Internet technology provides a cost effective, global communications infrastructure that enables world-wide access for employees, customers, vendors, suppliers and key business partners. This is a critical enhancement to collaborative information sharing, but it also exposes an organization's network to new risks and threats. How can an organization keep its resources and information protected from unauthorized network access, from both inside and outside the organization? Access control, a fundamental building block in any security policy, addresses this issue.
What Goes In and Out of The Network
Access control protects an organization from security threats by specifying and enforcing what can go in and out of an organization's network. A key element of access control is an awareness of all underlying services and applications. First generation packet filters were not aware of applications, nor could they handle UDP or dynamic protocols. Second generation application proxies required a tremendous amount of CPU overhead, and were slow to provide support for new services appearing regularly on the Internet, such as multimedia services. Check Point FireWall-1's stateful inspection technology, combined with a powerful object-oriented approach, provides full application-layer awareness as well as quick and easy support of new Internet services. FireWall-1 provides comprehensive access control with over 160 pre-defined applications, services and protocols as well as the flexibility to specify and define custom services.
In addition to understanding the full state and context of a communication, FireWall-1 includes the ability for rules within a security policy to be enforced using a time parameter. This provides extensive granularity in access control, allowing rules to be valid for specific hours, days, months or years. For example, an organization may decide to limit HTML or web traffic to the Internet during working hours, allowing access only during lunch time, after normal working hours and on weekends. Another example is to disallow access to critical servers while system backups are being performed.
Defining a Security Policy
Implementing access control parameters is simple and straightforward with a well-defined graphical user interface such as that provided by Check Point FireWall-1. In fact, all aspects of an organization's security policy can be specified using FireWall-1's award-winning user interface. All elements are specified using an object-oriented approach. Once defined, these objects are used to define the security policy within the Rule-Base Editor. Each rule can be comprised of any combination of network objects, services, actions, and tracking mechanisms. Once a rule is defined, FireWall-1 provides the ability to define which network enforcement points it should be distributed to across the network. Supported platforms include UNIX and NT servers, and internetworking equipment (routers, switches, edge devices) from Check Point's many OPSEC Alliance partners. A distinct advantage of Check Point FireWall-1 is the ability to define an enterprise security policy once, distribute it to multiple access points throughout the network, and manage it locally and remotely from a single centralized console.

Distributed Access
FireWall-1's architecture is fully scalable so that it grows as an organization's security requirements grow. The system is capable of providing multi-level concurrent user access. This allows the assignment of different access privilege levels to FireWall-1 administrators. Upon authentication, each FireWall-1 administrator inherits the access rights assigned by the security manager, which are indicated within the Rule-Base Editor. This feature also provides the ability for a single desktop to connect to multiple management modules concurrently. Supported access levels are defined as follows:
- Read/Write: access to all functionality of FireWall-1 management tools
- User Edit: the ability to modify user information only; access to all other functionality is read-only
- Read Only: read-only access to the Security Policy Editor
- Monitor Only: read-only access limited to the Log Viewer and the System Status tools
Secure Access
IP Spoofing - A technique where an intruder attempts to gain unauthorized access by altering a packet's IP address to make it appear as though the packet originated in a part of the network with higher access privileges. For example, a packet originating on the Internet may be disguised as a local packet. FireWall-1 has integrated protection and logging against this type of attack.
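The defence against the disguised-as-local packet described above is an anti-spoofing check: the gateway knows which address ranges legitimately sit behind each of its interfaces, and a packet whose source address does not belong behind the interface it arrived on is dropped and logged. The following is an added example written for this page (not Check Point code, and not a description of how FireWall-1 implements the check internally); the interface names, address ranges and sample packets are all constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (hypothetical interface names and addresses): the networks
# that legitimately sit behind each protected gateway interface.
TOPOLOGY = {
    "eth1-internal": [ip_network("10.0.0.0/8")],
    "eth2-dmz":      [ip_network("192.0.2.0/24")],
}
EXTERNAL_IFACE = "eth0-external"   # everything not listed above lives beyond this interface


def _protected_networks():
    return [net for nets in TOPOLOGY.values() for net in nets]


def source_allowed_on(iface: str, src: str) -> bool:
    """Is src a plausible source address for a packet that entered on iface?

    On the external interface a source taken from any protected network is spoofed:
    it claims to be inside while arriving from outside. On a protected interface the
    source must belong to that interface's own networks, which also catches an inside
    host sending with a forged external or DMZ address.
    """
    addr = ip_address(src)
    if iface == EXTERNAL_IFACE:
        return not any(addr in net for net in _protected_networks())
    return any(addr in net for net in TOPOLOGY[iface])


def inspect(packets):
    """Return (verdict, log line) per packet; spoofed packets are dropped and logged."""
    results = []
    for pkt in packets:
        if source_allowed_on(pkt["in_iface"], pkt["src"]):
            results.append(("accept", None))
        else:
            results.append(("drop", f"anti-spoofing: {pkt['src']} -> {pkt['dst']} "
                                    f"arrived on {pkt['in_iface']}"))
    return results


# Constructed sample traffic.
SAMPLE = [
    {"in_iface": "eth0-external", "src": "198.51.100.7", "dst": "10.0.0.5"},     # normal inbound
    {"in_iface": "eth0-external", "src": "10.0.0.9",     "dst": "10.0.0.5"},     # Internet packet disguised as local
    {"in_iface": "eth1-internal", "src": "10.0.0.9",     "dst": "198.51.100.7"}, # normal outbound
    {"in_iface": "eth1-internal", "src": "192.0.2.4",    "dst": "198.51.100.7"}, # inside host forging a DMZ address
]

if __name__ == "__main__":
    for verdict, line in inspect(SAMPLE):
        print(verdict, line or "")
```

The check is only as good as the topology table: an interface whose networks are left undefined cannot be protected, so the table should be reviewed whenever a network is added or re-addressed.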
Denial of Service Attack - A TCP connection is initiated with a client issuing a request to a server with the SYN flag set in the TCP header. Normally the server will issue a SYN/ACK back to the client identified by the 32-bit source address in the IP header. The client will then send an ACK to the server and data transfer can commence. When the client IP address is spoofed (changed) to be that of an unreachable host, however, the targeted TCP stack cannot complete the three-way handshake and will keep trying until it times out. This is the basis for the attack.
Application gateway based solutions by themselves are not able to defend against SYN flooding attacks. In fact, the firewall itself may be attacked to create a denial of service condition. Packet filtering based solutions are also not able to guard against SYN flooding attacks since they lack the necessary capability to perform Stateful Inspection of connections. FireWall-1 with Stateful Inspection can protect against this attack using SYNDefender.
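What a stateful device can do that a stateless packet filter cannot is remember that a SYN was seen and notice when the client's ACK never follows. The following is an added example written for this page, not Check Point code and not a description of SYNDefender's internal mechanism: it tracks half-open connections per server port from the client-to-server segments it sees, forgets entries after a timeout so the table itself cannot be exhausted, and raises an alert when the number of half-open connections to one server exceeds a threshold. Threshold, timeout, addresses and the sample segment sequence are all constructed.

```python
class HalfOpenTracker:
    """Counts TCP connections stuck after the SYN (no client ACK seen)."""

    def __init__(self, limit: int = 3, timeout: float = 10.0):
        self.limit = limit         # half-open connections tolerated per server port
        self.timeout = timeout     # seconds before a half-open entry is forgotten
        self.half_open = {}        # (src, sport, dst, dport) -> time the SYN was seen
        self.alerts = []           # (time, dst, dport, half-open count)

    def _expire(self, now: float) -> None:
        stale = [key for key, t in self.half_open.items() if now - t > self.timeout]
        for key in stale:
            del self.half_open[key]

    def half_open_count(self, dst: str, dport: int) -> int:
        return sum(1 for (_, _, d, p) in self.half_open if (d, p) == (dst, dport))

    def observe(self, pkt: dict) -> None:
        """Feed one client->server segment: {"t", "src", "sport", "dst", "dport", "flags"}.

        flags is "S" for a SYN and "A" for the client's ACK; the server's SYN/ACK
        travels the other way and is not needed to decide whether the handshake finished.
        """
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":
            self.half_open[key] = pkt["t"]
        elif pkt["flags"] == "A" and key in self.half_open:
            del self.half_open[key]          # third step of the handshake seen: fully open
        self._expire(pkt["t"])
        count = self.half_open_count(pkt["dst"], pkt["dport"])
        if count > self.limit:
            self.alerts.append((pkt["t"], pkt["dst"], pkt["dport"], count))


def replay(events, limit: int = 3, timeout: float = 10.0) -> HalfOpenTracker:
    tracker = HalfOpenTracker(limit, timeout)
    for event in events:
        tracker.observe(event)
    return tracker


SERVER = ("203.0.113.10", 80)   # constructed target address

# Constructed segment sequence: one legitimate handshake, then five SYNs whose
# source addresses never answer, then a legitimate SYN much later.
SAMPLE = [
    {"t": 0.0, "src": "10.0.0.7", "sport": 40001, "dst": SERVER[0], "dport": SERVER[1], "flags": "S"},
    {"t": 0.1, "src": "10.0.0.7", "sport": 40001, "dst": SERVER[0], "dport": SERVER[1], "flags": "A"},
] + [
    {"t": float(i), "src": f"198.51.100.{i}", "sport": 5000 + i,
     "dst": SERVER[0], "dport": SERVER[1], "flags": "S"}
    for i in range(1, 6)
] + [
    {"t": 30.0, "src": "10.0.0.8", "sport": 40002, "dst": SERVER[0], "dport": SERVER[1], "flags": "S"},
]

if __name__ == "__main__":
    for alert in replay(SAMPLE).alerts:
        print("SYN flood suspected:", alert)
```

The legitimate handshake leaves no entry behind, the fourth and fifth unanswered SYNs push the count past the limit and produce alerts, and by the time the late SYN arrives the stale entries have been expired, so that connection is counted alone.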
Ping of Death - On almost every OS, including some routers, PING (ICMP) packets larger than 65508 bytes become larger than 64K once the 28 bytes of headers are added, and therefore are not handled well by kernels, making some systems crash or reboot. FireWall-1 with Stateful Inspection can protect against this attack by defining a service object and adding a rule to the security policy that prevents packets larger than 64K from passing.
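An oversized ping never arrives as one packet; it arrives as IP fragments, and the overflow only exists once they are reassembled. A gateway can nevertheless reject it without reassembling anything, because each fragment carries its offset, so the size the datagram would reach is known from the offending fragment alone. The following is an added example written for this page (not Check Point code, and not the definition of the service object the text refers to) showing that per-fragment check; the fragment records and sizes are constructed.

```python
IP_HEADER_LEN = 20
MAX_DATAGRAM = 65535            # limit of the 16-bit IP total-length field


def projected_datagram_size(fragment: dict) -> int:
    """Size the reassembled datagram would reach if this fragment were its last.

    fragment keys: "id" (datagram identification), "offset" (in 8-byte units, as
    carried on the wire), "more" (the MF flag) and "payload_len" (data bytes in
    this fragment). The check needs no reassembly buffer.
    """
    return IP_HEADER_LEN + fragment["offset"] * 8 + fragment["payload_len"]


def oversized(fragment: dict) -> bool:
    return projected_datagram_size(fragment) > MAX_DATAGRAM


def filter_fragments(fragments):
    """Drop any fragment that would push its datagram past 65535 bytes, plus every
    later fragment of a datagram already found to be oversized. Fragments of a bad
    datagram that arrived before the offending one have already been forwarded; the
    receiver will time out the incomplete datagram rather than overflow on it."""
    bad_ids = set()
    verdicts = []
    for frag in fragments:
        if frag["id"] in bad_ids or oversized(frag):
            bad_ids.add(frag["id"])
            verdicts.append("drop")
        else:
            verdicts.append("accept")
    return verdicts


# Constructed sample: a harmless 4000-byte ping split for a 1500-byte MTU
# (ICMP header + data = 4008 bytes, three fragments), followed by a fragment
# placed at offset 8189*8 = 65512 that would make its datagram 65572 bytes long.
SAMPLE = [
    {"id": 1, "offset": 0,    "more": True,  "payload_len": 1480},
    {"id": 1, "offset": 185,  "more": True,  "payload_len": 1480},
    {"id": 1, "offset": 370,  "more": False, "payload_len": 1048},
    {"id": 2, "offset": 8189, "more": False, "payload_len": 40},
]

if __name__ == "__main__":
    for frag, verdict in zip(SAMPLE, filter_fragments(SAMPLE)):
        print(frag["id"], projected_datagram_size(frag), verdict)
```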
Defenses
Stealth the Firewall - Under normal situations, anyone on the corporate network could potentially access the firewall gateway or security access point. This can be prevented by stealthing the firewall or hiding its access point. Check Point FireWall-1 provides this capability with the addition of one simple rule in the security policy. Protecting the gateway in this manner makes it inaccessible to any user or application, except for management and configuration purposes, effectively making the device invisible.
Network Address Translation - NAT can conceal or hide the internal network addresses from the Internet, avoiding their disclosure as public information.
Connection Accounting - FireWall-1 allows the security manager to monitor accounting data on selected connections. For each connection handled by such a rule, an accounting log entry is generated which includes the usual fields as well as the connection's duration, the number of bytes and the number of packets transferred.

The accounting log records are generated when the monitored connection ends, so they can then be viewed in the Log Viewer. In addition, when running the Log Viewer to show the live connections (see below), the Active Connections View can be used to monitor ongoing connections.
Active Connections - With FireWall-1, the security manager can use the Log Viewer in active connection mode to view in real time all connections currently active through the Firewall Modules. The live connections are stored and handled in the same way as ordinary log records, but are kept in a special file that is continuously updated as connections start and end. In this way, all the standard Log Viewer features, such as selection, search engine, etc., can be used to monitor current network activity.
When using the accounting option, the connection accounting data (time elapsed, bytes and packets transferred) is continuously updated, so the security manager can monitor not only the fact of the connection but also its activity.
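The accounting and active-connections passages above describe one data structure seen from two sides: a table of live connections whose counters grow with every packet, and a log record cut from that table when the connection ends. The following is an added example written for this page, not Check Point code and not the Log Viewer's file format: a minimal connection table that keeps the running counters, produces an accounting record with duration, bytes and packets at connection end, and exposes the live view with elapsed time. Addresses, timestamps and sizes are constructed, and for brevity only the packets fed to it are counted (a real implementation also matches the reply direction to the same entry).

```python
class ConnectionTable:
    """Tracks live connections and emits an accounting record when each one ends."""

    def __init__(self):
        self.active = {}           # (src, sport, dst, dport) -> running counters
        self.accounting_log = []   # records for finished connections

    def packet(self, t: float, src: str, sport: int, dst: str, dport: int,
               size: int, last: bool = False) -> None:
        """Account one packet; last=True marks the segment that ends the connection."""
        key = (src, sport, dst, dport)
        conn = self.active.setdefault(key, {"start": t, "bytes": 0, "packets": 0})
        conn["bytes"] += size
        conn["packets"] += 1
        if last:
            self._close(key, t)

    def _close(self, key, t: float) -> None:
        conn = self.active.pop(key)
        src, sport, dst, dport = key
        self.accounting_log.append({
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "start": conn["start"], "end": t, "duration": t - conn["start"],
            "bytes": conn["bytes"], "packets": conn["packets"],
        })

    def active_view(self, now: float):
        """Live connections with elapsed time and running counters (the Active Connections view)."""
        return [
            {"key": key, "elapsed": now - c["start"], "bytes": c["bytes"], "packets": c["packets"]}
            for key, c in self.active.items()
        ]


# Constructed packet trace: connection A completes, connection B is still open.
TRACE = [
    (0.0, "10.0.0.7", 40001, "198.51.100.10", 80, 60, False),
    (0.5, "10.0.0.7", 40001, "198.51.100.10", 80, 500, False),
    (1.0, "10.0.0.8", 40002, "198.51.100.11", 443, 60, False),
    (2.0, "10.0.0.7", 40001, "198.51.100.10", 80, 60, True),
    (3.0, "10.0.0.8", 40002, "198.51.100.11", 443, 1200, False),
]


def replay(trace=TRACE) -> ConnectionTable:
    table = ConnectionTable()
    for t, src, sport, dst, dport, size, last in trace:
        table.packet(t, src, sport, dst, dport, size, last)
    return table


if __name__ == "__main__":
    table = replay()
    print("accounting:", table.accounting_log)
    print("active at t=4.0:", table.active_view(4.0))
```

The accounting record is written only at close, which is why the text notes that such records appear in the Log Viewer after the connection ends, while the live view reads the same counters while they are still changing.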
Multiple Alerting Capabilities - FireWall-1 provides integration of multiple alert options including email notification and SNMP traps for integration with SNMP-based network management systems such as HP OpenView, SunNet Manager, or IBM's NetView 6000. A User Defined alerting mechanism is also available to integrate with paging, trouble-ticketing and help desk systems, providing a great deal of flexibility in how security alerts are integrated into current management systems.
© 1999 Check Point Software Technologies Ltd. All rights reserved. Used with permission.