Check Point FireWall-1™
White Paper

Version 3.0 — June 1997
P/N 400-3000

http://www.checkpoint.com

Executive Summary

Expanding Internet technologies have redefined corporate approaches to
internetworking and security. As the Internet becomes the forum for corporate
communications and international commerce, enterprises require an innovative,
comprehensive security solution.

Check Point Software Technologies Ltd. meets these growing connectivity needs
with FireWall-1, the leading network security solution. FireWall-1 enables
enterprises to define and enforce a single, comprehensive security policy while
providing full, transparent connectivity. Utilizing Check Point’s patented Stateful
Inspection Technology and Open Platform for Secure Enterprise Connectivity
(OPSEC), FireWall-1 integrates and centrally manages all aspects of network
security.

This document describes the unique features of Check Point FireWall-1’s Security
Suite, and also presents OPSEC, an innovative framework that provides
integrated management for FireWall-1 and third-party security applications. In
addition, simple step-by-step procedures demonstrate how to build a FireWall-1
Rule Base to implement a security policy for both a simple and a more detailed
network configuration. Finally, performance data illustrates how FireWall-1’s
high levels of speed, transparency and efficiency deliver unmatched network
security.

In This Document:

The Check Point FireWall-1 Security Suite ..... page 3
Configuring FireWall-1 ..... page 24
Performance ..... page 31
Conclusion ..... page 32

0001

Blue Coat Systems - Exhibit 1067

Copyrights and Trademarks

© 1994–1997 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part of
this product or related documentation may be reproduced in any form or by any means without prior
written authorization of Check Point. While every precaution has been taken in the preparation of
this book, Check Point assumes no responsibility for errors or omissions. This publication and
features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.

TRADEMARKS:

FireWall-1, SecuRemote, Stateful Inspection, INSPECT, Check Point and the Check Point logo are
trademarks or registered trademarks of Check Point Software Technologies Ltd. Sun, SPARC, Solaris
and SunOS are trademarks of Sun Microsystems, Inc. UNIX and OPEN LOOK are registered
trademarks of UNIX System Laboratories, Inc. Cisco is a registered trademark of Cisco Systems, Inc.
Bay Networks is a registered trademark of Bay Networks, Inc. Security Dynamics and SecurID are
registered trademarks and ACE/Server is a trademark of Security Dynamics Technologies, Inc. HP is
a registered trademark of Hewlett-Packard Company. Windows is a trademark and Microsoft is a
registered trademark of Microsoft Corporation. Telnet is a registered trademark of SoftSwitch, Inc.
Netscape Communications, Netscape, Netscape Navigator and the Netscape Communications logo are
trademarks of Netscape Communications Corporation.

All other products or services mentioned herein are trademarks or registered trademarks of their
respective owners. The products described in this document may be protected by one or more U.S.
patents, foreign patents, or pending applications.

Check Point Software Technologies Ltd.
International Headquarters:
3A Jabotinsky
Ramat Gan 52520, Israel
Tel: 972-3-613 1833
Fax: 972-3-575 9256

e-mail: info@checkpoint.com

U.S. Headquarters:
400 Seaport Court, Suite 105
Redwood City, CA 94063
Tel: 800-429-4391
     415-562-0400
Fax: 415-562-0410
HTTP://www.checkpoint.com


The Check Point FireWall-1 Security Suite

Check Point FireWall-1’s comprehensive Security Suite delivers an enterprise-wide
security solution that goes far beyond the capabilities of previous firewall solutions.
FireWall-1’s unique and innovative Security Suite includes:
• Open Platform for Secure Enterprise Connectivity (OPSEC)
• Stateful Inspection Technology
• Enterprise-wide Security Management
• Distributed Client/Server Architecture
• Authentication
• Network Address Translation
• Encryption
• Content Security
• Connection Control
• Router Management

OPSEC

Check Point’s OPSEC introduces a new standard in enterprise security that
integrates all aspects of network security through a single, extensible
management framework.

OPSEC allows enterprises to take full advantage of the FireWall-1 Security Suite
and other security applications. The OPSEC framework provides central
configuration and management for FireWall-1, while integrating third party
security applications. Enterprises can choose the security components, from
Check Point and other vendors, that best meet their requirements. OPSEC is
both open and extensible, incorporating a variety of security applications in a
single, centrally managed security system. Enterprises can take full advantage of
the latest security technologies and can upgrade individual components without
having to reconfigure an entire security system.

Enterprises can plug into Check Point’s OPSEC framework in the following ways:
• OEM/Bundling
  The FireWall-1 Inspection Module runs directly on third-party security
  equipment.
• Published APIs
  Check Point provides Application Programming Interfaces for open protocols.
• Network Security Applications
  FireWall-1 supports third-party applications securely out-of-the-box.

The OPSEC Model

In the OPSEC framework, the enterprise security system is composed of several
components, each of which is provided by a different vendor and installed on a
different machine. FireWall-1 distributes security tasks to the OPSEC
components. Transactions between FireWall-1 and OPSEC security components
take place using open, industry standard protocols.


Example OPSEC components are:
• a CVP (Content Vectoring Protocol) server that examines files for viruses
• a UFP (URL Filtering Protocol) server that categorizes URLs

Published APIs

OPSEC provides C language APIs for configuring transactions between FireWall-1
and OPSEC components. The OPSEC API is a powerful and easy to use
environment that defines an asynchronous interface suitable for developing:
• servers that implement one or more OPSEC security tasks
• clients that use an OPSEC server

OPSEC Client/Server Interaction

In a common OPSEC model, FireWall-1 acts as a client sending requests to an
OPSEC server. FireWall-1 intercepts a connection and generates a request to the
OPSEC server. The server processes the request and sends a reply to FireWall-1.
FireWall-1 processes the original connection based on the reply.

Figure 1  OPSEC Client/Server Communication
[diagram: an OPSEC Client, the FireWall Module and an OPSEC Server, each
connected to the others through the OPSEC API]

For example, FireWall-1 intercepts a connection request from an internal host to
a specific URL. FireWall-1 passes the request to a UFP server, which checks a
list of permitted and denied URLs. The UFP server sends FireWall-1 a reply
stating that the requested URL is a denied Web site. FireWall-1 denies the
original connection.

In the “standard” framework, FireWall-1 is the OPSEC client, but other scenarios
are also possible:
• An OPSEC client (not a FireWall) communicates directly with an OPSEC server
  without the intervention of a FireWall Module.
• A FireWall Module acts as the OPSEC server.
Stateful Inspection Technology

FireWall-1’s patented Stateful Inspection Technology delivers full firewall
capabilities, assuring the highest level of network security. FireWall-1’s powerful
Inspection Module analyzes all packet communication layers and extracts the
relevant communication and application state information. The Inspection
Module understands and can learn any protocol and application. By employing
this flexible, extensible technology, FireWall-1 meets the dynamic security
requirements of today’s enterprise.
`
FireWall-1 Inspection Module

The FireWall-1 Inspection Module resides in the operating system kernel, below
the Network layer, at the lowest software level. By inspecting communications at
this level, FireWall-1 can intercept and analyze all packets before they reach the
operating system. No packet is processed by any of the higher protocol layers
unless FireWall-1 verifies that it complies with the enterprise security policy.

Figure 2  FireWall-1 Inspection Module
[diagram: the Inspection Module sits between layer 2 (Data Link) and layer 3
(Network) of the seven communication layers (1 HW Connection, 2 Data Link,
3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application) and examines
the IP, TCP, session and application data of each packet; the inspection
flowchart has the nodes "Packet Matches Rule?", "Is There Another Rule?",
"Log/Alert", "Pass the Packet?", "Send NACK", "Drop the Packet" and "END"]
`
Full State Awareness

The Inspection Module has access to the “raw message,” and can examine data
from all packet layers. In addition, FireWall-1 analyzes state information from
previous communications and other applications. The Inspection Module
examines IP addresses, port numbers, and any other information required in
order to determine whether packets comply with the enterprise security policy.

The Inspection Module stores and updates state and context information in
dynamic connections tables. These tables are continually updated, providing
cumulative data against which FireWall-1 checks subsequent communications.

FireWall-1 follows the security principle of “All communications are denied
unless expressly permitted.” By default, FireWall-1 drops traffic that is not
explicitly allowed by the security policy and generates real-time security alerts,
providing the system manager with complete network status.

Securing “Stateless” Protocols

The FireWall-1 Inspection Module understands the internal structures of the IP
protocol family and applications built on top of them. For stateless protocols
such as UDP and RPC, the Inspection Module extracts data from a packet's
application content and stores it in the state connections tables, providing
context in cases where the application does not provide it. In addition, the
Inspection Module can dynamically allow or disallow connections as necessary.
These capabilities provide the highest level of security for complex protocols.
Figure 3  FireWall-1 Inspecting a UDP Session
[diagram: the client's outbound packet (src, sport, dst, dport) is recorded in
the connections table by the Inspection Module; the server's reply packet is
looked up in the connections table before it is passed back to the client]
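The following is an added illustration of the UDP tracking that Figure 3 describes; it is example code written for this page, not Check Point code and not the INSPECT implementation. An outbound UDP packet accepted by the policy is recorded in a connections table keyed by its (src, sport, dst, dport) tuple, and an inbound packet is admitted only if it is the reverse of a live entry. The entry timeout, the packet representation and the sample traffic are assumptions made for the example.

```python
# Added example (not Check Point code): a toy stateful filter for UDP, the
# "stateless" protocol of Figure 3. Outbound requests are recorded in a
# connections table; an inbound packet passes only if it reverses a recorded,
# unexpired entry. Timeout and packet fields are assumptions for this example.
from collections import namedtuple

UdpPacket = namedtuple("UdpPacket", "src sport dst dport ts")


class UdpConnectionTable:
    """Connections table: maps a recorded 4-tuple to the time it was last seen."""

    def __init__(self, timeout=40.0):
        self.timeout = timeout  # seconds an idle UDP entry stays valid (assumed)
        self.entries = {}       # (src, sport, dst, dport) -> last-seen timestamp

    def _expire(self, now):
        stale = [k for k, seen in self.entries.items() if now - seen > self.timeout]
        for k in stale:
            del self.entries[k]

    def record_outbound(self, pkt):
        """Client -> server packet already accepted by the Rule Base: remember it."""
        self._expire(pkt.ts)
        self.entries[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts

    def inbound_allowed(self, pkt):
        """Server -> client packet: allowed only if it reverses a live entry."""
        self._expire(pkt.ts)
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse the 4-tuple
        if key in self.entries:
            self.entries[key] = pkt.ts  # refresh: the session is still active
            return True
        return False


def demo():
    """Constructed traffic: an internal host queries an external DNS server."""
    table = UdpConnectionTable(timeout=40.0)
    query = UdpPacket("10.1.1.5", 40001, "192.0.2.53", 53, ts=100.0)
    table.record_outbound(query)
    reply = UdpPacket("192.0.2.53", 53, "10.1.1.5", 40001, ts=100.2)
    unsolicited = UdpPacket("192.0.2.53", 53, "10.1.1.5", 40002, ts=100.3)
    late_reply = UdpPacket("192.0.2.53", 53, "10.1.1.5", 40001, ts=200.0)
    return {
        "reply": table.inbound_allowed(reply),              # matches the query
        "unsolicited": table.inbound_allowed(unsolicited),  # no matching entry
        "late_reply": table.inbound_allowed(late_reply),    # entry has expired
    }


if __name__ == "__main__":
    print(demo())
```

The point a reader should take from the example is the one the section makes: UDP carries no session state of its own, so the filter must manufacture it, and the expiry step matters because without it every recorded query would leave a permanent inbound hole.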
`
INSPECT Language

Using Check Point’s INSPECT language, FireWall-1 incorporates security rules,
application knowledge, context information, and communication data into a
powerful security system.

INSPECT is an object-oriented, high-level script language that provides the
Inspection Module with the enterprise security rules. In most cases, the security
policy is defined using FireWall-1’s graphical interface. From the security policy,
FireWall-1 generates an Inspection Script, written in INSPECT. Inspection Code
is compiled from the script and loaded on to the FireWalled enforcement points,
where the Inspection Module resides. Inspection Scripts are ASCII files, and can
be edited to facilitate debugging or meet specialized security requirements.

INSPECT provides system extensibility, allowing enterprises to incorporate new
applications, services, and protocols simply by modifying one of FireWall-1's
built-in script templates using the graphical user interface.
`
Enterprise-Wide Security Management

Centralized Security Policy

FireWall-1 allows an enterprise to define and implement a single, centrally
managed security policy. A FireWall-1 security policy is expressed in terms of a
Rule Base and Properties.

The Rule Base is an ordered set of rules against which each communication is
tested, while Properties define overall standards of communication inspection.
FireWall-1 rules specify the source, destination, service and action taken for each
communication. The security rules also specify which communication events are
logged and the information included in each log entry.
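An added example of ordered Rule Base evaluation, written for this page (it is not Check Point code and does not reproduce FireWall-1's data formats): each rule names a source object, a destination object, a service and an action, and says whether a match is logged; rules are tested in order and the first match decides. A connection that matches no rule is dropped and logged, which is the "denied unless expressly permitted" default the earlier section describes. The object names, the services table and the three-rule policy are constructed for the illustration.

```python
# Added example (not Check Point code): first-match evaluation of an ordered
# Rule Base with an implicit default drop. Object, service and rule definitions
# are constructed sample data, not FireWall-1's own object database.
import ipaddress
from dataclasses import dataclass

# Network objects: name -> networks it denotes (constructed sample objects)
OBJECTS = {
    "localnet":   [ipaddress.ip_network("10.1.0.0/16")],
    "mailserver": [ipaddress.ip_network("10.1.2.25/32")],
    "Any":        [ipaddress.ip_network("0.0.0.0/0")],
}
# Services: name -> (protocol, destination port); "Any" matches everything
SERVICES = {"http": ("tcp", 80), "smtp": ("tcp", 25), "dns": ("udp", 53), "Any": None}


@dataclass
class Rule:
    src: str
    dst: str
    service: str
    action: str          # "accept", "drop" (silent) or "reject" (NACK sent)
    log: bool = False


@dataclass
class Connection:
    src: str
    dst: str
    proto: str
    dport: int


def _in_object(addr, name):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OBJECTS[name])


def _matches_service(conn, name):
    spec = SERVICES[name]
    return spec is None or spec == (conn.proto, conn.dport)


def evaluate(rule_base, conn, log):
    """Return the action for conn; append a log line when the matching rule logs."""
    for number, rule in enumerate(rule_base, start=1):
        if (_in_object(conn.src, rule.src) and _in_object(conn.dst, rule.dst)
                and _matches_service(conn, rule.service)):
            if rule.log:
                log.append(f"rule {number} {rule.action} {conn.proto} "
                           f"{conn.src}->{conn.dst}:{conn.dport}")
            return rule.action
    # No rule matched: the implicit default drops and logs the attempt.
    log.append(f"rule 0 drop {conn.proto} {conn.src}->{conn.dst}:{conn.dport}")
    return "drop"


# Constructed Rule Base: outbound web, inbound mail to one host, all else dropped
RULE_BASE = [
    Rule("localnet", "Any", "http", "accept"),
    Rule("Any", "mailserver", "smtp", "accept", log=True),
    Rule("Any", "Any", "Any", "drop", log=True),   # explicit clean-up rule
]


def demo():
    log = []
    results = [
        evaluate(RULE_BASE, Connection("10.1.5.7", "203.0.113.80", "tcp", 80), log),
        evaluate(RULE_BASE, Connection("203.0.113.9", "10.1.2.25", "tcp", 25), log),
        evaluate(RULE_BASE, Connection("203.0.113.9", "10.1.5.7", "tcp", 23), log),
    ]
    return results, log


if __name__ == "__main__":
    print(demo())
```

Because matching stops at the first rule, rule order is part of the policy: the explicit clean-up rule at the end exists so that the administrator, not the implicit default, decides what gets logged about rejected traffic.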
`
The security policy is managed and updated from a single, centralized
workstation. All communications between this workstation and FireWalled
enforcement points are authenticated and transmitted on secure channels.


`
Graphical User Interface

FireWall-1’s intuitive graphical user interface offers a powerful set of tools for
the centralized management and implementation of an enterprise security policy.

Object-Oriented Management

Rule Base Editor

FireWall-1’s object-oriented Rule Base enables an enterprise to easily define and
implement a comprehensive security policy. Administrators can specify
enterprise networks, users, and servers, and the relationships between them.
This centrally managed solution makes it easy to modify network object
parameters and update the security policy.

Figure 4  FireWall-1 Rule Base Editor

A FireWall-1 Rule Base specifies the actions taken on communication attempts —
whether they are allowed, disallowed, logged, etc.


Properties Setup

A security policy is defined not only by the Rule Base, but also by the
parameters in the Properties Setup window. Properties define the overall aspects
of communication inspection without the need to specify repetitive details in the
Rule Base.

Figure 5  Properties Setup window - Security Policy tab

Object Managers

Object Managers make it easy to define all the network’s elements in terms of
object classes and their properties. Objects can be grouped in families or
organized in hierarchies for more efficient control. Object properties can be
centrally managed and updated.

Every object has a set of attributes, such as network address, subnet-mask, etc.
The user specifies some of these attributes, while others are extracted by
FireWall-1 from the network databases, like the hosts and networks files,
Network Information Services (NIS/Yellow Pages), and the Internet domain
service. SNMP agents are used for extracting additional information, including
the interfaces and network configuration of hosts, routers and gateways.

Figure 6  Workstation Properties window - General tab

FireWall-1’s graphical user interface allows Administrators to define the
following object classes:
• Network Objects — networks and sub-networks, hosts, gateways and servers
  (FireWalled or not), routers, Internet domains, and logical servers
• Users — individuals and groups accessing the network
  Administrators can define user access privileges, including allowed sources and
  destinations as well as user authentication schemes.
• Services — services known to the system and used in the security policy
  FireWall-1 includes a comprehensive set of over 100 TCP/IP and Internet
  services. New services can be added easily.
• Resources — sets of entities which can be accessed by a specific protocol
  FireWall-1 Resources can be defined based on HTTP, FTP and SMTP.
• Time Objects — time periods during which rules are in effect
• Servers — content screening and authentication servers
• Keys — encryption keys for interoperability with third party encryption
  devices that do not support automated key management

Visual Tracking and Accounting: Log Viewer

FireWall-1’s graphical Log Viewer provides visual tracking, monitoring and
accounting information for all connections passing through FireWalled gateways.
On-line viewing features enable real-time monitoring of communication activities
and alerts. The Log Viewer also displays significant network events, such as
security policy installations or system shutdowns.

The Log Viewer provides precise control over the log file display, providing quick
access to relevant information. Administrators can customize the Log Viewer to
display or hide specific fields. Logs and log records can be filtered and searched
to quickly locate and track events of interest. Colors and icons attached to
events and fields also facilitate tracking.

Figure 7  Log Viewer

Reports are easily generated by applying selection criteria to chosen fields,
providing both detailed and comprehensive views. Reports can be printed or
exported to third party applications, such as spreadsheets or trouble-ticketing
systems. Exported log information is authenticated and transmitted on secure
channels to protect sensitive auditing information.

Real-time Alerting: System Status Viewer

FireWall-1 provides real-time status, auditing, and alerting capabilities. The
System Status window displays a snapshot of all the FireWalled systems
throughout the enterprise. The status of each FireWalled host is available at a
glance. The System Status window also provides packet statistics — the number
of packets accepted, logged or rejected — for each FireWalled host.


`
Administrators can also specify an action taken if the status of a FireWalled host
changes. For example, FireWall-1 can issue an alert notifying system managers of
any suspicious activity.

Figure 8  System Status Window

Anti-Spoofing

FireWall-1 detects spoofed packets by checking that the source IP address of a
packet entering a FireWalled gateway corresponds to the appropriate gateway
interface. FireWall-1’s object-oriented interface allows Security Administrators to
define anti-spoofing for all gateway interfaces and generate alerts.

The Interface Properties window specifies anti-spoofing detection. Figure 9
depicts the anti-spoofing properties for a gateway’s external interface — le0. By
specifying “Others” under Valid Addresses, the Security Administrator assures
that only packets whose source IP address does not belong to the networks
behind this gateway will be allowed to pass.
`
Figure 9  Interface Properties window with anti-spoofing defined
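An added example of the per-interface check just described; it is written for this page and is not Check Point code. Each gateway interface is configured with the source networks that may legitimately arrive on it, and the external interface is marked "Others", meaning any source that is not one of the networks behind the gateway. The interface names besides le0, the addresses and the sample packets are constructed for the illustration.

```python
# Added example (not Check Point code): anti-spoofing as a per-interface
# validity check on the source address. "Others" on the external interface
# means "anything that is not behind this gateway". Interface names other
# than le0, networks and sample packets are constructed for this example.
import ipaddress


class AntiSpoofing:
    def __init__(self, interfaces):
        # interfaces: name -> list of network strings, or the string "Others"
        self.valid = {}
        for name, spec in interfaces.items():
            if spec == "Others":
                self.valid[name] = "Others"
            else:
                self.valid[name] = [ipaddress.ip_network(n) for n in spec]
        # Every explicitly listed network is "behind the gateway".
        self.internal = [n for spec in self.valid.values()
                         if spec != "Others" for n in spec]

    def check(self, iface, src):
        """Return (accepted, reason) for a packet with source src entering iface."""
        ip = ipaddress.ip_address(src)
        spec = self.valid[iface]
        if spec == "Others":
            if any(ip in net for net in self.internal):
                return False, f"spoofed: internal source {src} arrived on external interface {iface}"
            return True, "ok"
        if any(ip in net for net in spec):
            return True, "ok"
        return False, f"spoofed: source {src} is not valid for interface {iface}"


# Constructed gateway: le0 faces the Internet, le1 the LAN, le2 a DMZ
GATEWAY = AntiSpoofing({
    "le0": "Others",
    "le1": ["10.1.0.0/16"],
    "le2": ["192.168.50.0/24"],
})


def demo():
    """Run four constructed packets through the check; return the alert lines."""
    alerts = []
    samples = [("le0", "203.0.113.7"), ("le0", "10.1.4.4"),
               ("le1", "10.1.4.4"), ("le1", "192.168.50.9")]
    for iface, src in samples:
        ok, reason = GATEWAY.check(iface, src)
        if not ok:
            alerts.append(reason)   # violations generate alerts, as the text says
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second and fourth samples are the two cases the check exists for: an internal address arriving from outside, and a DMZ address arriving on the LAN interface. Both are rejected and produce an alert line; the two legitimate packets pass.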
`

`
Distributed Client/Server Architecture

FireWall-1 manages the enterprise security policy through a distributed
Client/Server architecture that ensures high performance, scalability and
centralized control.

FireWall-1 consists of two primary modules — the Management Module and the
FireWall Module. These modules can be deployed in a number of flexible
Client/Server configurations across a broad range of platforms (see “Platform
Summary” on page 34).

FireWall-1’s Client/Server architecture is completely integrated. There is only
one security policy and one Rule Base, defined and maintained at a single
management point, which controls multiple FireWalled enforcement points.

Management Module

The Management Module includes the GUI and the management database
functionalities — the Rule Base, network objects, services, users etc. The
security policy is defined on the GUI. The components of the Management
Module can reside on the same machine or be deployed in a Client/Server
configuration (see Figure 10 on page 13).

FireWall Module

The FireWall Module includes the Inspection Module and Security Servers.

The FireWall Module implements the security policy, logs events, and
communicates with the Management Module using the FireWall daemons. A
machine on which the FireWall-1 Inspection Module is installed is known as a
“FireWalled system.”

The FireWall Module can be installed on a broad range of platforms (see
“Platform Summary” on page 34). It usually resides on a dual-homed host (a
gateway) but can also be installed on a server.

A FireWall-1 security policy is defined using the GUI on the Management
Module. Inspection Code is then generated and installed on the FireWall
Modules that will enforce the security policy.

The Management Module GUI client, the Management Module server and the
FireWall Module can be installed on the same computer if its platform supports
all three components, or on three different computers. In either case, the System
Administrator defines and maintains the security policy on the Management
Module, while the FireWalled Gateways (where the FireWall Module is installed)
enforce the security policy.

Distributed Configurations

Figure 10 depicts a distributed configuration, in which a Management Module
(in the Client/Server implementation) controls three FireWall Modules, each of
which is on a different platform, which in turn protect three heterogeneous
networks.


`
In this configuration the Security Administrator can configure and monitor
network activity for several sites from a single desktop machine. The security
policy is defined on the GUI Client, while the FireWall database is maintained on
the Management Server. The connections between the client, server and multiple
enforcement points are secured, enabling true remote management.

Figure 10  Distributed FireWall-1 Configuration
[diagram: (1) a Management Module consisting of a GUI Client and a Management
Server manages (2) three FireWall Modules, a FireWalled Gateway (Sun) and a
FireWalled Gateway (NT), each behind a router to the Internet, and an Internal
FireWall (HP), which in turn (3) protect an Intranet, an NFS Server and a
Database Server; legend: Unix and PC systems]

NOTE: The Management Module can also manage FireWall Modules on Bay Networks
routers and Xylan switches, and Access Lists for routers.

Although FireWall-1 is deployed in a distributed configuration, security policy
enforcement is completely integrated. Any number of FireWall Modules can be
set-up, monitored and controlled from a single workstation, but there is still
only one enterprise-wide security policy maintained by a single rule base and log
file. Authorized management clients can access security control information from
anywhere on the network.

Authentication

FireWall-1 provides remote users and telecommuters secure, authenticated access
to enterprise resources using multiple authentication schemes. FireWall-1
authentication services securely validate users or clients that try to access the
internal network. Modifications to local servers or client applications are not
required. Authentication services are fully integrated into the enterprise-wide
security policy and can be centrally managed through FireWall-1’s graphical user
interface. All authentication sessions can be monitored and tracked through the
Log Viewer.

Authentication Methods

FireWall-1 provides three authentication methods:
1. User Authentication
2. Client Authentication
3. Session Authentication

User Authentication

FireWall-1’s transparent User Authentication provides access privileges on a per
user basis for FTP, TELNET, HTTP, and RLOGIN, regardless of the user’s IP
address. If a local user is temporarily away from the office and logging in on a
different host, the Security Administrator may define a rule that allows that user
to work on the local network without extending access to all users on the same
host.

The FireWall-1 Security Servers implement user authentication on the gateway.
FireWall-1 intercepts a user’s attempt to start an authenticated session on the
requested server and directs the connection to the appropriate Security Server.
After the user is authenticated, the FireWall-1 Security Server opens a second
connection to the host. All subsequent packets of the session are intercepted and
inspected by FireWall-1 on the gateway.

Client Authentication

Client Authentication enables an administrator to grant access privileges to a
specific user at a specific IP address. In contrast to User Authentication, Client
Authentication is not restricted to specific services, but provides a mechanism
for authenticating any application, standard or custom. FireWall-1 Client
Authentication is not transparent, but it does not require any additional
software or modifications on either the client or server. The administrator can
determine how each individual is authenticated, which servers and applications
are accessible, at what times and days, and how many sessions are permitted.

Session Authentication

Session Authentication can be used to authenticate any service on a per-session
basis. After the user initiates a connection to the server, FireWall-1 opens a
connection with a Session Authentication Agent. The Agent performs the
required authentication, after which FireWall-1 allows the connection to continue
to the requested server.

Authentication Schemes

FireWall-1 supports the following authentication schemes:
1. S/Key — The user is challenged to enter the value of the requested S/Key
   iteration.
2. SecurID — The user is challenged to enter the number displayed on the
   Security Dynamics SecurID card.
3. OS Password — The user is challenged to enter his or her OS password.
4. Internal — The user is challenged to enter his or her internal FireWall-1
   password on the gateway.
5. RADIUS — The user is challenged for a response, as defined by the RADIUS
   server.
6. Axent — The user is challenged for the response, as defined by the Axent
   server.

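To make the first scheme in the list concrete, here is an added example of the challenge/response principle behind S/Key-style one-time passwords. It is illustration code written for this page, not Check Point's or the S/Key reference implementation: real S/Key derives the chain with MD4 or MD5 from a seed and a secret and presents the value as six short words, whereas this example uses SHA-256 over the seed and secret and passes raw bytes, both of which are assumptions. What it preserves is the mechanism the list refers to: the gateway holds only the last accepted chain value and a sequence number, challenges the user for the next lower iteration, and accepts a response only if hashing it once yields the stored value.

```python
# Added example (not Check Point code): S/Key-style one-time password chain.
# v0 = H(seed || secret), v_i = H(v_{i-1}). The server stores v_N and N; the
# challenge for the next login is iteration N-1, and the response is accepted
# iff H(response) == stored value. SHA-256 instead of MD4/MD5 is an assumption.
import hashlib


def _h(data):
    return hashlib.sha256(data).digest()


def generate_chain(secret, seed, count):
    """Return [v0, v1, ..., v_count] for the given secret and seed."""
    values = [_h(seed.encode() + secret.encode())]
    for _ in range(count):
        values.append(_h(values[-1]))
    return values


def client_response(secret, seed, iteration):
    """What the user's calculator produces for a challenge of this iteration."""
    return generate_chain(secret, seed, iteration)[iteration]


class SKeyServer:
    """Holds the last accepted chain value and its sequence number, never the secret."""

    def __init__(self, seed, top_value, sequence):
        self.seed = seed
        self.stored = top_value     # most recently accepted chain value, v_sequence
        self.sequence = sequence    # the challenge will ask for iteration sequence-1

    def challenge(self):
        if self.sequence == 0:
            return None             # chain exhausted: the user must re-register
        return (self.sequence - 1, self.seed)

    def verify(self, response):
        if self.sequence == 0 or _h(response) != self.stored:
            return False            # wrong value, replay, or skipped iteration
        self.stored = response      # advance: the accepted value is the new anchor
        self.sequence -= 1
        return True


def demo():
    """Constructed walk-through: one good login, one replay, one more good login."""
    secret, seed, n = "correct horse", "ck42", 5
    chain = generate_chain(secret, seed, n)
    server = SKeyServer(seed, chain[n], n)     # registration stores v5 only
    results = []
    iteration, _ = server.challenge()          # asks for iteration 4
    first = client_response(secret, seed, iteration)
    results.append(server.verify(first))       # accepted
    results.append(server.verify(first))       # replayed: rejected
    iteration, _ = server.challenge()          # asks for iteration 3
    results.append(server.verify(client_response(secret, seed, iteration)))
    return results


if __name__ == "__main__":
    print(demo())
```

Each accepted response becomes the new anchor, so a captured value is useless once it has been used, and because the server stores only hash outputs, a compromise of the gateway's database does not reveal the secret or any unused password.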
Network Address Translation

FireWall-1’s Network Address Translation features provide complete Internet
access for internal hosts with invalid or secret IP addresses. Internal hosts can
be accessible from the Internet, even though their internal IP addresses are
invalid Internet addresses. FireWall-1 supports both IP address hiding and static
Address Translation, providing full Internet connectivity for internal clients. At
the same time, FireWall-1 completely integrates Address Translation rules in the
security policy, maintaining full network security.

Configuring Address Translation

FireWall-1 Address Translation rules can be simply generated and integrated into
the enterprise security policy. FireWall-1 provides three methods for configuring
Address Translation:
1. Automatic Configuration
2. Address Translation Rule Base (Windows and X/Motif only)
3. Command Line Interface

Automatic Configuration

Address Translation properties can be defined for particular objects, such as
workstations or networks. Address Translation rules are then automatically
generated, and the object’s properties are applied whenever it is used in the
security policy.

Figure 11  Automatically Generating Address Translation for a network

Graphical Address Translation Rule Base

FireWall-1’s graphical user interface simplifies the definition and implementation
of Address Translation rules. This flexible Address Translation Rule Base allows
administrators to:
• specify objects by name rather than by IP address
• restrict rules to specified destination IP addresses, as well as to the specified
  source IP Addresses
• translate both source and destination IP addresses in the same packet
• restrict rules to specified services (ports)
• translate ports

Figure 12  Address Translation Graphical User Interface

Command-Line Interface

Address Translation rules can be defined using a command line interface
application (fwxlconf). It is also possible to directly edit the text file
$FWDIR/conf/xlate.conf.

Translation Modes

FireWall-1 supports two kinds of Address Translation modes to protect internal
addressing schemes while providing full Internet access:
• Dynamic
  FireWall-1 translates many invalid addresses to a single valid address and
  dynamically assigns port numbers to distinguish between the invalid addresses.
  Dynamic address translation is called “Hide Mode,” because the invalid
  addresses are hidden behind the valid address.
• Static
  FireWall-1 translates each invalid address to a corresponding valid address.

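The two modes side by side, as an added example written for this page (not Check Point code and not the format of xlate.conf): Hide Mode maps every host in an internal network onto one valid address and hands each outbound flow its own source port, which is the only thing that lets the reply be sent back to the right hidden host; Static Mode maps one internal address to one valid address, so the translated host can also be reached from the Internet. The networks, the valid addresses and the port range are constructed for the illustration.

```python
# Added example (not Check Point code): Hide Mode (many-to-one with assigned
# ports) beside Static Mode (one-to-one). Addresses and the port pool are
# constructed sample values.
import ipaddress


class Translator:
    def __init__(self, hide_net, hide_addr, static_map, port_range=(10000, 60000)):
        self.hide_net = ipaddress.ip_network(hide_net)   # hidden behind hide_addr
        self.hide_addr = hide_addr
        self.static = dict(static_map)                    # internal -> valid, one to one
        self.static_rev = {v: k for k, v in static_map.items()}
        self.next_port, self.max_port = port_range
        self.hide_table = {}   # (hidden src, sport) -> assigned external port
        self.hide_rev = {}     # assigned external port -> (hidden src, sport)

    def outbound(self, src, sport):
        """Translate the (src, sport) of an internal -> Internet packet."""
        if src in self.static:
            return self.static[src], sport               # static: address only
        if ipaddress.ip_address(src) in self.hide_net:
            key = (src, sport)
            if key not in self.hide_table:
                if self.next_port > self.max_port:
                    raise RuntimeError("hide-mode port pool exhausted")
                self.hide_table[key] = self.next_port
                self.hide_rev[self.next_port] = key
                self.next_port += 1
            return self.hide_addr, self.hide_table[key]
        return src, sport                                # not subject to translation

    def inbound(self, dst, dport):
        """Reverse-translate the (dst, dport) of an Internet -> internal packet."""
        if dst in self.static_rev:
            return self.static_rev[dst], dport           # static hosts are reachable
        if dst == self.hide_addr:
            # Only a port a hidden host opened maps back; anything else is
            # unsolicited and has no internal destination.
            return self.hide_rev.get(dport)
        return dst, dport


def demo():
    """Constructed traffic: two hidden clients and one statically mapped server."""
    t = Translator("10.1.0.0/16", "198.51.100.1", {"10.1.2.25": "198.51.100.25"})
    a = t.outbound("10.1.5.7", 40001)     # hidden client, gets port 10000
    b = t.outbound("10.1.5.8", 40001)     # same sport, different host: port 10001
    c = t.outbound("10.1.2.25", 25)       # static: address replaced, port kept
    return (a, b, c,
            t.inbound("198.51.100.1", 10001),   # back to 10.1.5.8:40001
            t.inbound("198.51.100.25", 25),     # back to the static server
            t.inbound("198.51.100.1", 9999))    # no hidden host: None


if __name__ == "__main__":
    print(demo())
```

The asymmetry is the security property the section alludes to: a Hide Mode address accepts inbound packets only on ports that an internal host opened, while a Static Mode address exposes its host to whatever the Rule Base permits.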
Virtual Private Networks

Long-distance communications between enterprises, partners, branch offices and
mobile users have become essential to business relations. Enterprises are
increasingly using public networks, such as the Internet, as a flexible, cost-
effective connection between their private networks. However, public networks
expose corporations to the following dangers:
• break-ins — unauthorized Internet access to internal networks
• eavesdropping — enterprise communications can be monitored and tampered
  with as they travel over the Internet

Check Point FireWall-1 allows enterprises to take full advantage of Virtual
Private Networks. FireWall-1’s encryption services establish secure
communication channels over the Internet, assuring full privacy, authenticity
and data integrity in corporate internetworking.


FireWall-1 Encryption

FireWall-1 provides transparent, selective encryption for a wide range of
services, allowing organizations to make full use of the Internet for all business
and connectivity needs. Multiple encryption schemes, key management and an
internal Certificate Authority are fully integrated with other FireWall-1 features.
FireWall-1’s intuitive graphical interface makes it simple to define and manage
encryption in an enterprise security policy.

Secure VPNs

FireWalled gateways encrypt data communications traveling over the Internet
between private networks, creating secure, Virtual Private Networks. FireWall-1
implements encryption for corporate internetworks without the need to install
and configure encryption software on every host in the networks involved. A
FireWalled gateway performs encryption on behalf of its encryption domain
— the local area network (LAN) or group of networks that it protects. Behind the
gateway, in the internal networks, packets are not encrypted. Only packets
traveling over the public segment of the connection are encrypted.

Selective Encryption

FireWall-1's selective encryption feature allows the transmission of both clear
and encrypted data between the same workstations and networks. Instead of
encrypting all communications between corporate networks, FireWall-1 allows
administrators to define the specific services that require encryption.

Multiple Encryption Schemes

FireWall-1 supports three encryption schemes:
1. FWZ, a proprietary FireWall-1 encryption scheme
2. Manual IPSec, an encryption and authentication scheme that uses fixed keys
3. SKIP (Simple Key-Management for Internet Protocols), developed by Sun
   Microsystems, that adds improved keys and key management to IPSec


The relationship between the components of the encryption schemes, as
implemented in FireWall-1, is illustrated in Table 1.

Table 1  Comparison of Encryption Schemes

feature                        | FWZ                          | Manual IPSec             | SKIP
-------------------------------|------------------------------|--------------------------|-------------------------------------------
portability                    | Check Point proprietary      | standard                 | standard, supported by Sun and other vendors
key management (session keys)  | yes; each TCP or UDP session | no; fixed                | yes; keys change over time or as the amount
                               | has a new key                |                          | of data encrypted exceeds a threshold
number of keys required is     | number of correspondents     | square of the number of  | number of correspondents
proportional to the...         |                              | correspondents           |
packet size                    | unchanged                    | increased                | increased
gateway can encrypt/decrypt on | yes                          | yes (in Tunnel Mode)     | yes (in Tunnel Mode)
behalf of other hosts          |                              |                          |

DES, FWZ1 and RC4 are all encryption algorithms used to encrypt the data
portion of a packet.

High Efficiency and Performance

FireWall-1 encryption does not alter communication length, maintains MTU
validity and eliminates packet fragmentation, thus achieving the highest
performance available over the network. FireWall-1 supports encryption speeds
greater than 10 Mb/sec through a standard desktop workstation. In addition,
routing priorities and policies are preserved.

FireWall-1 SecuRemote

FireWall-1 SecuRemote extends the Virtual Private Network to the desktop and
laptop. Mobile and remote Microsoft Windows 95 and NT users can connect to
their enterprise networks via dial-up Internet connections — either directly to
the server or t
