Check Point Stateful Inspection Technology
Contents
Security requirements
Stateful Inspection technology
Check Point FireWall-1®: Extensible Stateful Inspection
The INSPECT™ Engine
Stateful Inspection vs. traditional firewall architectures
Firewall technologies and FTP examples:
• Packet filters
• Application-layer gateways
• Stateful Inspection
Broad application support
Securing connectionless protocols such as UDP
Securing dynamically allocated port connections such as RPC
Performance
The industry standard for enterprise-class network security solutions
SECURITY REQUIREMENTS
In order to provide robust security, a firewall must track and control the flow
of communication passing through it. To reach control decisions for TCP/IP
based services (e.g., whether to accept, reject, authenticate, encrypt and/or log
communication attempts), a firewall must obtain, store, retrieve and manipulate
information derived from all communication layers and from other applications.
With Stateful Inspection, packets are intercepted at the network layer for best
performance (as in packet filters), but then data derived from all communication
layers is accessed and analyzed for improved security (compared to layers 4–7
in application-layer gateways). Stateful Inspection then introduces a higher
level of security by incorporating communication- and application-derived
state and context information which is stored and updated dynamically. This
provides cumulative data against which subsequent communication attempts
can be evaluated. It also delivers the ability to create virtual session information
for tracking connectionless protocols (for example, RPC and UDP-based
applications), something no other firewall technology can accomplish.
Comparison of firewall technologies:

                               Packet Filters   Application-Layer Gateways   Stateful Inspection
Communication information      Partial          Partial                      Yes
Communication-derived state    No               Partial                      Yes
Application-derived state      No               Yes                          Yes
Information manipulation       Partial          Yes                          Yes
Because the INSPECT Engine has access to the ‘raw message’, it can inspect
all the information in the message, including information relating to all the higher
communication layers, as well as the message data itself (the communication-
and application-derived state and context). The INSPECT Engine examines
IP addresses, port numbers, and any other information required in order to
determine whether packets should be accepted, in accordance with the
defined security policy.
The INSPECT Engine’s ability to look inside a packet enables it to allow certain
commands within an application while disallowing others. For example, the
INSPECT Engine can allow an ICMP ping while disallowing redirects, or allow
SNMP gets while disallowing sets, and so on. The INSPECT Engine can store
and retrieve values in tables (providing dynamic context) and perform logical
or arithmetic operations on data in any part of the packet. In addition to the
operations compiled from the security policy, the user can write his or her
own expressions.
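The paragraph above describes the engine looking past the IP and port fields into the message itself, so that a policy can say "ICMP echo yes, ICMP redirect no" or "SNMP get yes, SNMP set no". The following is an added illustration of that idea in Python; it is not Check Point code and not INSPECT language. It decodes raw IPv4 bytes, reads the ICMP type, and for UDP/161 walks the BER structure of an SNMPv1/v2c message far enough to find the PDU tag. The policy, the address constants and the sample packets (built inline with struct) are all assumptions made for the example, and the default is deny, including for malformed SNMP.

```python
import ipaddress
import struct

# ICMP types (RFC 792)
ICMP_ECHO_REPLY, ICMP_REDIRECT, ICMP_ECHO_REQUEST = 0, 5, 8
# SNMP PDU tags: context-specific, constructed (RFC 1157)
SNMP_GET, SNMP_GETNEXT, SNMP_SET = 0xA0, 0xA1, 0xA3
SNMP_PORT = 161


def ber_tlv(buf, off):
    """Decode the BER tag and length at buf[off]; return (tag, value_off, value_len).

    Short-form and long-form (up to 4 byte) lengths are handled; the
    indefinite form (0x80) is not valid in SNMP and is rejected.
    """
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        return tag, off + 2, first
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported BER length encoding")
    return tag, off + 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")


def snmp_pdu_tag(payload):
    """Return the PDU tag of an SNMPv1/v2c message:
    Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDUs }.
    """
    tag, off, length = ber_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    end = off + length
    for expected in (0x02, 0x04):            # version, then community
        tag, off, length = ber_tlv(payload, off)
        if tag != expected:
            raise ValueError("unexpected field")
        off += length
    if off >= end or off >= len(payload):
        raise ValueError("truncated message")
    return payload[off]


def inspect(packet):
    """Accept or drop one raw IPv4 packet under the example policy (default deny)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop"
    ihl = (packet[0] & 0x0F) * 4              # honour IP options when locating L4
    if ihl < 20 or len(packet) < ihl:
        return "drop"
    proto, l4 = packet[9], packet[ihl:]
    if proto == 1:                            # ICMP: allow echo, refuse redirect etc.
        if len(l4) < 8:
            return "drop"
        return "accept" if l4[0] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) else "drop"
    if proto == 17:                           # UDP: only SNMP reads, nothing else
        if len(l4) < 8:
            return "drop"
        _sport, dport = struct.unpack_from("!HH", l4, 0)
        if dport != SNMP_PORT:
            return "drop"
        try:
            pdu = snmp_pdu_tag(l4[8:])
        except (ValueError, IndexError):
            return "drop"                     # malformed SNMP is not let through
        return "accept" if pdu in (SNMP_GET, SNMP_GETNEXT) else "drop"
    return "drop"


# --- constructed sample packets for the example (not captures) -------------
def ber(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def snmp(pdu_tag, community=b"public"):
    """SNMPv1 message carrying a PDU with request-id 1 and an empty varbind list."""
    pdu = ber(0x02, b"\x01") + ber(0x02, b"\x00") + ber(0x02, b"\x00") + ber(0x30, b"")
    return ber(0x30, ber(0x02, b"\x00") + ber(0x04, community) + ber(pdu_tag, pdu))


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp(type_, code=0):
    return struct.pack("!BBHHH", type_, code, 0, 0, 0)


def ipv4(proto, payload, src="192.0.2.10", dst="192.0.2.20"):
    """IPv4 header with IHL=5; checksum left zero (inspect() does not verify it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


if __name__ == "__main__":
    for name, p in [("icmp echo", ipv4(1, icmp(ICMP_ECHO_REQUEST))),
                    ("icmp redirect", ipv4(1, icmp(ICMP_REDIRECT))),
                    ("snmp get", ipv4(17, udp(40000, SNMP_PORT, snmp(SNMP_GET)))),
                    ("snmp set", ipv4(17, udp(40000, SNMP_PORT, snmp(SNMP_SET))))]:
        print(f"{name:14s} -> {inspect(p)}")
```

The point worth noting is the failure mode: a filter that only checks "UDP to port 161" would pass the SetRequest, and a decoder that trusts BER lengths without bounds checks would be the first thing an attacker probes. Here any decode error falls through to "drop", and the long-form length path is exercised by a message whose community string pushes it past 127 bytes.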
PACKET FILTERS

[Figure: IP filters. A packet-filtering router sits between client and server and examines only the Network, Data Link and Physical layers; the entire range of upper ports is left open, creating holes for hackers.]

Pros:
• Application Independence
• High Performance
• Scalability

Cons:
• Low Security
• No Screening Above Network Layer (no 'state' or application-context information)
APPLICATION-LAYER GATEWAYS
Application gateways improve on security by examining all application layers, bringing context information into the decision process. However, they do this by breaking the client/server model. Every client/server communication requires two connections: one from the client to the firewall and one from the firewall to the server. In addition, each proxy requires a different application process, or daemon, making scalability and support for new applications a problem.

In using an FTP proxy, the application gateway duplicates the number of sessions, acting as a proxied broker between the client and the server. Although this approach overcomes the limitation of IP filtering by bringing application-layer awareness to the decision process, it does so with an unacceptable performance penalty. In addition, each service needs its own proxy, so the number of available services and their scalability is limited. Finally, this approach exposes the operating system to external threats.
STATEFUL INSPECTION

[Figure: FTP through the INSPECT Engine. The engine sits between client and server and examines all layers from Data Link through Application, consulting dynamic state tables; the client-to-server path passes straight through the engine.]

Pros:
• Good Security
• Full Application-layer Awareness
• High Performance
• Extensibility
• Transparency
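The figure above contrasts the packet filter, which must leave the "entire range of upper ports" open for FTP data connections, with the INSPECT Engine keeping dynamic state tables. The following is an added illustration of what such a table does, written in Python for this page; it is not Check Point code and simplifies heavily (no TCP sequence tracking, no connection teardown, active-mode PORT only, no PASV). It shows three of the behaviours the paper credits to Stateful Inspection: an outbound TCP SYN creates a connection entry and later packets must match one; an outbound UDP datagram creates a timed "virtual session" so that only the reply to something we actually sent is let back in (the connectionless-protocol case mentioned under Security Requirements); and the FTP control channel is read for PORT commands so that exactly one expected inbound data connection is opened, then closed again once used. The inside network 10.1.0.0/16, the packet dictionary model and the sample traffic are all assumptions constructed for the example.

```python
import ipaddress
import re

INSIDE = ipaddress.ip_network("10.1.0.0/16")   # assumed protected network
FTP_CONTROL = 21
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE


def pkt(proto, src, sport, dst, dport, flags=(), payload=b""):
    """Simplified packet model: just the fields the state decisions need."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": set(flags), "payload": payload}


class StateTable:
    """Connection entries for TCP, virtual sessions for UDP, pinholes for FTP data."""

    def __init__(self, udp_timeout=40):
        self.udp_timeout = udp_timeout
        self.tcp = set()       # (src, sport, dst, dport) as seen from the initiator
        self.udp = {}          # (src, sport, dst, dport) -> expiry time
        self.pinholes = set()  # (server_ip, client_ip, client_port): one expected inbound SYN

    def inspect(self, p, now):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        outbound = is_inside(p["src"]) and not is_inside(p["dst"])
        if p["proto"] == "udp":
            if outbound:                          # create or refresh a virtual session
                self.udp[fwd] = now + self.udp_timeout
                return "accept"
            expiry = self.udp.get(rev)            # inbound: only a reply to our datagram
            if expiry is not None and now <= expiry:
                self.udp[rev] = now + self.udp_timeout
                return "accept"
            self.udp.pop(rev, None)               # drop a stale entry, if any
            return "drop"
        if p["proto"] == "tcp":
            flags = p["flags"]
            if "SYN" in flags and "ACK" not in flags:      # new connection attempt
                if outbound:
                    self.tcp.add(fwd)
                    return "accept"
                hole = (p["src"], p["dst"], p["dport"])
                if hole in self.pinholes:         # the single data connection we expect
                    self.pinholes.discard(hole)   # one-shot: used once, then gone
                    self.tcp.add(fwd)
                    return "accept"
                return "drop"
            if fwd in self.tcp or rev in self.tcp:   # belongs to a known connection
                if p["dport"] == FTP_CONTROL:     # client -> server on the control channel
                    self._track_ftp(p["src"], p["dst"], p["payload"])
                return "accept"
            return "drop"
        return "drop"

    def _track_ftp(self, client, server, payload):
        """Turn each well-formed PORT h1,h2,h3,h4,p1,p2 into one expected connection."""
        for m in PORT_RE.finditer(payload):
            f = [int(x) for x in m.groups()]
            if max(f) > 255:
                continue
            addr = ".".join(map(str, f[:4]))
            port = f[4] * 256 + f[5]
            # A PORT naming a different host (FTP bounce) or a privileged port gets
            # no pinhole: the client may only have data delivered to itself.
            if addr != client or port < 1024:
                continue
            self.pinholes.add((server, client, port))


if __name__ == "__main__":
    t, c, s = StateTable(), "10.1.0.5", "198.51.100.7"
    for when, p in [(0, pkt("tcp", c, 40001, s, 21, {"SYN"})),
                    (1, pkt("tcp", s, 21, c, 40001, {"SYN", "ACK"})),
                    (2, pkt("tcp", c, 40001, s, 21, {"ACK", "PSH"}, b"PORT 10,1,0,5,156,66\r\n")),
                    (3, pkt("tcp", s, 20, c, 40002, {"SYN"})),
                    (4, pkt("tcp", s, 20, c, 40002, {"SYN"}))]:
        print(when, p["src"], p["sport"], "->", p["dst"], p["dport"], t.inspect(p, when))
```

Two details matter for a practitioner. The pinhole is keyed to the server address, the client address and the single port the client announced, and is consumed by the first matching SYN, which is the whole difference from a packet filter that has to hold every port above 1023 open for any source. And the PORT command is only trusted when it names the client itself and an unprivileged port; otherwise the firewall would be turned into an FTP bounce relay, opening connections to third hosts on the client's behalf.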
[Figure: TCP/IP services mapped to the 7-layer OSI model. Application, Presentation, Session: FTP, Telnet, SMTP, Other. Transport: TCP, UDP. Network: IP. Data Link, Physical: Ethernet, FDDI, X.25, Other.]
TCP/IP services mapped to 7-layer OSI model.
PERFORMANCE
The simple and effective design of FireWall-1’s INSPECT Engine achieves
optimum performance as follows:
• Running inside the operating-system kernel imposes negligible overhead
in processing. No context switching is required, and low-latency operation
is achieved.
• Advanced memory management techniques, such as caching and hash tables,
are used to unify multiple object instances and to efficiently access data.
• Generic and simple inspection mechanisms are combined with a packet
inspection optimizer to ensure optimal utilization of modern CPU and
OS designs.
ABOUT CHECK POINT SOFTWARE TECHNOLOGIES
Check Point Software Technologies (www.checkpoint.com) is the worldwide
leader in securing the Internet. It is the confirmed market leader of both the
worldwide VPN and firewall markets. Through its Next Generation product line,
the company delivers a broad range of intelligent Perimeter, Internal and Web
security solutions that protect business communications and resources for
corporate networks and applications, remote employees, branch offices, and
partner extranets. The company’s Zone Labs (www.zonelabs.com) division is one
of the most trusted brands in Internet security, creating award-winning endpoint
security solutions that protect millions of PCs from hackers, spyware, and data
theft. Extending the power of the Check Point solution is its Open Platform
for Security (OPSEC), the industry’s framework and alliance for integration and
interoperability with “best-of-breed” solutions from over 350 leading companies.
Check Point solutions are sold, integrated and serviced by a network of more than
2,300 Check Point partners in 92 countries.
Worldwide Headquarters
3A Jabotinsky Street, 24th Floor
Ramat Gan 52520, Israel
Tel: 972-3-753 4555
Fax: 972-3-575 9256
e-mail: info@CheckPoint.com
U.S. Headquarters
800 Bridge Parkway
Redwood City, CA 94065
Tel: 800-429-4391 ; 650-628-2000
Fax: 650-654-4233
URL: http://www.checkpoint.com
©2005 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence,
Check Point Express, the Check Point logo, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa,
Cooperative Security Alliance, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer,
FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC,
Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform,
SecuRemote, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security,
SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter,
SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, TrueVector, UAM, User-to-Address Mapping,
UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1
SecureServer, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks
or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein
are trademarks or registered trademarks of their respective owners. The products described in this document are protected
by U.S. Patent No. 5,606,668, 5,835,726 and 6,496,935 and may be protected by other U.S. Patents, foreign patents, or
pending applications.