OPSEC Applications


Realizing that no single product or vendor could address network security completely and do it well, Check Point designed the OPSEC standard to enable security managers to easily extend the functionality of VPN-1/FW-1 with best-of-breed third-party applications designed for specific security requirements. By using a standard set of Application Programming Interfaces (APIs) and open protocols, OPSEC applications are able to easily move data in and out of the VPN-1/FW-1 infrastructure.

An OPSEC session is a dialog between two OPSEC entities using one of the OPSEC APIs, and is usually between VPN-1/FW-1 and a third-party application that performs a specific task on the data received from the firewall. For a list of available applications, check the OPSEC Alliance Solutions Center at www.opsec.com.

The properties of the OPSEC session are defined in the OPSEC application object's properties in the Security Policy Editor database. As you can see in Figure 7.1, there are three major types of OPSEC servers, using the CVP (Content Vectoring Protocol), UFP (URL Filtering Protocol), and AMON (Application MONitoring) protocols, as well as six client options using the following APIs:

  • Event logging API (ELA)

  • Log exporting API (LEA)

  • Suspicious activities monitor (SAM)

  • Check Point management interface (CPMI)

  • Object management interface (OMI)

  • UserAuthority API (UAA)

    Figure 7.1: OPSEC Application Properties, General Tab

Each one of these protocols is a specific interface used to extend the capabilities of the firewall to another application. This tight integration provides functionality exceeding what would be available with each piece operating individually.

Besides the required naming information, the General tab of the OPSEC Application Properties window requires you to specify the host on which this server is running. You must create the host object before creating a new OPSEC application object, because you cannot create a new workstation object while the Application Properties window is open. You must then define the application properties, located in the section of that same name. To set the application properties you can either select User Defined from the Vendor drop-down menu and then manually select both the server and client entities, or select a specific vendor, product, and version here.

Vendors and products available from the Vendor menu include Computer Associates' SafeGate product and Finjan Software's SurfinGate, as well as a variety of solutions from Trend Micro, F-Secure, Aliroo, and Aladdin Knowledge Systems. Over 70 vendors are predefined and listed in Next Generation with Application Intelligence (NG AI), some with multiple products listed. A complete list of OPSEC certified CVP vendors and products can be found at www.opsec.com/solutions/sec_content_security.html. After selecting a predefined vendor and product from the list, the appropriate Server and Client Entities sections will be filled in automatically.

If you selected User Defined from the Vendor menu, the next step in defining a new OPSEC application object for use in your security policy is to select the Client or Server entry that matches how the application functions. As shown in Figure 7.1 with CVP checked, once you select the appropriate application type, the second tab of the OPSEC Application Properties window, which contains application-specific communication configuration information, will change to match your selection. Your final step on this tab is to configure SIC, or Secure Internal Communication, by clicking the Communication button. Setting up SIC for OPSEC applications is identical to setting up SIC for firewall modules.

The next few pages will discuss each of these communication methods in detail and give you a sense of the flexibility and ease of integration that the OPSEC standard offers.




Check Point NG AI
ISBN: 735623015
Year: 2004
Pages: 149
