen messages based on variables in the message header.
The Reply Order settings specify when the CVP server returns the data it inspects to the security server (in this case, SMTP server). If you select Return data after content is approved, the CVP server waits until it has received and approved all the data for a particular e-mail before returning it to the SMTP server. On the other hand, selecting Return data before content is approved instructs the CVP server to return each approved packet as it arrives. Which setting you choose here will largely depend on the nature of the CVP application you are using—consult its documentation for guidance.
The final step to enabling virus scanning for e-mails is to add the appropriate rules to your rule base (see Figure 9.8).
Figure 9.7 SMTP Resource CVP Properties
Figure 9.8 Rule with SMTP Resource
Rule 4 is for SMTP mail services. It permits all sources to send mail via SMTP, but you will notice that in the SERVICE section, the service is listed as “smtp->Email-Virus-CVP”. This means that the firewall will redirect traffic that matches this rule to the resource you configured earlier, which will then verify the content of the message with the CVP server you defined.
To add a service with a resource, right-click on the SERVICE section and select Add with Resource (see Figure 9.9).
In this case, highlight smtp—in other cases you would highlight the service you are configuring—and you will then see the Resource section become available. In the drop-down box, select the CVP server you have configured—in this case, Email-Virus-CVP—and click OK.
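The following is an added example, not code from the chapter or from Check Point: a first-match simulation of the Figure 9.2 rule base that shows how a rule whose service carries a resource (rule 4, “smtp->Email-Virus-CVP”) hands matching traffic to CVP while every other connection is decided by a plain accept or drop. The addresses are constructed, and rule 1 (the hide rule) is an address translation rule rather than a permit/deny decision, so only rules 2 through 6 are modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addresses standing in for the chapter's network objects.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")      # user workstations
MAIL_SERVER = ipaddress.ip_network("10.0.1.25/32")  # internal SMTP server
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    number: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]            # None matches any service
    action: str                    # "accept" or "drop"
    resource: Optional[str] = None # CVP resource attached to the service


# Rules 2-6 of Figure 9.2 as described in the text; rule 1 (hide) omitted.
RULE_BASE = [
    Rule(2, INTERNAL, ANY, 80, "accept"),                        # users -> Web
    Rule(3, INTERNAL, MAIL_SERVER, 25, "accept"),                # users -> mail
    Rule(4, ANY, MAIL_SERVER, 25, "accept", "Email-Virus-CVP"),  # inbound, CVP
    Rule(5, MAIL_SERVER, ANY, 25, "accept"),                     # outbound mail
    Rule(6, ANY, ANY, None, "drop"),                             # cleanup
]


def evaluate(src: str, dst: str, port: int) -> Tuple[int, str, Optional[str]]:
    """Return (rule number, action, resource) of the first rule that matches.

    A non-None resource means the firewall redirects the connection to that
    resource (and its CVP server) instead of passing it straight through.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULE_BASE:
        if s in r.src and d in r.dst and (r.port is None or r.port == port):
            return r.number, r.action, r.resource
    raise RuntimeError("rule base has no cleanup rule")  # unreachable here


if __name__ == "__main__":
    for conn in [("203.0.113.7", "10.0.1.25", 25),   # Internet -> mail server
                 ("10.0.0.5", "10.0.1.25", 25),      # user -> mail server
                 ("203.0.113.7", "10.0.1.25", 23)]:  # telnet, no rule permits
        print(conn, "->", evaluate(*conn))
```

Note that because rule 3 precedes rule 4, mail submitted by internal users reaches the mail server without passing through the resource; only the inbound SMTP connections matching rule 4 are scanned.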
Troubleshooting CVP
The most sensible way to troubleshoot CVP is to examine each component and use process of elimination to determine where the problem lies. Because there are a number of components involved—the CVP server, the resource, the SMTP server, and the firewall—troubleshooting can quickly become complex if you look at the process as a whole. Looking at each component separately makes for a much more manageable troubleshooting exercise.
In the case of scanning e-mail for viruses, the first thing you need to do when troubleshooting is accurately collect the symptoms of the problem. What exactly is happening to the e-mail, assuming it has not been delivered successfully? The first place to check is the mail server that hosts the users’ mailboxes. Its log files should give you a good indication of whether the e-mail in question even made it as far as the server.
If the server log files show that the e-mail arrived at the server, the reason that e-mail was not delivered may have nothing to do with the firewall—the server may be the culprit. However, if the server log files show no sign of the e-mail, you need to step back and look at the firewall to see what went wrong.
Figure 9.9 Adding Service with Resource
The first thing to check on the firewall is the SmartView Tracker, to make sure the external mail server on the Internet actually attempted to connect and deliver the mail. If you see this connection as dropped, check your rule base to ensure that you have a rule defined to allow SMTP traffic (with a resource in this case) inbound from any source.
If the inbound SMTP connection was accepted, double-check the setup of your CVP server under Manage | OPSEC Applications to ensure that you have the correct object and that the object has the correct IP address. If this is correct, the firewall has passed the e-mail to the CVP server, so the next place to check is the CVP server log file. Consult the documentation of your particular CVP server to determine how to access its log files and how to interpret the information contained in them. What you are looking for is proof that the e-mail arrived at the CVP server and information about what happened to the e-mail at that point. For example, the CVP server may indicate that an error prevented it from properly processing the e-mail, in which case you need to troubleshoot that problem by consulting the CVP server documentation.
Once the CVP server is operating normally, it will have returned the e-mail to the firewall. At this point you should recheck the mail server logs to see if the e-mail has arrived there. If not, recheck the SmartView Tracker to determine if anything in your rule base is preventing the e-mail from being delivered.
Finally, if you continue to have difficulties and none of these techniques helps to find the problem, your last resort is to use the fw monitor command to monitor packets entering and leaving the firewall, to prove where the problem component is that is preventing the normal flow. Usage of fw monitor is outside the scope of this chapter, but your firewall documentation will have syntax and examples.