Introducing the Check Point Next Generation with Application Intelligence Suite of Products

It seems that the Internet moves a little further into the network every day, and along with it come new network security and management challenges. A few years ago, it was easy to define and visualize a network as simple security zones: trusted for anything behind the firewall and untrusted for anything in front of it. Security at that time seemed easy: stick a firewall where the internal network met the Internet, and maybe add a Demilitarized Zone (DMZ) for the Web and e-mail servers. Now, however, with new Internet applications, extranets, and VPNs becoming common, the untrusted network is creeping into the DMZ and even right into the trusted network. To address the security needs of this new network, we not only need secure, scalable firewall technology but also the tools to provide Quality of Service (QoS) and network management, and to log and report on the usage and health of the network infrastructure.

The Check Point NG AI suite is composed of several different products bundled to create a complete enterprise security solution. The combination of these specialized tools allows the NG AI suite to address the major security and network management challenges facing today's security managers. Rather than look at network security solely from the firewall or VPN solution, Check Point set out with its Secure Virtual Network (SVN) architecture to encompass all areas of enterprise security in a single, easy-to-use product. Until recently, many enterprise security managers believed that simply firewalling their network at the Internet connection provided all the security they needed. In today's network world there are intranet and extranet connections and remote dial and VPN access to secure. The SVN architecture looks at the entire enterprise network, encompassing not only Local Area Network (LAN) and Wide Area Network (WAN) connections, but extending right down to the individual VPN-connected user. This new enterprise-level view of security defines a complete, scalable, and secure architecture that requires the integration of several products to achieve.

The NG with AI suite is designed to fill the security and management needs of the SVN architecture. Using VPN-1/FireWall-1 to firewall between networks and provide a robust endpoint for VPN traffic addressed most companies' primary security needs. Having secured the front door, SecuRemote was added to the NG AI suite as a desktop application to enable easy VPN setup. SecureClient was designed to build on the functionality of SecuRemote by enabling security managers to set and enforce a desktop Security Policy for desktop machines connecting to the VPN service. Having addressed the firewall and user VPN capabilities most companies are looking for, NG AI turned to address the user management problems identified by the SVN. Two products were added to the suite to enable security managers to easily manage users and accounts. The Account Management component was added to manage user accounts stored on LDAP servers, and UserAuthority (UA) was introduced to make authentication information acquired by VPN-1/FireWall-1 available to other applications to provide Single Sign-On (SSO) capabilities. To help manage the Internet Protocol (IP) network, two more tools were added to the NG AI suite. Meta IP allows easy management of DNS and DHCP servers, while FloodGate-1 provides the QoS and bandwidth management needed for VPN and Internet networks. To provide the scalability necessary for deploying hundreds or thousands of firewalls, Check Point added SmartLSM to provide profile- (or template-) based management. Finally, to provide detailed security and usage reports not only from the NG AI suite of products, but also from supported third-party applications, Check Point added the SmartView Reporter tool. By combining all of these tools into a comprehensive suite, NG AI provides network and security managers with the security and management tools needed in today's enterprise networks in one integrated, scalable package.

To tie all of these products together into an easy-to-manage solution, NG AI includes a new Security Dashboard that incorporates the best features of the Policy Editor with additional object display windows and the optional SmartMap. The Security Dashboard, as shown in Figure 1.1, not only provides a single point of access for managing the entire NG AI suite, but also shows how the different products integrate, allowing configuration information to be moved and shared between applications quickly and easily.

Figure 1.1: NG AI Security Dashboard

VPN-1/FireWall-1

At the cornerstone of the NG AI suite is VPN-1/FireWall-1. The VPN-1 and FireWall-1 (FW-1) products are designed to prevent unauthorized access to or from the networks connected to the firewall, based on the rules defined by the security manager. VPN-1/FW-1 uses a set of rules to create a Security Policy. This policy is compiled and loaded into the inspection engine component of the firewall and is applied to all traffic that traverses the firewall's network interfaces. VPN-1/FW-1 enforces part of the overall security policy from a technical aspect. Of course, you should have a written security policy that is enforced via procedures, audits, and other technical implementations.

Although it is common to think of VPN-1 and FW-1 as a single product, and although many people use the term FW-1 to refer to both products, they have very different functions. FW-1 provides the data filtering, logging, and access control expected of any firewall gateway. VPN-1 integrates tightly into FW-1 to add VPN tools alongside the firewall. Combining VPN-1 with FW-1 has allowed Check Point to provide firewall and VPN products that not only leverage each other's strengths, but also function together seamlessly and are managed through a single management application. Tying VPN-1 and FW-1 together enables you to build VPN gateways into your firewall rather than having to maintain two separate machines to provide firewall and VPN services. This can simplify the network complexity and the Security Policy required, allowing for easier management and reducing the possibility of configuration errors.

Although VPN-1 provides all the tools you need to support site-to-site VPNs, and has even improved support for easy setup with third-party firewall products, there is still the issue of individual user-to-site VPN connections. To ensure that VPN-1 could provide the level of encryption, security, and control required when used with user-to-site VPNs, Check Point has updated the SecuRemote and SecureClient software packages. By integrating SecuRemote and SecureClient tightly with VPN-1, Check Point has not only provided you with the tools you need to secure your user-to-site VPN, but has also ensured their continued dominance in the VPN market space.

In the NG AI suite, Check Point provides the tools required to manage VPN-1/FW-1 in a distributed environment, allowing security managers to define and enforce a single Security Policy across the entire enterprise. By building FW-1 on a distributed model, Check Point has designed a product that functions equally well as a stand-alone single gateway product, as it does in large multiple firewall gateway networks. This distributed nature allows multiple VPN-1 and FW-1 gateways to be managed from a single management station, simplifying not only Security Policy definition, but also logging functions since the logs from all gateways are available from a centralized server.

Managing NG AI products has been simplified by the creation of the Security Dashboard. This new application took the best features of the Policy Editor from FW-1 4.1 (CP2000) and added new tools to simplify firewall and other product management. New drag-and-drop lists and the SmartMap not only speed up the rule creation process, but also provide an easy-to-understand visual look at your Security Policy, hopefully reducing security holes caused by errors in the policy. To further enhance the manageability of VPN-1/FW-1 in a distributed environment, several new tools were added to the NG AI suite. SmartUpdate enables security managers to maintain the newest product code levels not only on FW-1 products but also on Open Platform for Security (OPSEC) certified products from a centralized location. To ensure that communication between firewall enforcement points, the management station, and the management client is reliable, Check Point uses the Secure Internal Communication (SIC) function to encrypt and validate traffic between modules.

start sidebar
Designing & Planning
What is Provider-1?

Standard installations, which are covered in this book, work wonderfully for most customers, but the security infrastructure of a large enterprise or a Managed Service Provider (MSP) requires a much more robust solution with separate policies, objects, and logs for each customer, business unit, or other logical grouping of firewalls. With the standard enterprise management solution (SmartCenter or SmartCenter Pro), the only way to separate logs, policies, and objects was to run multiple management stations, which led to a much higher hardware cost as well as more management overhead. Provider-1 was developed from customer requests by large enterprises and MSPs whose scale and requirements went beyond the capabilities of an individual management station.

By design, Provider-1 allows role-based administration of multiple virtual management stations running on a single physical system. Based on the same three-tier management infrastructure, each virtual management station contains its own logs, policies, and objects. However, enabling virtual management stations did not solve all the management scalability concerns faced by large implementations. Provider-1 Superusers can also leverage the Multi-Domain GUI (a graphical user interface [GUI] that oversees all the virtual management stations; also referred to as the MDG) to administer global policies, administrators, objects, and VPNs that span multiple virtual management stations. This enables an administrator to make a single change, which is applied across the entire enterprise (or multiple virtual management stations) to quickly react to new threats.

end sidebar

On the surface, VPN-1/FW-1 NG AI looks like an update to version 4.1, but when you dig deeper you find that, although the core FW-1 technology of Stateful Inspection is still the heart of the system, new tools and updated applications work together to provide an updated and complete security solution. VPN-1/FW-1 NG AI provides the security tools that enterprises are looking for with the ease of manageability that security managers need. The following sections examine the additional products that enable FW-1 NG AI to be a complete security solution, and then discuss FW-1, pointing out the technology and features that have made Check Point the market leader in Internet and VPN gateway solutions.

start sidebar
Designing & Planning
What is OPSEC?

Although the NG AI suite contains many products to help you secure your network, no one vendor can account for every security challenge you may face and do it well. Whether it is load balancing network hardware or two-factor authentication software, there will almost always be a requirement to use additional, third-party applications to achieve the level of security and robustness you need. Using OPSEC-certified solutions will guarantee central management, interoperability, and ease of use by ensuring the security products you implement will work together.

Check Point's OPSEC Partner Alliance program allows Check Point to extend its security suite well beyond what any one company can offer, by certifying hardware and software solutions from third-party vendors in the security enforcement, network management and reporting, performance and high availability, and eBusiness markets. To ensure the broadest number of solutions available to customers, Check Point even allows its competitors to join the alliance if they meet the standards. For example, even though Check Point develops a reporting solution, there are other vendors in the same category, including WebTrends.

To become OPSEC-certified, applications are tested to ensure compliance with the defined OPSEC standards as well as the SVN architecture. This ensures that solutions you invest in today will operate and integrate with legacy OPSEC applications as well as new applications as they come to market. With the support of over 350 vendors, finding OPSEC security solutions for even your most unique issues, while ensuring compatibility in your environment, is fast and easy. For more information, including a list of certified partners, go to www.opsec.com.

end sidebar

Smart Directory (LDAP)

One of the many features that distinguish VPN-1 and FW-1 from the competition is the ability to easily authenticate users at the gateway. Whether it is as simple as verifying a user's access to surf the Internet or as sensitive as authenticating VPN connections, managing user accounts quickly becomes a big part of managing your enterprise Security Policy. To help make user management easier, Check Point provides the Smart Directory (formerly called the account management module) component integrated into SmartDashboard. Smart Directory allows one or more OPSEC-compliant LDAP servers, including Microsoft's Active Directory and Novell's Novell Directory Services (NDS), to provide user identification and security information to FW-1. Once enabled, FW-1 can use information stored on the defined servers to enforce rules within the Security Policy.

The Smart Directory module also integrates a specialized GUI that can be used to manage user accounts and define user level access. Users and privileges defined with the Account Manager are then available not only to FW-1 but also to any other application that is able to query the LDAP database. The Smart Directory tool is available as a tab on the Objects List, allowing you to manage user accounts stored in LDAP directories as easily as users defined in the local FireWall-1 user database.

To ensure that sensitive user information is not collected or tampered with in transit, Secure Sockets Layer (SSL) communications can be enabled between the Smart Directory machine and the LDAP server. SSL can also be enabled between the LDAP server and the firewall module, ensuring that sensitive information such as user encryption schemes or account passwords is always protected.

SecuRemote/SecureClient

As part of the VPN-1 solution, Check Point developed the SecuRemote application to provide the VPN endpoint on client machines. Designed for the Microsoft 32-bit Windows, Apple Macintosh, and Linux operating systems (OSs), SecuRemote provides the authentication and encryption services required to support simple desktop-to-firewall VPNs. SecuRemote can be used not only to encrypt traffic from Internet-based clients, but also for LAN, WAN, and intra-LAN users who deal with sensitive information. By encrypting all data between the user's desktop and the VPN-1 gateway, you can be sure that information transferred has not been read or modified in transit.

The explosion in affordable home broadband cable modem and Digital Subscriber Line (DSL) access revealed the need to secure these always-on VPN-connected users, which led to the SecureClient product. SecureClient is an extension to the SecuRemote software; along with the standard encryption and authentication services, it also provides powerful client-side security and additional management functions. The SecureClient application contains personal firewall software that is centrally managed by the VPN-1 security manager and uses the same proven Stateful Inspection technology found in VPN-1/FW-1. To ensure that the client machine cannot be configured in a way that would circumvent the Security Policy set by the security manager, VPN-1 uses a set of Secure Configuration Verification (SCV) checks to ensure that the desired security level is in place. The SCV checks can range from something as simple as verifying the Security Policy enforced at the client, right down to ensuring that the newest version of your chosen virus-scanning software is installed. Coupled with the encryption and authentication services found in SecuRemote, SecureClient provides the security tools needed to build a secure VPN tunnel between individual desktop hosts and the VPN-1 gateway. This enables you to extend the enterprise network to include the client PC, whether that machine is LAN-connected in the next office or a mobile user working via an Internet connection.

To make user setup easier, VPN-1 SecureClient enables you to build custom install packages with all the connection options pre-defined. This reduces the setup complexity for the end user, which ultimately results in fewer support calls to your helpdesk. SecureClient also includes centrally managed Security Policy update and VPN client software update capabilities to ensure that VPN clients are always up to date with the newest software version and policy settings.

SecureClient and SecuRemote support the industry standard encryption algorithms, including 256-bit Rijndael Advanced Encryption Standard (AES) and 168-bit Triple Data Encryption Standard (3DES) all the way down to 40-bit single Data Encryption Standard (DES), to ensure compatibility with whatever application you have in mind. Add flexible user authentication including everything from token-based two-factor mechanisms through X.509 Digital Certificates and biometrics, down to OS- or FW-1-stored passwords, and you have a VPN solution that can be easily integrated and scaled into almost any environment.

To keep your users connected and working, both SecuRemote and SecureClient support Multiple Entry Point (MEP) VPN-1 gateway configurations. This allows the SecuRemote or SecureClient software to be aware of more than one gateway that is available to provide VPN access to a protected network or system. Should one path or gateway become unavailable for any reason, the connection will be attempted through another VPN-1 gateway, if defined. This provides not only for redundancy to maintain high availability statistics on your VPN solution, but can also allow you to spread the network and firewall load out to reduce latency.

SmartView Reporter

Although the built-in log viewer (SmartView Tracker) is perfect for most day-to-day log file examinations, the FW-1 suite had, until NG, lacked a good tool to produce state-of-the-network and diagnostic graphs. The SmartView Reporter fills this need by producing summary and detailed reports from the log data. To provide the best view possible of your network, you can create reports at the level of detail you specify, not only from log data generated by traffic intercepted by Check Point products, but also from the logs of other OPSEC applications.

Using the SmartView Reporter to create reports from your logs enables you to check the security and performance of your network, firewalls, and Security Policy at a glance. Generating network traffic reports can help ensure that you dedicate your bandwidth budget dollars where needed and reduce spending on services that are underutilized. The network traffic reports also enable you to see trends in network usage, which, with a little luck, will allow you to increase capacity proactively rather than having to scramble when network users start to complain of slow access.

Generating reports of dropped or rejected session attempts can turn up suspicious traffic you may not otherwise notice. This may enable you to see low and slow port scans that take days or weeks to complete in an effort to be stealthy, or to see that one of your servers is acting funny. I once worked with a company whose Web server had been rooted, or taken over by an unauthorized user. The server administrator had not noticed the server malfunctioning or failing in any way, but the firewall logs showed dropped packets from attempted connections to hosts on the Internet and to the firewall's own interface (presumably from a host scan to identify other machines in the DMZ) from the Web server's network address. Seeing this dropped traffic alerted the administrator to a problem, since anyone authorized to work on the Web server would have known that they did not have any network access from its console and would normally not attempt these connections. Situations like this are difficult to pick out of filtered log data with the SmartView Tracker (Log Viewer), since instead of filtering for something specific, what you want is a high-level view of everything so that odd behavior stands out, and that is easy to achieve by generating overview reports.

One of the best reasons to use this tool, aside from trending usage of your network and security resources, is what has been referred to as the "pretty picture" effect. Especially when trying to increase bandwidth budgets or lobbying to double some of your infrastructure and enable load balancing, a picture is worth more than a thousand words. You can try to explain to the budget managers that your Internet connection is running at capacity and will soon become a bottleneck with no results, but pull out six months' worth of bandwidth graphs that show a steady increase in bandwidth usage that is now approaching the limit, and things may start moving. To help automate this, trending and history creation of your Security Policy enforcement and network health reports can be scheduled to generate automatically. This allows you to have the most current reports waiting in your e-mail inbox every Monday at 8:00 a.m. if you like, or to have the reports saved in HTML format that is easy to share via an internal Web site. SmartView Reporter is also ideal for providing regular reports to end users, auditors, or customers who are also intrigued by the "pretty picture" effect.

The SmartView Reporter is made up of two components:

  • The Consolidation Policy Editor

  • The Reporting Tool

The Consolidation Policy Editor is integrated into the Security Dashboard and can be viewed from the View Products Log Consolidator menu. The Consolidation Policy Editor enables you to set the level of detail recorded into the log database as well as to summarize log entries into meaningful connection data. For example, rather than log every session that is established with the Web server, you can consolidate this information and log it every 10 minutes. You can create consolidation rules for an individual Web server or for the entire farm, enabling you to trend and report the data in whatever format is most useful in your environment. Since the report module logs are stored on a separate log server (or at least in a separate application database on the same server, if you choose), the original raw log data is still stored in the source device's logs. Using FW-1 as an example, you could see the individual sessions allowed through to your Web server in the FW-1 logs, and see the summarized data in the Report Server database. Another advantage of this architecture is the ability to consolidate and correlate the logs from all your supported OPSEC applications; this enables you to create reports that show the interaction of devices and give a more complete picture of your environment.
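The two reporting ideas above, consolidating accepted Web server sessions into 10-minute buckets and surfacing DMZ hosts whose own outbound connection attempts are being dropped (the rooted Web server case from the SmartView Reporter discussion), can be illustrated with a small standalone script. This is an added example, not Check Point code and not the SmartView Reporter's format: the log lines are constructed, the field layout (date, time, action, source, destination, service) is assumed for the example, and the DMZ range is an assumed documentation prefix.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export, NOT real FW-1 output. Assumed field order:
# date time action src dst service
SAMPLE_LOG = """\
2003-09-01 08:00:05 accept 203.0.113.10 192.0.2.80 http
2003-09-01 08:03:41 accept 203.0.113.11 192.0.2.80 http
2003-09-01 08:07:12 accept 203.0.113.12 192.0.2.80 https
2003-09-01 08:12:30 accept 203.0.113.13 192.0.2.80 http
2003-09-01 08:14:02 accept 203.0.113.14 192.0.2.81 http
2003-09-01 08:15:00 drop 192.0.2.80 198.51.100.7 ssh
2003-09-01 08:15:03 drop 192.0.2.80 198.51.100.8 ssh
2003-09-01 08:15:06 drop 192.0.2.80 192.0.2.1 icmp
2003-09-01 08:16:00 drop 203.0.113.50 192.0.2.80 telnet
"""

DMZ = ipaddress.ip_network("192.0.2.0/24")  # assumed DMZ range (constructed)
WINDOW_MINUTES = 10                          # the "log it every 10 minutes" rule


def parse(log_text):
    """Turn the constructed export into a list of record dicts."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, action, src, dst, service = line.split()
        records.append({
            "time": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "action": action,
            "src": src,
            "dst": dst,
            "service": service,
        })
    return records


def window_start(t, minutes=WINDOW_MINUTES):
    """Floor a timestamp to the start of its consolidation window."""
    return t.replace(minute=t.minute - t.minute % minutes, second=0, microsecond=0)


def consolidate(records, minutes=WINDOW_MINUTES):
    """Consolidation rule: one row per (server, service, window) with a session
    count, instead of one log entry per accepted session. The raw records are
    untouched, mirroring the raw-log-stays-on-the-source-device design."""
    buckets = defaultdict(int)
    for r in records:
        if r["action"] != "accept":
            continue
        key = (r["dst"], r["service"], window_start(r["time"], minutes).strftime("%Y-%m-%d %H:%M"))
        buckets[key] += 1
    return dict(buckets)


def dmz_originated_drops(records, dmz=DMZ):
    """Overview report: for each DMZ address that *originated* dropped
    connections, count the distinct destinations it tried to reach. A server
    that should never open outbound connections showing up here with several
    targets is the kind of 'acting funny' signal the text describes."""
    targets = defaultdict(set)
    for r in records:
        if r["action"] == "drop" and ipaddress.ip_address(r["src"]) in dmz:
            targets[r["src"]].add(r["dst"])
    return {src: len(dsts) for src, dsts in targets.items()}


def report(records):
    """Render both views as text lines (what a scheduled report would contain)."""
    lines = ["Consolidated accepted sessions:"]
    for (dst, service, window), n in sorted(consolidate(records).items()):
        lines.append(f"  {window}  {dst:<12} {service:<6} sessions={n}")
    lines.append("DMZ hosts originating dropped connections:")
    for src, n in sorted(dmz_originated_drops(records).items()):
        lines.append(f"  {src:<12} distinct destinations={n}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse(SAMPLE_LOG))))
```

Note that the inbound telnet drop against the Web server is deliberately not flagged by `dmz_originated_drops`: its source is outside the DMZ, so it belongs in an ordinary blocked-inbound report, whereas the three drops sourced from 192.0.2.80 are the server reaching out, which is the anomaly the anecdote turns on.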

The second half of the SmartView Reporter is the Report Tool, which is used to actually mine data from the report database and create the final output. Built on the same model as FW-1, the Report Tool can be run as a separate client to the report server from another PC. The Report Tool contains many default reports that can be used out of the box or customized as needed. As well, you can create your own reports from scratch, enabling you to see as much or as little data from only the devices and servers that you need to see.

ClusterXL

With VPN connections being used for more critical day-to-day network operations, and with more businesses selling online through e-commerce sites 24 hours a day, 7 days a week, keeping firewall and VPN services always up and online is becoming increasingly important. Aside from the lost productivity from a service outage, businesses also have to consider customer confidence. Even the shortest outage may be all it takes to lose a potential customer to a competitor. The Check Point ClusterXL module enables you to create highly available VPN-1 and FW-1 services to help keep your infrastructure online and running 24 hours a day, 7 days a week.

The ClusterXL module enables you to create clusters of VPN-1/FW-1 machines, providing seamless failover for critical services and network connections. By tightly integrating into VPN-1/FW-1, the ClusterXL module allows one or more of the cluster machines to fail without impacting the users' ability to connect and maintain established sessions with your servers. By keeping state information synchronized between the individual machines in the cluster, when a failure occurs, another machine is able to seamlessly take over the sessions that had been using the now-failed gateway. Since users never see the failover, any file transfers or VPN sessions continue as normal, without the need to restart or re-authenticate.

In addition to having a highly available cluster of firewalls, systems can participate in load sharing to aggregate the total throughput capabilities of each individual firewall together to scale linearly. This combination of the processing power of multiple systems ensures that connections are handled quickly even for CPU-intensive applications such as authentication, encryption, and the use of Security Servers. Aside from protecting against hardware or OS failures, creating high availability clusters can also be useful for performing routine maintenance such as backups, disk checks, or upgrades that may require a machine to be taken offline or rebooted. In the always-on, always-connected world of the Internet, there no longer exists a good time to take services offline for maintenance, and many companies are turning to clusters and redundancy to keep their availability statistics as close to 100 percent uptime as possible. In addition to creating highly available VPN and Internet gateways, you can also create highly available management stations, so that logging and Security Policy creation and maintenance can continue as normal in the event that the primary management station is unavailable. This enables you to geographically separate additional gateways and management stations, if needed, to provide for disaster recovery and offsite maintenance of your security infrastructure.

Once a previously down server is back online, either from being repaired or from finishing its maintenance programs, the cluster will automatically return the machine to active duty without administrator intervention. This means that if your servers are configured to automatically reboot after a failure, and the reboot successfully repairs the problem so that the server returns to the cluster, the only evidence of the failure may be in the logs.

UA

The UA module provides authentication services to VPN-1/FW-1 and other third-party applications. By extending the user account and group information from multiple sources such as VPN-1/FW-1, Windows NT, or LDAP servers to the firewall and other eBusiness applications, the UA module reduces the need to maintain multiple user information databases for application authentication services. This not only reduces complexity for the users, who can use the same account information for multiple applications, but also simplifies development of new applications by providing the necessary authentication procedures.

The UA module can be used to enable an SSO solution for multiple applications. Many companies have seen increased support calls and user dissatisfaction from the need for users to authenticate themselves to multiple systems and applications, often with different credentials each time. Companies have also seen development costs for new applications drop by leveraging a pre-built authentication mechanism, especially when using less common means of authentication, such as biometrics, two-factor authentication, and digital certificates. The UA module allows authentication services and information to be shared between applications so that users only need to provide authentication credentials once per session to be able to use multiple applications. To enable this, the authorization information is captured by the UA module and is made available to all trusted UA-enabled applications.

FloodGate-1

FloodGate-1 enables you to improve performance of your IP networks by assigning and controlling QoS priority to traffic passing through the VPN-1/FW-1 gateway. Like FW-1, FloodGate-1 is policy-based and managed from the Policy Editor. The integration with VPN-1/FW-1 is what allows FloodGate-1 to outperform other QoS solutions. For example, by working with VPN-1, FloodGate-1 can manage VPN traffic with finer control than other QoS products because it can manage data before it is encrypted and assign weighting to different types of VPN data, whereas other applications can only see and manage the entire encrypted data stream as one. Being built into VPN-1/FW-1 also allows the same objects and user definitions to be used in the QoS policy as in the Security Policy.

To control QoS, FloodGate-1 enables you to set a weighting on individual types of traffic. The weighting for each rule is relative to that of the other active rules in the database, so a rule's share of the bandwidth is its weight divided by the combined weight of all rules that currently have open connections. For example, if data matches a rule that has a weight of 10 while the other rules with open connections have a combined weight of 90, then the data gets 10 percent of the available bandwidth (10 out of 100). However, if the rule has a weight of 10 and the other rules with open connections have a combined weight of only 10, then the data receives 50 percent of the available bandwidth. This allows QoS to be applied dynamically, maximizing use of the available bandwidth and ensuring that no class of traffic is starved completely, even under heavy load. Figure 1.2 shows a FloodGate-1 policy loaded into the Policy Editor in the same fashion as the Security or Network Address Translation (NAT) policy.
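The weighted-share rule above generalizes from the two cases in the text to any set of rules: each active rule receives weight divided by the sum of the weights of all rules with open connections, and inactive rules contribute nothing, so shares are recomputed as connections come and go. The following is an added example written for this chapter, not FloodGate-1's own code; the rule names and weights are constructed, and the link capacity is an assumed T1-class 1544 kbps.

```python
# Added example: weighted fair-share QoS allocation in the style the text
# describes. Rule names, weights and link size are constructed for illustration.

def bandwidth_shares(rules, active):
    """Fraction of the link each *active* rule gets.

    rules:  mapping rule name -> positive integer weight
    active: names of rules that currently have open connections
    share(r) = weight(r) / sum(weight(a) for a in active)
    """
    for name, weight in rules.items():
        if weight <= 0:
            # A zero or negative weight would starve that class outright,
            # which defeats the "no class is starved" property of the scheme.
            raise ValueError(f"rule {name!r} must have a positive weight")
    active_weights = {name: rules[name] for name in active if name in rules}
    total = sum(active_weights.values())
    if total == 0:
        return {}  # nothing has open connections, nothing to share
    return {name: weight / total for name, weight in active_weights.items()}


def allocate_kbps(link_kbps, rules, active):
    """Turn shares into a per-rule kbps budget for a link of the given size."""
    return {name: round(link_kbps * share)
            for name, share in bandwidth_shares(rules, active).items()}


def share_history(rules, timeline):
    """Recompute shares at each step of a timeline of active-rule sets,
    showing how one rule's share moves as other classes open or close."""
    return [bandwidth_shares(rules, set(active)) for active in timeline]


# Constructed policy: four traffic classes with weights summing to 110.
RULES = {
    "sales_upload": 10,   # the text's weight-10 rule
    "web": 50,
    "mail": 40,
    "remote_smtp": 10,
}

LINK_KBPS = 1544  # assumed T1-class link


def demo():
    """The two scenarios from the text, plus a timeline showing the dynamics."""
    busy = {"sales_upload", "web", "mail"}          # others total 90 -> 10%
    quiet = {"sales_upload", "remote_smtp"}          # other totals 10 -> 50%
    return {
        "busy_share": bandwidth_shares(RULES, busy)["sales_upload"],
        "quiet_share": bandwidth_shares(RULES, quiet)["sales_upload"],
        "busy_kbps": allocate_kbps(LINK_KBPS, RULES, busy)["sales_upload"],
        "quiet_kbps": allocate_kbps(LINK_KBPS, RULES, quiet)["sales_upload"],
        "timeline": share_history(RULES, [busy, quiet, set(RULES)]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because a rule's share depends only on which other rules are active at that moment, the same weight-10 rule moves from 10 percent to 50 percent of the link with no policy change; that is the dynamic behavior the text credits for avoiding starvation while keeping the link full.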

Figure 1.2: FloodGate-1 Policy

QoS performance can be monitored from the SmartView Monitor application, and can be selected to show all rules and networks or can be customized to only show VPN or specific application traffic. Since FloodGate-1 integrates with VPN-1/FW-1, general QoS overview statistics are available from the System Status viewer. This enables you to check the health and effectiveness of your QoS policy by looking at the current number of connections as well as pending byte and packet information. Since FloodGate-1 integrates so tightly into FW-1, data logged by your QoS policy (if enabled) is stored in the normal VPN-1/FW-1 logs, enabling you to correlate your policy actions with QoS information with the standard log viewing tools.

Another added benefit of this integration with VPN-1/FireWall-1 is the ability to prioritize and mark packets for QoS even inside the VPN tunnel. This allows an administrator to, for example, limit remote VPN clients' Simple Mail Transfer Protocol (SMTP) sessions to a specific bandwidth, while for uploading quarterly sales data, allow unlimited bandwidth and mark the encrypted packets with Differentiated Services (DiffServ). This type of control is impossible without an integrated VPN and QoS solution.

SmartLSM

In extremely large deployments where configurations are going to be similar, profile- or template-based management may be better suited for the task. For example, when deploying small devices to 1,500 stores across the country or 5,000 devices to regional offices for an insurance company, the standard management may prove to be less efficient than one would like. Even routine tasks like pushing a policy become unmanageable due to the time it would take to push 1,500 policies. SmartLSM simplifies this task by allowing an administrator to create dynamic objects (which are resolved at run time) and policy profiles centrally and, when ready, push the compiled version to a central office firewall, which becomes a distribution point to all the remote firewalls managed by the SmartLSM. All the remote firewalls fetch the policy from the central office firewall on a given interval (if necessary), and because they all start their intervals at random times based on when they start up, the load of sending updated policies is distributed over a longer period of time. From the SmartLSM GUI, one can quickly see the status of hundreds of firewalls at a glance and manually push the dynamic objects or policy immediately, update the software, update the OS, manage licenses, get extended status details, and restart/reboot the gateway. Even more useful is that SmartLSM can manage both normal installations of VPN-1/FW-1 as well as low-end devices running Sofaware's Safe@ software.

SmartLSM can be used with a normal SmartCenter Pro or inside a Provider-1 virtual management station to provide similar policies to many systems whose logs all come to the same system. In contrast to SmartLSM, Provider-1 virtual management stations are most useful when managing systems that have very different functions and differing policies; SmartLSM is used primarily for managing systems with very similar configurations.

Meta IP

As your network grows larger and more complex, IP addressing and name resolution services can become time consuming and often difficult to manage. Not only are DHCP and DNS services important to keep your network running smoothly, but they may also be a large part of your overall network security architecture. We often write security rules by creating groups of IP addresses or defining entire networks as objects, and grant access to services based on a client machine's membership in one of these IP address ranges. For example, it is common to allow all user workstations to browse the Internet but to restrict operators from browsing when logged onto a server. This is a good practice if you are concerned that someone may inadvertently download and execute a virus or other malicious code on a server, where it could do more damage than it would if run on a workstation. This raises the issue of keeping the workstations out of the server IP network space and ensuring that the servers are not configured with workstation addresses. To help mitigate network addressing problems and the security issues that can arise from poor address management, Check Point designed Meta IP to provide you with the ability to securely manage DHCP and DNS services on your network.

The centrally managed DHCP and DNS servers provided by Meta IP can interoperate with any existing standards-based service, making integration into your network easy as well as providing the framework necessary to scale up as your network expands. These features not only help you manage the IP address and namespace on your network, but also can help you reduce support costs by managing related services from a central location. The built-in analysis tools help you manage the often complex server configuration files and enable you to periodically check all files for errors and corruption, either interactively or as an automated, scheduled task.
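The kind of check the preceding two paragraphs describe (keeping dynamic workstation ranges out of server address space, and catching malformed scope definitions before they are loaded) can be illustrated with a small checker. This is an added example, not Meta IP's or Check Point's own tooling: the scope syntax is a simplified, hypothetical ISC-style form, and the server networks and sample scopes are constructed values.

```python
"""Added example: sanity-check constructed DHCP scope definitions against
server address space. Not Check Point / Meta IP code; the scope syntax below
is a hypothetical ISC-style form and all addresses are constructed."""
import ipaddress
import re
from typing import List, NamedTuple, Tuple

# Constructed: networks reserved for servers; no dynamic lease may land here.
SERVER_NETWORKS = ["10.10.0.0/24", "10.20.5.0/26"]

# Constructed sample scope file. Line 5 has an invalid address and line 6 a
# reversed range, so the checker has something to find.
SAMPLE_SCOPES = """
subnet 10.30.0.0 netmask 255.255.255.0 { range 10.30.0.50 10.30.0.200; }
subnet 10.10.0.0 netmask 255.255.255.0 { range 10.10.0.100 10.10.0.150; }
subnet 10.20.5.0 netmask 255.255.255.0 { range 10.20.5.60 10.20.5.70; }
subnet 10.40.0.0 netmask 255.255.255.0 { range 10.40.0.300 10.40.0.20; }
subnet 10.50.0.0 netmask 255.255.255.0 { range 10.50.0.200 10.50.0.100; }
"""

SCOPE_RE = re.compile(
    r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{\s*range\s+(\S+)\s+([^\s;]+)\s*;\s*\}"
)


class Scope(NamedTuple):
    subnet: ipaddress.IPv4Network
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address


def parse_scopes(text: str) -> Tuple[List[Scope], List[Tuple[int, str]]]:
    """Parse scope lines; return (scopes, errors) with 1-based line numbers.

    Errors are collected rather than raised so one bad line does not hide
    the rest of the file, mirroring a whole-file syntax check."""
    scopes: List[Scope] = []
    errors: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SCOPE_RE.match(line)
        if not m:
            errors.append((lineno, f"unparseable scope line: {line!r}"))
            continue
        net, mask, first, last = m.groups()
        try:
            scopes.append(Scope(
                ipaddress.ip_network(f"{net}/{mask}", strict=False),
                ipaddress.ip_address(first),
                ipaddress.ip_address(last),
            ))
        except ValueError as exc:
            errors.append((lineno, f"bad address in scope: {exc}"))
    return scopes, errors


def check_scopes(scopes: List[Scope], server_networks: List[str]) -> List[Tuple[str, str]]:
    """Return (subnet, problem) findings for reversed ranges, ranges outside
    their subnet, and dynamic ranges that intersect a server network."""
    servers = [ipaddress.ip_network(n) for n in server_networks]
    findings: List[Tuple[str, str]] = []
    for s in scopes:
        name = str(s.subnet)
        if s.first > s.last:
            findings.append((name, "range start is after range end"))
        if s.first not in s.subnet or s.last not in s.subnet:
            findings.append((name, "range lies outside its subnet"))
        for srv in servers:
            # The dynamic range [first, last] intersects srv if it starts at or
            # before srv's last address and ends at or after srv's first.
            if s.first <= srv.broadcast_address and s.last >= srv.network_address:
                findings.append((name, f"dynamic range overlaps server network {srv}"))
    return findings


if __name__ == "__main__":
    parsed, parse_errors = parse_scopes(SAMPLE_SCOPES)
    for lineno, msg in parse_errors:
        print(f"line {lineno}: {msg}")
    for subnet, problem in check_scopes(parsed, SERVER_NETWORKS):
        print(f"{subnet}: {problem}")
```

Run as a script it reports the invalid address on line 5, the reversed range in 10.50.0.0/24, and the two scopes whose dynamic ranges reach into server space. In practice the same check belongs in whatever scheduled job validates the address-management configuration, so a workstation range can never silently grow into a network that the firewall policy treats as servers.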

High availability has been built into the Meta IP DNS and DHCP servers to help ensure that the IP address management services stay up and service clients 24 hours a day. The DNS servers support the primary and secondary configuration we are all used to, but for DHCP Check Point has something unique. The Meta IP DHCP service supports a one-to-one failover model as well as a many-to-one model that enables a single, centrally located server to provide backup for any number of servers in a distributed network, reducing the hardware and support costs of maintaining service availability.

To protect the IP address and name service database and configuration from being tampered with or corrupted, Meta IP servers can use Transactional Signatures (TSIGs) to digitally sign and verify the configuration update and replication information they send and receive. This ensures that only services with the appropriate TSIG keys can modify the DHCP scope or DNS zone information.
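The property described above, that only a holder of the right shared key can push an update and only for the zones that key is authorised for, can be shown with a keyed-MAC model. This is an added example and not Meta IP code or a wire-accurate TSIG implementation (RFC 2845 TSIG uses a specific DNS record format and HMAC-MD5 by default); it keeps the three ideas that matter for the security argument: a MAC over the update computed with a named shared secret, a time window ("fudge") that limits replay, and a per-key list of zones the key may change. Key names, secrets and zone names are constructed.

```python
"""Added example: TSIG-style verification of zone updates. Not Meta IP code and
not wire-compatible with RFC 2845; key names, secrets and zones are constructed."""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set, Tuple

# Constructed key store: key name -> (shared secret, zones the key may update).
KEYS: Dict[str, Tuple[bytes, Set[str]]] = {
    "dhcp-primary.": (b"constructed-secret-one", {"corp.example."}),
    "dmz-ns.":       (b"constructed-secret-two", {"dmz.example."}),
}


def _mac(secret: bytes, zone: str, record: str, time_signed: int) -> str:
    """HMAC-SHA256 over a canonical encoding of the update and its timestamp.
    (Real TSIG MACs the DNS message bytes; the principle is the same.)"""
    payload = json.dumps(
        {"zone": zone, "record": record, "t": time_signed}, sort_keys=True
    ).encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def sign_update(key_name: str, secret: bytes, zone: str, record: str,
                now: Optional[int] = None) -> dict:
    """Build a signed update message. `now` is injectable for testing."""
    t = int(time.time() if now is None else now)
    return {"zone": zone, "record": record, "key": key_name, "t": t,
            "mac": _mac(secret, zone, record, t)}


def verify_update(msg: dict, keys: Dict[str, Tuple[bytes, Set[str]]],
                  now: Optional[int] = None, fudge: int = 300) -> Tuple[bool, str]:
    """Accept only if the key is known, the MAC matches, the timestamp is
    within `fudge` seconds, and the key is authorised for the zone."""
    entry = keys.get(msg.get("key", ""))
    if entry is None:
        return False, "unknown key"
    secret, zones = entry
    expected = _mac(secret, msg["zone"], msg["record"], msg["t"])
    if not hmac.compare_digest(expected, msg["mac"]):
        return False, "bad signature"
    current = int(time.time() if now is None else now)
    if abs(current - msg["t"]) > fudge:
        return False, "outside time window"
    if msg["zone"] not in zones:
        return False, "key not authorised for zone"
    return True, "ok"


if __name__ == "__main__":
    secret, _ = KEYS["dhcp-primary."]
    upd = sign_update("dhcp-primary.", secret, "corp.example.",
                      "ws-042.corp.example. 3600 IN A 10.30.0.77")
    print(verify_update(upd, KEYS))
    tampered = dict(upd, record="ws-042.corp.example. 3600 IN A 10.10.0.5")
    print(verify_update(tampered, KEYS))
```

The order of checks matters a little: the MAC is verified before the zone authorisation so that an attacker without the key learns nothing about which zones a key name is allowed to touch, and `hmac.compare_digest` is used so the comparison does not leak timing information about how many leading bytes of a forged MAC were right.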

Arguably the most exciting feature of Meta IP is the ability to provide the SecureDHCP service. By integrating with VPN-1/FW-1 and the UA, Meta IP's DHCP service enables you to authenticate users to a Windows domain or to the FW-1 user database before they are issued a usable IP address. To accomplish this, the client machine is first given a non-routable IP address that provides just enough connectivity to authenticate. Once authenticated, the user's workstation is issued a new address that allows the user to work normally. This not only increases the security of your network by allowing only authenticated users access to network services, but also improves user accountability by showing users that all network access can, if needed, be logged back to their username. This can be particularly useful if your company needs to enforce an acceptable use policy for accessing LAN or Internet resources. The access users are granted before and after authenticating is all controlled via the same SmartDashboard security policy discussed throughout this book.
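The two-phase lease flow just described (a quarantine address good only for authenticating, then a production address once the user is known, with the firewall policy deciding what each phase may reach and the lease table tying addresses back to usernames) can be modelled in a few dozen lines. This is an added example and not Check Point's SecureDHCP or Meta IP code; the pools, rule base, user directory and MAC addresses are all constructed, and the rule base is a simplified ordered list rather than a real SmartDashboard policy.

```python
"""Added example: a model of a two-phase (quarantine, then authenticated) DHCP
lease flow. Not Check Point SecureDHCP / Meta IP code; pools, users, policy
rules and MAC addresses are constructed."""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed directory standing in for the Windows domain / FW-1 user database.
USER_DB: Dict[str, str] = {"alice": "correct horse", "bob": "hunter2"}

# Constructed ordered rule base covering both phases: (source net, destination,
# allowed). First match wins; anything unmatched is denied.
POLICY: List[Tuple[str, str, bool]] = [
    ("192.168.254.0/24", "auth-server", True),   # quarantined hosts: auth only
    ("192.168.254.0/24", "*", False),
    ("10.30.0.0/24", "*", True),                 # authenticated hosts: normal access
]


@dataclass
class Lease:
    mac: str
    ip: ipaddress.IPv4Address
    user: Optional[str] = None   # stays None until the user authenticates


class SecureDhcpServer:
    def __init__(self, quarantine_pool: str, production_pool: str) -> None:
        self.q_free = list(ipaddress.ip_network(quarantine_pool).hosts())
        self.p_free = list(ipaddress.ip_network(production_pool).hosts())
        self.leases: Dict[str, Lease] = {}
        self.audit: List[str] = []   # constructed audit trail

    def request(self, mac: str) -> Lease:
        """First request from any client: hand out a quarantine address only."""
        if mac in self.leases:
            return self.leases[mac]
        lease = Lease(mac, self.q_free.pop(0))
        self.leases[mac] = lease
        self.audit.append(f"quarantine lease {lease.ip} -> {mac}")
        return lease

    def authenticate(self, mac: str, username: str, password: str) -> Optional[Lease]:
        """On success, return the quarantine address to its pool and issue a
        routable one bound to the username; on failure, keep the client quarantined."""
        lease = self.leases.get(mac)
        if lease is None or lease.user is not None:
            return lease
        expected = USER_DB.get(username, "")
        if not (expected and hmac.compare_digest(expected, password)):
            self.audit.append(f"auth failed for {username!r} from {lease.ip}")
            return None
        self.q_free.append(lease.ip)
        lease.ip = self.p_free.pop(0)
        lease.user = username
        self.audit.append(f"production lease {lease.ip} -> {mac} user={username}")
        return lease

    def user_for_ip(self, ip: str) -> Optional[str]:
        """Accountability: map an address seen in a log line back to a user."""
        addr = ipaddress.ip_address(ip)
        for lease in self.leases.values():
            if lease.ip == addr:
                return lease.user
        return None


def policy_allows(src_ip: str, destination: str) -> bool:
    """Evaluate the constructed rule base: first matching rule wins, default deny."""
    src = ipaddress.ip_address(src_ip)
    for net, dst, allowed in POLICY:
        if src in ipaddress.ip_network(net) and dst in ("*", destination):
            return allowed
    return False


if __name__ == "__main__":
    server = SecureDhcpServer("192.168.254.0/24", "10.30.0.0/24")
    lease = server.request("00:11:22:33:44:55")
    print("before auth:", lease.ip, policy_allows(str(lease.ip), "internet"))
    lease = server.authenticate("00:11:22:33:44:55", "alice", "correct horse")
    print("after auth:", lease.ip, policy_allows(str(lease.ip), "internet"))
    print("\n".join(server.audit))
```

The point of the model is that the DHCP server never needs to know the firewall policy and the firewall never needs to know passwords: the quarantine network is a plain network object in the rule base, so "what an unauthenticated machine may reach" is expressed once, in the same policy as everything else, and the lease table is what turns a source address in a log into a name.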




Check Point NG AI
ISBN: 735623015
Year: 2004
Pages: 149