NG FP3

For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at

http://support.checkpoint.com/kb/

Part No.: 700527
September 2002

Juniper Ex. 1045-p. 1
Juniper v Huawei

© 2000-2002 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright
and distributed under licensing restricting their use, copying, distribution, and
decompilation. No part of this product or related documentation may be reproduced in
any form or by any means without prior written authorization of Check Point. While
every precaution has been taken in the preparation of this book, Check Point assumes
no responsibility for errors or omissions. This publication and features described herein
are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth
in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause
at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Check Point, the Check Point logo, ClusterXL, ConnectControl, FireWall-1, FireWall-1,
FireWall-1 GX, FireWall-1 SecureServer, FireWall-1 SmallOffice, FireWall-1 VSX,
FireWall-1 XL, FloodGate-1, INSPECT, INSPECT XL, IQ Engine, Open Security
Extension, OPSEC, Provider-1, SecureKnowledge, SecurePlatform, SecureXL,
SiteManager-1, SmartCenter, SmartCenter Pro, SmartDashboard, SmartDefense,
SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView
Reporter, SmartView Status, SmartView Tracker, SVN, UAM, User-to-Address Mapping,
UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Appliance, VPN-1 Certificate
Manager, VPN-1 Gateway, VPN-1 Net, VPN-1 Pro, VPN-1 SecureClient, VPN-1
SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 SmallOffice and VPN-1
VSX are trademarks or registered trademarks of Check Point Software Technologies
Ltd. or its affiliates. All other product names mentioned herein are trademarks or
registered trademarks of their respective owners.
The products described in this document are protected by U.S. Patent No. 5,606,668,
5,699,431 and 5,835,726 and may be protected by other U.S. Patents, foreign patents,
or pending applications.
THIRD PARTIES:
Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and
other countries. Entrust’s logos and Entrust product and service names are also
trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly
owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate
certificate management technology from Entrust.
Verisign is a trademark of Verisign Inc.
The following statements refer to those portions of the software copyrighted by
University of Michigan.
Portions of the software copyright © 1992-1996 Regents of the University of Michigan.
All rights reserved. Redistribution and use in source and binary forms are permitted
provided that this notice is preserved and that due credit is given to the University of
Michigan at Ann Arbor. The name of the University may not be used to endorse or
promote products derived from this software without specific prior written permission.
This software is provided “as is” without express or implied warranty.
Copyright © Sax Software (terminal emulation only).
The following statements refer to those portions of the software copyrighted by
Carnegie Mellon University.
Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

Permission to use, copy, modify, and distribute this software and its documentation for
any purpose and without fee is hereby granted, provided that the above copyright notice
appear in all copies and that both that copyright notice and this permission notice
appear in supporting documentation, and that the name of CMU not be used in
advertising or publicity pertaining to distribution of the software without specific, written
prior permission.
CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN
NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR
CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The following statements refer to those portions of the software copyrighted by The
Open Group.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR
ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The following statements refer to those portions of the software copyrighted by The
OpenSSL Project.
This product includes software developed by the OpenSSL Project for use in the
OpenSSL Toolkit (http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
The following statements refer to those portions of the software copyrighted by Eric
Young.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
Copyright © 1998 The Open Group.

September 2002

Check Point Software Technologies Ltd.
International Headquarters:
3A Jabotinsky Street
Ramat Gan 52520, Israel
Tel: 972-3-753 4555
Fax: 972-3-575 9256
e-mail: info@CheckPoint.com

U.S. Headquarters:
Three Lagoon Drive, Suite 400
Redwood City, CA 94065
Tel: 800-429-4391; (650) 628-2000
Fax: (650) 654-4233
http://www.checkpoint.com

Please direct all comments regarding this publication to techwriters@checkpoint.com.

Table Of Contents

Preface
Who Should Use this User Guide 9
Summary of Contents 9
Check Point Documentation 10
What Typographic Changes Mean 12
Shell Prompts in Command Examples 13
Network Topology Examples 13

Chapter 1 SmartDefense
Overview 15
Configuring SmartDefense 16
Anti Spoofing Configuration 17
Denial of Service 18
Teardrop 20
Ping of Death 21
LAND 22
IP and ICMP 22
Fragment Sanity Check 24
Packet Sanity 25
Max Ping Size 26
TCP 26
SYN Attack 27
Small PMTU 30
Sequence Verifier 32
DNS 33
FTP 34
FTP Bounce Attack 35
FTP Security Server 36
HTTP 42
General HTTP Worm Catcher 43
HTTP Security Server 44
SMTP Security Server 48
SMTP Content 49
Mail and Recipient Content 50
Successive Events 52
Address Spoofing 53
Port Scanning 55
Local Interface Spoofing 56
Successive Alerts 57
Successive Multiple Connections 58
SYN Attacks and SYNDefender 58
Guidelines for Deploying SYNDefender 64

Chapter 2 Network Address Translation (NAT)
Introduction 67
The Need for Address Translation 67
Example 69
Configuring Network Address Translation 70
Address Translation Modes 70
Hide Mode 71
Statically Translating Addresses 75
Address Translation and Routing 78
Configuring Routing on the Gateway 78
IANA Recommendations 86
Supported Services 86
Restrictions 86
FTP port command 87
Generating Address Translation Rules Automatically 87
Overview 87
Network Address Translation Rule Base 89
Overview 89
Structure of a NAT Rule 89
NAT Rule Base Example 91
Defining Address Translation Rules 93
Using the NAT Rule Base Editor 93
Address Translation Examples 102
Gateway with Two Interfaces 102
Gateway with Three Interfaces 106
Advanced Topics 112
Rule Base 112
Overlapping NAT 113
Implementation 116
Frequently Asked Questions 116

Chapter 3 Authentication
Overview 123
VPN-1/FireWall-1 Authentication 123
Three Types of Authentication 124
User Authentication 126
User Authentication — Overview 127
User Authentication — Deployment 127
Non-Transparent User Authentication 140
User Authentication and the HTTP Security Server 142
Session Authentication 162
Session Authentication — Overview 162
Session Authentication — Deployment 164
Client Authentication 173
Client Authentication — Overview 173
Client Authentication — Deployment 177
Single Sign On — Additional Features 190
Client Authentication — Examples of Sign On Methods 193
Encrypted Client Authentication 201
Client Authentication — Security Considerations 202
Client Authentication — Additional Features 202

Chapter 4 Security Servers and Content Security
Security Servers 205
Overview 205
Security Servers and the Rule Base 208
Interaction with OPSEC Products 222
Defining Security Servers 224
Content Security 227
Resources and Security Servers 228
Web (HTTP) 230
Mail (SMTP) 233
FTP 234
CVP Inspection 234
CVP Load Sharing and Chaining 236
Security Server Configuration 237
fwauthd.conf file 237

Chapter 5 ClusterXL
Installing and Licensing ClusterXL 241
State Synchronization 243
Full and Delta Synchronization 243
Secured Interfaces 244
Implementing Synchronization 244
Selective Synchronization 245
Different Routes for Connections (Asymmetric Routing) 246
Timing Issues 247
Synchronized Cluster Restrictions 248
Troubleshooting State Synchronization 249
Check Point High Availability and Load Sharing Solutions 250
High Availability — Overview 250
Load Sharing — Overview 250
High Availability Modes 251
Improvements in Load Sharing 252
When Does a Failover Occur? 252
What Happens When a Gateway Recovers? 253
VLAN Support 253
How a Recovered Cluster Member Obtains the Latest Security Policy 253
Cluster Protocols 254
Configuring High Availability and Load Sharing 255
Example New CPHA and Load Sharing Topology 255
Example Legacy CPHA Topology 257
Moving from a Single Enforcement Module to Load Sharing or New CPHA 260
Configuring Load Sharing or New CPHA from Scratch 264
Moving Between New CPHA and Load Sharing 268
Moving from Legacy CPHA to New CPHA or Load Sharing 268
Configuring Legacy CPHA from Scratch 271
Upgrading a Check Point High Availability Cluster 273
Upgrading a Third Party cluster 274
Adding Another Member to an Existing Cluster 274
Moving from Load Sharing or New CPHA to Legacy CPHA 274
Multicast Switch Settings for Load Sharing 275
ClusterXL Advanced Settings 276
High Availability and Load Sharing Commands 278
Cluster Status Tools 278
To Verify that Load Sharing Works Properly 278
Status Manager 279
Log Viewer 280

Chapter 6 VoIP (Voice Over IP)
Overview 281
H.323-Based VoIP 281
Configuring VoIP (H.323) 282
SIP-Based VoIP 288
Configuration 288
Configuring VoIP (SIP) 289

Chapter 7 Boot Security
The Need for Boot Security 295
Control of IP Forwarding 296
The Default Filter 296
Why the Default Filter is Needed 296
What the Default filter Does 296
Default Filter Operation 297
The Initial Policy 298
Stopping VPN-1/FireWall-1 for Remote Maintenance 300
fwstop -default and fwstop -proc 300
Changing Boot Security Settings 301
Verifying the Default Filter 301
control_bootsec 301
fwboot bootconf 302
comp_init_policy 303
Standard Default Filter 303
defaultfilter.boot 304
defaultfilter.drop 304
To change the Default Filter 304
User-Defined Default Filter 304
To unload a Default Filter or an Initial Policy 305
Boot Security FAQ 305

Chapter 8 SNMP and Network Management Tools
Overview 307
VPN-1/FireWall-1 SNMP Agent (daemon) 307
VPN-1/FireWall-1 HP OpenView Extension 310
Installing the FireWall-1 HP OpenView Extension 310
Uninstalling the VPN-1/FireWall-1 HP OpenView Extension 312
Viewing FireWalled Objects 312
VPN-1/FireWall-1 MIB Source 314

Chapter 9 ConnectControl — Server Load Balancing
The Need for Server Load Balancing 319
How Server Load Balancing Works 320
Load Balancing using HTTP Logical Server 320
Load Balancing using Non-HTTP Logical Server 321
Load Balancing Algorithms 322
Defining Logical Servers 322
Rule Base 325
Using HTTP Logical Servers in a Rule 325
Using non-HTTP Logical Servers in a Rule 325
Load Measuring 325

Chapter 10 FAQ (Frequently Asked Questions)
Defining Objects and Services 327
Daemons 332
Security Servers 333
Logging 337
Security 338
VPN-1/FireWall-1/n (VPN-1/FireWall-1/25, VPN-1/FireWall-1/50, etc.) Issues 339
Supported Protocols and Interfaces 341
Inspecting 342
Administrative Issues 343
Performance 344

Preface

Who Should Use this User Guide
This User Guide is written for system administrators who are responsible for
maintaining network security. It assumes you have a basic understanding and a working
knowledge of:
• system administration
• the Unix or Windows operating system
• the Windows GUI
• Internet protocols (IP, TCP, UDP etc.)

Summary of Contents
Chapter 1, “SmartDefense,” describes Check Point’s SmartDefense feature, which
actively protects an organization from known and unknown network attacks by using
intelligent security technology.

Chapter 2, “Network Address Translation (NAT),” describes VPN-1/FireWall-1’s
Network Address Translation feature.

Chapter 3, “Authentication,” describes VPN-1/FireWall-1’s Authentication features.

Chapter 4, “Security Servers and Content Security,” describes how to implement
content security using Check Point Security Servers.

Chapter 5, “ClusterXL,” describes State Synchronization, High Availability
(redundancy) and Load Sharing features for VPN/FireWall Modules in a gateway
cluster.

Chapter 6, “VoIP (Voice Over IP),” describes Check Point protection for Voice Over
IP connections.

Chapter 7, “Boot Security,” describes how Check Point implements security
immediately upon boot, even before VPN-1/FireWall-1 fully loads.

Chapter 8, “SNMP and Network Management Tools,” describes how
VPN-1/FireWall-1 interacts with network management tools.

Chapter 9, “ConnectControl — Server Load Balancing,” describes VPN-1/FireWall-1
ConnectControl and Connection Accounting.

Chapter 10, “FAQ (Frequently Asked Questions),” is a compilation of Frequently
Asked Questions about VPN-1/FireWall-1.

Check Point Documentation
User Guides are available for each product in Portable Document Format (PDF) in the
Check Point Enterprise Suite. The Adobe Acrobat Reader is required to view PDF
files and is also available on the Check Point Enterprise Suite CD-ROM. Alternatively,
you can download the Acrobat Reader from the Adobe Web site
(http://www.adobe.com).

The following User Guides are available for Check Point Enterprise Suite products.

1) Check Point Getting Started Guide — This book is an introduction to Check Point
products.

2) Check Point SmartCenter Guide — This book describes the Check Point
Management GUI, which is used to manage VPN-1/FireWall-1 and other Check
Point products.

3) Check Point FireWall-1 — This book describes Check Point VPN-1/FireWall-1.

4) Check Point Virtual Private Networks — This book describes the Check Point
VPN-1/FireWall-1 encryption features.

5) Check Point Desktop Client Guide — This book describes Check Point security as
implemented by SecuRemote and SecureClient.

6) Check Point FloodGate-1 — This book describes Check Point FloodGate-1, which
enables administrators to manage the quality of service on their networks.

7) Check Point Real Time Monitor — This book describes the Check Point Real Time
Monitor, which enables administrators to monitor quality of service on their
network links, as well as Service Level Agreement compliance.

8) Check Point Provider-1 — This book describes Check Point
Provider-1/SiteManager-1, which enables service providers and managers of large
networks to provide Check Point products-based services to large numbers of
subscribers.

Check Point FireWall-1 • September 2002

9) Check Point Reporting Module — This book describes the Check Point Reporting
Module, which enables administrators to manage databases of Check Point log-based
information.

10) Check Point UserAuthority — This book describes Check Point UserAuthority,
which enables third-party and Web applications to leverage Check Point’s
sophisticated authentication and authorization technologies.

11) Check Point User Management — This book describes Check Point LDAP-based user
management.

Note - For additional technical information about Check Point products, consult Check
Point’s SecureKnowledge database at http://support.checkpoint.com/kb/

What Typographic Changes Mean
The following table describes the typographic changes used in this book.

TABLE P-1 Typographic Conventions

Typeface or Symbol | Meaning | Example
AaBbCc123 | The names of commands, files, and directories; on-screen computer output | Edit your .login file. Use ls -a to list all files. machine_name% You have mail.
AaBbCc123 | What you type, when contrasted with on-screen computer output | machine_name% su  Password:
AaBbCc123 | Command-line placeholder: replace with a real name or value | To delete a file, type rm filename.
AaBbCc123 | Book titles, new words or terms, or words to be emphasized | Read Chapter 6 in User’s Guide. These are called class options. You must be root to do this.
Save | Text that appears on an object in a window | Click the Save button.

TABLE P-2 Command-line Usage Conventions

Symbol | Meaning | Example
[] | Optional variable | fw ver [-k] [-f filename]  Use either or both of the -k and the -f filename options.
<> | Compulsory variable | fw converthosts <input_file> [output_file]  input_file is compulsory. output_file is optional.
| | Use one of the alternatives | cplic import <Module IP | object name>  Use either the Module IP or the object name option.

Note - This note draws the reader’s attention to important information.

Warning - This warning cautions the reader about an important point.

Tip - This is a helpful suggestion.

Shell Prompts in Command Examples
The following table shows the default system prompt and superuser prompt for the C
shell, Bourne shell, Korn shell and DOS.

TABLE P-3 Shell Prompts

Shell | Prompt
C shell prompt | machine_name%
C shell superuser prompt | machine_name#
Bourne shell and Korn shell prompt | $
Bourne shell and Korn shell superuser prompt | #
DOS | current-directory>

Network Topology Examples
Network topology examples usually show a gateway’s name as a city name (for
example, Paris or London) and the names of hosts behind each gateway as names of
popular sites in those cities (for example, Eiffel and BigBen).

CHAPTER 1

SmartDefense

In This Chapter

Overview page 15
Configuring SmartDefense page 16
Anti Spoofing Configuration page 17
Denial of Service page 18
IP and ICMP page 22
TCP page 26
DNS page 33
FTP page 34
HTTP page 42
SMTP Security Server page 48
Successive Events page 52
SYN Attacks and SYNDefender page 58

Overview
Check Point SmartDefense creates a new category of Active Defense products that is
unique to Check Point. It proactively protects organizations from known and unknown
network attacks by using intelligent security technology. It frees the administrator from
the need to understand technical attack details, making it possible to concentrate on the
task of defining the Access Control policy. SmartDefense requires a separate license.

SmartDefense blocks attacks by type and class using Check Point’s Stateful Inspection
technology and provides a single, centralized console to deliver real-time information
on attacks as well as attack detection, blocking, logging, auditing and alerting.

Check Point SmartDefense features:
• Centralized, Type Based, Attack Prevention — Provides a single place of control for
blocking known and unknown attacks using new attack type classification
technology.
• On-Line Updates & Web Worms Prevention — Enables on-line updates from
Check Point's SmartDefense attack center to prevent new types of attacks, including
new web worm patterns.
• Real-time Attack Information — Using Check Point's on-line attack information
center, security administrators can get updated information on each attack type.

DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks, which are
among the most common and damaging types of Internet attacks, are caused by
attempts to flood networks or servers with bogus traffic to prevent legitimate traffic
from flowing through. SmartDefense actively detects and protects against these and
other types of attacks, providing network resiliency to ensure mission critical resources
are not affected while defending against an attack. SmartDefense mitigates risk and
damage from DoS and DDoS attacks.

Configuring SmartDefense
To configure SmartDefense, click the SmartDefense button in the toolbar (FIGURE 1-1).
FIGURE 1-1 SmartDefense button

In the SmartDefense Settings window (FIGURE 1-2), configure the parameters for
each of the attacks.

Note - In many of the SmartDefense windows, a detailed description of the attack and the
defense is displayed in the window.

FIGURE 1-2 SmartDefense Settings window

Update SmartDefense — Subscribers can click Update SmartDefense to obtain updated
information about all attacks, as well as updated and new defenses against worms (see
“General HTTP Worm Catcher” on page 43).

Open Log Manager — Open the Log Viewer to view SmartDefense-related events.

Anti Spoofing Configuration
This page indicates how anti spoofing is configured on the gateways. You can change
the settings by reconfiguring the individual gateways.

FIGURE 1-3 Anti Spoofing Configuration page

Denial of Service
In contrast to an attack whose purpose is to penetrate the target system, the purpose of
a Denial of Service attack is to overwhelm the target with spurious data to the point
where it is no longer able to respond to legitimate service requests.

A Denial of Service (DoS) attack floods a network with so many additional requests
that regular traffic is either slowed or completely interrupted for some period. A
distributed denial of service (DDoS) attack uses multiple computers throughout the
network that it has previously infected. The computers work together to send out
bogus messages, thereby increasing the amount of spurious traffic.

Specify which of the attacks to defend against by checking the check box next to the
attack’s name in the tree (FIGURE 1-4).

FIGURE 1-4 Denial of Service page

Accumulate successive events — Scan the VPN-1/FireWall-1 Log for evidence of
Denial of Service attacks and take the action specified in Action when an attack is
detected.

If Accumulate successive events is not checked, you will still be protected from the
attacks selected in the tree on the left.

Action — Select the action to take if an attack is detected.

Click Advanced to display the Advanced Configuration window (FIGURE 1-5).

FIGURE 1-5 Denial of Service — Advanced Configuration window

If, during the interval specified by Time interval, an event occurs the number of times
specified by Attempts, then an attack is considered to have occurred. This interval is
monitored in segments of length specified by Resolution.
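The Time interval / Attempts / Resolution rule above, as an added example that is not Check Point code: a counter that keeps events in buckets of Resolution seconds, drops a bucket only once it lies wholly outside Time interval (an assumption about how Resolution is applied), and declares an attack when the events still in the window reach Attempts. The log lines are constructed.

```python
from collections import deque


class SuccessiveEventsDetector:
    """Counts one kind of event in buckets of `resolution` seconds and declares an
    attack once `attempts` events fall within the last `time_interval` seconds.
    Constructed illustration of the Time interval / Attempts / Resolution logic;
    not Check Point code. Timestamps must be fed in non-decreasing order."""

    def __init__(self, time_interval, attempts, resolution):
        if resolution <= 0 or time_interval < resolution:
            raise ValueError("resolution must be positive and no larger than time_interval")
        if time_interval % resolution:
            raise ValueError("time_interval must be a whole number of resolution segments")
        self.time_interval = time_interval
        self.attempts = attempts
        self.resolution = resolution
        self.buckets = deque()  # [bucket_start, count] pairs, oldest first

    def _expire(self, now):
        # Assumption: a bucket is dropped only once it lies wholly outside the
        # interval, so the window is effectively monitored at `resolution` granularity.
        cutoff = now - self.time_interval
        while self.buckets and self.buckets[0][0] + self.resolution <= cutoff:
            self.buckets.popleft()

    def count(self):
        return sum(c for _, c in self.buckets)

    def record(self, timestamp):
        """Record one event; return True if the attack condition now holds."""
        self._expire(timestamp)
        bucket_start = timestamp - (timestamp % self.resolution)
        if self.buckets and self.buckets[-1][0] == bucket_start:
            self.buckets[-1][1] += 1
        else:
            self.buckets.append([bucket_start, 1])
        return self.count() >= self.attempts


def scan_events(timestamps, time_interval, attempts, resolution):
    """Return the timestamps at which the detector declares an attack."""
    detector = SuccessiveEventsDetector(time_interval, attempts, resolution)
    return [t for t in timestamps if detector.record(t)]


# Constructed log excerpt: epoch seconds, attack name, source address.
# All lines are the same event from the same source, so each is one event.
LOG_LINES = [
    "1030000000 teardrop 10.0.0.5",
    "1030000015 teardrop 10.0.0.5",
    "1030000035 teardrop 10.0.0.5",
    "1030000100 teardrop 10.0.0.5",
    "1030000130 teardrop 10.0.0.5",
    "1030000150 teardrop 10.0.0.5",
]


def parse_timestamps(lines):
    return [int(line.split()[0]) for line in lines]


def flagged_from_log(lines, time_interval=60, attempts=3, resolution=10):
    """Time interval 60 s, Attempts 3, Resolution 10 s over the constructed log."""
    return scan_events(parse_timestamps(lines), time_interval, attempts, resolution)


if __name__ == "__main__":
    print(flagged_from_log(LOG_LINES))  # [1030000035, 1030000150]
```

Because whole buckets are expired, an event can stay in the window for up to Resolution seconds longer than Time interval; a coarse Resolution therefore slightly widens the effective interval.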

Teardrop
FIGURE 1-6 Denial of Service — Teardrop page

Track — Select the action to take if an attack is detected.

Ping of Death
FIGURE 1-7 Denial of Service — Ping of Death page

Track — Select the action to take if an attack is detected.

LAND
Denial of Service — LAND page

Track — Select the action to take if an attack is detected.

IP and ICMP
VPN-1/FireWall-1 handles ICMP with its Stateful Inspection method, so ICMP
connections are fully inspected and different protocol types are identified, inspected,
monitored and managed according to the packet flow security definitions. For each
examined ICMP packet, VPN-1/FireWall-1 performs protocol type identification,
protocol header analysis, and protocol flags analysis and verification.

FIGURE 1-8 IP and ICMP page

Fragment Sanity Check
FIGURE 1-9 Fragment Sanity Check page

Track — Select the action to take if an attack is detected.

Packet Sanity
FIGURE 1-10 Packet Sanity page

Track — Select the action to take if an attack is detected.

Enable relaxed UDP length verification — Select this option to ignore cases where
inconsistencies in the UDP length calculation methods used by different applications
may result in spurious errors.

Max Ping Size
FIGURE 1-11 Max Ping Size page

Track — Select the action to take if an attack is detected.

Ping Size — Specify the maximum acceptable size of a PING packet.

TCP
VPN-1/FireWall-1 is able to identify the basic IP based protocols and analyze a packet
in order to verify that it contains allowed options only.

In order to verify that packets are legitimate, the following tests are conducted:
• protocol type verification
• protocol header analysis
• protocol flags analysis and verification

FIGURE 1-12 TCP page

Specify which of the attacks to defend against by checking the check box next to the
attack’s name in the tree.

SYN Attack
For a detailed description of SYN attacks and SYNDefender, see “SYN Attacks and
SYNDefender” on page 58.

FIGURE 1-13 SYN Attack

Override module’s SYNDefender configuration — Select this option to specify that the
settings on this page override the SYNDefender settings specified for individual
Modules.

SYN attack defense can be specified in two ways:
• on a per-Module basis
• in the SmartDefense SYN Attack page (FIGURE 1-13)

Activate SYN Attack protection — If Override module’s SYNDefender configuration is
checked, then you can activate protection for all Modules. Click Configure to specify
the parameters of the protection method in the SYN Attack window (FIGURE 1-14).

Early Versions SYNDefender configuration — Check this option to open the window
(FIGURE 1-15) to configure SYNDefender protection for earlier version Modules.

SYN Attack window (All Modules)
FIGURE 1-14 SYN Attack window

Track — Select the action to take if an attack is detected.

Track Level — Select one of the following:
• Attacks only — The action specified under Track will be taken only when an
attack is detected and when it is over.
• Individual SYNs — The action specified under Track will be taken for each
SYN packet.

Timeout — Specifies how long SmartDefense waits for an acknowledgment before
concluding that the connection is a SYN attack.

Attack threshold — If more than Attack threshold unacknowledged SYN packets are
detected at any one time, then SmartDefense will conclude that a SYN attack is taking
place.

Protect external interface only — Protect against SYN attacks only on the external
interface.
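To make Timeout, Attack threshold and Track Level concrete, here is an added half-open connection monitor (not Check Point's SYNDefender code) replayed over a constructed SYN/ACK trace. Two modelling assumptions: a SYN not acknowledged within Timeout is abandoned and stops counting, and the attack condition is evaluated on the number of live half-open entries, with "attack over" reported once that number falls back to the threshold.

```python
from dataclasses import dataclass, field


@dataclass
class SynAttackMonitor:
    """Half-open TCP connection tracker driven by the SYN Attack window's parameters.
    Constructed example; not Check Point's SYNDefender implementation."""
    timeout: float                      # Timeout: seconds to wait for the handshake ACK
    attack_threshold: int               # Attack threshold: more than this many = attack
    track_level: str = "attacks_only"   # Track Level: "attacks_only" or "individual_syns"
    half_open: dict = field(default_factory=dict)   # conn -> time its SYN was seen
    attack_active: bool = False
    timed_out: int = 0                  # SYNs abandoned because no ACK arrived in time
    log: list = field(default_factory=list)         # (time, message) the Track action sees

    def _sweep(self, now):
        # Assumption: a SYN not acknowledged within `timeout` is given up on (a
        # gateway would reset it) and no longer counts as a live half-open entry.
        stale = [conn for conn, seen in self.half_open.items() if now - seen > self.timeout]
        for conn in stale:
            del self.half_open[conn]
        self.timed_out += len(stale)

    def _update_state(self, now):
        # Assumption: "more than Attack threshold ... at any one time" is checked
        # against the live half-open count, and a transition either way is logged,
        # which is what Track Level "Attacks only" acts on.
        under_attack = len(self.half_open) > self.attack_threshold
        if under_attack != self.attack_active:
            self.attack_active = under_attack
            self.log.append((now, "attack started" if under_attack else "attack over"))

    def syn(self, now, conn):
        self._sweep(now)
        # A retransmitted SYN must not restart the timer of an existing entry.
        self.half_open.setdefault(conn, now)
        if self.track_level == "individual_syns":
            self.log.append((now, "SYN %s" % (conn,)))
        self._update_state(now)

    def ack(self, now, conn):
        self._sweep(now)
        self.half_open.pop(conn, None)  # handshake completed
        self._update_state(now)


def replay(events, timeout, attack_threshold, track_level="attacks_only"):
    """Feed (time, 'SYN'|'ACK', conn) tuples, in time order, to a fresh monitor."""
    monitor = SynAttackMonitor(timeout, attack_threshold, track_level)
    for when, kind, conn in events:
        if kind == "SYN":
            monitor.syn(when, conn)
        elif kind == "ACK":
            monitor.ack(when, conn)
        else:
            raise ValueError("unknown event kind: %r" % (kind,))
    return monitor


# Constructed trace: one legitimate handshake, then four SYNs that are never
# acknowledged, then one new SYN after the flood has stopped.
FLOOD_TRACE = [
    (0.0, "SYN", ("10.0.0.5", 40001, "192.0.2.10", 80)),
    (0.1, "ACK", ("10.0.0.5", 40001, "192.0.2.10", 80)),
    (1.0, "SYN", ("203.0.113.7", 50001, "192.0.2.10", 80)),
    (1.0, "SYN", ("203.0.113.8", 50002, "192.0.2.10", 80)),
    (1.0, "SYN", ("203.0.113.9", 50003, "192.0.2.10", 80)),
    (1.0, "SYN", ("203.0.113.10", 50004, "192.0.2.10", 80)),
    (8.0, "SYN", ("10.0.0.6", 40002, "192.0.2.10", 80)),
]


if __name__ == "__main__":
    # Timeout 5 s, Attack threshold 3: attack starts on the fourth unacknowledged
    # SYN at t=1.0 and is over at t=8.0, once the four stale entries have timed out.
    for entry in replay(FLOOD_TRACE, timeout=5.0, attack_threshold=3).log:
        print(entry)
```

Three SYNs that are all acknowledged inside Timeout never exceed a threshold of 3, which is the "more than" in the parameter's definition; the threshold has to sit above the site's normal burst of simultaneous new connections.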

SYN Attack window (Earlier Versions)
FIGURE 1-15 SYN Attack window

Method — Choose one of the following:
• None — SYNDefender is not deployed.
If you choose this option, your network will not be protected from SYN attacks.
• SYN Gateway — Deploy the SYN Gateway method.
• Passive SYN Gateway — Deploy the Passive SYN Gateway method.

Timeout — Specifies how long SYNDefender waits for an acknowledgment before
concluding that the connection is a SYN attack.

Maximum Sessions — Specifies the maximum number of protected sessions.

This parameter is relevant only if Passive SYN Gateway is selected under Method. If
SYN Relay is selected, all sessions are protected.

This parameter specifies the number of entries in an internal connection table
maintained by SYNDefender. If the table is full, SYNDefender will not examine new
connections.

Display Warning Messages — If set, SYNDefender will print console messages
regarding its status.

Small PMTU
When a connection between two hosts is established, the sides involved exchange their
TCP maximum segment size (MSS) values. The smaller of the two MSS values is used
for the connection. The MSS for a system is usually the MTU (Maximum Transfer
Unit) at the link layer minus 40 bytes for the IP and TCP headers.

When TCP segments are destined to a non-local network, the Don’t Fragment bit is set
in the IP header. Any router or media along the path may have an MTU that differs
from that of the two hosts. If a medium is encountered with an MTU that is too small for
the IP datagram being routed, the router will attempt to fragment the datagram
accordingly. Upon attempting to do so, it will find that the Don’t Fragment bit in the IP
header is set. At this point, the router should inform the sending host with an ICMP
destination unreachable message that the datagram cannot be forwarded further without
fragmentation.

When a network router receives a packet larger than the Maximum Transfer Unit
(MTU) of the next network segment, and that packet’s IP layer Don’t Fragment bit is
flagged, the router should send an ICMP destination unreachable message back to the
sending host. When this does not happen, packets can be dropped, causing a variety of
errors that will vary with the application that is communicating over the failed link.
FIGURE 1-16 Small PMTU page

Track — Select the appropriate tracking option.

Minimal MTU size — Define the minimal allowed MTU. An exceedingly small value
will not prevent an attack, while an unnecessarily la