Summary


The Check Point NG AI suite of products provides a combination of market-leading tools and applications intended to meet the basic security needs of the entire enterprise. Using the SVN architecture to view security not only from the perspective of the firewall or stand-alone VPN-connected user, but also from an end-to-end solution perspective, has allowed Check Point to bring together the tools you need to secure your data assets.

VPN-1/FW-1 is the cornerstone of the NG AI suite, providing network security and VPN capabilities, as well as serving as the foundation for many of the other NG AI products. To complete the VPN capabilities of VPN-1, SecuRemote and SecureClient were included in the NG AI suite. SecuRemote provides a mechanism to authenticate users and encrypt data between the user's desktop and the VPN-1 gateway, while SecureClient adds a personal firewall to the user's computer that can be managed from the Policy Server integrated into VPN-1. This effectively enables you to expand the perimeter of your network to encompass and secure all entry points into your network, including Internet-connected VPN users.

Although VPN-1/FW-1 meets the basic security need of providing gateway protection and a secure VPN endpoint, additional products have been added to the NG AI suite to address other security challenges identified in the SVN architecture. Since efficient network management so often becomes a big part of network security, Check Point developed Meta IP to provide and manage DNS and DHCP services and introduce new features to these crucial services such as Secure DHCP. To help you make efficient use of your limited bandwidth, FloodGate-1 enables you to prioritize network traffic and provide QoS on data passing through your gateways, ensuring timely delivery of high priority data, such as traffic to your Web site, or of time-sensitive application data like streaming video.

Managing and sharing user account and authorization information is critical to ensuring that legitimate users get access to the resources they need while blocking access to unauthorized parties. Proper authentication mechanisms can also increase user satisfaction by not forcing multiple, often redundant, logons. Two tools were added to the NG AI suite to help manage user credentials and authorization information. The account management module allows LDAP-stored user accounts and associated information to be easily created and maintained alongside the Security Policy that uses them. To help share user authorization information between OPSEC applications, the UA module was developed, allowing other applications access to the user privilege information already gathered by VPN-1/FW-1.

Finally, the SmartView Reporter and tools for real-time status monitoring were added to help you keep track of how your security infrastructure is performing. By monitoring and trending your network usage, the monitoring and reporting tools help you not only spot security problems or attempted violations and suspicious activity, but also proactively monitor network traffic levels, allowing you to plan for growth or reduction of provided services.

After looking at the entire NG AI suite, this chapter focused on the VPN-1/FW-1 module, looking at how the three major components of FW-1 work together in a distributed or stand-alone environment. The GUI client enables you to remotely manage the Security Policy and provides the main interface for most NG AI products. The GUI is comprised of several modules and tools including the SmartMap and Object Lists that help you maintain your network policies. These tools help you easily create and visualize your network security rules, reducing the chances for configuration errors caused by oversight or confusion when creating and updating the rule base.

The GUI client is the tool you use to create the Security Policy that is stored on the SmartCenter (management) server. The SmartCenter's management module not only stores the Security Policy used by FW-1-based devices, but can also create and distribute ACLs for OPSEC-certified network devices such as routers and switches. The management module is also responsible for keeping the logs from all VPN-1/FW-1 enforcement modules and from SecureClient machines. Network traffic between the GUI, management server, and firewall module is encrypted using SIC to ensure that an unauthorized third party cannot read or modify sensitive data while in transit.

After being compiled into the appropriate format, the Security Policy is pushed from the management server to the firewall inspection module to be enforced. To understand how the inspection module makes control decisions for data attempting to pass through the firewall, it is necessary to understand the technology Check Point calls Stateful Inspection. By comparing the pros and cons of proxy firewalls (that provide good application control with limited scalability) and packet filters (that scale well but cannot provide in-depth application control) to Check Point's Stateful Inspection, you should have a basic understanding of how the FW-1 Inspection Engine works, and why Stateful Inspection simplifies security management while increasing overall security with application awareness.

Although network security application vendors would like to produce a single product or suite that could storm the market by providing all the security tools any organization will need, the fact is that this is not possible. Although Check Point VPN-1/FW-1 and the NG AI suite cover the basic security needs of most enterprises, there will always be small gaps where third-party applications are needed. To help ensure that you can leverage your existing investment and provide easy integration with your Check Point security infrastructure, OPSEC was created to certify that the third-party products you require will work well with VPN-1/FW-1 and other OPSEC applications.

Combining the proven, market-leading NG AI versions of VPN-1 and FW-1 with the NG AI suite of products and with Check Point OPSEC partner applications enables you to build and manage the highly available and secure network infrastructure needed to support today's eBusiness models and to scale up to future growth in enterprise network security.




Check Point NG[s]AI
ISBN: 735623015
EAN: N/A
Year: 2004
Pages: 149
