Intelligence R55W
HFA_R55W_04
Release Notes
September 19, 2005
IMPORTANT
Check Point recommends that customers stay up-to-date with the latest
service packs, HFAs and versions of security products, as they contain
security enhancements and protection against new and changing attacks.
In This Section
Introduction page 1
Security Enhancements page 2
Supported Versions, Platforms and Builds page 2
Installation page 6
Uninstallation page 8
Resolved Issues in HFA_R55W_04 page 9
Issues Resolved in Previous HFAs page 10
Special Instructions page 14
Known Limitations page 17
Introduction
Thank you for using Check Point NG with Application Intelligence (R55W) Hotfix
Accumulator HFA_R55W_04. This Hotfix Accumulator is a recommended Hotfix, which
contains fixes for SVN Foundation, VPN-1/FireWall-1 and SecurePlatform. Check Point
highly recommends that customers stay up-to-date with the latest service packs, HFAs, and
versions of security products, as they contain security enhancements and protection against
new and changing attacks.
Make sure that you read this document carefully before installing NG with Application
Intelligence R55W, HFA_R55W_04 on your system. It is also recommended to read the
Check Point NG with Application Intelligence R55W User documentation.
This Hotfix Accumulator may also contain fixes that require the user to perform manual
modifications; these are listed under Special Instructions.
What’s New in this version
FireWall-1
• Services - TKEY and TSIG resource records are now supported.
• Acceleration - SecureXL templates for connections going to known web servers are
now enabled.
SecurePlatform
• The system clock is now updated automatically after a daylight saving time change. See
Special Instructions: R55W_04.
Security Enhancements
ICMP attacks against TCP - NISCC advisory (532967/ICMP) describes a potential attack
against TCP that uses Internet Control Message Protocol (ICMP) error messages. If
exploited, this vulnerability could allow an attacker to mount a Denial of Service against
existing TCP connections, resulting in premature session termination. For more
information about the vulnerability, see the NISCC advisory.
While Check Point products are not vulnerable to this issue, other network devices may
require this protection. By upgrading to the latest HFAs offered by Check Point, you can
ensure that all vulnerable devices are properly secured. See Special Instructions: “ICMP
attacks against TCP” on page 14.
Supported Versions, Platforms and Builds
In This Section
Supported Versions
• The HFA_R55W_04 must be installed on top of NG with Application Intelligence
(R55W).
Check Point NG with Application Intelligence R55W (HFA_R55W_04) Release Notes. Last Update — September 19, 2005 2
Supported Platforms
(The Supported Platforms table was lost in extraction; only the entries below survive.)
• Windows Server 2003
• Solaris 9 UltraSPARC
• Red Hat Linux 7.3 and 7.2 (see notes 3 and 4 below)
• SecurePlatform
Table annotations that survive: "See note 2", "64 bit only".
Required Solaris packages:
• SUNWter
• SUNWadmc
• SUNWadmfw
Required patches (from a note whose heading was lost):
32 bit: 108434-01
64 bit: 108435-01
Solaris 9: the following patches (or newer) are required on Solaris 9 UltraSPARC
platforms:
Patch numbers: 112902-07
To verify that these patches are installed, use the command:
showrev -p | grep <patch number>
The patches can be downloaded from http://sunsolve.sun.com. Install the 32-bit patches
before installing the 64-bit patches.
3) Installation on Red Hat Linux 7.2 requires kernel version 2.4.9-31, which fixes critical
security issues in the Linux kernel. This kernel is not distributed with Red Hat Linux
7.2 by default. Download it from:
http://ftp.redhat.com/pub/redhat/support/enterprise/isv/kernel-archive/7.2/2.4.9-31/
4) Installation on Red Hat Linux 7.3 requires kernel version 2.4.18-5. This kernel is not
distributed with Red Hat Linux 7.3 by default. The released version of the 2.4.18-5
kernel contains a remote denial of service vulnerability in the TCP/IP stack. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0244 to this issue. Further details are available at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0244
Check Point recommends installing a 2.4.18-5 kernel that contains a fix for this
vulnerability. This kernel is available for download from the following locations:
kernel sources:
http://www.checkpoint.com/support/downloads/bin/vpn_des/firewall1/r54/linux/2.4.18-5/kernel-2.4.18-5.ckp.src.zip
i386:
kernel-2.4.18-5.ckp.i386.rpm
http://www.checkpoint.com/support/downloads/bin/vpn_des/firewall1/r54/linux/2.4.18-5/kernel-2.4.18-5.ckp.i386.rpm
i586:
kernel-2.4.18-5.ckp.i586.rpm
http://www.checkpoint.com/support/downloads/bin/vpn_des/firewall1/r54/linux/2.4.18-5/kernel-2.4.18-5.ckp.i586.rpm
kernel-smp-2.4.18-5.ckp.i586.rpm
http://www.checkpoint.com/support/downloads/bin/vpn_des/firewall1/r54/linux/2.4.18-5/kernel-smp-2.4.18-5.ckp.i586.rpm
i686:
kernel-2.4.18-5.ckp.i686.rpm
http://www.checkpoint.com/support/downloads/bin/vpn_des/firewall1/r54/linux/2.4.18-5/kernel-2.4.18-5.ckp.i686.rpm
kernel-smp-2.4.18-5.ckp.i686.rpm
http://www.checkpoint.com/support/downloads/bin/vpn_des/firewall1/r54/linux/2.4.18-5/kernel-smp-2.4.18-5.ckp.i686.rpm
8) SmartUpdate supports managing licenses but does not support managing products from
a Nokia SmartCenter Server.
Supported Platform’s Language Testing
Check Point's SmartCenter and Gateway products are supported on all language versions of
our supported operating systems but are fully-tested only on the American English versions
of most operating systems. In the unlikely event that you encounter any incorrect software
behavior on alternate languages, open a service request with Check Point’s Technical
Support team:
http://support.checkpoint.com/kb
The rx Library
Version NG with Application Intelligence R55W uses the rx library. You can download the
library license agreement (LGPL) from:
http://www.checkpoint.com/techsupport/downloads/docs/firewall1/r55/GNU_LGPL.pdf
Currently Supported Builds
HFA_R55W_04 consists of the following builds:
Installation
General Installation Considerations
• This HFA should be installed on both Security Gateways and SmartCenter Servers.
• HFA_R55W_04 can safely be installed on:
• Security Gateways that are managed by SmartCenter Server or Provider-1 of version
NG with Application Intelligence R55 and R55W management add-on.
• Security Gateways and SmartCenter Servers (Standalone) of version NG with
Application Intelligence R55W General Availability (GA).
• In the R55 SmartCenter Server configuration with R55W add-on, there is NO need to
install this HFA. Instead, you should install the R55 HFA 12 (or above) to provide the
required fixes.
• Before installing HFA_R55W_04, make sure that version NG with Application
Intelligence (R55W) is installed and configured on your machine.
• Installing HFA_R55W_04 overwrites any support Hotfix currently applied to version NG
with Application Intelligence (R55W).
• It is recommended to read the ClusterXL Guide prior to applying the HFA in a cluster
environment.
• It is recommended to manually back up the FWDIR and CPDIR directories of the SVN
Foundation and FireWall-1 products before installing HFA_R55W_04.
The directories can be reached as follows:
• Windows: cd %FWDIR% and cd %CPDIR%
In This Section
Windows page 7
IPSO, Solaris, Linux and SecurePlatform page 7
Remotely Installing Using SmartUpdate page 8
Windows
The package SHF_HFA_R55W.win32.zip consists of the following components:
• Install_hfa.bat
• Files/cpshared_550011003_1.tgz
• Files/fw1_550011004_1.tgz
1 Extract the package to a temporary directory.
6 Select the target object and install the version NG with Application Intelligence
HFA_R55W_04 packages, starting with the SVN Foundation package, followed by the
Firewall package.
7 Install HFA_R55W_04 one package at a time. The HFA_R55W_04 installation does not
support the NG with Application Intelligence Upgrade All Products feature.
Uninstallation
Uninstallation on Different Platforms
In This Section
Windows page 9
IPSO, Solaris, Linux and SecurePlatform page 9
Windows
1 Stop the Firewall processes by executing cpstop. In a cluster configuration, execute
cphastop as well.
2 From the Control Panel, open Add/Remove Programs and remove:
• the entry Check Point VPN-1 Pro NG_AI_HFA_R55W_04.
• the entry Check Point SVN Foundation NG_AI_HFA_R55W_04.
3 Reboot the machine.
IPSO, Solaris, Linux and SecurePlatform
1 Stop the Firewall processes by executing cpstop. In a cluster configuration, execute
cphastop, as well.
2 Change the directory to the directory from which you installed the HFA.
TABLE 1-1 Resolved Issues: R55W_04
Issues Resolved in Previous HFAs
In This Section
HFA_R55W_03 page 11
HFA_R55W_02 page 13
HFA_R55W_01 page 14
HFA_R55W_03
TABLE 1-2 Resolved Issues: R55W_03
By doing so:
1. Connectivity (for TCP traffic using data payloads on SYN
packets) will only be partially restored
2. SynDefender will not be able to protect against floods of
SYN packets carrying data.
R55W_03-16 Firewall: SynDefender Gateway
When switching from SynDefender Relay mode to passive
gateway mode, connections on Nokia are no longer dropped.
R55W_03-17 Firewall: SynDefender Gateway
SYNDefender supports TCP connection establishment with
FIN/ACK instead of ACK as the 3rd packet. This feature is
turned off by default. To turn it on, use fw ctl set int
fwconn_src_fin_establishment 1.
R55W_03-18 Firewall: TCP Sequence Verifier Gateway
In TCP streaming, long packets are no longer truncated.
R55W_03-19 Firewall: Security Servers Gateway
When CVP is not defined in the FTP resource, data is no
longer sent to the CVP server.
R55W_03-20 Firewall: Security Servers Gateway
Enhanced redirect mechanism for quick UFP.
R55W_03-21 Firewall: Security Servers Gateway
Improved Security Server stability.
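The R55W_03-17 entry above says that SYNDefender can treat a FIN/ACK as the third packet of the handshake when fwconn_src_fin_establishment is set. The following is an added example, not Check Point code and not taken from the release notes: a minimal handshake tracker in Python that creates a connection entry only once the three-way handshake completes and applies that flag to the third packet. The parameter name comes from the entry; the tracker's internals, the endpoint names and the sequence numbers are assumptions constructed for the example.

```python
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


class HandshakeTracker:
    """Track TCP three-way handshakes; a connection entry exists only after
    the handshake completes (simplified model, not the product's implementation).

    fwconn_src_fin_establishment: when 1, a third packet carrying FIN+ACK
    completes the handshake; when 0 (the documented default) it is dropped.
    """

    def __init__(self, fwconn_src_fin_establishment=0):
        self.fwconn_src_fin_establishment = fwconn_src_fin_establishment
        self.pending = {}        # (client, server) -> ACK number expected in the 3rd packet
        self.established = set()  # (client, server) pairs with a completed handshake

    def handle(self, src, dst, flags, seq, ack):
        """Return "accept" or "drop" for one segment from src to dst."""
        if (src, dst) in self.established or (dst, src) in self.established:
            return "accept"                               # data phase, not modelled here
        if flags & TCP_SYN and not flags & TCP_ACK:
            self.pending.setdefault((src, dst), None)     # client SYN; wait for SYN/ACK
            return "accept"
        if flags & TCP_SYN and flags & TCP_ACK:
            key = (dst, src)                              # SYN/ACK flows server -> client
            if key not in self.pending:
                return "drop"                             # unsolicited SYN/ACK
            self.pending[key] = (seq + 1) & 0xFFFFFFFF    # client must ACK server ISN + 1
            return "accept"
        key = (src, dst)
        expected = self.pending.get(key)
        if expected is None or not flags & TCP_ACK or ack != expected:
            return "drop"                                 # not a valid 3rd packet
        if flags & TCP_FIN and not self.fwconn_src_fin_establishment:
            return "drop"                                 # FIN/ACK as 3rd packet needs the flag
        del self.pending[key]
        self.established.add(key)
        return "accept"


def run_handshake(tracker, third_flags, client_isn=1000, server_isn=5000):
    """Drive a client->server handshake (constructed endpoints) and return the
    verdict on the third packet."""
    tracker.handle("client", "server", TCP_SYN, client_isn, 0)
    tracker.handle("server", "client", TCP_SYN | TCP_ACK, server_isn, client_isn + 1)
    return tracker.handle("client", "server", third_flags, client_isn + 1, server_isn + 1)


if __name__ == "__main__":
    print(run_handshake(HandshakeTracker(), TCP_FIN | TCP_ACK))                              # drop
    print(run_handshake(HandshakeTracker(fwconn_src_fin_establishment=1), TCP_FIN | TCP_ACK))  # accept
```

With the flag at its default a client that sends FIN+ACK as its third segment never gets a connection entry, so any data it sends afterwards is dropped; enabling the flag restores connectivity for such clients at the cost of accepting that unusual handshake.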
HFA_R55W_02
HFA_R55W_01
HFA_R55W_01 Description
R55W_01-1 FireWall-1
Fixed memory leak when the firewall module fetches a policy from the SmartCenter
server.
R55W_01-2 FireWall-1
Fixed a crash in the HTTP security server under certain conditions.
R55W_01-3 FireWall-1
HTTP protocol inspection has been enhanced.
R55W_01-4 SmartCenter server and VPN-1 module
Fixed a problem with the SecurePlatform web UI.
Special Instructions
In This Section
R55W_04 page 14
ICMP attacks against TCP page 14
R55W_03 page 16
R55W_02 page 16
R55W_04
With HFA_R55W_04 the system clock is updated automatically after a daylight saving time
change, not only after a reboot. For this to work the system clock must be kept in UTC:
install HFA_R55W_04, then in the file /etc/sysconfig/clock change the UTC field from
false to true.
ICMP attacks against TCP
NISCC advisory (532967/ICMP) describes a potential attack against TCP based on ICMP.
The practical application of this vulnerability is very remote (because an attacker must know
both IP addresses of a valid, currently connected pair of computers). However, if exploited,
this vulnerability could allow an attacker to create a Denial of Service condition against
existing TCP connections, resulting in premature session termination. For more
information about the vulnerability, see the NISCC advisory.
While Check Point products are not vulnerable to this issue, other network devices may
require this protection. By upgrading to the latest HFAs offered by Check Point, you can
ensure that all vulnerable devices are properly secured by simply enabling a certain kernel
global parameter. The enabling of this parameter allows VPN-1 Pro to drop ICMP error
packets that belong to established TCP connections.
Installation Instructions
Set the kernel global parameter fw_drop_icmp_errors_over_tcp to 1. There is no need to
install the Security Policy. For more information about setting the kernel global parameter,
refer to SecureKnowledge Solution: sk26202.
Advanced Configuration
When using the ICMP attacks against TCP defense, there are some miscellaneous advanced
configuration issues that can be set, such as: specifying exclusion lists, fragmentation
requirements and enhancing connectivity when using SCV:
• Specify an exclusion list. This is a list of ICMP types and codes that should not be
monitored by the defense.
• To define this list, add a table called allowed_icmp_over_tcp_types (and
allowed_icmpv6_over_tcp_types for ICMPv6) to the user.def file, located in the
$FWDIR/lib directory on the SmartCenter Server machine. The table should
contain <type, code> pairs of ICMP packets that should not be monitored by the
new defense.
Example: the following table specifies that ICMP "host unreachable" (type 3, code 1)
and "port unreachable" (type 3, code 3) will not be monitored by the new defense:
allowed_icmp_over_tcp_types = {
<3,1>,
<3,3>
};
• Once this table has been added and edited, make sure that you install the Security
Policy.
• By default, ICMP "fragmentation needed" packets (ICMPv4 type 3 code 4, ICMPv6
type 2 code 0) are not dropped, because Path MTU discovery depends on them. Bandwidth
attacks based on ICMP "fragmentation needed" packets are handled by the SmartDefense
Small PMTU defense. It is possible, however, to enforce the new defense on
"fragmentation needed" packets as well, by setting the kernel global parameter
fw_drop_icmp_frag_error_over_tcp to 1.
• When using Secure Configuration Verification (SCV), in some cases the connectivity of
traffic generated by machines that are inspected by SCV may be affected. To avoid
connectivity problems when using SCV, set the kernel global parameter
fw_allow_icmp_error_scv to 1.
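The following is an added example, not Check Point code and not taken from the release notes, that models in Python the decision described in this section and under Security Enhancements: an ICMP error whose quoted inner segment belongs to an established TCP connection is dropped, subject to the user.def exclusion list and the two kernel parameters. The packet layout follows RFC 792 (ICMP header, then the offending IP header and the first 8 bytes of its transport header). The Policy class, the connection set, the "no-match" verdict and all addresses and ports are assumptions made for the example; the checksums are left as zero.

```python
import socket
import struct
from dataclasses import dataclass, field

# ICMPv4 error message types (RFC 792); anything else is not an error message
# and is never touched by the defense.
ICMP_ERROR_TYPES = {3, 4, 11, 12}   # dest unreachable, source quench, time exceeded, parameter problem
ICMP_FRAG_NEEDED = (3, 4)           # "fragmentation needed", excluded by default
IPPROTO_TCP = 6


@dataclass
class Policy:
    """Kernel global parameters named in the release notes (defaults assumed)."""
    fw_drop_icmp_errors_over_tcp: int = 1
    fw_drop_icmp_frag_error_over_tcp: int = 0
    # allowed_icmp_over_tcp_types from user.def: <type, code> pairs the defense ignores
    allowed_icmp_over_tcp_types: frozenset = field(default_factory=frozenset)


def build_icmp_error(icmp_type, icmp_code, src, sport, dst, dport):
    """Construct an ICMPv4 error quoting a TCP segment src:sport -> dst:dport.

    This is the shape of the forged packet an attacker would send to tear down
    a connection: only the quoted 4-tuple has to match a live connection.
    Constructed sample data; checksums are zero.
    """
    icmp_hdr = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    inner_tcp = struct.pack("!HHI", sport, dport, 0)   # only 8 bytes of TCP are quoted
    return icmp_hdr + inner_ip + inner_tcp


def parse_icmp_error(payload):
    """Return (type, code, inner_proto, (src, sport, dst, dport)).

    inner_proto and the 4-tuple are None when the message is not an error or
    does not quote a TCP segment.
    """
    if len(payload) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code = payload[0], payload[1]
    if icmp_type not in ICMP_ERROR_TYPES:
        return icmp_type, icmp_code, None, None
    inner = payload[8:]
    if len(inner) < 20:
        raise ValueError("ICMP error does not quote a full IP header")
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    if proto != IPPROTO_TCP or len(inner) < ihl + 4:
        return icmp_type, icmp_code, proto, None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return icmp_type, icmp_code, proto, (src, sport, dst, dport)


def icmp_error_verdict(policy, established, payload):
    """Decide what the defense does with one ICMP message.

    established: set of (client, cport, server, sport) tuples of tracked TCP
    connections. Returns "accept", "drop", or "no-match" (no tracked
    connection; left to ordinary stateful inspection, outside this example).
    """
    icmp_type, icmp_code, proto, quoted = parse_icmp_error(payload)
    if proto != IPPROTO_TCP or quoted is None:
        return "accept"                        # not an ICMP error about a TCP segment
    if policy.fw_drop_icmp_errors_over_tcp != 1:
        return "accept"                        # defense disabled
    if (icmp_type, icmp_code) in policy.allowed_icmp_over_tcp_types:
        return "accept"                        # exclusion list from user.def
    if (icmp_type, icmp_code) == ICMP_FRAG_NEEDED and not policy.fw_drop_icmp_frag_error_over_tcp:
        return "accept"                        # PMTU discovery keeps working by default
    src, sport, dst, dport = quoted
    # The quoted segment may have been sent by either side of the connection.
    if (src, sport, dst, dport) in established or (dst, dport, src, sport) in established:
        return "drop"                          # error aimed at an established connection
    return "no-match"


if __name__ == "__main__":
    conns = {("10.1.1.5", 40000, "192.0.2.10", 80)}            # constructed connection table
    forged = build_icmp_error(3, 1, "10.1.1.5", 40000, "192.0.2.10", 80)
    print(icmp_error_verdict(Policy(), conns, forged))          # drop
```

The attacker's precondition noted above is visible in the code: the forged error is only matched, and therefore only has an effect, when the quoted addresses and ports line up with a live connection, which is why the advisory rates the attack as hard to carry out blind. The exclusion list mirrors the user.def example in this section, so adding <3,1> turns the same forged "host unreachable" from a drop into an accept.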
R55W_03
R55W_03-13
The HTML weeding protection provides a strong defense against different client side
attacks. However, under some circumstances this defense can be circumvented using
Cascading Style Sheets (CSS).
To get the highest level of protection, use GUI DBEdit to add the field
http_weeding_block_css (Boolean type) to the Global Properties with the value TRUE.
R55W_03-24
Stripping of attachments that use unknown encoding. When the existing property
smtp_unknown_encoding is unset (value is 0), the mail dequeuer also strips UTF-7
attachments when detected. The flag continues to strip the other attachments it
stripped previously.
Activate this defense via the SmartDashboard GUI:
1) Select the SmartDefense tab.
2) Under Application Intelligence > Mail > Mail Security Servers > Mail and Recipient
content, deselect the Allow unknown encoding property.
R55W_02
R55W_02-1 and R55W_03-26
Weeding defense improvements can be activated by setting the flag
http_weeding_block_css to true in the following places:
2 In $FWDIR/conf/objects_5_0.C, add the http_weeding_block_css line shown here:
.......
:http_weeding_allow_chunked (false)
:http_weeding_block_css (true)
:ica_cert_op_timeout (120000)
......
After adding the line in both places mentioned above, install the Policy.
Known Limitations
ClusterXL
1) When using T.120 connections on load-sharing clusters, you must manually add a rule
that allows these T.120 connections. For H.323 you must disable the flag Enable
dynamic T.120 in SmartDefense. Alternatively, you can use a sticky decision function
based on IP addresses only and not on port numbers.
Services
2) The services PIM, SWIPE, IP_Mobility and SUN_ND have the property Match on Any
checked by default. This causes the Cisco IOS DoS protection to act on those
protocols even if the defense is disabled in SmartDefense. As a result, packets of those
IP protocols with a TTL of less than 4 are dropped.
To resolve this, clear the check box in the service (in the service's Advanced window), or
remove the protection for that specific service in SmartDefense > IP and ICMP > Block
Cisco IOS DoS.