First, Check Point introduction:
Check Point, one of the organizers and advocates of the Open Security Enterprise Interconnection Alliance (OPSEC), is dedicated to the research and development of enterprise-level network security products. According to recent IDC statistics, its FireWall-1 firewall holds a market share of more than 32%, and nearly 80% of the 100 largest "Fortune" enterprises have chosen the Check Point FireWall-1 firewall.
Second, FireWall-1 product composition:
Check Point FireWall-1 consists of the following modules:
Stateful Inspection Module (Inspection Module): provides access control, client authentication, session authentication, address translation and auditing;
Firewall Module (FireWall Module): contains a stateful inspection module and additionally provides user authentication, content security and synchronization between multiple firewalls;
Management Module (Management Module): provides centralized, graphical security management for one or more security policy enforcement points (systems with a FireWall-1 component installed, such as a stateful inspection module, firewall module or router security management module);
Connection Control: provides load balancing across multiple application servers that offer the same service;
Router Security Management Module (Router Security Management): configures and maintains the security rules of routers from 3Com, Cisco, Bay and others through the firewall management station;
Other modules, such as encryption modules.
Graphical User Interface (GUI): the visible embodiment of the management module's functions, comprising
Policy Editor: maintains managed objects, defines security rules and installs them on the security policy enforcement points;
Log Viewer: shows the connections passing through the firewall and helps identify and block attacks;
System Status Viewer: shows the status of all protected objects.
FireWall-1 is offered as two products, a single-gateway product and an enterprise-class product:
Single Gateway Product: contains only the firewall module (including the stateful inspection module), the management module and the graphical user interface; the firewall module and the management module must be installed on the same machine.
Enterprise-Class Product: may contain several basic modules and optional modules as well as the graphical user interface; in particular, multiple firewall modules and independent stateful inspection modules can be configured. The different modules of the enterprise-class product can be installed on different machines.
Third, the stateful inspection mechanism
FireWall-1 uses Check Point's patented Stateful Inspection technology to distinguish the application types of different services, providing the network with high security, high performance and high scalability.
The FireWall-1 stateful inspection module analyzes all communication layers of a packet and extracts the relevant communication and application state information. The module is able to understand and learn protocols and applications, so it can support a wide range of current applications.
The stateful inspection module intercepts, analyzes and processes every packet that attempts to pass through the firewall, ensuring the security of the network and the integrity of the data. The communication state of the network and of the various applications is dynamically stored and updated in a dynamic state table, and the security policy is enforced by combining this state with the predefined rules.
The stateful inspection module can identify the service type of different applications and can also derive state information from previous communications and from other applications. It verifies the IP addresses, ports and any other required information to determine whether a packet complies with the security policy.
The stateful inspection module stores the association information between states in the dynamic connection table and updates it continuously; FireWall-1 uses this table to inspect subsequent traffic.
Stateful inspection is transparent to applications and does not require a separate proxy for each service, which makes it more secure, higher-performing and more scalable, and makes it easy to add users' new applications to the protected services.
The INSPECT language provided by FireWall-1, combined with FireWall-1's security rules, application-recognition knowledge, state association information and communication data, constitutes a powerful security system.
INSPECT is an object-oriented scripting language that supplies the security rules for stateful inspection modules. The rules created in the Policy Editor are stored as a script file written in INSPECT, compiled into code and loaded onto the systems that have a stateful inspection module installed. The script file is an ASCII file that can be edited to meet user-specific security requirements.
Check Point is one of the organizers and advocates of the Open Security Enterprise Interconnection Alliance (OPSEC). OPSEC allows users to integrate and manage all of their network security products through an open, extensible framework.
OPSEC provides users with an open, scalable security framework by embedding FireWall-1 into existing network platforms such as UNIX and NT servers, routers, switches and firewall products, or by seamlessly integrating other security products into FireWall-1.
More than 135 companies, including IBM, HP, Sun, Cisco and Bay, have joined the OPSEC alliance.
Fifth, enterprise-class firewall security management
FireWall-1 lets an enterprise define and enforce a single, centrally managed firewall security policy.
The enterprise's firewall security policy is stored in the rule base of the firewall management module. The rule base holds an ordered set of rules; each rule specifies the source address, the destination address, the service type (HTTP, FTP, Telnet and so on), the security action for the connection (accept, reject, drop, or require authentication, etc.), the tracking action to take (logging, alerting, etc.) and the security policy enforcement point (whether the rule is enforced at a firewall gateway, on a router or on another protected object).
The FireWall-1 administrator manages the rule base from a firewall management workstation, establishes and maintains the security policy, and installs the security rules onto the systems that run a firewall or stateful inspection module. Communication between these systems and the management workstation is authenticated and transmitted over an encrypted channel.
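The following is an added example that is not Check Point's code or INSPECT: a constructed, simplified model of the ordered rule base described above (source, destination, service, action, tracking) combined with the dynamic state table from the stateful inspection section, showing why return traffic of an accepted connection passes while an unsolicited inbound packet does not. The service table, prefix-based address matching, the 5-tuple key and the implicit final drop are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed services table: name -> (protocol, destination port). Assumption of this example.
SERVICES = {"http": ("tcp", 80), "telnet": ("tcp", 23), "dns": ("udp", 53)}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass
class Rule:
    src: str         # address prefix such as "10.0.0." or "any" (simplification)
    dst: str
    service: str     # key into SERVICES, or "any"
    action: str      # "accept", "reject" or "drop"
    track: str = ""  # "log", "alert" or "" for no tracking

def _match(pattern: str, addr: str) -> bool:
    return pattern == "any" or addr.startswith(pattern)

class StatefulFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)                     # ordered rule base
        self.state: Dict[Tuple, str] = {}            # dynamic state table keyed by 5-tuple
        self.log: List[Tuple[str, str, Tuple]] = []  # (track, action, connection) records

    def inspect(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Packets of a known connection, in either direction, pass on the strength
        # of the state table alone; the rule base is not consulted again.
        if key in self.state or reverse in self.state:
            return "accept"
        # New connection: walk the ordered rule base, first match wins.
        for r in self.rules:
            svc_ok = r.service == "any" or SERVICES.get(r.service) == (p.proto, p.dport)
            if _match(r.src, p.src) and _match(r.dst, p.dst) and svc_ok:
                if r.track:
                    self.log.append((r.track, r.action, key))
                if r.action == "accept":
                    self.state[key] = "established"  # remember it for return traffic
                return r.action
        return "drop"  # implicit cleanup rule: nothing matched
```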
FireWall-1's intuitive graphical user interface is a powerful tool for centrally managing and implementing the enterprise security policy.
Security Policy Editor: maintains protected objects and the rule base; adds, edits and deletes rules; installs rules on the systems with a stateful inspection module.
Log Manager: provides visual tracking, monitoring and statistics for all connections through a firewall gateway, with real-time alerting and intrusion detection and blocking.
System Status Viewer: provides real-time system status, auditing and alerting.
VI. Distributed client/server architecture
FireWall-1 manages security policy through a distributed client/server architecture to ensure high performance, scalability and centralized control.
FireWall-1 consists of the basic modules (firewall module, stateful inspection module and management module) and a number of optional modules. These modules can be combined in different numbers and on different platforms into a flexible client/server structure.
The management module includes the graphical user interface and the administrator-defined management objects: rule base, network objects, services, users, etc. The firewall module, stateful inspection module and other optional modules are used to enforce the security policy; a system with these modules installed is called a firewalled system, also known as a security policy enforcement point.
The FireWall-1 client/server architecture is fully integrated: there is only one unified security policy and one rule base, and a single firewall management workstation manages multiple systems running firewall modules, stateful inspection modules or optional modules.
VII. Authentication
Remote users and dial-up users can access internal resources after being authenticated by FireWall-1.
FireWall-1 can authenticate users who attempt to access internal servers without modifying the servers or the client applications. FireWall-1's authentication services are integrated into its security policy and centrally managed through the graphical user interface, and authentication sessions are monitored and tracked through the Log Manager.
FireWall-1 offers three methods of authentication:
User Authentication: transparent, per-user authentication for specific services, limited to FTP, TELNET, HTTP, HTTPS and RLOGIN.
Client Authentication: IP-based authentication with no direct restriction on the protocols that may be accessed. Client authentication is not transparent: the user must first log on to the firewall so that the client IP address and user identity are authenticated before access to the application server is allowed. No additional software or modifications are needed on the client. A user who has passed user authentication or session authentication has also passed client authentication.
Session Authentication: transparent authentication per service session, independent of the IP address. Clients using session authentication must have a session authentication agent installed and must authenticate separately when accessing each different service.
FireWall-1 provides a variety of authentication mechanisms to choose from: S/Key, FireWall-1 password, OS password, LDAP, SecurID, RADIUS and TACACS.
VIII. Address Translation (NAT)
FireWall-1 supports three address translation modes:
Static Source Address Translation: when a packet from an internal host leaves through the firewall, its source address (generally an internal reserved address) is translated into a legal address. Static source address translation is usually used together with static destination address translation.
Static Destination Address Translation: when an external packet enters the intranet through the firewall, its destination address (the legal address) is translated into the address used internally (typically an internal reserved address).
Dynamic Address Translation (also known as hide mode): translates the internal network's addresses to a legal address, solving the problem of an enterprise having too few legal IP addresses while hiding the structure of the internal network and so improving network security.
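The three translation modes above, as an added example that is not Check Point's implementation: a constructed translator that applies static source and static destination translation for a mapped host and hide-mode translation for the rest of an internal network. The per-connection port allocation that lets replies find the hidden host, the starting port number and the sample addresses are assumptions of this example; an inbound packet for the hide address whose port was never allocated has no internal destination and is returned as None.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class AddressTranslator:
    def __init__(self, static_map: Dict[str, str], hide_addr: str, hide_net: str):
        self.static_map = static_map                   # internal address -> legal address
        self.reverse_static = {v: k for k, v in static_map.items()}
        self.hide_addr = hide_addr                     # single legal address for hide mode
        self.hide_net = hide_net                       # internal prefix translated in hide mode
        self.hide_table: Dict[int, Tuple[str, int]] = {}  # allocated port -> (internal addr, port)
        self.next_port = 10000                         # assumption: hide ports start here

    def outbound(self, p: Packet) -> Packet:
        # Static source translation: a fixed legal address for a known internal host.
        if p.src in self.static_map:
            return replace(p, src=self.static_map[p.src])
        # Dynamic (hide) translation: the whole network appears as one legal
        # address; connections are told apart by an allocated source port.
        if p.src.startswith(self.hide_net):
            port = self.next_port
            self.next_port += 1
            self.hide_table[port] = (p.src, p.sport)
            return replace(p, src=self.hide_addr, sport=port)
        return p

    def inbound(self, p: Packet) -> Optional[Packet]:
        # Static destination translation: legal address back to the internal address.
        if p.dst in self.reverse_static:
            return replace(p, dst=self.reverse_static[p.dst])
        # Reply to a hidden host: only ports allocated on the way out map back;
        # anything else addressed to the hide address reaches no internal host.
        if p.dst == self.hide_addr:
            entry = self.hide_table.get(p.dport)
            if entry is None:
                return None
            return replace(p, dst=entry[0], dport=entry[1])
        return p
```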
IX. Content security
FireWall-1's content security service protects the network from a variety of threats, including viruses and hostile Java and ActiveX code. Content security is configured by defining specific resource objects and writing rules in the same way as for the other security policies. Content security is integrated with the other security features of FireWall-1 and is centrally managed through the graphical user interface. OPSEC provides an application programming interface (API) for integrating third-party content filtering systems.
FireWall-1's content security services include:
Using a third-party anti-virus server, configured through the firewall rules, to scan files passing through the firewall and remove computer viruses;
According to the security policy, stripping Java applets, ActiveX controls and JavaScript code from HTTP pages when Web resources are accessed;
Filtering URLs according to user-defined filter conditions;
Controlling FTP operations and filtering the contents of files transferred over FTP;
SMTP content security (hiding internal addresses, stripping specific types of attachments, etc.);
Optional logging or alerting when an exception is found;
Central management, configuration and maintenance through the console.
X. Connection control
The FireWall-1 connection control module provides load balancing, sharing load between multiple application servers that provide the same service; the application servers do not have to be located behind the firewall. Users can choose among several load balancing algorithms:
Server Load: this method balances load according to the measured load of the servers, and requires a load-measuring engine to be installed on the application servers;
Round Trip: FireWall-1 uses the ping command to measure the round-trip time between the firewall and each application server, and chooses the server with the shortest response time to serve the user's request;
Round Robin: FireWall-1 simply assigns the next application server in turn according to its record table;
Random: FireWall-1 selects an application server at random;
Domain: FireWall-1 selects the application server that is closest according to the domain name.
XI. Router Security Management
Centralized security management of routers across the enterprise can be provided through the FireWall-1 management station:
Router filters and configuration are generated through the graphical user interface;
Router access control lists are imported and maintained;
Router events are logged (requires logging support on the router);
Security policies developed through the graphical user interface are enforced on the router.
FireWall-1 can centrally manage the following routers:
Bay Networks routers, versions 7.x-12.x
Cisco routers, IOS versions 9-11
Cisco PIX firewall, versions 3.0 and 4.0
3Com NetBuilder, version 9.x
Microsoft RAS (Steelhead) routers for Windows NT Server 4.x
XII. Check Point FireWall-1 working environment
Check Point FireWall-1 supports the following hardware platforms and operating system environments:
SUN SPARC-based systems
HP PA-RISC & 800
IBM RS/6000, PowerPC
Intel x86 & Pentium
Solaris 2.5 and higher, x86
IBM AIX 4.2.1/4.3.0
X11 R5/Open Look (OpenWindows 3) or X/Motif
20MB (50MB for IBM AIX)