Content Vectoring Protocol


Content Vectoring Protocol is normally used to move data, such as Web pages or e-mail messages, from VPN-1/FW-1 to another server for validation. Though a CVP server (such as an antivirus server) could reside on the same physical server as a firewall module, it is not recommended, as this would add a significant amount of overhead to the firewall (in the case of an antivirus server, looking through a database of known viruses for each HTTP connection would likely slow down the firewall). For example, CVP could be used to move all inbound SMTP e-mail messages to a content-scanning server that will check for malicious ActiveX code. Most commonly, CVP is used to virus-scan file data from e-mail messages or files downloaded from the Internet as they pass through the firewall. However, it has also been used to monitor and filter incoming traffic to a SQL database from the Internet by Log-On Software's SQL-Guard application.

Defining Objects

There are three steps involved in creating a new CVP object to use in your Security Policy.

  1. Create a standard workstation object for the server. The workstation object enables you to assign an Internet Protocol (IP) address and name to the server that hosts the application you will be sending data to.

  2. Create a new OPSEC application object to define the properties of the service you're enabling. This can be done by selecting Servers and OPSEC Applications from the Manage menu and then clicking New, or by right-clicking in the OPSEC Applications tab of the Object Tree and selecting New, and then OPSEC Application. When you complete the General tab of the OPSEC Application Properties window, you will use the workstation object you created as the resource's host. Figure 7.1 shows the completed General tab.

  3. Configure the CVP properties. This is done on the CVP tab that appeared when you checked the CVP option under Server Entities. The CVP tab is used to define how this application communicates with the firewall. As shown in Figure 7.2, CVP applications require only a few options: a Service drop-down list and an optional directive to use backward compatibility.

    Figure 7.2: OPSEC Application Properties, CVP Options Tab

The Service selected on the CVP Options tab defines the port on which this application will be listening for connections from the firewall, and is almost always set to FW1_cvp (Transmission Control Protocol port 18181). The Use backwards compatibility mode section replaces the function of the fwopsec.conf file that was used in version 4.x of FireWall-1. If your OPSEC vendor has supplied instructions relating to that file, then this is the area where you implement them. Generally, applications based on the OPSEC Software Development Kit (SDK) version 4.1 or lower will require that you use backward compatibility. Typically, when applications use backward compatibility they also require the legacy fw putkey command to be used on both sides to establish trust instead of SIC.

Creating a CVP Resource

Now that you've defined your OPSEC application server, you'll want to start sending it data from your security policy through a resource definition. There are five resource types that can be used in your security policy to send data to a CVP server:

  • URI URI resources are mostly used to manipulate HTTP requests.

  • SMTP SMTP resources enable you to filter and modify e-mail message data as it passes through your firewall.

  • FTP FTP resources provide the tools needed to control your users' FTP sessions.

  • TCP The Transmission Control Protocol resource enables you to work with other TCP services that are not covered by the other resources.

  • CIFS The Common Internet File System resource enables you to granularly filter CIFS file and printer sharing connections.

The previously listed resources are implemented by the VPN-1/FW-1 security servers. Each security server is a specialized module that provides detailed control for specific services. Located just above the Inspection Module in the firewall daemon, the security servers have the ability to monitor and manipulate SMTP, Telnet, FTP, and HTTP traffic, providing highly tunable access control and filtering capabilities.

Since each security server has full application awareness of the protocols it supports, it is capable of making control decisions based on the data and state of the session, similar to how proxy firewalls function. In addition to performing specific content filtering, the security servers provide a conduit to send and retrieve data to and from third-party servers, allowing VPN-1/FW-1 to use other security applications in the traffic control process.

When invoked by a resource, the security servers will proxy the affected connections. Aside from the possibility of adding latency to the session (normally only measurable on very busy firewalls or with servers that are improperly equipped to run the OPSEC application) and additional load to the firewall, Network Address Translation (NAT) cannot be used with data allowed (or dropped) using resources. Since the firewall must proxy the connection, all data will appear to come from the address of the firewall interface that is closest to the server. This means that any applicable NAT rules will not be used, because the firewall itself will function as the server the client is connecting to. Then, once the content is approved, the firewall will create a new connection to the actual server that will service the request. This is probably not a big deal when using hide-mode NAT, but it can be a bit confusing when debugging a problem between networks where NAT is not used. In this case, you would expect the traffic to be coming from the server's IP address, but it would actually be coming from an IP address on the firewall.

To help understand how CVP servers can be used as part of the security policy, let's look at how to integrate virus scanning into the security policy. Later on, we'll examine in detail how FTP and other resources match data streams that we can send to our CVP server, but for now let's just look at how to set up a simple FTP resource that enables users to retrieve files from the Internet and scans those files for viruses before sending them to the user. There are three steps involved in setting up this simple resource:

  1. Create the resource object by selecting Resources from the Manage menu. Click New, then FTP. Set up the object name, comment, and color on the resulting FTP Resource Properties window. The other two tabs of this window will allow you to specify the details for the resource's filter and allow you to send data to the CVP server.

  2. On the Match tab, set Method to GET. This instructs the VPN-1/FW-1 FTP security server to only allow users to download files via FTP, since uploading would require the use of the PUT command.

  3. Use the CVP tab, shown in Figure 7.3, to select the antivirus server object and define how it will function for this resource.

Aside from the Use CVP checkbox, which enables the CVP server drop-down list where you select the server to use, the CVP tab has two other important options that control how the CVP server functions in your resource. The CVP server is allowed to modify content checkbox controls whether or not VPN-1/FW-1 will pass on data that has not come back from the CVP server in its original form. This option is particularly useful for virus scanning, where an infected file may be sent to the antivirus server and cleaned before being returned. This option allows the VPN-1/FW-1 security server (which enforces the FTP Resource definition) to accept the cleaned file and send it on to its destination. If the CVP server is allowed to modify content option were not enabled, the antivirus software would only be allowed to report that the file was infected, causing the security server to discard the file completely.

Figure 7.3: FTP Resource Properties, CVP Tab

The Reply Order options control when and how the CVP server will scan data being passed to the user. The options for controlling how data is scanned are:

  • Return data after content is approved This option sends the entire file or data stream to the CVP server to be checked after the security server has validated the content. In our example, the GET request would be validated before the file was checked for viruses.

  • Return data before content is approved Some packets are returned to the security server before the CVP server has approved them. This option is especially useful for resources that may deal with large files. Continuing to send the data stream before it has been approved may help stop problems with FTP or HTTP sessions timing out while the CVP server downloads and then checks the requested file. With this option the CVP server will allow all packets to be sent back to the security server and on to its destination, but the final packet will be held pending approval from the CVP server. This means the file will be incomplete and unusable at the end of the transfer if it is disallowed.

The method you select will depend greatly on what function your CVP server performs on the data, and on how the application is designed. In the antivirus server example, the CVP server controls the reply order. This allows the antivirus software maximum flexibility for scanning files and raw data differently if desired, since the application could decide to assemble a complete binary file before scanning, but scan HTML packets individually. Note that your CVP application must support this option, so check the documentation that came with your application before creating the resource to ensure compatibility.

Using the Resource in a Rule

The final step in using a CVP server, after creating the OPSEC application object and using it in a resource definition, is to build it into a rule in your security policy. Creating a security policy rule to use a resource is almost identical to creating a normal rule. The only exception is in the Service column where, instead of selecting Add after right-clicking, you will select Add With Resource. Figure 7.4 shows the Service with Resource window that enables you to configure the resource to be used in the security policy.


Figure 7.4: Service with Resource Window

The Service with Resource tab allows you to select from the supported services and define which resource to use with that service. In the case of our virus-scanning example, we'll be using the FTP service with the ftp_get resource. Figure 7.5 shows the completed rule that allows local network traffic to FTP data from the Internet using the resource that limits access to FTP GETs only, and will use the CVP server we defined to scan all files for viruses before passing them to the user. Notice that the Service_Net is negated in the destination. This enables you to control access to known networks separately from access to the Internet, and to adhere strictly to the security principle of least access. If the destination field had been set to Any, it would have inadvertently opened FTP access to the network represented by the Service_Net object even though the intention was just to allow FTP GETs from the Internet. You will also notice that the icon used in the Service column indicates that we're allowing the FTP service with the ftp_get resource.

Figure 7.5: Security Policy Rule Using Resource

The important thing to remember when using resources is that data is matched or denied on a per-packet basis. You could, for example, choose to scan only files of type *.exe downloaded via HTTP, with an accept rule that uses a CVP resource. However, this will only accept the downloaded files, not the pages you must browse to find the file you want. To make this work, you must specify a rule to match all other HTTP traffic; otherwise the HTTP-browsing traffic will fall through to the cleanup rule and be discarded.
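To make the two rule-base points above concrete (the negated Service_Net destination in the Figure 7.5 rule, and the *.exe-only HTTP rule that lets plain browsing fall through to the cleanup rule), here is a small first-match rule-base simulator. It is an added illustration, not Check Point code or anything from the book; the address ranges, the server object name AV_Server, and the rule names are constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
# Constructed sample address ranges; the chapter names these objects but gives no addresses.
NETS = {"Local_Net": ip_network("10.1.0.0/16"), "Service_Net": ip_network("192.0.2.0/24")}

@dataclass
class Rule:
    name: str
    src: str                    # network object name, or "Any"
    dst: str
    service: str                # "ftp", "http", or "Any"
    action: str                 # "accept" or "drop"
    dst_negated: bool = False   # the "not Service_Net" destination of Figure 7.5
    method: str = ""            # resource Match tab: FTP method (ftp_get uses "GET")
    path_glob: str = ""         # resource Match tab: HTTP file pattern such as "*.exe"
    cvp: str = ""               # CVP server object selected on the resource's CVP tab

def addr_match(obj: str, ip: str, negated: bool = False) -> bool:
    hit = obj == "Any" or ip_address(ip) in NETS[obj]
    return hit != negated

def rule_match(r: Rule, src, dst, service, method, path) -> bool:
    if not (addr_match(r.src, src) and addr_match(r.dst, dst, r.dst_negated)):
        return False
    if r.service not in ("Any", service):
        return False
    if r.method and method != r.method:                 # resource limits the FTP method
        return False
    if r.path_glob and not fnmatch(path, r.path_glob):  # resource limits the HTTP file
        return False
    return True

def evaluate(rules, src, dst, service, method="", path=""):
    """First-match evaluation; returns (rule name, action, CVP server or None)."""
    for r in rules:
        if rule_match(r, src, dst, service, method, path):
            return r.name, r.action, r.cvp or None
    return "cleanup", "drop", None  # nothing matched: implicit drop

CLEANUP = Rule("cleanup", "Any", "Any", "Any", "drop")
# The rule of Figure 7.5: FTP GETs from Local_Net to anywhere except Service_Net, via the AV server.
FTP_GET = Rule("ftp_get", "Local_Net", "Service_Net", "ftp", "accept",
               dst_negated=True, method="GET", cvp="AV_Server")
# The same rule with destination Any: the mistake the text warns about.
FTP_ANY = Rule("ftp_any", "Local_Net", "Any", "ftp", "accept", method="GET", cvp="AV_Server")
# HTTP rule that scans only *.exe downloads, and the extra browsing rule the text says is needed.
EXE_SCAN = Rule("exe_scan", "Local_Net", "Service_Net", "http", "accept",
                dst_negated=True, path_glob="*.exe", cvp="AV_Server")
BROWSE = Rule("browse", "Local_Net", "Service_Net", "http", "accept", dst_negated=True)
```

Evaluating [FTP_GET, CLEANUP] against a GET to an Internet host returns the ftp_get rule with AV_Server, while the same GET to a Service_Net address falls to cleanup; swapping in FTP_ANY accepts it. With [EXE_SCAN, CLEANUP] alone a request for /index.html is dropped, and only adding BROWSE before CLEANUP lets browsing through.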

CVP Group

As with most other objects in the Security Policy, CVP objects can be grouped. When you combine two or more OPSEC applications into a group, additional options for load balancing and chaining become available. Figure 7.6 shows a CVP group configuration tab being used to enable load balancing across two antivirus servers.

Figure 7.6: CVP Group Properties

Creating a new CVP group can be done easily by right-clicking in the Servers and OPSEC Applications tab of the object list. Next, select New and CVP Group. After defining the group's name, adding a descriptive comment, and assigning the color you want for this object, you'll need to select the servers that will be members of this group. Note that groups don't have to be of identical object types. You can have a group consisting of a UFP server (which we'll look at next) and a CVP server to enable application chaining.

Once the components of the group have been defined, you'll have to select the function of this group by making the appropriate selection in the Work distribution method section. You have two choices:

  • Load sharing When selected, the workload is distributed among the servers in the group. There are two distribution methods allowed: round robin or random.

  • Chaining Chaining allows a data stream to be inspected by several servers that perform different functions. For example, a chaining group consisting of an antivirus scanner and a Web content scanner could be employed to check your incoming e-mail traffic for viruses and appropriate language. If you select chaining, you'll have an option to abort the chain when any individual server detects a violation, or to allow all the servers to inspect the data before making a control decision.

Once you have the CVP group created, it can be used in the security policy to create a resource rule, just like any other group object would be used to create a standard rule.




Check Point NG[s]AI
ISBN: 735623015
Year: 2004
Pages: 149