Solutions Fast Track


OPSEC Applications

  • Using third-party OPSEC-certified applications enables you to build onto your existing Check Point security infrastructure to address specific security needs, while ensuring compatibility and interoperability.

  • There are three types of OPSEC server applications: CVP, UFP, and AMON. UFP and CVP servers interoperate with VPN-1/FW-1 by passing data back and forth and participating in the control process, whereas AMON (Application Monitoring) lets the management server poll OPSEC applications for status information rather than taking part in control decisions.

  • OPSEC client applications, as a general rule, either send data to or pull data from VPN-1/FW-1, and generally do not affect the control process directly as servers do. There are six methods for OPSEC clients to send or receive data from VPN-1/FW-1: LEA, ELA, SAM, OMI, CPMI, and UAA.

  • ELA allows third-party applications to send log data to the VPN-1/FW-1 log database for consolidation and alerting functions.

  • LEA provides a method for applications to extract log data from the central log database, either historically or in real time.

  • SAM provides a conduit for IDS devices to signal the firewall and have it act on current traffic, for example by blocking all connections from a specific host. These actions are applied dynamically rather than by editing the rule base, and each should carry an expiry time: an unbounded block triggered by a spoofed source address turns the IDS into a denial-of-service tool against your own hosts.

  • The OMI provides support for legacy applications that need to access the VPN-1/FW-1 object database.

  • CPMI replaces OMI in the NG version of VPN-1/FW-1. CPMI allows applications to access the object database as well as authentication information known to the firewall. CPMI also provides the APIs needed for third-party applications to make limited changes to the security policy.

  • The UAA can be used to access VPN and LAN authentication information from VPN-1/FW-1. This allows applications to be designed to use existing logon information to provide single sign-on capabilities.
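The IDS-to-firewall signalling that SAM provides can be exercised without the OPSEC SDK by emitting the equivalent fw sam command lines, which is how an administrator applies the same block by hand. The following is an added example, not code from the book or from Check Point: it parses a constructed batch of IDS alert lines, applies the safeguards an automated blocker needs (an expiry on every block, a protected-network list so the IDS can never inhibit management or internal hosts, and a threshold before low-priority alerts earn a block), and prints the resulting commands. The alert layout, the address ranges, the thresholds and the fw sam option set used here (-t timeout, -n notify, -i inhibit, -I inhibit and close existing connections, src criterion) are assumptions to check against your release's documentation before use.

```python
# Added example: turn IDS alerts into 'fw sam' block commands (not book or Check Point code).
import ipaddress
import re
from collections import Counter

# Constructed alert lines in a Snort-style fast-alert layout (assumption).
SAMPLE_ALERTS = """\
01/14-10:02:11.123 [**] [1:1000001:1] SCAN nmap SYN probe [**] [Priority: 2] {TCP} 203.0.113.7:44321 -> 192.0.2.10:22
01/14-10:02:12.456 [**] [1:1000001:1] SCAN nmap SYN probe [**] [Priority: 2] {TCP} 203.0.113.7:44322 -> 192.0.2.10:23
01/14-10:02:13.789 [**] [1:1000001:1] SCAN nmap SYN probe [**] [Priority: 2] {TCP} 203.0.113.7:44323 -> 192.0.2.10:25
01/14-10:03:01.000 [**] [1:1000002:1] WEB-ATTACKS /etc/passwd access [**] [Priority: 1] {TCP} 198.51.100.9:51000 -> 192.0.2.80:80
01/14-10:03:05.000 [**] [1:1000003:1] INFO ICMP echo [**] [Priority: 3] {ICMP} 10.1.1.5 -> 192.0.2.10
01/14-10:04:00.000 [**] [1:1000002:1] WEB-ATTACKS /etc/passwd access [**] [Priority: 1] {TCP} 10.1.1.20:40000 -> 192.0.2.80:80
01/14-10:05:00.000 [**] [1:1000004:1] POLICY unusual user-agent [**] [Priority: 3] {TCP} 203.0.113.200:1234 -> 192.0.2.80:80
"""

ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)

# Networks an automated blocker must never inhibit (assumption): management,
# internal users and the DMZ the gateway protects. A false positive here would
# let the IDS deny service to your own infrastructure.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.1.1.0/24", "192.0.2.0/24")]


def parse_alerts(text):
    """Extract src, dst, priority and protocol from each alert line; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append({"src": m["src"], "dst": m["dst"],
                           "prio": int(m["prio"]), "proto": m["proto"]})
    return events


def is_protected(ip):
    """True when the address falls inside a network the blocker must leave alone."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)


def decide_blocks(events, scan_threshold=3, block_timeout=600):
    """Map the alert stream to at most one SAM action per source address.

    Rules (assumptions, tune per site):
      priority 1 alert                 -> inhibit and close existing connections (-I)
      >= scan_threshold alerts         -> inhibit new connections only (-i)
      either of the above but protected -> notify only (-n), never inhibited
    Every inhibit carries block_timeout seconds so a stale block expires by itself.
    Returns {src: (flag, timeout_seconds)}; sources earning no action are absent.
    """
    per_src = Counter(e["src"] for e in events)
    decisions = {}
    for e in events:
        src = e["src"]
        if src in decisions:
            continue
        wanted = None
        if e["prio"] == 1:
            wanted = ("-I", block_timeout)
        elif per_src[src] >= scan_threshold:
            wanted = ("-i", block_timeout)
        if wanted is None:
            continue
        if is_protected(src):
            wanted = ("-n", 0)  # log it, but never block our own ranges
        decisions[src] = wanted
    return decisions


def sam_commands(decisions):
    """Render decisions as fw sam command lines (syntax is an assumption; verify for your release)."""
    cmds = []
    for src, (flag, timeout) in sorted(decisions.items()):
        if flag == "-n":
            cmds.append(f"fw sam -n src {src}")
        else:
            cmds.append(f"fw sam -t {timeout} {flag} src {src}")
    return cmds


if __name__ == "__main__":
    for cmd in sam_commands(decide_blocks(parse_alerts(SAMPLE_ALERTS))):
        print(cmd)
```

The same three safeguards (expiry, protected ranges, a threshold for low-confidence alerts) apply unchanged when the IDS talks to the firewall through the OPSEC SAM API instead of a command line.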

Content Vectoring Protocol

  • CVP is normally used for sending data, such as binary files or e-mail messages, from VPN-1/FW-1 to a third-party server to be scanned. The result of the scan feeds directly into the control decision for that data, which may be to block it entirely or to modify it into an acceptable form (for example, by removing a virus from an attachment).

  • CVP resources are created using an OPSEC Application object as the server to send data to, and contain configuration settings for what actions the CVP server is to perform on the data.

  • CVP groups allow you to load share between servers or chain multiple CVP servers together to perform different tasks one after another.

  • Load sharing distributes the incoming work among the defined servers using the method you select (round robin, for example).

URI Filtering Protocol

  • A URI describes how to access a resource and is made up of two parts. The scheme names the protocol to use (such as http) and is separated by a colon from the remainder, which identifies the desired resource (for HTTP, the host and path).

  • UFP can be implemented through the use of URI resources in the security policy, and allows you to examine and filter URIs passed from the VPN-1/FW-1 security servers as part of the control decision.

  • UFP is commonly used to verify that requested or returned URLs conform to an acceptable standard, by classifying URLs into categories and enabling you to choose which categories are permissible in your environment.

  • UFP groups enable you to share load between multiple UFP servers to increase efficiency and provide availability, if a UFP server should fail.

Other Resource Options

  • URI file resources allow you to use a specially formatted file to define the URIs that you want to filter on. This option is commonly used when you have many URIs to filter but do not want to use a UFP server.

  • URI wildcards allow you to build a fully customized URI string to match against incoming data. The flexibility of wildcards enables you to filter on a specific file extension or even to specify entire IP address blocks.

  • SMTP resources enable you to inspect and modify e-mail traffic passing through your firewall. You can, for example, rewrite sender or recipient addresses as well as the data within the body of the message. It is also possible to perform limited screening for potentially malicious content by stripping ActiveX and/or Java code from messages. For more granular screening, the SMTP resource can pass e-mail messages, with complete headers, to a CVP server for analysis.

  • FTP resources allow you to control FTP data streams. In addition to looking for certain paths or file names being requested, you can control when and where your users can use the FTP GET and PUT commands to control data moving into or out of your network.

  • The TCP resource allows you to send data from TCP protocols not covered by the normal security servers to a CVP or UFP server for inspection.

  • The CIFS resource enables an administrator to very granularly define access to file and print sharing servers over NetBIOS and Microsoft-DS protocols.
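To make the URI mechanics of the two preceding sections concrete, the following added example (not the book's code and not Check Point's matching engine) evaluates a request URI the way a URI resource would: it splits the scheme from the rest, percent-decodes and lower-cases the path so that a request for /setup%2Eexe cannot slip past a *.exe rule, applies wildcard deny patterns (a file extension and an IP block), then consults a URI file of host/path/category entries, and finally a stand-in for the category answer a UFP server would return. The category table, the URI file layout (host, path and category per line, with 1 meaning drop), the rule set and the evaluation order are constructed assumptions, not Check Point's formats.

```python
# Added example: URI parsing and filtering in the style of URI resources (not book or Check Point code).
import fnmatch
from urllib.parse import urlsplit, unquote

# Constructed stand-in for the category answers a UFP server would return (assumption).
UFP_CATEGORIES = {
    "www.example.com": "business",
    "games.example.net": "games",
    "cdn.example.org": "downloads",
}
BLOCKED_CATEGORIES = {"games", "downloads"}

# Constructed URI file. Layout is an assumption: "host path category" per line,
# category 1 = drop, 0 = accept, '#' starts a comment.
URI_FILE = """\
# host          path      category
198.51.100.20   /warez    1
198.51.100.20   /public   0
intranet.corp   /         0
"""

# Constructed wildcard deny rules, matched against scheme://host/path after normalisation.
WILDCARD_DENY = [
    "*.exe",                 # executables by extension, on any host
    "*.scr",
    "http://203.0.113.*/*",  # a whole /24 reached by IP literal
]


def split_uri(uri):
    """Return (scheme, host, path). The scheme is what precedes the first colon;
    the host is lower-cased and the path percent-decoded so encoded extensions cannot hide."""
    parts = urlsplit(uri)
    if not parts.scheme:
        raise ValueError(f"URI has no scheme: {uri!r}")
    host = (parts.hostname or "").lower()
    path = unquote(parts.path) or "/"
    return parts.scheme.lower(), host, path


def load_uri_file(text):
    """Parse URI file lines into (host, path, category) tuples, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            host, path, cat = line.split()
            entries.append((host.lower(), path.lower(), int(cat)))
    return entries


URI_FILE_ENTRIES = load_uri_file(URI_FILE)


def uri_file_category(host, path):
    """Longest matching directory prefix for the host, or None when the file says nothing.
    Matching is on directory boundaries so /public does not also cover /publicity."""
    best = None
    for h, p, cat in URI_FILE_ENTRIES:
        if h != host:
            continue
        if path == p or path.startswith(p.rstrip("/") + "/"):
            if best is None or len(p) > len(best[0]):
                best = (p, cat)
    return None if best is None else best[1]


def evaluate(uri):
    """Return (action, reason). Order: scheme check, wildcard deny, URI file, UFP category."""
    scheme, host, path = split_uri(uri)
    if scheme not in ("http", "https", "ftp"):
        return "drop", f"unsupported scheme {scheme}"
    canonical = f"{scheme}://{host}{path}".lower()
    for pattern in WILDCARD_DENY:
        if fnmatch.fnmatchcase(canonical, pattern.lower()):
            return "drop", f"wildcard {pattern}"
    file_cat = uri_file_category(host, path.lower())
    if file_cat is not None:
        return ("drop" if file_cat else "accept"), f"uri file category {file_cat}"
    ufp_cat = UFP_CATEGORIES.get(host, "uncategorised")
    if ufp_cat in BLOCKED_CATEGORIES:
        return "drop", f"ufp category {ufp_cat}"
    return "accept", f"ufp category {ufp_cat}"


if __name__ == "__main__":
    for u in ("http://www.example.com/index.html", "http://www.example.com/setup%2Eexe",
              "http://games.example.net/play", "http://203.0.113.9/anything",
              "http://198.51.100.20/warez/x.zip", "http://198.51.100.20/public/x.zip"):
        print(u, "->", evaluate(u))
```

Two caveats carry over to the real product: a wildcard such as *.exe is only as good as the normalisation done before matching, and a path-prefix entry in a URI file matches everything beneath it, so order and boundary rules matter when a deny and an allow share a prefix.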

Check Point NG[s]AI
ISBN: 735623015
Year: 2004
Pages: 149