
Wed. Jan. 26, 2000


FireWall Technology And Architecture

By  Jamal Barmil

Securing corporate networks is a pressing issue in today's technological age, and firewalls are one of the most potent defense mechanisms for Internet-connected networks. FireWall-1 is one of the best network security products to use as a defense for your network. FireWall-1 examines data from all seven communication layers and also analyzes state information from previous communications. The Inspection Module checks IP addresses, port numbers and any other information required to determine whether packets are permitted by the enterprise Security Policy. FireWall-1 understands the internal structures of the IP protocol family and the applications built on top of them, and is able to extract data from the packet's application content and store it to provide context in those cases where the application does not provide it. The Inspection Module stores and updates state and context information in dynamic connection tables. These tables are continually updated, providing cumulative data against which FireWall-1 checks subsequent communications.

Using Check Point's INSPECT language, FireWall-1 incorporates security rules, application, state and communication information into a powerful security system. INSPECT is an object-oriented, high-level script language that provides the Inspection Module with the enterprise security rules. The Security Policy is defined using FireWall-1's graphical user interface. From the Security Policy, FireWall-1 generates an Inspection Script, written in INSPECT. Inspection Code is compiled from the script and loaded to the Inspection Module on the network's FireWalled enforcement points. Inspection Scripts are ASCII files and can be edited to meet specialized security requirements.
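The two paragraphs above describe a rule base plus a dynamic connection table. The following is an added illustration of that idea in Python; it is not Check Point code, does not use INSPECT, and its rule base, address ranges (10.0.0.0/8 as the assumed internal network, documentation addresses for the outside) and packets are all constructed for the demo. It shows why a reply to an accepted connection passes on state alone, why an unsolicited inbound packet falls through to the cleanup rule, and what happens once an idle table entry expires.

```python
"""Toy stateful inspection module: an ordered rule base and a connection table.

Added illustration, not Check Point code. Everything below is constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")      # assumed corporate address space


@dataclass
class Rule:
    """One line of the Security Policy rule base (first match wins)."""
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]        # None = any protocol
    dport: Optional[int]        # None = any destination port
    action: str                 # "accept" or "drop"

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in self.src
                and ip_address(pkt["dst"]) in self.dst
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"]))


RULEBASE: List[Rule] = [
    Rule("web-out", INTERNAL, ANY, "tcp", 80, "accept"),
    Rule("dns-out", INTERNAL, ANY, "udp", 53, "accept"),
    Rule("cleanup", ANY, ANY, None, None, "drop"),   # explicit drop-all
]

Key = Tuple[str, int, str, int, str]


class InspectionModule:
    """Evaluates packets against the rule base and a connection table.

    The table keys each accepted connection by its 5-tuple and records when it
    was last seen, so replies are accepted on state alone and idle entries
    expire after `timeout` seconds."""

    def __init__(self, rules: List[Rule], timeout: int = 3600) -> None:
        self.rules = rules
        self.timeout = timeout
        self.table: Dict[Key, int] = {}

    @staticmethod
    def _key(pkt: dict) -> Key:
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])

    @staticmethod
    def _reverse_key(pkt: dict) -> Key:
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])

    def _expire(self, now: int) -> None:
        stale = [k for k, seen in self.table.items() if now - seen > self.timeout]
        for k in stale:
            del self.table[k]

    def inspect(self, pkt: dict, now: int) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet observed at time `now`."""
        self._expire(now)
        # Fast path: the packet belongs to an already accepted connection,
        # in either direction, so no rule lookup is needed.
        for key in (self._key(pkt), self._reverse_key(pkt)):
            if key in self.table:
                self.table[key] = now
                return "accept", "state"
        # Slow path: a new connection is matched against the rule base in order.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "accept":
                    self.table[self._key(pkt)] = now
                return rule.action, rule.name
        return "drop", "implicit"   # nothing matched: default deny


# Constructed packets (outside addresses are documentation ranges, not real hosts).
PKT_OUT = dict(src="10.1.2.3", sport=40000, dst="198.51.100.7", dport=80, proto="tcp")
PKT_REPLY = dict(src="198.51.100.7", sport=80, dst="10.1.2.3", dport=40000, proto="tcp")
PKT_UNSOLICITED = dict(src="198.51.100.7", sport=80, dst="10.1.2.3", dport=40001, proto="tcp")


def run_demo(timeout: int = 60) -> List[Tuple[str, str]]:
    """Outbound request, its reply, an unsolicited inbound packet, and the
    same reply again after the table entry has expired."""
    fw = InspectionModule(RULEBASE, timeout=timeout)
    return [
        fw.inspect(PKT_OUT, now=0),
        fw.inspect(PKT_REPLY, now=1),
        fw.inspect(PKT_UNSOLICITED, now=2),
        fw.inspect(PKT_REPLY, now=100),
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The last verdict is the one worth noticing: a reply that was accepted at time 1 is dropped at time 100 because its table entry has timed out, which is exactly the behaviour a stateless packet filter cannot express.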

FireWall-1 Components

FireWall-1's scalable, modular architecture enables an organization to define and implement a single, centrally managed Security Policy. The enterprise Security Policy is defined at a central management console and downloaded to multiple enforcement points throughout the network. FireWall-1 consists of the following components:

Graphical User Interface (GUI)

An enterprise-wide Security Policy is defined and managed using an intuitive graphical user interface. The Security Policy is defined in terms of network objects (for example, hosts, networks, gateways, etc.) and security rules. The FireWall-1 GUI also includes a Log Viewer and System Status Viewer.

Management Server

The Security Policy is defined using the GUI and saved on the Management Server. The Management Server maintains the FireWall-1 databases, including network object definitions, user definitions, the Security Policy, and log files for any number of FireWalled enforcement points. The GUI and the Management Server can be deployed on the same machine or in a Client/Server configuration.

FireWall Module

The FireWall Module is deployed on Internet gateways and other network access points. The Management Server downloads the Security Policy to the FireWall Module, which protects the network. The FireWall Module can be installed on a broad range of platforms. The FireWall Module includes the Inspection Module and the FireWall-1 Security Servers. The Security Servers provide Authentication and Content Security features.

Authentication

The Security Servers provide authentication for users of FTP, HTTP, TELNET and RLOGIN. If the Security Policy specifies authentication for any of these services, the Inspection Module diverts the connection to the appropriate Security Server. The Security Server performs the required authentication. If the authentication is successful, the connection proceeds to the target server.

Content Security is available for HTTP, FTP and SMTP. The HTTP Security Server provides Content Security based on schemes (HTTP, FTP, GOPHER, etc.), methods (GET, POST, etc.), hosts (for example, "*.com"), paths and queries. A file containing a list of IP addresses and paths to which access will be denied or allowed can be used. The FTP Security Server provides Content Security based on FTP commands (PUT/GET), file name restrictions, and anti-virus checking for files transferred.
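As an added illustration of the HTTP Security Server criteria just listed, the following Python check evaluates a proxied request against an ordered policy of schemes, methods, host patterns and path patterns, and against a "host-or-IP plus path" list of the kind the paragraph mentions. It is not Check Point code; the policy, the list contents and the request URLs are constructed, and the list format (one `host path-prefix` entry per line, `#` for comments) is an assumption made for the demo.

```python
"""Toy HTTP content-security check: ordered rules plus a host/path deny list.

Added illustration, not Check Point code. Policy and list are constructed."""
from fnmatch import fnmatch
from typing import List, Tuple
from urllib.parse import urlsplit

# Ordered rules: (name, schemes, methods, host glob, path glob, action).
# First match wins; anything unmatched is denied.
POLICY = [
    ("no-gopher", {"gopher"}, {"*"}, "*", "*", "deny"),
    ("web-com", {"http", "https"}, {"GET", "HEAD"}, "*.com", "*", "allow"),
    ("ftp-get", {"ftp"}, {"GET"}, "ftp.example.org", "/pub/*", "allow"),
]

# Constructed list file: "host-or-ip path-prefix" per line, '#' starts a comment.
DENY_LIST_TEXT = """\
# host or IP address, then the path prefix to refuse
203.0.113.9 /
www.example.com /private
"""


def parse_deny_list(text: str) -> List[Tuple[str, str]]:
    """Parse the list file into (host, path_prefix) pairs, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host, _, prefix = line.partition(" ")
        entries.append((host.lower(), prefix.strip() or "/"))
    return entries


DENY_LIST = parse_deny_list(DENY_LIST_TEXT)


def check_request(method: str, url: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one proxied request."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    method = method.upper()
    # The list is consulted before the rule base: a listed host/path is
    # refused regardless of scheme or method.
    for listed_host, prefix in DENY_LIST:
        if host == listed_host and path.startswith(prefix):
            return "deny", f"list:{listed_host}{prefix}"
    for name, schemes, methods, host_glob, path_glob, action in POLICY:
        if (scheme in schemes
                and ("*" in methods or method in methods)
                and fnmatch(host, host_glob)
                and fnmatch(path, path_glob)):
            return action, name
    return "deny", "default"


if __name__ == "__main__":
    for req in [("GET", "http://www.example.com/index.html"),
                ("POST", "http://www.example.com/form"),
                ("GET", "http://www.example.com/private/report"),
                ("GET", "gopher://gopher.example.com/1")]:
        print(req, "->", check_request(*req))
```

Hosts are lower-cased before matching so that `WWW.EXAMPLE.COM` cannot slip past a pattern written in lower case, and the default verdict is deny, which is the safe choice for a gateway that sees schemes and methods it was never told about.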

The SMTP Security Server provides Content Security based on "From" and "To" fields in the mail envelope and header and attachment types. In addition, it provides a secure send mail application that prevents direct online connection attacks. The SMTP Security Server also serves as an SMTP address translator; that is, it can hide real user names from the outside world by rewriting the "From" field while maintaining connectivity by restoring the correct addresses in the response.
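To make the address-translation and attachment-type aspects of the paragraph above concrete, here is an added Python illustration; it is not Check Point code. The alias table (one internal mailbox mapped to a public alias), the set of refused attachment content types and the two messages are all constructed for the demo. Outbound mail has its "From" replaced by the alias (display name dropped, since the point is to hide the real user), inbound mail addressed to the alias has its "To" restored, and attachments of a refused type are reported.

```python
"""Toy SMTP address translator and attachment screen.

Added illustration, not Check Point code. Aliases, blocked types and the
sample messages are constructed."""
from email import message_from_string
from email.utils import formataddr, parseaddr
from typing import Dict, List

# Constructed: real internal mailbox -> public alias shown to the outside.
ALIASES: Dict[str, str] = {"alice.smith@corp.example": "sales@example.com"}
PUBLIC_TO_REAL: Dict[str, str] = {public: real for real, public in ALIASES.items()}

# Constructed: attachment content types the policy refuses.
BLOCKED_TYPES = {"application/x-msdownload", "application/x-sh"}


def _rewrite(raw: str, header_name: str, mapping: Dict[str, str], keep_name: bool) -> str:
    """Replace the address in `header_name` via `mapping`, if it is listed."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get(header_name, ""))
    if addr.lower() in mapping:
        new_name = name if keep_name else ""
        msg.replace_header(header_name, formataddr((new_name, mapping[addr.lower()])))
    return msg.as_string()


def outbound(raw: str) -> str:
    """Mail leaving the enterprise: hide the real sender behind its alias."""
    return _rewrite(raw, "From", ALIASES, keep_name=False)


def inbound(raw: str) -> str:
    """Mail arriving from outside: restore the real recipient for delivery."""
    return _rewrite(raw, "To", PUBLIC_TO_REAL, keep_name=True)


def header(raw: str, name: str) -> str:
    """Convenience accessor used to inspect a rewritten message."""
    return message_from_string(raw).get(name, "")


def blocked_parts(raw: str) -> List[str]:
    """Content types of attachments the policy would refuse."""
    msg = message_from_string(raw)
    return [part.get_content_type() for part in msg.walk()
            if part.get_content_type() in BLOCKED_TYPES]


# Constructed outbound message from a real internal user.
OUT_MSG = """\
From: Alice Smith <alice.smith@corp.example>
To: customer@remote.example
Subject: Quote

Please find the quote below.
"""

# Constructed inbound reply addressed to the alias, carrying an executable.
IN_MSG = """\
From: customer@remote.example
To: sales@example.com
Subject: Re: Quote
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Thanks.
--b1
Content-Type: application/x-msdownload
Content-Disposition: attachment; filename="setup.exe"

MZ...
--b1--
"""

if __name__ == "__main__":
    print("outbound From:", header(outbound(OUT_MSG), "From"))
    print("inbound To:", header(inbound(IN_MSG), "To"))
    print("refused attachment types:", blocked_parts(IN_MSG))
```

Addresses that are not in the table pass through untouched, so the translator only changes what it has been told to hide; the attachment check is reported separately so a deployment can decide whether to strip the part or refuse the whole message.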

Distributed Client/Server Deployment

FireWall-1 manages the enterprise Security Policy through a distributed Client/Server architecture that ensures high performance, scalability and centralized control. FireWall-1 components can be deployed on the same machine or in flexible Client/Server configurations across a broad range of platforms. In the example deployment described here, the Security Administrator configures and monitors network activity for several sites from a single desktop machine. The Security Policy is defined on the GUI Client, while the FireWall database is maintained on the Management Server. The Security Policy is downloaded to three FireWall Modules (each on a different platform), which in turn protect three networks. The connections between the client, server and multiple enforcement points are secured, enabling true remote management.

Although FireWall-1 is deployed in a distributed configuration, Security Policy enforcement is completely integrated. Any number of FireWall Modules can be set up, monitored and controlled from a single workstation, but there is still only one enterprise-wide Security Policy that is defined and updated from a centralized management interface.

OPSEC

Check Point's OPSEC (Open Platform for Secure Enterprise Connectivity) integrates all aspects of network security within a single, extensible framework. The OPSEC framework provides central configuration and management for FireWall-1, while integrating third-party security applications. The enterprise security system is composed of several components, each of which may be provided by a different vendor and installed on a different machine. FireWall-1 distributes security tasks to the OPSEC components. Organizations can choose the security components, from Check Point and other vendors, that best meet their requirements.

OPSEC solutions allow enterprises to take full advantage of the FireWall-1 Security Suite and other security applications. Enterprises can plug into Check Point's OPSEC framework in the following ways:

The FireWall Module or the Inspection Module runs directly on third-party security or networking devices. Example OEM or embedded devices include Alcatel (Xylan) switches or Nortel (Bay Networks) routers.

The Check Point OPSEC SDK provides Application Programming Interfaces (APIs) for open protocols. Administrators can use the OPSEC APIs to configure transactions between FireWall-1 and OPSEC components, such as servers that implement security tasks (for example, anti-virus servers) or clients that use an OPSEC server. The OPSEC SDK includes several APIs. One example is the Content Vectoring Protocol (CVP), which is used to implement content screening and anti-virus checking. Another is the URL Filtering Protocol (UFP), which is used to control access to external Web sites.

Another example is Suspicious Activity Monitoring Protocol (SAMP), which is used to detect and block intrusion attempts. Log Export API (LEA) is used to retrieve and export FireWall-1 Log data. Lastly, Object Management Interface (OMI) is used to develop a client that can query, modify and install a FireWall-1 Security Policy.

Open Industry-Standard Protocols

FireWall-1 supports industry-standard network security and management protocols to enable the integration of third-party security products and network management tools. Example standards include RADIUS (Remote Authentication Dial-in User Service), which is used to authenticate dial-up users; RADIUS servers are available from third-party vendors such as Axent and Security Dynamics. LDAP (Lightweight Directory Access Protocol) is another example, used to integrate and manage user directories. Integrated OPSEC solutions can be configured and managed using the FireWall-1 graphical user interface. Check Point tests and certifies all OPSEC solutions for interoperability.


Jamal Barmil is the vice president of DACON, Inc., a software consulting company in McLean, VA. He has over 15 years of experience in Information Technology and over seven years of experience managing and directing information system projects. He can be reached at Jbarmil@prodigy.net.
