connections

CHECK POINT SOFTWARE TECHNOLOGIES LTD.
VOLUME ONE

TABLE OF CONTENTS

1 Letter to Our Customers
2 OPSEC Alliance
3 DHL Protects Critical Information Resources with FireWall-1
4 IBM Resells FireWall-1
4 ISPs Rely on FireWall-1
5 Xylan Embeds FireWall-1 Engine
5 Reference Desk
6 ConnectControl Module
7 Tech Tips
8 Calendar

Dear CHECK POINT CUSTOMER

On behalf of Check Point Software Technologies, I would like to welcome you to the inaugural issue of Check Point Connections, our new quarterly customer newsletter. As the name implies, this newsletter is intended to keep you, our valued customer, “connected” with Check Point and our products. Each issue will contain product feature highlights, overviews of key products and partnerships recently announced by Check Point, technical tips from our outstanding technical team, and updates on network security issues and references to keep you on top of the latest fast-moving network security market.

The theme of this issue of Check Point Connections is OPSEC, Check Point’s Open Platform for Secure Enterprise Connectivity. OPSEC is Check Point’s answer to the evolving network security requirements of today’s enterprise, one in which Internet, intranet and extranet computing are critical to the lifeblood of the corporation. With the explosion and rapid acceptance of the Internet, the physical corporate boundaries that previously defined and governed corporate networks are irrelevant and obsolete. A new paradigm has evolved, pioneered in part by Check Point, whereby corporate networks are being defined by enterprise-wide security policies. To be effective, these policies must include a broad range of security services that govern access to network information resources and protect the privacy and integrity of network communications, including access control, validation of authorized network users, protection of data privacy, anti-virus scanning, URL filtering, protection against malicious Java and ActiveX applets...the list is virtually endless.

And because enterprise-wide networking means connectivity to anyone, anywhere, internal or external to the corporate network, a security policy must also be enterprise-wide, providing policy-based management for an organization’s worldwide offices, remote and mobile users, business partners and customers. This is the OPSEC vision.

Since its initial unveiling in late 1996, OPSEC has been endorsed by more than 80 leaders in network security and the general computer and software industries, including 3Com Corporation, Bay Networks, Hewlett-Packard, IBM, Netscape, Oracle, RSA Data Security, and Security Dynamics. Through OPSEC and our expanding partnerships within the OPSEC Alliance (see article on page 2), Check Point will be able to broaden the range of security functions supported through its integrated management console to meet your evolving requirements.

The essence of the OPSEC architecture is to provide a single platform which integrates and manages all aspects of network security through an open, extensible management framework. Third-party security applications can plug into the OPSEC framework through open, published APIs, industry-standard protocols, as well as INSPECT, Check Point’s high-level scripting language. As a result of this architecture, you can easily and seamlessly integrate a customized set of security components to best meet your requirements and later add new security modules as needed. With OPSEC, all facets of network security are defined and driven by a single enterprise-wide security policy.

Yours Truly,

Deborah Triant, President and CEO
Check Point Software Technologies, Inc.

Juniper Ex. 1035-p. 1
Juniper v Implicit

OPSEC ALLIANCE

In support of OPSEC (Open Platform for Secure Enterprise Connectivity), Check Point’s emerging industry standard for enterprise security, over 80 industry leaders have joined Check Point’s OPSEC Alliance, an open industry-wide initiative. The OPSEC Alliance is dedicated to providing enterprise security solutions and designed to ensure interoperability between best-of-class, leading edge security products at the policy level. It is open to all vendors providing the technology building blocks for enterprise security solutions.

The industry’s only open enterprise security platform enabling the integration and management of a broad range of enterprise network security technologies through a single, enterprise-wide security policy, the OPSEC Alliance provides Check Point customers a comprehensive set of security components from which to select and easily integrate products already implemented within the corporation.

All OPSEC Alliance partners have use of the “OPSEC Alliance” logo, indicating that their products can plug into the OPSEC framework. Additionally, OPSEC Alliance partners can elect to have their products certified by Check Point, providing a measure of interoperability assurance for customers. Products passing this interoperability testing will receive the “OPSEC Certified” designation and logo from Check Point to clearly designate these certified products.

OPSEC Alliance Partners are divided into three categories: Infrastructure, Framework and Passport. Infrastructure Partners embed or bundle Check Point FireWall-1 with their products delivered to their customer base. Framework Partners are developing or have developed complementary value-added products that can be certified as compatible with Check Point’s OPSEC protocols and APIs. Passport Partners are application development vendors that ensure secure computing over the Internet via application compatibility with the OPSEC platform.

To stay current on OPSEC-compliant products and for assistance in building your enterprise security solution, visit the OPSEC Alliance Solutions Center at www.checkpoint.com/opsec.

OPSEC Alliance Program members to-date include:

INFRASTRUCTURE PARTNERS

AST Research
Bay Networks
Hewlett-Packard Company
Ipsilon Networks, Inc.
TimeStep Corporation
Sun Microsystems, Inc.
3Com Corporation
FTP Software, Inc.
IBM Corporation
NCR
U.S. Robotics
Xylan Corporation

FRAMEWORK PARTNERS

Content Security
Computer Associates/Cheyenne Software
ASAP Ltd.
Command Software Systems, Inc.
DataFellows
Digitivity, Inc.
Dr. Solomon’s Software
EliaShim, Inc.
Finjan Software
Integralis, Inc.
McAfee Associates
Security-7 Ltd.
NetPartners Internet Solutions, Inc.
Symantec Corporation

Authentication and Authorization
Axent Technologies, Inc.
ActivCard, Inc.
Blockade Systems Corp.
CryptoCard
Funk Software
MEMCO Software
NeTegrity, Inc.
Secure Computing Corp.
Security Dynamics
Vasco Data Security, Inc.

Encryption
RSA Data Security

Router Security Management
3Com Corporation
Bay Networks, Inc.

Intrusion Detection
AbirNet
Internet Security Systems
Haystack Labs, Inc.
Netect

Event Analysis & Reporting
Accrue Software, Inc.
Bellcore
BGS Systems, Inc.
Kaspia Systems
SecureIT, Inc.
Sequel Technology Corp.
TELEMATE Software, Inc.

Event Integration
Hewlett-Packard Company
The Qualix Group, Inc.

Stonesoft

PASSPORT PARTNERS

BMC Software, Inc.
BackWeb Technologies
Citrix
Connected Corp.
Campbell Services, Inc.
FreeTel Communications
e-motion, Inc.
Informix Software
Gradient
Intel Corporation
InfoData Systems, Inc.
Microsoft Corporation
Liquid Audio, Inc.
Netscape Communications Corp.
OnLive! Technologies
Oracle Corporation
OutReach Technologies, Inc.
PointCast, Inc.
PictureTel Corporation
Progressive Networks, Inc.
Starlight Networks
Sybase, Inc.
VDOnet Corporation
VocalTec
Vosaic
Voxware, Inc.
Vxtreme, Inc.
White Pine Software, Inc.
Xing Technology Corp.

customer profile

DHL PROTECTS CRITICAL INFORMATION RESOURCES WITH FIREWALL-1

In today’s competitive international package delivery business, only tracking information moves faster than documents and packages: where a package may take two to three days to reach its destination, tracking data associated with the package must span the globe in minutes in order to meet customer need and demand for this information.

“Tracking information is a critical element in our business because customers want to know where their packages are almost as soon as the courier picks them up,” explains Vanessa Lea, Gateway and Internet Services Manager at DHL Systems, Inc. “If we don’t have this data available when customers need it, we simply will not be able to compete in the global marketplace.”

DHL Systems, a technology service company for the DHL Worldwide Express organization, is charged with providing global network services to the entire enterprise, the world’s largest and most experienced international air express network, linking more than 825,000 destinations in more than 225 countries.

DHL Systems realized the potential importance of electronic communications in achieving the company’s information needs back in 1988 when they installed their first Internet connection to expedite e-mail communications with customers and suppliers. “As e-mail and Internet usage caught on,” says Johan van Reijendam, Senior Network Engineer, “we soon recognized that if we were going to put any value on these services then we would have to protect our investments with a firewall as a precautionary measure.”

Accordingly, in 1994, DHL Systems implemented the first DHL firewall, using FireWall-1 from Check Point Software Technologies Ltd., on a Sun SPARC-2 server. “FireWall-1 was selected,” Lea says, “because it met our security needs, was straightforward to implement, and features an easy to use graphical user interface that streamlines maintenance activities.”

In 1996, that firewall was upgraded to FireWall-1 Version 2.1 running on a Sun Solaris platform to meet the increased security requirements associated with the launch of a new application that empowers customers to track their own packages from the DHL Web site (www.dhl.com). “By simply entering a package tracking number, this Web-based application accesses our database hidden from the customer by the firewall and reports back through the firewall with the package status,” van Reijendam explains. “We stayed with the Check Point firewall for this new application because of its proven track record in our network as well as the fact that it operates between the second and third OSI (Open Systems Interconnect) layer. As a result, there is no way for data or traffic to circumvent the firewall.”

DHL currently has FireWall-1 installed at both of their Web servers, one in Burlingame, California, the other in London, England. “With this configuration,” Lea adds, “we can effectively eliminate over-loading that otherwise might occur at either site at any given time. Furthermore, with replicated sites and firewalls distributed on either side of the Atlantic, we have a high degree of both security and disaster protection: should an earthquake ever impact our California facility, for example, London stands ready with its own FireWall-1 to carry on.”

IBM OEMS FIREWALL-1

Adding to Check Point Software Technologies’ strong list of OEM partners, the company recently announced an agreement with IBM Corporation to OEM the Check Point FireWall-1 enterprise security solution. As part of the agreement, Check Point also announced FireWall-1 for IBM’s RS/6000 server family running the AIX operating system.

The addition of FireWall-1 for AIX makes Check Point the only network security software vendor to support all major commercial server platforms, including Sun Solaris, HP-UX, Microsoft Windows NT and IBM AIX-based systems.

FireWall-1 for AIX will be available in the third quarter of 1997 from IBM and its authorized resellers, both as a stand-alone software product and as part of an RS/6000 Internet POWERsolution, ready-to-run Web server systems. The product will also be available through Check Point authorized distributors and resellers.

IBM is reselling FireWall-1 as part of its Internet POWERsolutions and as a stand-alone product.

ISPs RELY ON FIREWALL-1

The proliferation of intranets and extranets in corporations has brought with it the need to secure these networks from unwanted intruders and unauthorized users. Many companies are choosing to outsource not only the design and management of their intranets and extranets, but also the security component that goes hand-in-hand with these networks. Internet Service Providers worldwide are responding to this demand with comprehensive managed service offerings for their business customers. Check Point FireWall-1 has become the preferred solution among ISPs for the network security component of the majority of managed service offerings available today.

Two of the most recent ISPs to select FireWall-1 for their managed service offerings are MCI and UUNET, who together comprise a majority of the total ISP market. As part of their recent announcement of networkMCI Intranet Builder and networkMCI Intranet Complete, MCI announced that it is using FireWall-1 for the managed firewall component of their networkMCI Intranet Services. MCI will provide both on-site and complete, fully-managed end-to-end solutions to its corporate customers using FireWall-1. Services offered include installation, supervision, technical management and firewall support.

UUNET, the world’s largest ISP, is integrating FireWall-1 into its ExtraLink secure virtual private network offering including ExtraLink Remote, which provides integrated remote dial-in capability over the Internet using UUNET’s dial-up infrastructure. UUNET is incorporating FireWall-1 SecuRemote, Check Point’s client encryption software, to provide secure ExtraLink Remote dial-up links.

WORLDWIDE ISPS INCLUDE:

• Concentric Networks
• Digex
• CompuServe Network Services
• EUNet Deutschland (Germany)
• Genuity
• Hitachi
• Netrex
• NTT PC (Japan)
• Quza (UK)
• Telenor Bedrift AS (Norway)
• UUNET
• UUNET Pipex (UK)
• U S West
• WilTel

XYLAN SWITCHES SECURELY WITH FIREWALL-1

Xylan Corporation has partnered with Check Point Software Technologies to integrate IP firewalls into the OmniSwitch and PizzaSwitch. Xylan already offers the industry’s most sophisticated switching solutions, combining integrated routing, VLANs and LAN/ATM networking in a single chassis. By adding IP firewalls to these powerful products, Xylan now offers customers an integrated secure connectivity solution.

Customers can now integrate IP firewalls into their new or existing OmniSwitches and PizzaSwitches to secure the perimeter of their networks from malicious attacks as well as from access by unauthorized external users. The same firewall capability can also be used to safeguard internal resources from unauthorized access. IP firewalls are ideal for controlling traffic between VLANs, giving only authorized users access across VLAN boundaries. In particular, a firewall can serve as a security barrier in front of servers, mainframes and other sensitive resources.

Enterprise-wide Security. Xylan’s firewalls provide an enterprise-wide security solution that organizations can integrate into the OmniSwitches and into the PizzaSwitches in use at their remote offices and campus networks. Instead of dedicating one piece of hardware for wide area connectivity, another for switching and a third for firewalls, an organization can integrate all of these features into a Xylan switch and use it as an integrated security solution wherever it is deployed. It is a simple, yet powerful solution that can be used at remote offices or at the core of a large network.

Most importantly, the firewall capabilities built into the OmniSwitch and PizzaSwitch can be managed from the same, central Check Point enterprise management console that customers use to manage their FireWall-1 installations on UNIX or Windows NT servers, or the other router and switch platforms in which the FireWall-1 engine is embedded.

Firewalls Between VLANs. Switching alone creates flat networks that do not allow networks to scale to hundreds or thousands of users. VLANs allow large, switched networks to scale and fit their organization’s needs by carving broadcast domains out of the network. Xylan has created the most advanced VLAN architecture in the internetworking industry, giving administrators a wide variety of criteria on which to base their virtual LANs.

Inter-VLAN communication requires the routing function to take place somewhere within the network. Xylan has integrated the routing function into the OmniSwitch and PizzaSwitch for inter-VLAN communication. Administrators can use firewalls to control access to VLANs that contain sensitive resources and information. By adding firewall capabilities into the OmniSwitch and PizzaSwitch, administrators can secure resources within their networks and protect their network from unwelcome users. Administrators can define the access levels of users by the applications used and by VLAN membership.

—Antoine Gaessler, Director of Channels Marketing
Check Point Software Technologies, Inc.

REFERENCE DESK

GENERAL SECURITY RESOURCES:
• Great Circle Associates
http://www.greatcircle.com
• Computer Emergency Response Team (CERT)
http://www.cert.org
• Computer Incident Advisory Capability (CIAC)
http://ciac.llnl.gov
• National Institute of Standards and Technology (NIST) Computer Security Resource Clearinghouse
http://csrc.ncsl.nist.gov

JAVA SECURITY RESOURCES:
• JavaSoft FAQ on Security
http://www.javasoft.com/sfaq/index.html
• Official Directory for Java
http://www.gamelan.com

ACTIVE X SECURITY RESOURCES:
• The Unofficial Active X Guide
http://www.shorrock.u-net.com/netindex.html

product highlight

CONNECTCONTROL MODULE

With the rapid exploitation of the Internet to provide instantaneous information to employees and customers alike, organizations are often forced to provide ever more powerful servers to meet the burgeoning demand for connectivity. If a company’s Web server is overwhelmed with connection requests, customers may experience poor response times or even connection timeouts. Now, Check Point Software Technologies Ltd. provides the ideal solution for organizations whose servers are straining under the growing number of connection requests.

Check Point FireWall-1 version 3.0 includes the ConnectControl module, incorporating advanced connection control functionality to ensure the highest degree of network connectivity and optimal server response times. FireWall-1 provides the ability to allocate connection attempts among multiple physical servers. While companies are relieved of the need to upgrade to more expensive network servers, users benefit by realizing improved response times.

FireWall-1 customers can replace a single server providing HTTP, or other service, with a logical pool of servers sharing a common IP address. An incoming connection request is directed to a particular server based on the load balancing algorithm selected from the FireWall-1 configuration options. Five different pre-defined balance algorithms are available to meet the specific needs of an organization.

One popular means of balancing incoming connection attempts is to distribute traffic to the server experiencing the lightest load. For example, all incoming HTTP requests to a particular IP address can be efficiently balanced among multiple servers which share this single address. This method evenly balances the load on all the servers in a logical pool that provides support for the same Internet service. By utilizing existing servers, organizations avoid the expensive proposition of upgrading their network servers whenever incoming traffic increases.

In addition, Check Point has designed the FireWall-1 load balancing feature with enterprise connectivity in mind. The individual servers comprising the logical server pool do not have to reside behind the firewall, or even on the same network. By using the Domain load balancing algorithm, companies can direct requests to the closest server based on domain names. Check Point has recognized that because not all users are located in proximity to one another, it makes sense to disperse an organization’s servers throughout the network and utilize load balancing to optimize response times. Other FireWall-1 load balancing algorithms enable incoming connection attempts to be distributed to individual servers based on round trip delays, round robin schemes, or random server assignment.

The load balancing functionality of FireWall-1 proactively addresses the needs of corporations to utilize existing hardware to provide optimal user response times. Organizations can provide complete network connectivity while maintaining the integrity of their enterprise-wide network security policy.

— Greg Smith, Product Marketing Manager
Check Point Software Technologies, Inc.

Five server load balancing methods are defined, allowing customers to choose how connection requests will be directed for optimal performance.

technical tip

FireWall-1 SYNCHRONIZATION AND THE BOOTP PROTOCOL

Firewall Synchronization is a new feature in FireWall-1 Version 3.0 that allows FireWall modules running on different machines to share information about connection states. Because each FireWall module is kept aware of the connections going through the other modules in the synchronization, a module can correctly process a connection that did not initiate through it. This loosens the restrictions on traffic flow by removing the firewall as a bottleneck, making dual-homed networks and highly-available firewalls much easier to implement.

In earlier versions of FireWall-1, the network manager was required to design traffic flow so that all packets entering and leaving the protected network were seen by a single FireWall module. This limited the manager’s ability to implement redundant firewalls and dual-homed networks.

Setting up FireWall Synchronization is a very simple process. On each of the modules participating in the synchronization, do the following:

STEP ONE - Place the names of the other FireWall modules in the file '$FWDIR/conf/sync.conf'.

STEP TWO - Stop the firewall by typing ‘fwstop’.

STEP THREE - If a control path does not already exist between the modules, use the ‘fw putkey’ command to establish one. (See page 253 of the FireWall-1 Architecture and Administration User Guide Version 3.0 for more details on this command).

STEP FOUR - Verify that the system clock is correct with regard to the other modules. If the module clocks are out of sync by more than a few seconds, the synchronization will fail.

STEP FIVE - Start the firewall by typing ‘fwstart’.

There are some restrictions that the network manager needs to be aware of when implementing FireWall Synchronization. FireWall-1 Security Servers are implemented as a combination of processes and state tables.

Because processes cannot be synchronized between modules, authenticated connections will not work in a dual-homed environment. For similar reasons, encrypted sessions should only flow through a single module.

When designing the rule base for a dual-homed implementation, it is important to consider the refresh rate of the table synchronization. It is possible that near the start of a connection, packets will flow to a second module before that module has been made aware of the new connection. If the second module is configured to reject unknown packets, it will send a connection reset packet to the sender, aborting the connection. If the module is instead configured to drop the packet, the sender will retransmit after a delay. During this delay, the modules will have synchronized, and the connection will continue normally. The dropped packets will be logged if the ‘Log Established TCP Packets’ option is turned on, but they should be considered a normal part of establishing a connection through synchronized modules.

BOOTP AND FIREWALL-1. The bootp protocol consists of two simple UDP protocols: bootpc (from the client which boots to the server where the boot image is held) on port 67, and bootps (the other way around) on port 68. It is easy to define those two as UDP services in the GUI. These services normally use the broadcast address (255.255.255.255) as the client’s address. Additional information is available in RFCs 951 and 1340.

In order to allow BOOTP, there are several things you should take care of:

ONE - Find out which address bootp clients use (normally it would be 255.255.255.255) and create a machine with this IP.

TWO - Use this machine as the source for the port 67 service and destination for the port 68 service.

THREE - Since bootp uses the IP broadcast address 255.255.255.255, you need to add it to the anti-spoofing group for the interface of the server, so that IP packets destined to it will be passed. Since the IP source address is often 0.0.0.0, you might also need that address to be part of the anti-spoofing group for the interface of the client (the device which attempts to boot). To do these things, you need to create a network object which will contain this address, so you'll be able to add it to the anti-spoofing group.

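
The reject-versus-drop behaviour described in the synchronization tip (a packet reaching the second module before the state tables have synchronized) can be reproduced with a small simulation. This is an added example, not Check Point code: the Module class, the fixed sync interval, the 3-second doubling retransmission timer and the addresses are assumptions made for illustration.

```python
"""Toy model of two state-synchronized firewall modules (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Module:
    name: str
    on_unknown: str               # "reject" or "drop" for packets with no table entry
    log_established: bool = True  # stand-in for the 'Log Established TCP Packets' option
    table: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle(self, conn, now, opening=False):
        """Return 'accept', 'reject' or 'drop' for one packet of `conn`."""
        if opening:
            self.table.add(conn)  # assume the rule base accepted the first packet
            return "accept"
        if conn in self.table:
            return "accept"
        if self.log_established:
            self.log.append((now, self.name, self.on_unknown, conn))
        return self.on_unknown


def synchronize(modules):
    """Give every module the union of all connection tables."""
    merged = set().union(*(m.table for m in modules))
    for m in modules:
        m.table = set(merged)


def run_connection(policy, sync_interval, reply_delay, rto=3.0, max_retries=3):
    """Dual-homed path: the opening packet crosses fw_a at t=0 and the reply
    reaches fw_b after `reply_delay` seconds. Tables are synchronized every
    `sync_interval` seconds; a dropped packet is retransmitted after `rto`
    seconds, doubling each time (assumed sender behaviour)."""
    if sync_interval <= 0:
        raise ValueError("sync_interval must be positive")
    fw_a = Module("fw_a", on_unknown=policy)
    fw_b = Module("fw_b", on_unknown=policy)
    conn = ("10.0.0.5", 40000, "192.0.2.10", 80)  # constructed 4-tuple
    fw_a.handle(conn, 0.0, opening=True)

    next_sync, now = sync_interval, reply_delay
    for attempt in range(max_retries + 1):
        while next_sync <= now:      # apply every synchronization due by `now`
            synchronize([fw_a, fw_b])
            next_sync += sync_interval
        verdict = fw_b.handle(conn, now)
        if verdict == "accept":
            return {"result": "established", "time": now,
                    "retransmits": attempt, "log": fw_b.log}
        if verdict == "reject":      # reset goes back to the sender: connection aborted
            return {"result": "reset", "time": now,
                    "retransmits": attempt, "log": fw_b.log}
        now += rto * 2 ** attempt    # silent drop: sender waits, then retransmits
    return {"result": "timeout", "time": now,
            "retransmits": max_retries, "log": fw_b.log}


if __name__ == "__main__":
    for policy, delay in (("reject", 0.05), ("drop", 0.05), ("reject", 0.6)):
        out = run_connection(policy, sync_interval=0.5, reply_delay=delay)
        print(f"{policy:6} reply at {delay:>4}s -> {out['result']:11} "
              f"t={out['time']:.2f}s retransmits={out['retransmits']} "
              f"logged={len(out['log'])}")
```

With a 0.5-second sync interval, a reply that arrives after 0.05 seconds is reset under "reject" but completes after one retransmission under "drop", leaving a single logged drop; a reply that arrives after the first synchronization is accepted under either setting.
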
EVENTS
CHECK POINT SOFTWARE TECHNOLOGIES LTD.

Networks 97
Product Demonstrations - Booth # HOS7
June 24-26, 1997
Birmingham, UK

Network Security Asia 97 Conference and Exhibition
Firewalls and Network Security
August 12, 1997
Singapore

Internet Expo
Product Demonstrations - Booth #2636 in the Triumph Technologies Booth
August 12-14, 1997
Boston, MA

ICE Los Angeles
Internet Town Hall
September 9, 1997
Los Angeles, CA

Gartner Intranet+Extranet Expo
Firewalling Intranets and Extranets
September 24, 1997
San Francisco, CA

NetWorld + Interop
The Future of Internet Security: A View from Behind the Firewall
Product Demonstrations
October 9, 1997
Atlanta, GA

ICE Japan
Keynote Panel
December 5, 1997
Tokyo, Japan

Check Point Connections is published quarterly and is free to all qualified subscribers. Check Point, the Check Point logo, Check Point FireWall-1, FireWall-1, FireWall-1 SecuRemote, FireWall-First!, OPSEC and INSPECT are trademarks of Check Point Software Technologies Ltd. All other trademarks are the property of their respective owners.

© Check Point Software Technologies Ltd. All rights reserved. No part of this publication may be reprinted or otherwise reproduced without written permission from the editor. Emily Cohen, Director of Corporate Communications
Check Point Software Technologies, Inc.
400 Seaport Court, Suite 105, Redwood City, CA 94063
Tel: 415-562-0400 x228, Fax: 415-562-0410, www.checkpoint.com

Check Point Software Technologies Ltd. • 3A Jabotinsky Street, 24th Floor • Ramat-Gan 52520, Israel
Check Point Software Technologies, Inc. • 400 Seaport Court, Suite 105 • Redwood City, CA 94063