Client Side OPSEC Applications


In addition to the UFP and CVP application servers and the AMON monitoring service, there are six client application APIs that extend the functionality and management of VPN-1/FW-1 to third-party applications. Although the complete configuration and implementation details for each of the six APIs depend on which third-party application you're using, this section gives a quick look at each API to discuss its capabilities and to show the integration options available for OPSEC-certified products.

Event Logging API

The Event Logging API allows third-party applications to send log data to the VPN-1/FW-1 log database. Sending log data to the central log has two main advantages: log consolidation and alert triggering.

In many networks, the firewall gateways are the security focal point, making the VPN-1/FW-1 logs the primary data source for security auditing. By extending the log to third-party products with the ELA, Check Point has enabled you to collect your security logs in a single location, making it easier to analyze and trend your security infrastructure's performance. An added benefit of consolidating logs from other products into the central log is that products using ELA are able to trigger the VPN-1/FW-1 alert mechanism. This allows products like Stonesoft's StoneBeat high-availability solution to send logs and alerts to the Check Point Management Console when a FireWall-1 product has failed over to a standby machine.

Log Export API

To securely and efficiently access the Check Point log database, third-party products can use the Log Export API. The LEA allows access to the log in both real-time and historical access modes. In order to use LEA, the product vendor must write an LEA client that accesses data from the Management Console running the LEA server. Using the LEA client/server model, OPSEC applications avoid having to read the locked, proprietary-format logs directly, or having to export the Check Point logs to plain text before they can work with the log data.

For example, products like the WebTrends Firewall Suite can set up a secure connection to the VPN-1/FW-1 log database to pull in historical information for report generation. Since LEA supports encryption, you can be assured that the information used to generate the reports was not copied or corrupted during the transfer from one application to another.

Real-time data retrieval using LEA is most useful for generating alerts based on firewall events with a non-Check Point application. For example, LEA could be used to funnel firewall events into an enterprise security manager (ESM) product that correlates them with data from other security products, generating trends and alerts based on a bigger view of the security infrastructure.
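The correlation the ESM scenario above describes, as an added example that is not part of the book or of any Check Point or OPSEC vendor code: a sliding-window correlator that consumes consolidated records (firewall drops as an LEA real-time client would read them, and an IDS event as a third-party product would push it through ELA) and raises a higher-severity alert when both sources implicate the same host. The record field names (`t`, `origin`, `action`, `src`, `dport`, `sig`) and the sample records are constructed for this example and are not Check Point's log schema.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed records standing in for entries an LEA client reads in
# real-time mode ("firewall") and entries a third-party IDS pushed into the
# central log via ELA ("ids"). Field names are assumptions, not Check
# Point's log format; addresses come from the documentation ranges.
LOG_STREAM = [
    {"t": 0,   "origin": "firewall", "action": "drop",   "src": "203.0.113.7",   "dport": 22},
    {"t": 5,   "origin": "firewall", "action": "drop",   "src": "203.0.113.7",   "dport": 23},
    {"t": 9,   "origin": "firewall", "action": "accept", "src": "198.51.100.20", "dport": 80},
    {"t": 12,  "origin": "firewall", "action": "drop",   "src": "203.0.113.7",   "dport": 25},
    {"t": 20,  "origin": "firewall", "action": "drop",   "src": "203.0.113.7",   "dport": 110},
    {"t": 31,  "origin": "ids",      "action": "alert",  "src": "203.0.113.7",   "dport": 143, "sig": "portsweep"},
    {"t": 40,  "origin": "firewall", "action": "drop",   "src": "192.0.2.99",    "dport": 445},
    {"t": 400, "origin": "firewall", "action": "drop",   "src": "203.0.113.7",   "dport": 3389},
]


@dataclass
class Alert:
    t: int
    src: str
    severity: str
    reason: str


class Correlator:
    """Sliding-window correlation of consolidated firewall and IDS events.

    A source that is dropped on `port_threshold` distinct ports within
    `window` seconds yields a medium alert; if the IDS has also reported the
    same source inside the window, the alert is raised to high.
    """

    def __init__(self, window=60, port_threshold=4):
        self.window = window
        self.port_threshold = port_threshold
        self.drops = defaultdict(deque)     # src -> deque of (t, dport)
        self.ids_hits = defaultdict(deque)  # src -> deque of (t, signature)
        self.alerts = []

    def _expire(self, q, now):
        # Drop entries that have fallen out of the correlation window.
        while q and now - q[0][0] > self.window:
            q.popleft()

    def feed(self, rec):
        """Consume one record; return an Alert if the rule fires, else None."""
        src, now = rec["src"], rec["t"]
        if rec["origin"] == "firewall" and rec["action"] == "drop":
            self.drops[src].append((now, rec["dport"]))
        elif rec["origin"] == "ids":
            self.ids_hits[src].append((now, rec.get("sig", "")))
        else:
            return None  # accepted traffic is not evidence here
        self._expire(self.drops[src], now)
        self._expire(self.ids_hits[src], now)
        ports = {p for _, p in self.drops[src]}
        if len(ports) >= self.port_threshold and self.ids_hits[src]:
            sig = self.ids_hits[src][-1][1]
            alert = Alert(now, src, "high", f"{len(ports)} ports dropped, IDS signature {sig}")
        elif len(ports) >= self.port_threshold:
            alert = Alert(now, src, "medium", f"{len(ports)} distinct ports dropped in {self.window}s")
        else:
            return None
        self.alerts.append(alert)
        return alert


def run(records, **kw):
    """Feed the whole stream through a fresh Correlator and return its alerts."""
    c = Correlator(**kw)
    return [a for r in records if (a := c.feed(r)) is not None]


if __name__ == "__main__":
    for a in run(LOG_STREAM):
        print(f"t={a.t:<4} {a.severity:<6} {a.src:<14} {a.reason}")
```

Run as-is, the stream produces a medium alert at t=20 (four distinct ports dropped) and a high alert at t=31 once the IDS event arrives; the single drop at t=400 produces nothing because the earlier evidence has aged out of the window. The point is the one the passage makes: neither the firewall drops nor the IDS event alone carries the weight that the two together do once they sit in the same log.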

Suspicious Activities Monitoring

The Suspicious Activities Monitor was designed to provide a method for intrusion detection system (IDS) software to communicate with VPN-1/FW-1. This provides a method for an IDS application to create dynamic firewall rules to block traffic that the application believes is malicious.

Using a SAM-enabled application allows you to add some level of reflexive access control to block previously allowed traffic. The key is in remembering that access can only be granted by the static security policy rules, not by the SAM application's dynamic rules. For example, if an IDS system detected something suspicious, such as a connection attempt to a closed port, it would be able to close all access to all resources from the IP address in question for a configurable period of time. This would block traffic, such as browsing your Internet Web site, which may be explicitly allowed in your security policy. The action taken by the firewall is configurable and can include anything from making an entry in the logs, to disconnecting a session in progress, to blocking all further access from the offending host. You need to be especially careful when allowing SAM applications to create firewall rules. If they are not configured properly, you can inadvertently create a denial of service situation on your own servers. For example, if you block all data from any host that has tried to connect to a closed port for one hour, an attacker may send connection requests to your servers with spoofed IP addresses in order to cause your own firewall to block traffic from your customers.

SmartDefense can be used to block attacks it recognizes (as discussed in Chapter 13), but other solutions may notice traffic that is also unauthorized. The SAM API allows other devices to tell the firewall to block connections as appropriate. The SAM protocol is discussed in more detail in Chapter 9.
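The safeguards the SAM discussion above calls for, as an added example that is not part of the book and does not use the OPSEC SDK or the SAM protocol itself: a decision layer that sits between the IDS and whatever issues the actual block request, and that applies a never-block list (your own servers and known customer or partner ranges), a minimum evidence count, a bounded block lifetime, and a cap on concurrent dynamic blocks. The `DynamicBlockPolicy` class, its decision strings and the `FakeClock` are assumptions made for this example; the addresses are constructed from the documentation ranges.

```python
import ipaddress
import time


class DynamicBlockPolicy:
    """Decide whether an IDS report should become a temporary SAM-style block.

    Safeguards against turning the IDS into a self-inflicted denial of
    service: addresses in `never_block` are only logged, a source must be
    reported `min_events` times before it is blocked, blocks expire after
    `ttl` seconds, and no more than `max_blocks` are active at once.
    """

    def __init__(self, never_block, ttl=3600, max_blocks=500, min_events=3, clock=time.time):
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.ttl = ttl
        self.max_blocks = max_blocks
        self.min_events = min_events
        self.clock = clock          # injectable so expiry can be tested offline
        self.blocks = {}            # ip -> expiry timestamp
        self.counts = {}            # ip -> reports seen while not blocked
        self.audit = []             # (decision, ip, detail) for the log

    def _protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def report(self, ip, detail="connection attempt to closed port"):
        """Record one IDS report and return the decision taken for it."""
        now = self.clock()
        self.expire(now)
        if self._protected(ip):
            # A spoofed probe bearing a customer address must never cost
            # that customer its access: log it, do not block.
            decision = "ignored-allowlisted"
        elif ip in self.blocks:
            decision = "already-blocked"
        else:
            self.counts[ip] = self.counts.get(ip, 0) + 1
            if self.counts[ip] < self.min_events:
                decision = "logged"
            elif len(self.blocks) >= self.max_blocks:
                decision = "cap-reached"
            else:
                self.blocks[ip] = now + self.ttl
                decision = "blocked"
        self.audit.append((decision, ip, detail))
        return decision

    def expire(self, now=None):
        """Remove blocks whose lifetime has elapsed; return the released IPs."""
        now = self.clock() if now is None else now
        released = [ip for ip, until in self.blocks.items() if until <= now]
        for ip in released:
            del self.blocks[ip]
            self.counts.pop(ip, None)
        return released

    def is_blocked(self, ip):
        self.expire()
        return ip in self.blocks


class FakeClock:
    """Deterministic clock so the example runs without waiting for expiry."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    policy = DynamicBlockPolicy(never_block=["198.51.100.0/24"], ttl=3600,
                                max_blocks=2, min_events=3, clock=clock)
    for ip in ["203.0.113.7"] * 3 + ["198.51.100.44"] * 5 + ["192.0.2.5"]:
        print(ip, "->", policy.report(ip))
    clock.now += 3601
    print("203.0.113.7 still blocked after ttl:", policy.is_blocked("203.0.113.7"))
```

The constructed run shows the two behaviours that matter: a source reported three times is blocked and released after the TTL, while any number of reports carrying an allowlisted customer address produce log entries only. The cap keeps a flood of reports from filling the firewall with dynamic rules, which is the other way an IDS-driven block list can degrade into a denial of service.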

Object Management Interface

The Object Management Interface allows OPSEC applications to interact with the management server. The OMI has been replaced by the Check Point Management Interface, and has only been kept in NG for backward compatibility. New applications being developed with the NG OPSEC Software Development Kit (SDK) will use CPMI.

Check Point Management Interface

Replacing OMI in the NG OPSEC SDK, the Check Point Management Interface allows OPSEC applications access to the management server's security policy and objects database. This can enable you to use objects already defined with the Policy Editor in other applications. Additionally, this secure interface can give other applications access to create objects in the VPN-1/FW-1 database. The CPMI has three main benefits that OPSEC applications can take advantage of:

  • CPMI can allow access to authentication information, enabling vendors to design single sign-on security solutions that take advantage of the authentication information already known to the firewall.

  • Access to the Check Point object database can allow for report generation and alerting based on changes to monitored objects.

  • Some management tasks can be automated, allowing software products to modify VPN-1/FW-1 in response to a security event.

UserAuthority API

The UserAuthority API is designed to extend the firewall's knowledge of users' VPN and local area network (LAN) authentication to other applications. In addition to providing the information that applications need in order to enable a single sign-on model, the UAA can also be used to provide the information needed to develop billing and auditing applications that track individual users instead of just sessions.

The UAA also allows third-party applications to take advantage of the secure virtual network's (SVN) openPKI infrastructure for authentication. This reduces the vendor's need to develop their own authentication methods, which not only speeds development time for new applications, but also ensures compatibility with, and leverages the investment in, your existing infrastructure.


Check Point NG[s]AI
ISBN: 735623015
Year: 2004
Pages: 149