Other Resource Options


When we examined CVP and UFP resources, we touched on the basics of URI and FTP resources to show how third-party servers are used in the security policy. URI resources can filter on wildcard matches and can be configured from specially formatted files, which you can create yourself or purchase. After covering the remaining URI filtering methods and functions, we'll take a closer look at the FTP resource we used in the virus-scanning example earlier, and then examine the SMTP, TCP and CIFS resources.

The URI, SMTP, FTP, TCP and CIFS resources can be used in the rulebase in the same fashion as a normal service (such as HTTPS). The difference is in how the firewall handles the resource. When a packet matches a rule that uses a resource, the connection is handed off to the appropriate security server (if necessary), which inspects the connection's content and makes a control decision. This means that the packet must be approved by the resource before the rule's action takes effect. Keep this in mind when creating your rules: you don't want to waste time virus-scanning files with a resource when the rule that triggered the scan will drop them anyway.

URI Resources

In addition to the resource we examined earlier (Figure 7.9) to use a UFP server in the security policy, there are two other types of URI resources. URI file resources allow you to use a specially formatted file to load complete URL strings, while wildcard resources allow you to create completely custom match strings that may be as simple as looking for all executable files.

When you select a type of URI resource on the General tab, the Match tab changes to offer options specific to that type of object (Wildcard, File, or UFP). We've already looked at the UFP Match tab (Figure 7.10) and will examine the File and Wildcard tabs next, but note that regardless of which URI Match Specification Type you choose, the Action and CVP tabs remain unchanged.

As we saw when we looked at CVP servers, the CVP tab (Figure 7.3) enables you to configure the resource's interaction with the CVP server. The Action tab, shown in Figure 7.14, enables you to further control and filter URI requests. Here you can enter a Replacement URI, which redirects the user's session to a site of your choice if the rule that matches this object has its action set to reject. Many companies use this option to redirect users to the corporate acceptable Internet-use policy when certain blocked URLs are requested.

Limited content filtering is available through the HTML Weeding options on the Action tab. You have five options for removing ActiveX, Java, and JavaScript code from the HTML data:

  • Strip Script Tags: Remove JavaScript information from the selected Web page.

  • Strip Applet Tags: Remove Java applet information from the selected Web page.

  • Strip ActiveX Tags: Remove ActiveX information from the selected Web page.

  • Strip FTP Links: Remove links destined for an FTP site from the selected Web page.

  • Strip Port Strings: Remove port strings from the selected page.

Although removing this data from the HTML code before the user sees it does reduce the risk of malicious code reaching your users, the stripping is non-selective: every tag of the chosen kind is removed. In addition, you have the option, under Response Scanning, to block all Java execution. Consider how these settings may reduce the functionality of some pages and affect your users before enabling this type of filtering. For more granular control over these data types, you need to look into the services provided by a good CVP or UFP application.

Figure 7.14: URI Resource Properties - Action Tab

URI File

After selecting File on the URI Resource Properties General tab (Figure 7.15), the Match tab will display the import and export options, as seen in Figure 7.16. These options enable you to load the match string definitions from disk rather than having to create complicated match strings manually.

Figure 7.15: URI Resource Properties - General Tab

Figure 7.16: URI File Configuration

Clicking Import will enable you to specify the directory and filename of the file that contains the URIs you want to apply the filter to. The Export option will create a file containing the currently filtered URIs.

A URI specification file can be bought from companies that specialize in URL classification, or you can create your own. When creating one, be sure to use an ASCII editor that writes \n (LF) as the new-line character, as this is the character the security server expects at the end of each line. Each line of the URI specification has three parts:

  • The IP address of the blocked server.

  • An optional path to filter.

  • A category number. Typically, each line is set to 0 (zero), but you can pick any number you like. Be careful when applying service or feature packs to your firewall, as it is possible that Check Point may start using this field in the future, so you may need to adjust it to an acceptable value.

The completed line will look similar to this: 192.168.0.1 /home 0, which denies any request for information under the /home directory on the 192.168.0.1 server. Your firewall will require access to a domain name service (DNS) server if you use the name of the blocked resource rather than its IP address. Also note that you could generate a considerable amount of DNS traffic on a busy firewall if you use names rather than IP addresses, since each URI must be resolved before it is checked.
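As an added example (not from the book or from Check Point), here is a small Python helper that writes a URI specification file in the layout just described, rejects DOS (CRLF) line endings, lists the entries that will need DNS resolution, and checks a request against the loaded entries. The hosts and paths are constructed for the example.

```python
import ipaddress

# Layout from the text: "<host> [<path>] <category>" per line, LF-terminated.
# Sample entries below are constructed for this example.
SAMPLE_ENTRIES = [
    ("192.168.0.1", "/home", 0),         # deny everything under /home on this server
    ("192.168.0.2", None, 0),            # deny the whole server (no path given)
    ("www.example.com", "/private", 0),  # a name: the firewall must resolve it via DNS
]


def build_uri_spec(entries):
    """Render entries as URI specification file text, using \n only."""
    lines = []
    for host, path, category in entries:
        fields = [host] + ([path] if path else []) + [str(category)]
        lines.append(" ".join(fields))
    return "\n".join(lines) + "\n"


def has_clean_line_endings(text):
    """True when no carriage returns are present (a DOS editor would add CRLF)."""
    return "\r" not in text


def parse_uri_spec(text):
    """Parse file text back into (host, path or None, category) tuples.

    Raises ValueError on a malformed line so a bad file is caught before loading."""
    entries = []
    for lineno, raw in enumerate(text.split("\n"), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            host, path, category = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1].startswith("/"):
            host, path, category = fields
        else:
            raise ValueError(f"line {lineno}: expected '<host> [<path>] <category>', got {raw!r}")
        entries.append((host, path, int(category)))
    return entries


def hosts_needing_dns(entries):
    """Hosts given by name rather than IP address; each request to them costs a lookup."""
    names = []
    for host, _, _ in entries:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            names.append(host)
    return names


def is_blocked(entries, host, path):
    """True when a line names this host and the request path is that line's path or under it."""
    for entry_host, entry_path, _ in entries:
        if entry_host.lower() != host.lower():
            continue
        if entry_path is None or path == entry_path or path.startswith(entry_path.rstrip("/") + "/"):
            return True
    return False
```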

URI Wildcards

When you select the Wildcards option from the General tab of the URI Resource Properties window (Figure 7.17), you are offered several options on the Match tab that help you build a customized string to search for. You'll also notice that a new tab, SOAP, appears.

Figure 7.17: URI Wildcard Resource General Tab

Figure 7.18 shows the predefined checkbox options available on the Match tab. As well as the commonly used schemes and methods provided, the Other option can be used to provide even greater flexibility.

Figure 7.18: URI Wildcards Match Specification

Under the Schemes section, you can select from the predefined common schemes of HTTP, FTP, Gopher, mailto, NEWS, and WAIS. If what you're looking for isn't among the six schemes provided, you can specify exactly what you need in the Other field. Most commonly, you'll enter complete schemes to catch, such as HTTPS, but this field also supports wildcards, so you can, if needed, specify something like *tp. This would catch any scheme ending in the string tp, such as FTP, NNTP, SMTP, and HTTP, among others. Choose your wildcards carefully to ensure that a poorly written search string doesn't block or allow something you hadn't intended.

The Methods section provides the most common HTTP methods in a predefined set of options:

  • GET: The GET method is used to retrieve all the information specified by a URI. It is commonly used to download a complete HTML file as part of a Web browser session.

  • POST: Used to ask the server to accept a block of data, and is usually found in forms to send input from the user back to the server for processing.

  • HEAD: This method functions almost exactly like GET, except that the entire requested resource is not returned. HEAD is commonly used to validate URL links and to check time and date stamps for modification (normally to see if a cached copy is still current).

  • PUT: This method is used to place data (normally files) into the location specified by the URI, unlike the POST method, which sends data to an application as input.

The Other field in the Methods section supports the following less-common methods as well as wildcards that can be used to specify a custom pattern to match.

  • OPTIONS: This method can be used to determine the parameters available and supported at a specified URL. The OPTIONS method is commonly used to retrieve information about the server or specific resources without using a method like GET or HEAD, which would attempt to retrieve the actual object.

  • PATCH: Functions like PUT except that only a list of changes or differences between the file specified in the URL and the client's copy is sent. This method is most likely to be used when dealing with large files that only receive small updates, so sending only the changes is more efficient than sending the entire file again.

  • COPY: The COPY method specifies a second URL in the request headers and instructs the server to place a copy of the specified resource at the location defined in the headers. This would enable the user to copy data from one server to another without having to download a copy of the data first, and is commonly used if the network between the servers is faster than between the client and the servers.

  • DELETE: Instructs the server to delete the resource (normally a file) specified in the URL.

  • MOVE: The MOVE method will first copy the data to another specified URL, then delete the original.

  • LINK: Allows you to create relationships between resources, and is similar to the ln command on UNIX systems.

  • UNLINK: Deletes the relationships created by LINK.

  • TRACE: The TRACE method is normally used for testing and will cause the server to echo back the information it receives from the client. This allows the client to analyze the information that was received by the server and compare it to what was sent.

The final section of the Match tab allows you to specify the host, path, and query options to match. The Host option can be specified by name (such as www.syngress.com) or by IP address. If you specify the host by name, you will need to ensure that the firewall has access to a DNS server to resolve the name to an IP address. You can use wildcards to help build the pattern to match if needed.

The Path option must include the directory separation character (normally /) in order for a match to be made. When you define the path to match, you must specify the complete path, down to the individual file, or use wildcards to match all files or directories. Table 7.1 shows common strings used in the path field and how they will match to incoming data.

Table 7.1: Path Field Search Examples

  String             Results
  /home              Will match a file called home in any directory. For example, /home and /mysite/mydir/home would both be matched. In either case, if home were a directory, no match would be found.
  /home/*            Will match all files and directories under the home directory. For example, /home/index.htm and /home/files/index.htm would be matched.
  */home/*           Will match any URI that contains the directory home, so files in /home would be matched as well as files in /mydir/home/mysite.
  */index.htm        Will match the file index.htm in any directory.
  */*.mp+            Will match three-character file extensions that start with mp, such as mp3 and mpg.
  */*.{exe,zip,gz}   Will match all files that end in .exe, .zip, or .gz in any directory.

The Query field can be used to match on any string of characters found after a question mark (?) in a URL. Since wildcards are supported here as well, it is not necessary to know the exact placement of the key words you are looking for in the query. For example, this will allow you to block or redirect searches for keywords that are in violation of your Internet acceptable-use policy.

When working with URI resources, it is common to use a single asterisk in the three match fields so that all possible requests are matched. However, when using CVP servers, it is often useful to do specific file matching with wildcards in the path field to ensure that only supported data types are sent to the server to be scanned.

The final tab is the SOAP tab. SOAP stands for Simple Object Access Protocol. It is a lightweight protocol used in the exchange of information in a decentralized, distributed environment. SOAP messages are encoded in XML (Extensible Markup Language). A full discussion of SOAP and XML is well outside the scope of this book. More information can be found in other books or at http://www.w3.org/TR/SOAP/.

The SOAP option can only be used with HTTP connections that are accepted; it is not usable if the action is drop or reject. The additional checking that VPN-1/FW-1 does when Allow all SOAP requests is selected is to confirm that the SOAP requests conform to RFC standards (see Figure 7.19). When selecting Allow SOAP requests as specified in the following file, a file named scheme1 through scheme10 in the management station's $FWDIR/conf/XML directory specifies the namespaces and methods used for the exchange. The namespace and XML methods being passed can be viewed in SmartView Tracker by setting the Track SOAP connections option. An example can be seen in $FWDIR/conf/XML/SchemeSample.dat. The syntax for the file is as follows:

  namespace method

Example:

  http://tempuri.org/message/ EchoString
  http://tempuri.org/message/ SubtractNumbers

Figure 7.19: URI Wildcards SOAP Specification

SMTP Resources

The SMTP resource defines the methods used by VPN-1/FW-1 to control and manipulate incoming and outgoing e-mail. There are many options, including the ability to remove active scripting components, rewrite fields in the envelope (such as to: or from:), or filter based on content. The configuration of an SMTP resource is similar to that of URI resources, including the ability to use a CVP server to provide third-party content filtering. Figure 7.20 shows the General tab of the SMTP Resource Properties window that is used to set basic operational parameters for the resource.

Figure 7.20: SMTP Resource Properties - General Tab

This tab includes the standard initial object setup of name, comment, and color. If you want to forward all messages to another server, specify its name or IP address in the Server text field. Enable the Deliver messages using DNS/MX records option to have these messages delivered directly to the specified server rather than to a group of servers used for redundancy purposes. The Check Rule Base with new destination option instructs the security server to recheck the SMTP message's destination server against the security policy after it has been modified by the SMTP resource. Identical settings are available for the handling of error mail messages if the Notify sender on error option is selected.

The Match tab, shown in Figure 7.21, has only two option fields that control how to match messages being examined by the security server. The Sender and Recipient fields are used to define the addresses you want to work with. Wildcards are supported in these fields to provide the ability to specify all addresses (using *) or all users in a specific domain (with *@domain.com) if needed. The example shown in Figure 7.21 shows how an administrator would allow incoming mail to mycompany.com, but not allow relays or outgoing mail. In most cases an administrator would configure two resources, one for inbound mail and another for outbound mail.

Figure 7.21: SMTP Resource Properties - Match Tab

When you create a new SMTP resource, the Sender and Recipient fields are blank and must be filled in before the resource will function. You need to be careful with these options, though; it's common to just set the Recipient field to an asterisk to save time. Keep in mind that the resource defines how the security server will function, and by placing an asterisk in both of the available fields, you could be allowing external hosts to bounce mail off your firewall. This makes your firewall an open relay for SMTP traffic, and aside from the possibility of your server being used to send unsolicited bulk e-mail (spam), many domains and even some ISPs may refuse to accept SMTP traffic from your domain if it's found that you have an open relay. For information on blocking open relays from your domain, or checking to see if you've been blacklisted, check an open relay database site such as www.ordb.org and check your Postmaster@yourdomain.com mailbox.
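The following Python is an added example, not Check Point code. It implements the wildcard semantics implied by Table 7.1 and by the SMTP Sender/Recipient fields (assumed: * matches any run of characters, + matches exactly one character, {a,b} is an alternation), and then uses that matcher to check whether a constructed pair of SMTP resources, or a careless single resource with an asterisk in both fields, would match mail relayed between two outside domains.

```python
import re


def cp_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a resource match string into an anchored, case-insensitive regex.

    Assumed semantics, inferred from Table 7.1 and the SMTP Match tab:
      *        any run of characters, including none
      +        exactly one character ('*.mp+' matches .mp3 and .mpg, not .mpeg)
      {a,b,c}  exactly one of the comma-separated alternatives
    Every other character is matched literally."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "+":
            out.append(".")
        elif c == "{":
            end = pattern.find("}", i)
            if end == -1:
                raise ValueError(f"unterminated '{{' in pattern {pattern!r}")
            alts = pattern[i + 1:end].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def matches(pattern: str, value: str) -> bool:
    """True when the whole value is matched by the pattern."""
    return cp_wildcard_to_regex(pattern).match(value) is not None


# Constructed SMTP resources as (name, Sender pattern, Recipient pattern), assumed to be
# used in accept rules. The first pair mirrors the inbound/outbound split the text recommends.
SAFE_RESOURCES = [
    ("smtp-inbound", "*", "*@mycompany.com"),
    ("smtp-outbound", "*@mycompany.com", "*"),
]
CARELESS_RESOURCES = [("smtp-any", "*", "*")]  # asterisk in both fields


def matching_resource(resources, sender: str, recipient: str):
    """Name of the first resource whose Sender and Recipient patterns both match, else None."""
    for name, sender_pat, recipient_pat in resources:
        if matches(sender_pat, sender) and matches(recipient_pat, recipient):
            return name
    return None


def is_open_relay(resources) -> bool:
    """A resource set relays for anyone if mail from an external sender to an external
    recipient is matched (constructed probe addresses; neither belongs to mycompany.com)."""
    return matching_resource(resources, "someone@example.net", "other@example.org") is not None
```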

The Action1 tab has a few simple options that allow you to re-address messages and change limited content. The Sender and Recipient fields allow you to re-address messages on a single-user basis or, by using wildcards, to translate addresses for an entire domain. The Field option allows you to modify data in any of the other standard SMTP fields such as carbon copy (cc), blind carbon copy (bcc), or subject. Once you've specified the field to change, you need only specify the string to look for and what to replace it with. Shown in Figure 7.22, this tab is very useful if you have recently changed your SMTP domain name but still have a few messages arriving for the old domain. Using the simple rewrite options shown, you could easily translate an address such as joe@olddomain to joe@newdomain.com. The Help button for this section has some useful information in the section entitled Using Wildcards and Regular Expressions in Resources. It also explains how you can specify multiple rewriting rules even though you see only one text box.

Figure 7.22: SMTP Resource Action Tab Showing Address Rewrite

The Action2 tab allows the removal of information found within the body of the message. The Attachment handling section provides two simple methods of discarding attachments from messages. In Figure 7.23, the resource is configured to strip attachments of the message/partial type. There are seven supported options, as defined in RFC 2046, for removing specific file types:

  • Text

  • Multipart

  • Image

  • Message

  • Audio

  • Video

  • Application

Figure 7.23: SMTP Resource Properties - Action2 Tab

You can use the Strip file by name field to remove files based on a pattern, using wildcards if needed, rather than by Multipurpose Internet Mail Extension (MIME) type. This field is often used to stop zero-day or new viruses and worms that spread via e-mail. It's often faster to start filtering out viruses by their specific attachment names (once known) than it is to update the virus signatures throughout your entire enterprise. In Figure 7.23, files ending with the extension .exe, .vbs, or .scr will be stripped. If nothing else, this function will buy you enough time to update your signatures properly while you block new infections from entering (or leaving) your network.

Use the Do not send mail larger than field to specify the maximum allowable message size. Use the Allowed Characters options to specify whether the security server will accept messages in 7- or 8-bit ASCII. The Weeding section allows you to remove Java, JavaScript, ActiveX, FTP URI links, and port strings from the message's headers and body.

One common mistake made when creating SMTP resources is not checking the Do not send mail larger than field. By default, messages larger than 10,000 KB are dropped. Note that in NG AI the default maximum message size has been raised to 10,000 KB, compared with 1,000 KB in its predecessor, because many attachments are larger than the previous limit of just under one megabyte. Aside from irritating users, failing to check this option often resulted in e-mail administrators spending hours troubleshooting lost SMTP messages, since the security server would discard the entire message.
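As an added example (not from the book or from Check Point), this Python uses the standard email module to apply Action2-style handling to a constructed message: leaf parts whose top-level MIME type is in a strip set (message/*, as in Figure 7.23) are discarded, attachment names are matched against the *.exe, *.vbs and *.scr patterns, and the result is checked against the 10,000 KB size limit. The addresses and attachment bytes are constructed for the example.

```python
import fnmatch
from email.message import EmailMessage

# Settings assumed for this example, modelled on the Action2 tab.
STRIP_MIME_TYPES = {"message"}                    # top-level types to discard
STRIP_NAME_PATTERNS = ["*.exe", "*.vbs", "*.scr"]  # "Strip file by name" patterns
MAX_MESSAGE_KB = 10000                            # NG AI default for "Do not send mail larger than"


def build_sample_message() -> EmailMessage:
    """Constructed test message: a text body plus three attachments."""
    msg = EmailMessage()
    msg["From"] = "joe@olddomain.com"
    msg["To"] = "sue@mycompany.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("The body text is left alone.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="update.exe")
    msg.add_attachment(b"\x89PNG\r\n", maintype="image", subtype="png", filename="logo.png")
    msg.add_attachment(b"fragment 1 of 3", maintype="message", subtype="partial", filename="part1")
    return msg


def should_strip(part) -> bool:
    """Apply the type-based and name-based rules to one leaf part."""
    if part.get_content_maintype() in STRIP_MIME_TYPES:
        return True
    name = part.get_filename()
    return bool(name) and any(fnmatch.fnmatch(name.lower(), pat) for pat in STRIP_NAME_PATTERNS)


def strip_attachments(msg: EmailMessage) -> list:
    """Remove matching parts in place (recursing into nested multiparts); return what was removed."""
    removed = []
    if not msg.is_multipart():
        return removed
    kept = []
    for part in msg.get_payload():
        if part.is_multipart():
            removed.extend(strip_attachments(part))
            kept.append(part)
        elif should_strip(part):
            removed.append(f"{part.get_content_type()} {part.get_filename() or ''}".strip())
        else:
            kept.append(part)
    msg.set_payload(kept)
    return removed


def exceeds_size_limit(msg: EmailMessage, limit_kb: int = MAX_MESSAGE_KB) -> bool:
    """True when the serialized message is larger than the configured limit."""
    return len(msg.as_bytes()) > limit_kb * 1024


if __name__ == "__main__":
    sample = build_sample_message()
    print("stripped:", strip_attachments(sample))
    print("remaining:", [p.get_content_type() for p in sample.iter_parts()])
    print("over size limit:", exceeds_size_limit(sample))
```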

The CVP tab of the SMTP Resource Properties window provides the standard options we discussed when examining CVP servers. The only exception, as shown in Figure 7.24, is the addition of a single SMTP-only option, Send SMTP headers to CVP server. This option instructs the CVP server to scan each message's full headers in addition to the message body.

Figure 7.24: SMTP Resource Properties - CVP Tab

FTP Resources

We looked at FTP resources briefly when we first examined CVP servers. In addition to enabling you to send FTP data streams to another server for content filtering, FTP resources can be used without a CVP server to just control FTP sessions.

The General tab in the FTP Resource Properties window (Figure 7.25) allows you to specify the normal VPN-1/FW-1 object information, but the interesting options (aside from the CVP tab) are on the Match tab.

Figure 7.25: FTP Resource Properties - General Tab

The Match tab, shown in Figure 7.26, contains three options that allow you to control the actual FTP session. The Path field allows you to specify file paths, using wildcards if desired, to perform actions on. The most interesting and useful part of the FTP resource is the use of GET and PUT, since they enable you to control FTP functions. Using these options allows you to control the commands that your users can issue to remote servers. Allowing your users to GET but not PUT prohibits them from pushing data out of your network, while still allowing them to download files as needed. Allowing PUT but not GET would be a good solution for a publicly accessible FTP server used to receive files from your business partners, since they could upload files to you but could not download anything.

Figure 7.26: FTP Resource Properties - Match Tab

The FTP Resource CVP tab enables you to specify a CVP server to send matched data to, and defines the interaction between the FTP security server and the CVP server. Similar to the example you looked at when examining CVP server objects, Figure 7.27 shows how to scan incoming files for viruses. By enabling the CVP Server is allowed to modify content option, you can specify that infected files are to be cleaned. If this option was unchecked, all infected files would be discarded.

Figure 7.27: FTP Resource Properties - CVP Tab

TCP

The TCP resource allows you to work with services not handled by built-in security servers, and has only two methods of operation. You can use the TCP resource as a generic daemon, providing an alternative to the HTTP security server, for interaction with a CVP server.

Additionally, you can use the TCP resource to screen URLs via a UFP server without the intervention of the security server. Note that the UFP server must support this sort of interaction, as the format of its incoming data stream will not be in full URI format, since only the IP-based URL is available without the security server. The TCP resource has three possible tabs, only two of which are displayed at any time. The Type option on the General tab (Figure 7.28) enables you to select either UFP or CVP, and this dictates which other tab (UFP or CVP) is offered for configuration.

Figure 7.28: TCP Resource Properties - General Tab

After selecting UFP on the General tab, you can access the UFP tab (shown in Figure 7.29) and configure it. The UFP configuration on this tab is similar to that of other resources that use UFP servers: you need only select the UFP server that this resource will use, configure the caching method, and select from the supplied list the categories against which this data stream will be checked.

Figure 7.29: TCP Resource Properties - UFP Tab

If you select CVP on the General tab, you will be presented with the CVP tab (Figure 7.30), which allows you to configure the resource's interaction with the CVP server. You will need to specify which CVP server to use from the drop-down list on the CVP tab. The other options here are identical to those of the CVP objects you've looked at before, and enable you to configure options such as whether the CVP server is allowed to modify the content passed to it, and the method by which data is returned to the security server.

Figure 7.30: TCP Resource Properties - CVP Tab

CIFS

With a CIFS resource, an administrator can grant granular access to shares on a server to different user groups or to everyone. CIFS resources are most common when controlling access to internal servers from the LAN or controlling access to a file server across a site-to-site VPN.

CIFS is the protocol used for file and print services between clients and servers on the network. Legacy CIFS connections (implemented over NetBIOS) run over port 139. In Windows 2000 and later, the Microsoft-DS protocol (running over port 445) is used. A single CIFS resource can be used with both ports to ensure consistent enforcement across both file-sharing protocols. In Figure 7.31, the resource could be used in a rule to grant access to the shares only from certain source addresses or to certain users, or to deny the entire LAN access to the shares. It all depends on how the resource rule is created.

Figure 7.31: CIFS Resource Properties - General Tab



Check Point NG[s]AI
ISBN: 735623015
Year: 2004
Pages: 149