Summary


Check Point's OPSEC standards program certifies that third-party applications meet minimum integration and compatibility requirements with the VPN-1/FW-1 products. This, in essence, extends the reach of your VPN-1/FW-1 security infrastructure to encompass areas where highly specialized or customized solutions are required to meet the needs of your network.

Through the use of CVP and UFP application servers, you are able to extend the information used by VPN-1/FW-1 to make data control decisions to include input from third-party solutions. In addition to providing you with greater flexibility, this enables you to build best-of-breed solutions into your firewall from vendors that specialize in the task you need to perform.

CVP is used to send an entire data stream, such as a downloaded file, to another server to be validated either as a whole or in parts. This validation can be as simple as checking the file for viruses or using image recognition software to discard images that may not be acceptable in your environment. In many cases, such as when using a virus scanner, the CVP server may modify the data before returning it to the security server to be passed along to its final destination. CVP objects can be grouped together to share load among servers performing a similar function, or servers can be chained together to perform multiple actions and validation checks on the data before returning it to the firewall.

UFP is used to check the scheme and path of data resource requests. UFP is most commonly used for HTTP traffic to control access to sites that may not be appropriate in a corporate setting, but can also be used with other protocols. UFP servers enable you to choose from predefined categories to specify which sites are to be filtered or denied from the data requests passing through the firewall. UFP applications often come with a subscription service that provides updates to the database of sites and categories known to the product, as well as enabling you to specify your own, so that your protection is kept up to date. As with CVP resources, you can group UFP servers together to provide high availability and load sharing among servers providing the same service. You cannot, however, chain UFP servers together.
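The two behaviours described above, chained CVP servers that may reject or rewrite a data stream versus grouped UFP servers that only share load and categorize a request by scheme and path, can be modelled in a few lines. This is an added illustration, not Check Point code and not the OPSEC SDK: the names `cvp_chain`, `UfpServer`, `UfpGroup` and `ufp_decision`, the "EICAR" signature string and the `.test` host names are all constructed for the example.

```python
"""Illustrative model of CVP chaining versus UFP grouping (added example,
not Check Point's OPSEC API; all names and sample data are constructed)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


# --- CVP: content validators that may reject or modify the data stream ---

@dataclass
class CvpResult:
    allowed: bool
    data: bytes
    reason: str = ""


def antivirus_scan(data: bytes) -> CvpResult:
    """Constructed scanner: rejects any stream carrying the marker 'EICAR'."""
    if b"EICAR" in data:
        return CvpResult(False, data, "virus signature matched")
    return CvpResult(True, data)


def strip_script_tags(data: bytes) -> CvpResult:
    """Constructed validator that modifies data before returning it."""
    cleaned = data.replace(b"<script>", b"").replace(b"</script>", b"")
    reason = "script tags removed" if cleaned != data else ""
    return CvpResult(True, cleaned, reason)


def cvp_chain(data: bytes, validators) -> CvpResult:
    """Chained CVP: each server sees the previous server's output.
    The first server to reject ends the chain; otherwise the final
    (possibly modified) data is what goes back to the security server."""
    for validator in validators:
        result = validator(data)
        if not result.allowed:
            return result
        data = result.data
    return CvpResult(True, data)


# --- UFP: categorize a request by scheme and path; servers grouped for load sharing ---

class UfpServer:
    """One UFP server holding a category database of (host, path-prefix) entries."""

    def __init__(self, name: str, categories: dict):
        self.name = name
        self.categories = categories  # {category: [(host, path_prefix), ...]}
        self.queries = 0              # counts how many lookups this server handled

    def categorize(self, url: str) -> str:
        self.queries += 1
        parts = urlsplit(url)
        host = parts.hostname or ""
        path = parts.path or "/"
        for category, entries in self.categories.items():
            for entry_host, prefix in entries:
                host_ok = host == entry_host or host.endswith("." + entry_host)
                if host_ok and path.startswith(prefix):
                    return category
        return "uncategorized"


class UfpGroup:
    """Grouped UFP servers: lookups are spread round-robin across the group.
    There is no chaining; exactly one server answers each request."""

    def __init__(self, servers):
        self.servers = list(servers)
        self._next = 0

    def categorize(self, url: str) -> str:
        server = self.servers[self._next % len(self.servers)]
        self._next += 1
        return server.categorize(url)


def ufp_decision(url: str, group: UfpGroup, blocked_categories) -> str:
    """Reject requests whose scheme is not handled or whose category is blocked."""
    if urlsplit(url).scheme not in ("http", "https", "ftp"):
        return "reject"
    return "reject" if group.categorize(url) in blocked_categories else "accept"


# Constructed category database shared by two servers in one group.
CATEGORY_DB = {
    "games": [("games.example.test", "/")],
    "news": [("example.test", "/news")],
}
```

A point the model makes visible: because `UfpGroup` hands each lookup to a single server, every server in a group must carry the same category database, which is why a subscription feed that updates all members matters for keeping the filtering consistent.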

AMON is new to the NG version of VPN-1/FW-1 and provides a method for third-party servers to report status information to the firewall products. This allows you to monitor the status of other security devices using the tools from Check Point, or other vendor tools that you're already using to keep an eye on your firewalls.

OPSEC applications can also access VPN-1/FW-1 information and resources by using LEA, ELA, SAM, OMI, CPMI or UAA. These client applications are not normally used in the data control process as OPSEC servers are, but often make use of the status, log, and object databases to report on and manipulate VPN-1/FW-1 devices and applications.

There are five major types of resources in VPN-1/FW-1: URI, SMTP, FTP, CIFS, and TCP. URI is the most common and offers the greatest flexibility, since URI resources can be created using wildcards or from specially formatted files that define the pattern to match on. Most commonly, URI resources are used with CVP or UFP servers as a method to move data between the security policy and third-party servers.

SMTP resources allow you to manipulate e-mail messages and provide a method to replace or substitute information in certain fields as messages pass through the firewall. FTP resources allow you to control FTP sessions down to the level of being able to specify whether users can issue GET or PUT commands, as well as the ability to stop users from accessing specific paths on the server. Both SMTP and FTP resources support using CVP servers to validate data coming into or leaving your protected networks. The TCP resource enables you to use either a UFP or a CVP server with TCP data that is not handled by one of the built-in security servers. A CIFS resource is used to granularly control access to file and print servers based on user, server, or share name.
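The resource types in the two paragraphs above (wildcard URI patterns loaded from a pattern file, FTP GET/PUT and path restrictions, SMTP field substitution) are easiest to understand as small matching rules. The following is an added illustration and not Check Point's implementation or file format: `UriResource`, `FtpResource`, `SmtpResource`, the one-pattern-per-line file layout and the `.test` host names are assumptions made for this example.

```python
"""Illustrative model of VPN-1/FW-1 URI, FTP and SMTP resource matching
(added example; class names and the pattern-file layout are constructed)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class UriResource:
    """URI resource defined by wildcard patterns, e.g. loaded from a file."""
    name: str
    patterns: List[str]

    @classmethod
    def from_file_text(cls, name: str, text: str) -> "UriResource":
        # Constructed layout: one wildcard pattern per line, '#' starts a comment.
        patterns = []
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                patterns.append(line)
        return cls(name, patterns)

    def matches(self, url: str) -> bool:
        # fnmatchcase: '*' matches any run of characters, '/' included.
        return any(fnmatchcase(url, p) for p in self.patterns)


@dataclass
class FtpResource:
    """FTP resource: which commands are allowed and which paths are off limits."""
    allow_get: bool = True
    allow_put: bool = True
    denied_paths: List[str] = field(default_factory=list)

    def check(self, command: str, path: str) -> str:
        command = command.upper()
        if command == "GET" and not self.allow_get:
            return "reject"
        if command == "PUT" and not self.allow_put:
            return "reject"
        if any(fnmatchcase(path, p) for p in self.denied_paths):
            return "reject"
        return "accept"


@dataclass
class SmtpResource:
    """SMTP resource: substitute the sender's domain in the From header."""
    rewrite_from_domain: Optional[Tuple[str, str]] = None  # (old, new)

    def apply(self, headers: dict) -> dict:
        rewritten = dict(headers)
        if self.rewrite_from_domain and "From" in rewritten:
            old, new = self.rewrite_from_domain
            local, _, domain = rewritten["From"].rpartition("@")
            if domain == old:
                rewritten["From"] = local + "@" + new
        return rewritten


def first_matching_action(url: str, rules: List[Tuple[UriResource, str]]) -> str:
    """Rule base evaluation: the first rule whose resource matches decides."""
    for resource, action in rules:
        if resource.matches(url):
            return action
    return "no match"


# Constructed pattern file, as a URI resource might be defined from one.
BLOCKED_PATTERNS = """\
# constructed example patterns
*://*.games.example.test/*
http://ads.example.test/*
"""
```

Usage: build `UriResource.from_file_text("blocked", BLOCKED_PATTERNS)` and put it in a rule list with a `"reject"` action ahead of a catch-all resource; a URL reaches the catch-all only when no earlier pattern matched, which mirrors the first-match order a firewall rule base applies.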




Check Point NG[s]AI
ISBN: 735623015
EAN: N/A
Year: 2004
Pages: 149
