The Internet provides a worldwide communications infrastructure that lets organizations give their network users cost-effective, worldwide connectivity. Increasing reliance on Internet technology, along with the explosive growth of corporate intranets and extranets, has changed not only the way organizations do business but also how they approach network security. While such connectivity is critical to collaborative information sharing, it also exposes an organization's network to new risks and threats.
The dynamic nature of today's corporate networks means that they are no longer defined by physical boundaries, but by enterprise-wide security policies. To be effective, these policies must include a broad range of security services that govern access to network resources while protecting those same resources from both internal and external threats.
A complete enterprise security solution must:
- grant selective network access to authorized remote and corporate users;
- authenticate network users with strong authentication techniques before granting access to sensitive corporate data;
- ensure the privacy and integrity of communications over untrusted, public networks like the Internet;
- provide content security at the gateway to screen malicious content, such as viruses and hostile Java/ActiveX applets;
- detect network attacks and misuse in real time and respond automatically to defeat an attack;
- protect internal network addressing schemes and conserve IP addresses;
- ensure high availability of network resources and applications;
- deliver detailed logging and accounting information on all communication attempts.
With its Enterprise Security Management product family, Check Point Software Technologies offers a comprehensive set of solutions that meet these demanding requirements. Check Point's FireWall-1/VPN-1 security suites enable all functionality to be deployed and managed with a single enterprise-wide security policy for straightforward management and administration.
Enterprise security solutions are unified by Check Point's OPSEC (Open Platform for Secure Enterprise Connectivity) policy management framework, which provides central integration, configuration and management for Check Point products as well as third-party security applications. Only Check Point provides organizations with the ability to define a single, integrated security policy that can be distributed across multiple gateways and managed remotely from anywhere on the enterprise network. There is never any need to individually reconfigure each security gateway.
All of Check Point's security solutions are built on Stateful Inspection, the de facto standard for network security that was invented and patented by Check Point. Stateful Inspection provides full application-layer awareness without requiring a separate proxy for every Internet service and protocol. This provides unparalleled performance, scalability and the ability to support new and custom applications and services quickly and easily.
Enterprise Firewall Requirements
Enterprise firewall requirements can be summarized as follows:
- Availability
- Performance
- Network Address Translation
- Centralized Management
- Logging/Report Generation
Check Point Software Technologies Ltd. meets these requirements with Check Point (tm) FireWall-1(r), the industry's leading network security solution, with over 80,000 FireWall-1 installations at more than 20,000 customer sites worldwide. FireWall-1 enables enterprises to define and enforce a single, comprehensive Security Policy while providing fully transparent connectivity. Utilizing the Check Point patented Stateful Inspection technology and the Check Point Open Platform for Secure Enterprise Connectivity (OPSEC(tm)) architecture, FireWall-1 integrates and centrally manages all aspects of an organization's network security policy. An integrated product suite extends FireWall-1's capabilities to all levels of security management.
Availability
Check Point FireWall-1 is based on advanced Stateful Inspection technology that extracts connection information from all communication layers. This information is maintained in dynamic state tables and is updated continuously. All network traffic is evaluated based on examination of this information. The key component of a high-availability security solution is the synchronization of the information held within the Stateful Inspection tables between different security gateways. When one gateway fails, another FireWall-1 can transparently assume security responsibility without any loss of connectivity.
State synchronization affords customers the flexibility to deploy a high-availability security solution specific to their network needs. Whether the deployment requires dynamic or static routing, a high-availability security solution can be constructed using FireWall-1 and components from one of several Check Point OPSEC partners.
Utilizing multiple FireWall-1 firewalls with state synchronization has the additional benefit of supporting asymmetric routing. Synchronization of state information is necessary when packets that are part of the same session travel different routes and pass through different gateways. Without accurate state information on all communications into the enterprise network, a firewall may not recognize a packet that belongs to an authorized session and will drop or reject it, breaking the connection. By synchronizing state information, every FireWall-1 firewall has full knowledge of all authorized connections, so each gateway can carry any of them, even a connection that was not initiated through that gateway. Stateful Inspection enables this level of communication awareness on an enterprise scale.
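The failure mode just described is easiest to see in a small simulation. The following is an added example, not Check Point code: two gateways keep a connection table keyed on the packet 5-tuple, a client opens a connection through the first gateway, and the server's reply comes back through the second. The rule base, the internal address range and the synchronization mechanism are simplified stand-ins chosen for the illustration.

```python
"""Two stateful gateways, with and without state-table synchronization.

Added illustration, not Check Point code: the state table, the rule base and
the sync mechanism are simplified stand-ins for FireWall-1's (assumptions).
"""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the packet that opens a TCP connection


def policy_allows(pkt: Packet) -> bool:
    """Rule base stand-in: internal hosts may open HTTP connections outbound."""
    return ipaddress.ip_address(pkt.src) in INTERNAL and pkt.dport == 80


class Gateway:
    def __init__(self, name: str):
        self.name = name
        self.table = set()    # keys of connections already accepted by policy
        self.peers = []       # gateways that receive a copy of every new entry

    def sync_with(self, other: "Gateway") -> None:
        self.peers.append(other)
        other.peers.append(self)

    def handle(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets of a known connection, in either direction, pass on the table alone.
        if key in self.table or reverse in self.table:
            return "accept"
        # Only a connection-opening packet is evaluated against the rule base.
        if pkt.syn and policy_allows(pkt):
            self.table.add(key)
            for peer in self.peers:       # replicate the new entry to synchronized peers
                peer.table.add(key)
            return "accept"
        # A mid-connection packet with no state is indistinguishable from an attack.
        return "drop"


def simulate(synchronized: bool) -> list:
    """Client opens a connection through gw_a; the server's reply returns via gw_b."""
    gw_a, gw_b = Gateway("gw_a"), Gateway("gw_b")
    if synchronized:
        gw_a.sync_with(gw_b)
    syn = Packet("10.1.1.5", 40000, "203.0.113.10", 80, syn=True)
    syn_ack = Packet("203.0.113.10", 80, "10.1.1.5", 40000)
    return [gw_a.handle(syn), gw_b.handle(syn_ack)]


if __name__ == "__main__":
    print("without sync:", simulate(False))   # ['accept', 'drop']
    print("with sync:   ", simulate(True))    # ['accept', 'accept']
```

Without synchronization the second gateway sees a reply for which it holds no state and drops it, which is the "loss of connectivity" the text refers to; with synchronization the entry created on the first gateway is already present on the second when the reply arrives.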
Performance
Not all firewall architectures provide the same level of performance. The FireWall-1 Stateful Inspection technology is designed to deliver superior performance with the highest level of network security. Stateful Inspection offers multiple performance advantages, such as enhanced throughput from eliminating the burdensome context switching required by older-generation application-layer firewalls: there is no need to copy packets between a firewall application and the operating system. Another performance advantage comes from intercepting all communications below the network layer (layer three of the seven-layer OSI network model), which reduces latency.
Additionally, a reduction in CPU overhead is achieved by running the Stateful Inspection engine inside the operating system kernel. As a result, FireWall-1 achieves demonstrated network throughput of over 100 megabits per second and 50,000+ concurrent connections, more than sufficient to meet most enterprises' requirements, now and in the future.
Network Address Translation
The advanced network address translation (NAT) capability of FireWall-1 supports all applications and services, including H.323 applications. In addition, NAT works seamlessly with the virtual private networking (VPN) capability of Check Point VPN solutions. For example, a VPN tunnel can be established between two gateways that allows internal hosts on each network to communicate securely, even if each host uses a private (unregistered) IP address. Additionally, throughput performance is not significantly degraded when deploying NAT.
There are two modes of operation for NAT: dynamic mode and static mode. Dynamic NAT provides users access to the Internet while conserving registered IP addresses and hiding the actual IP addresses of network resources. Dynamic mode uses a single IP address to hide all internal network resources, so a large number of internal IP addresses can be mapped to one public IP address; in practice the number of concurrent translated connections is bounded by the source-port range available on that single hide address. Because the hide address is used only for outbound communication and is not assigned to any internal server or user, an unsolicited inbound packet addressed to it has no mapping and is dropped, so it exposes no service to attack.
As an organization's communication infrastructure requirements grow, the need may arise to publish IP addresses for public servers, such as FTP and Web. Static mode supports this requirement and provides a one-to-one assignment between the published IP address and the internal IP address. Static mode would typically be implemented when administrators did not wish to expose the real IP addresses of the network servers. With FireWall-1, static and dynamic address translations together provide a great deal of control and flexibility in setting up an organization's network.
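The two modes behave differently for traffic arriving from the Internet, which is the security-relevant distinction. The following is an added example, not Check Point code, that models both: hide (dynamic) NAT allocates a source port on one public address per outbound connection and has no mapping for unsolicited inbound packets, while static NAT maps a published address one-to-one in both directions. The addresses, the port pool and the translation tables are assumptions chosen for the example; a real implementation also keys hide mappings on the destination so ports can be reused across destinations, which this simplified version omits.

```python
"""Hide (dynamic) NAT and static NAT on a single gateway.

Added illustration, not Check Point code: addresses, the port pool and the
translation tables are assumptions chosen for the example.
"""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


class Nat:
    def __init__(self, hide_ip: str, port_pool: range, static: Dict[str, str]):
        self.hide_ip = hide_ip
        self.free_ports = list(port_pool)          # source ports still unallocated on hide_ip
        self.static = dict(static)                 # published IP -> internal server IP
        self.static_rev = {v: k for k, v in static.items()}
        self.hide_out: Dict[Endpoint, int] = {}    # (internal ip, port) -> hide port
        self.hide_in: Dict[int, Endpoint] = {}     # hide port -> (internal ip, port)

    def outbound(self, src: str, sport: int) -> Endpoint:
        """Translate the source of a packet leaving the internal network."""
        if src in self.static_rev:                 # published server: fixed one-to-one mapping
            return self.static_rev[src], sport
        key = (src, sport)
        if key not in self.hide_out:               # new connection: allocate a port on the hide address
            if not self.free_ports:                # the bound the text's "unlimited" glosses over
                raise RuntimeError("hide NAT port pool exhausted")
            port = self.free_ports.pop(0)
            self.hide_out[key] = port
            self.hide_in[port] = key
        return self.hide_ip, self.hide_out[key]

    def inbound(self, dst: str, dport: int) -> Optional[Endpoint]:
        """Translate the destination of a packet from the Internet; None means drop."""
        if dst in self.static:                     # published server: reachable from outside
            return self.static[dst], dport
        if dst == self.hide_ip:
            # Only replies to connections opened from inside have a mapping;
            # an unsolicited packet to the hide address has nowhere to go.
            return self.hide_in.get(dport)
        return None

    def close(self, src: str, sport: int) -> None:
        """Release a hide-NAT mapping when the connection ends."""
        port = self.hide_out.pop((src, sport), None)
        if port is not None:
            del self.hide_in[port]
            self.free_ports.append(port)


def demo() -> dict:
    """Exercise both modes on a deliberately tiny port pool (three ports)."""
    nat = Nat(hide_ip="198.51.100.1", port_pool=range(10000, 10003),
              static={"198.51.100.80": "10.0.0.80"})
    out = {}
    out["client"] = nat.outbound("10.1.1.5", 40000)          # ('198.51.100.1', 10000)
    out["reply"] = nat.inbound("198.51.100.1", 10000)        # ('10.1.1.5', 40000)
    out["unsolicited"] = nat.inbound("198.51.100.1", 10001)  # None: dropped
    out["web_in"] = nat.inbound("198.51.100.80", 80)         # ('10.0.0.80', 80)
    out["web_out"] = nat.outbound("10.0.0.80", 80)           # ('198.51.100.80', 80)
    nat.outbound("10.1.1.6", 40000)                          # uses port 10001
    nat.outbound("10.1.1.7", 40000)                          # uses port 10002
    try:
        nat.outbound("10.1.1.8", 40000)                      # pool empty
        out["exhausted"] = False
    except RuntimeError:
        out["exhausted"] = True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

The published server is reachable through its static address from outside, which is exactly why its real address should be hidden behind one; the hide address, by contrast, answers only for connections that already exist in the table.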
Centralized Management
FireWall-1 manages the enterprise Security Policy through a distributed client/server architecture that ensures high performance, scalability and centralized control. FireWall-1 components can be deployed on the same machine or in flexible client/server configurations across a broad range of platforms. In the distributed configuration, the security administrator configures and monitors network activity for several sites from a single desktop machine.
The Security Policy is defined on the GUI Client, while the FireWall-1 database is maintained on the Management Server. In a typical deployment the Security Policy is then downloaded to several Firewall Modules (for example, three, each on a different platform), each of which protects its own network. The download is accomplished with a single command rather than a separate command for each firewall. The connections between the client, the server and the enforcement points are secured, enabling true remote management.
Although FireWall-1 is deployed in a distributed configuration, security policy enforcement is completely integrated. Any number of Firewall Modules can be set up, monitored and controlled from a single workstation, but there is still only one enterprise-wide security policy, defined and updated from a centralized management interface.
Logging/Report Generation
A wide variety of event analysis and reporting tools have been integrated with FireWall-1 using the OPSEC API set. These tools allow you to fully integrate FireWall-1 into your enterprise management, reporting and accounting infrastructures, as well as extract specific and concise information from the FireWall-1 log files.
The FireWall-1 log viewer provides the ability to review FireWall-1 log files for unauthorized attempts to access protected networks. Additionally, FireWall-1 can be configured to alert administrators via a screen-based alert, e-mail, pager or any other user-defined action when an unauthorized access attempt occurs.
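A user-defined alert action is only useful if it fires on a pattern rather than on every single rejected packet. The following is an added example, not Check Point code: it reads firewall log lines, keeps a per-source sliding window of denied attempts, and invokes an alert callback when one source is denied a threshold number of times within the window. The log lines are constructed for the example in a simplified whitespace-separated layout (date, time, action, source, destination, service), not FireWall-1's own log format; the threshold, window and callback are assumptions.

```python
"""Flag repeated denied connection attempts in firewall log lines.

Added illustration, not a Check Point tool: the sample log is constructed in a
simplified format (not FireWall-1's), and the threshold, window and alert
callback are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Optional

# Constructed sample log: date time action src dst service
SAMPLE_LOG = """\
14Jul1999 10:01:05 accept 10.1.1.5 203.0.113.10 http
14Jul1999 10:01:07 drop 198.51.100.7 10.0.0.5 telnet
14Jul1999 10:01:09 drop 198.51.100.7 10.0.0.5 ftp
14Jul1999 10:01:12 reject 198.51.100.7 10.0.0.5 smtp
14Jul1999 10:01:40 drop 192.0.2.9 10.0.0.5 telnet
14Jul1999 10:05:00 drop 192.0.2.9 10.0.0.6 telnet
14Jul1999 10:05:02 drop 192.0.2.9 10.0.0.7 telnet
"""

DENIED = ("drop", "reject")


def parse_line(line: str) -> dict:
    """Split one constructed log line into typed fields."""
    date, time, action, src, dst, service = line.split()
    return {
        "time": datetime.strptime(f"{date} {time}", "%d%b%Y %H:%M:%S"),
        "action": action, "src": src, "dst": dst, "service": service,
    }


def find_alerts(log_text: str, threshold: int = 3,
                window: timedelta = timedelta(seconds=60),
                action: Optional[Callable[[str], None]] = None) -> List[dict]:
    """Alert when one source is denied `threshold` times within `window`.

    `action` stands in for the user-defined alert (e-mail, pager, ...); it is
    called once per burst, not once per denied packet.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> recent denial times
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["action"] not in DENIED:
            continue
        q = recent[rec["src"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:   # expire denials outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"src": rec["src"], "count": len(q), "last": rec["time"]})
            if action is not None:
                action(f"{rec['src']}: {len(q)} denied attempts within {window}")
            q.clear()   # start a fresh window so the same burst is reported once
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG, action=lambda msg: print("ALERT:", msg)):
        print(a)
```

On the constructed sample, 198.51.100.7 is denied three times inside a minute and raises one alert, while 192.0.2.9's three denials are spread across more than the window and raise none; tuning the window and threshold to the site's normal background of stray connection attempts is what keeps a pager-style action from becoming noise.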
An extension to FireWall-1 in the Q3 1999 timeframe will be the Reporting Module. As an optional component of FireWall-1, the Reporting Module will allow creation of easy-to-read and easy-to-comprehend reports on user/group activity, network traffic activity and suspicious activity, as well as cost estimation for various services. The Reporting Module allows reporting on all attributes included in the FireWall-1 log files. Reports can be displayed as List Reports (textual) or Graphs (single and multi-graphs).
Jamal Barmil is the Vice President of DACON, Inc., a software consulting company in McLean, VA. He has over 15 years of experience in Information Technology and over 7 years of experience managing and directing information system projects. He can be reached at Jbarmil@prodigy.net
Science & Technology