Frequently Asked Questions


The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the Ask the Author form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

1.  

My URI specification file looks okay, but it doesn't work properly. What should I look for?


2.  

What are the valid wildcard characters?


3.  

What OPSEC applications are available?


4.  

How do I block the latest virus that is spreading today?


5.  

Why do my users receive the error "FW-1 Unknown WWW Server" intermittently?


6.  

My users are complaining that they cannot connect to certain sites and they are receiving the following message: "Web site found. Waiting for reply..." All of these sites seem to include a double slash in them. Is there a problem with the firewall?


7.  

In FireWall-1 4.1, there were several objects.C file modifications for the HTTP security server that resolved several problems. Are the same changes available in NG?


Answers

1.  

There are three major parts to each line in the URI specification file. After you've entered the IP address, path, and category, you must end each line with a new line character (\n). If you use a Windows-based computer to build your file, ensure that you use an editor that uses only \n when you end a line. The WordPad application or Edit (run from a cmd.exe window) will create the file properly, whereas the Notepad application may not. When in doubt, add an extra new line character at the end of the file.

2.  

There are only four characters that can be used as wildcards in resource definitions, such as a URI wildcard object:

  • The asterisk (*) can be used to match any number of characters.

  • The plus sign (+) can be used to match a single character only. For example, +tp will match ftp but not http.

  • The ampersand (&) can only be used with SMTP addresses and allows you to manipulate information on either side of the @ symbol for address replacement objects. For example, changing from jim@yoursite.com in an object to &@yournewsite.com results in jim@yournewsite.com.

  • A list of strings may be separated with commas (,) to match any one of the specified strings. For example, hr,sales@yoursite.com will match hr@yoursite.com and sales@yoursite.com.

3.  

The list of OPSEC-certified applications grows every day. At the time of this writing, there are over 300 certified OPSEC vendors, each with one or more certified applications. This means that when you're looking for a third-party product to fill a specific security need in your organization, odds are that there is an OPSEC-certified product available. The current list of OPSEC-certified products and vendors can be found at www.opsec.com.

4.  

In addition to the capabilities of SmartDefense discussed later in this book, if the virus is spread through HTTP/FTP downloads and/or through e-mail attachments, then you can use VPN-1/FW-1 resources to block these connections. Using the Nimda virus as an example, you could use the SMTP file and/or MIME stripping to match MIME attachments of type audio/x-wav and the filename readme.exe. Then use a URI wildcard resource to match HTTP GETs to any host and any query match. Fill in the Path field with the following string: {*cmd.exe,*root.exe,*admin.dll,*readme.exe,_*readme.eml,default.ida}. Then just use these resources in rules that drop or reject the connections. For more information on blocking Nimda, see Check Point's public knowledge base (support.checkpoint.com/public) article sk7473.

5.  

If your firewall cannot resolve the Web site name to an IP address (DNS), then it will present this error when a Web browser has the firewall defined as a proxy. Sometimes other problems with the HTTP security server may result in this error as well. You may want to try some of the objects_5_0.C changes or contact support for assistance.

6.  

If the site your users are trying to access contains a double slash within the URL GET command, then the GET command does not conform to RFC 2616 standards (according to Check Point), and the security server will not allow a connection. Your only option (if you must pass the site) is to bypass the security server by creating an HTTP accept rule specifically for this destination above any HTTP resource rules defined in your VPN-1/FW-1 security policy. See Check Point's public knowledge base article sk13834 for more information.

7.  

Yes, most of the changes that you implemented in 4.1 can be used in NG as well. To edit the objects_5_0.C file, you need to use the dbedit utility in NG. Some changes are as follows:

 :http_disable_content_type (false)
 :http_disable_content_enc (true)
 :http_enable_uri_queries (false)
 :http_max_header_length (8192)
 :http_max_url_length (8192)
 :http_avoid_keep_alive (true)

These are the default settings that are in the objects.C file in NG HF1:

 :http_allow_content_disposition (false)
 :http_allow_double_slash (false)
 :http_allow_ranges (false)
 :http_avoid_keep_alive (false)
 :http_block_java_allow_chunked (false)
 :http_buffers_size (4096)
 :http_check_request_validity (true)
 :http_check_response_validity (true)
 :http_cvp_allow_chunked (false)
 :http_disable_ahttpdhtml (false)
 :http_disable_automatic_client_auth_redirect (false)
 :http_disable_cab_check (false)
 :http_disable_content_enc (false)
 :http_disable_content_type (false)
 :http_dont_dns_when_star_port (false)
 :http_dont_handle_next_proxy_pw (false)
 :http_failed_resolve_timeout (900)
 :http_force_down_to_10 (0)
 :http_handle_proxy_pw (true)
 :http_log_every_connection (false)
 :http_max_auth_password_num (1000)
 :http_max_auth_redirect_num (1000)
 :http_max_connection_num (4000)
 :http_max_header_length (1000)
 :http_max_header_num (500)
 :http_max_held_session_num (1000)
 :http_max_realm_num (1000)
 :http_max_server_num (10000)
 :http_max_session_num (0)
 :http_max_url_length (2048)
 :http_next_proxy_host ()
 :http_next_proxy_port ()
 :http_no_content_length (false)
 :http_old_auth_timeout (0)
 :http_process_timeout (43200)
 :http_proxied_connections_allowed (true)
 :http_query_server_for_authorization (false)
 :http_redirect_timeout (300)
 :http_servers (
         :ers ()
         :Uid ("{6CAC812A-202F-11D6-AB57-C0A800056370}")
 )
 :http_session_timeout (300)
 :http_skip_redirect_free (true)
 :http_use_cache_hdr (true)
 :http_use_cvp_reply_safe (false)
 :http_use_default_schemes (false)
 :http_use_host_h_as_dst (false)
 :http_use_proxy_auth_for_other (true)
 :http_weeding_allow_chunked (false)



Check Point NG[s]AI
ISBN: 735623015
Year: 2004