Internet technology has changed not only the way organizations do business, but also the way they approach network security. Corporate networks are no longer defined by physical boundaries, but by enterprise-wide security policies. To be effective, these policies must include a broad range of security services that govern access to network information resources while protecting the privacy and integrity of network communications across the Internet, intranet and extranet. Check Point Software Technologies offers a comprehensive solution to meet these new and expanding security requirements.

Check Point FireWall-1 is an enterprise security suite which combines Internet, intranet/extranet and remote user access control with authentication, encryption, network address translation (NAT) and content screening services to deliver an integrated solution that scales to meet the demands of organizations large and small. The product suite is unified by Check Point's OPSEC (Open Platform for Secure Enterprise Connectivity) policy management framework, which provides central integration, configuration and management for Check Point FireWall-1 as well as third-party security applications. FireWall-1 lets an organization define a single, integrated security policy that is distributed to multiple firewall gateways and managed remotely from anywhere on the enterprise network. Additional capabilities such as router security management, traffic load balancing and high availability are also available and can be integrated into the overall enterprise security policy. Check Point FireWall-1 is transparent to network users and is designed to sustain high performance across multiple protocols and high-speed networking technologies. With installations at thousands of customer sites worldwide, Check Point FireWall-1 is among the most widely deployed and tested firewalls available.
FireWall-1 is based on stateful inspection, the generation of firewall technology invented and patented by Check Point Software Technologies. Stateful inspection records communication- and application-derived state and context information in tables that are stored and updated dynamically as traffic passes through the gateway. This approach provides application-layer awareness without requiring a separate proxy for every service to be secured, which improves performance and scalability and allows new and custom applications to be secured much more quickly. Check Point FireWall-1 supports hundreds of pre-defined services, applications and protocols out of the box. The programmable INSPECT virtual machine at the core of FireWall-1 allows Check Point to add support for new and custom applications quickly.
Check Point FireWall-1 employs a distributed client/server architecture, providing scalability and centralized management for multiple firewall gateways located anywhere on the enterprise network. Cross-platform support for Windows 95, Windows NT, UNIX and internetworking equipment (routers, switches, remote access devices) from Check Point's OPSEC partners gives a high degree of deployment flexibility.
What to consider?
Check Point Software Technologies provides a suite of applications scalable to small, medium and large businesses, providing enterprise-wide security regardless of how customers define their network boundaries. The sections below cover specific areas to consider when building an enterprise-wide security policy.
What about hackers?
Many well-known and documented types of attack exist today, and new forms appear every day, which makes it very difficult for an organization running a home-grown security system to keep up. Check Point Software Technologies monitors and analyzes new methods of breaching network security and incorporates defenses against them into FireWall-1. Because stateful inspection is extensible through INSPECT, a defense against a newly published attack can be added to FireWall-1 and delivered to customers promptly rather than waiting for a new generation of the product. Some common attacks and defenses are listed below:
- SYN Flooding attack: a stream of TCP SYN segments, usually from forged source addresses, whose handshakes are never completed, exhausting the target's half-open connection queue so that legitimate clients cannot connect.
- Ping of Death attack: a fragmented ICMP echo request whose reassembled size exceeds the maximum IP datagram length (65,535 bytes), crashing or hanging hosts whose IP stacks do not check the limit.
- IP spoofing attack: packets carrying a forged source address, typically one belonging to the trusted internal network, in the hope of matching a rule that trusts that address; the defense is to verify that each packet's source address is consistent with the interface it arrived on.
- Stealthing Defense: the gateway silently drops, rather than answers, packets addressed to the gateway itself, so it does not reveal its presence or its services to a scanning attacker.
What is Stateful Inspection?
Stateful inspection is the generation of firewall technology invented and patented by Check Point Software Technologies. It provides application-layer awareness without requiring a separate proxy for every service to be secured, which gives customers good performance, scalability and the ability to support new and custom applications and services quickly and easily. Giga Information Group reported in its March 17, 1997 issue of Gigawire, "We believe that stateful inspection will be adopted by a broad segment of the computer industry as the standard way to provide gateway security in the future". The industry has evolved from packet filters to application-layer proxies to stateful inspection, each generation adopted for the advantages it introduced over the previous one. A stateful inspection architecture understands the state of any communication through the firewall, including packet, connection and application information. Packet filters do not track connection or application state, both of which are integral to a comprehensive security decision: a filter that must let reply traffic back in can only do so by trusting header bits (for example, accepting any inbound TCP segment with the ACK flag set), and an attacker can set those bits on a packet that belongs to no connection at all. Application proxies track application state but leave packet and connection handling to the gateway's own TCP/IP stack, so that layer of the traffic is outside the firewall's policy and any weakness in the stack is exposed directly to untrusted peers.
Check Point FireWall-1's patented stateful inspection implementation inspects communications at layers 3-7 of the OSI model, whereas application gateways themselves operate only at layers 5-7 and depend on the host stack for the layers below. This gives FireWall-1 combined packet-, connection- and application-awareness. Cumulative data from communication states, application states, network configuration and security rules is used to enforce the enterprise security policy. For added protection, FireWall-1 intercepts, analyzes and acts on all communications between the network interface driver and the gateway's IP stack, before they enter the operating system's protocol stack, so the operating system itself is not exposed to untrusted communications. The practical consequence is that the inspection module, not the host stack, is the component that must be robust against malformed traffic.
Check Point's stateful inspection implementation is designed to sustain high transmission speeds without degradation. Driven by its patented INSPECT Virtual Machine, Check Point FireWall-1 outperformed the leading application gateway firewall systems in independent performance tests (see Data Communications, March 21, 1997; http://www.data.com/lab_tests/firewalls97.html). The implementation consults the dynamic state tables first when evaluating a packet, so the rule base is examined only for packets that attempt to open a new connection; packets belonging to an existing connection take the fast path and are assessed against the very latest state information. State tables are kept in operating system kernel memory and are never written to disk, so a damaged on-disk table cannot be loaded back into the gateway. If the system fails due to a hardware or software error, fresh empty tables are allocated on restart and nothing from the old tables remains valid. Since the state tables represent active connections, no connection survives such a failure: its subsequent packets arrive with no matching state and are dropped until a new connection is opened and re-evaluated against the policy. This preserves the security of the network, at the cost of interrupting the sessions that were in progress.
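The difference between a packet filter and a stateful inspector described above, as an added example that is not part of the original page or of Check Point's own code: a toy rule base plus a connection table keyed by the initiator's (source, port, destination, port) tuple. The state table is checked before the rule base, only a bare SYN that the rule base accepts may create an entry, and a forged ACK arriving with no entry is dropped, whereas the stateless filter must accept it to let legitimate replies through. All addresses, ports and rules are constructed for illustration; FIN handling is simplified to closing the entry on the first FIN.

```python
# Added example (not Check Point's code): a toy stateful inspection engine
# next to a stateless packet filter, showing why the state table matters.
# Addresses, ports and the rule base are constructed for illustration.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


# Rule base: (source net, destination net, destination port, action).
# First match wins; anything unmatched is dropped. Constructed rules:
#   1. internal clients (10/8) may open HTTP connections anywhere
#   2. anyone may open SMTP connections to the mail server 10.0.1.5
RULES = [
    (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("0.0.0.0/0"), 80, "accept"),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("10.0.1.5/32"), 25, "accept"),
]


def match_rules(p):
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    for src_net, dst_net, dport, action in RULES:
        if src in src_net and dst in dst_net and p.dport == dport:
            return action
    return "drop"


def stateless_filter(p):
    """A packet filter has no memory of earlier packets. To let replies to
    outbound connections back in it must accept any segment with ACK set
    (the classic "established" rule), so it also accepts an ACK that the
    outside world simply made up."""
    if "ACK" in p.flags:
        return "accept"
    return match_rules(p)


class StatefulInspector:
    """Connection table keyed by (src, sport, dst, dport) of the initiator."""

    def __init__(self):
        self.state = {}  # key -> "SYN_SENT" or "ESTABLISHED"

    def inspect(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)  # packet in initiator's direction
        rev = (p.dst, p.dport, p.src, p.sport)  # packet in responder's direction
        entry = fwd if fwd in self.state else rev if rev in self.state else None
        if entry is not None:
            # Fast path: the table is consulted before the rule base.
            # RST/FIN tears the entry down; the responder's SYN/ACK completes
            # the handshake. (Simplified: the first FIN closes the entry.)
            if "RST" in p.flags or "FIN" in p.flags:
                del self.state[entry]
            elif entry == rev and {"SYN", "ACK"} <= p.flags:
                self.state[entry] = "ESTABLISHED"
            return "accept"
        # No state: only a bare SYN may open a connection, and only if the
        # rule base allows it. Out-of-state ACK/FIN/RST segments are dropped.
        if p.flags == frozenset({"SYN"}):
            action = match_rules(p)
            if action == "accept":
                self.state[fwd] = "SYN_SENT"
            return action
        return "drop"


def demo():
    """Runs constructed traffic through both filters; returns (stateless, stateful) per packet."""
    fw = StatefulInspector()
    traffic = [
        pkt("10.0.1.20", 40000, "93.184.216.34", 80, "SYN"),         # outbound HTTP
        pkt("93.184.216.34", 80, "10.0.1.20", 40000, "SYN", "ACK"),  # legitimate reply
        pkt("203.0.113.9", 4444, "10.0.1.20", 22, "ACK"),            # forged ACK to SSH
        pkt("203.0.113.9", 4444, "10.0.1.5", 25, "SYN"),             # inbound SMTP
        pkt("203.0.113.9", 4444, "10.0.1.5", 22, "SYN"),             # inbound SSH
    ]
    return [(stateless_filter(p), fw.inspect(p)) for p in traffic]


if __name__ == "__main__":
    for stateless, stateful in demo():
        print(f"stateless={stateless:6}  stateful={stateful}")
```

The third packet is the one that matters: the stateless filter accepts the forged ACK because it cannot tell it from a reply, while the inspector drops it because no entry in the table claims it. The same table is why a crash costs the sessions in progress: once it is gone, every segment of an established connection looks like that forged ACK.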
What is OPSEC?
Check Point's Open Platform for Secure Enterprise Connectivity (OPSEC) is a single platform that integrates and manages all aspects of network security through an open, extensible management framework. Third-party security applications plug into the OPSEC framework via published application programming interfaces (APIs), industry-standard protocols and INSPECT, Check Point's high-level inspection scripting language. Once integrated into the OPSEC framework, all applications can be configured and managed from a central point using a single policy editor.
How do I define a single security policy across multiple platforms?
Check Point FireWall-1 uses a distributed client/server architecture that lets you define the security policy in a central location and then distribute it to all enforcement points. Multiple-user access control lets different people across the organization manage the security policy according to their authorization levels, through the point-and-click graphical user interface. Once the security policy is defined, the management server compiles the rule base into an INSPECT applet which is sent to all appropriate enforcement points throughout the network. Because the INSPECT applet is platform independent, any system that runs an INSPECT virtual machine can enforce the same policy using Check Point's stateful inspection technology.
What is the best platform to use?
This is a frequently asked question to which there is no single correct answer. The right platform depends on the specific network configuration, the number of network nodes to be secured, the required performance and the skill set of the security administrators within the organization. At Check Point Software Technologies, we believe that all points of network access should be secured, regardless of platform technology, and that it is not reasonable to require special hardware or software to provide secure connectivity. This is why Check Point FireWall-1 is supported across multiple platforms, including NT and UNIX servers, routers, switches and many other internetworking devices. The important factor is that all of these platforms run the same software and can be managed with the same graphical user interface from a central management console. An important consideration when evaluating a platform is the number of network interfaces it supports. A platform limited to two interfaces cannot host a DMZ (De-Militarized Zone) on a separate third interface, which may be crucial for your security implementation.
Should I consider a DMZ?
A DMZ (De-Militarized Zone) is a separate network segment attached directly to the secure point of access, typically on a third interface of the gateway or device running the security application. Implementing a DMZ ensures that all traffic to and from the resources placed in it passes through the secure access point, which gives publicly reachable resources the highest level of protection against attack. Without a DMZ, all resources are located behind the firewall on the internal network. In that scenario, once a connection is allowed through the firewall to reach a resource, it is already inside the perimeter defense; if that resource is compromised, the attacker has a foothold on the internal network and the security of the entire network is at risk.
In the diagram above, if network resources were located behind the firewall instead of in the DMZ, any malicious traffic that reached those resources would already have passed the secure access point, with no further security measures between it and the rest of the network. If network resources are located in the DMZ, all traffic to and from them, including traffic from a DMZ host toward the internal network, must pass through the access point and is subject to the same security policy. This is the more secure configuration.
© 1999 Check Point Software Technologies Ltd. All rights reserved. Used with permission.