Document: Firewall and Smart Defense Administration Guide Version NGX R65 (PDF)


Firewall and SmartDefense Administration Guide
Version NGX R65
701682 March 13, 2007

© 2003-2007 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: ©2003-2007 Check Point Software Technologies Ltd. All rights reserved.
Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company.
All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.

Contents

Preface
  Who Should Use This Guide
  Summary of Contents
  Section 1: Network Access
  Section 2: Connectivity
  Section 3: SmartDefense
  Section 4: Application Intelligence
  Section 5: Web Security
  Section 6: Appendices
  Related Documentation
  More Information
  Feedback

Network Access

Chapter 1 Access Control
  The Need for Access Control
  Solution for Secure Access Control
  Access Control at the Network Boundary
  The Rule Base
  Example Access Control Rule
  Rule Base Elements
  Implied Rules
  Preventing IP Spoofing
  Multicast Access Control
  Cooperative Enforcement
  End Point Quarantine (EPQ) - Intel(r) AMT
  Special Considerations for Access Control
  Spoofing Protection
  Simplicity
  Basic Rules
  Rule Order
  Topology Considerations: DMZ
  X11 Service
  Editing Implied Rules
  Configuring Access Control
  Defining Access Control Rules
  Defining a Basic Access Control Policy
  Configuring Anti-Spoofing
  Configuring Multicast Access Control
  Configuring Cooperative Enforcement
  Configuring End Point Quarantine (EPQ) - Intel(r) AMT
  Activating EPQ
  Connection Authentication Data
  Quarantine Policy Data
  Encrypting the Password
  Malicious Activity Script and Alert
  Logging Activity
  To Quarantine a Machine Manually

Chapter 2 Authentication
  The Need for Authentication
  The VPN-1 Solution for Authentication
  Introduction to VPN-1 Authentication
  Authentication Schemes
  Authentication Methods
  Configuring Authentication
  Creating Users and Groups
  Configuring User Authentication
  Configuring Session Authentication
  Configuring Client Authentication
  Configuring Authentication Tracking
  Configuring a VPN-1 Gateway to use RADIUS
  Granting User Access Using RADIUS Server Groups
  Associating a RADIUS Server with a VPN-1 Gateway
  Configuring a VPN-1 Gateway to use SecurID
  Configuring a VPN-1 Gateway to use TACACS+
  Configuring Policy for Groups of Windows Users

Connectivity

Chapter 3 Network Address Translation (NAT)
  The Need to Conceal IP Addresses
  Check Point Solution for Network Address Translation
  Public and Private IP addresses
  NAT in VPN-1
  Static NAT
  Hide NAT
  Automatic and Manual NAT Rules
  Automatic Hide NAT for Internal Networks
  Address Translation Rule Base
  Bidirectional NAT
  Understanding Automatically Generated Rules
  Port Translation
  NAT and Anti-Spoofing
  Routing Issues
  Disabling NAT in a VPN Tunnel
  Planning Considerations for NAT
  Hide Versus Static
  Automatic Versus Manual Rules
  Choosing the Hide Address in Hide NAT
  Configuring NAT
  General Steps for Configuring NAT
  Basic Configuration (Network Node with Hide NAT)
  Sample Configuration (Static and Hide NAT)
  Sample Configuration (Using Manual Rules for Port Translation)
  Configuring Automatic Hide NAT for Internal Networks
  Advanced NAT Configuration
  Allowing Connections Between Translated Objects on Different Gateway Interfaces
  Enabling Communication for Internal Networks with Overlapping IP Addresses
  SmartCenter Behind NAT
  IP Pool NAT

Chapter 4 ISP Redundancy
  The Need for ISP Link Redundancy
  Solution for ISP Link Redundancy
  ISP Redundancy Overview
  ISP Redundancy Operational Modes
  Monitoring the ISP Links
  How ISP Redundancy Works
  ISP Redundancy Script
  Manually Changing the Link Status (fw isp_link)
  ISP Redundancy Deployments
  ISP Redundancy and VPNs
  Considerations for ISP Link Redundancy
  Choosing the Deployment
  Choosing the Redundancy Mode
  Configuring ISP Link Redundancy
  Introduction to ISP Link Redundancy Configuration
  Registering the Domain and Obtaining IP Addresses
  DNS Server Configuration for Incoming Connections
  Dialup Link Setup for Incoming Connections
  SmartDashboard Configuration
  Configuring the Default Route for the ISP Redundancy Gateway

Chapter 5 ConnectControl - Server Load Balancing
  The Need for Server Load Balancing
  ConnectControl Solution for Server Load Balancing
  Introduction to ConnectControl
  Load-Balancing Methods
  ConnectControl Packet Flow
  Logical Server Types
  Persistent Server Mode
  Server Availability
  Load Measuring
  Configuring ConnectControl

Chapter 6 Bridge Mode
  Introduction to Bridge Mode
  Limitations in Bridge Mode
  Managing a Gateway in Bridge Mode
  Configuring Bridge Mode
  Bridging Interfaces
  Configuring Anti-Spoofing
  Displaying the Bridge Configuration

SmartDefense

Chapter 7 SmartDefense
  The Need for SmartDefense
  SmartDefense Solution
  Introducing SmartDefense
  Defending Against the Next Generation of Threats
  Network and Transport Layers
  Web Attack Protection
  How SmartDefense Works
  Online Updates
  Categorizing SmartDefense Capabilities
  SmartDefense Profiles
  Monitor-Only Mode
  Network Security
  Japanese Language Support for SmartDefense Protections
  SmartDefense Single Profile View
  Denial of Service
  IP and ICMP
  TCP
  Fingerprint Scrambling
  Successive Events
  DShield Storm Center
  Port Scan
  Dynamic Ports
  Application Intelligence
  Mail
  FTP
  Microsoft Networks
  Peer-to-Peer
  Instant Messengers
  DNS
  VoIP
  SNMP
  Web Intelligence
  Web Intelligence Protections
  Web Intelligence Technologies
  Web Intelligence and ClusterXL Gateway Clusters
  Web Content Protections
  Customizable Error Page
  Connectivity Versus Security Considerations
  Web Security Performance Considerations
  Backward Compatibility Options for HTTP Protocol Inspection
  Web Intelligence License Enforcement
  Understanding HTTP Sessions, Connections and URLs
  Configuring SmartDefense
  Updating SmartDefense with the Latest Defenses
  SmartDefense Services
  Download Updates
  Advisories
  Security Best Practices
  Configuring SmartDefense Profiles
  Creating Profiles
  Assign a Profile to the Gateway
  View Protected Gateways by a Profile
  SmartDefense StormCenter Module
  The Need for Cooperation in Intrusion Detection
  Check Point Solution for Storm Center Integration
  Planning Considerations
  Configuring Storm Center Integration

Application Intelligence

Chapter 8 Content Inspection
  Anti Virus Protection
  Introduction to Integrated Anti Virus Protection
  Architecture
  Configuring Integrated Anti Virus Scanning
  Database Updates
  Understanding Scan By Direction and Scan By IP
  Scanning by Direction: Selecting Data to Scan
  File Type Recognition
  Continuous Download
  Logging and Monitoring
  File Size Limitations and Scanning
  VPN-1 UTM Edge Anti Virus
  Web Filtering
  Introduction to Web Filtering
  Terminology
  Architecture
  Configuring Web Filtering

Chapter 9 Securing Voice Over IP (VoIP)
  The Need to Secure Voice Over IP
  Introduction to the Check Point Solution for Secure VoIP
  Control Signalling and Media Protocols
  VoIP Handover
  When to Enforce Handover
  VoIP Application Intelligence
  Introduction to VoIP Application Intelligence
  Restricting Handover Locations Using a VoIP Domain
  Controlling Signalling and Media Connections
  Preventing Denial of Service Attacks
  Protocol-Specific Application Intelligence
  VoIP Logging
  Protocol-Specific Security
  Securing SIP-Based VoIP
  SIP Architectural Elements in the Security Rule Base
  Supported SIP RFCs and Standards
  Secured SIP Topologies and NAT Support
  Application Intelligence for SIP
  Configuring SmartDefense Application Intelligence Settings for SIP
  Synchronizing User Information
  SIP Services
  Using SIP on a Non-Default Port
  ClusterXL and Multicast Support for SIP
  Securing SIP-Based Instant Messenger Applications
  Configuring SIP-Based VoIP
  Troubleshooting SIP
  Securing H.323-Based VoIP
  H.323 Architectural Elements in the Security Rule Base
  Supported H.323 RFCs and Standards
  Secured H.323 Topologies and NAT Support
  Application Intelligence for H.323
  SmartDefense Application Intelligence Settings for H.323
  H.323 Services
  Configuring H.323-Based VoIP
  Securing MGCP-Based VoIP
  The Need for MGCP
  MGCP Protocol and Devices
  MGCP Network Security and Application Intelligence
  [...]

... Administration Guide: Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints. Firewall and SmartDefense Administration Guide: Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application...
Started Guide: Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc. Upgrade Guide: Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65. SmartCenter Administration...

... enterprise, including policy management and user support. This guide assumes a basic understanding of the following:
• The underlying operating system
• System administration
• Internet protocols (for example, IP, TCP and UDP)

Summary of Contents
This guide describes the firewall and SmartDefense components of VPN-1. It contains the following sections and chapters: Section 1: Network...

... distributes network traffic among a number of servers and thereby reduces the load on a single machine, improves network response time and ensures high availability.

Section 3: SmartDefense
This section provides an overview of SmartDefense. This VPN-1 component enables customers to configure, enforce and update network and application attack defenses. The DShield StormCenter is also described...

... Eventia Reporter Administration Guide: Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense. SecurePlatform™/SecurePlatform Pro Administration Guide: Explains how to install and configure SecurePlatform. This guide will also...
protections, refer to the SmartDefense HTML pages and the online help.

Chapter 7, “SmartDefense”: Describes the SmartDefense component, which actively defends your network, even when the protection is not explicitly defined in the Security Rule Base. SmartDefense unobtrusively analyzes activity across your network, tracking potentially threatening events and optionally sending notifications...

... client and server requirements. Integrity Agent for Linux Installation and Configuration Guide: Explains how to install and configure Integrity Agent for Linux. Integrity XML Policy Reference Guide: Provides the contents of Integrity client XML policy files. Integrity Client Management Guide: Explains how to use command line parameters to control Integrity client installer behavior and post-installation...

... provides a summary of VPN-1 command line interface commands.

Appendix A, “Security Before VPN-1 Activation”: Describes the Boot Security and Initial Policy features, which are used when a computer does not yet have a VPN-1 security policy installed.
Appendix B, “Command Line Interface”: Describes command line interface commands that relate to VPN-1 firewall components.

Related...

... Rule Base is a collection of rules that determine which communication traffic is permitted and which is blocked. Rule parameters include the source and destination of the communication, the services and protocols that can be used and at what times, and tracking options. Reviewing SmartView Tracker traffic logs and alerts is a crucial aspect of security management. VPN-1 inspects packets in a sequential...
This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols. Provider-1/SiteManager-1 Administration Guide: Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate...

Date posted: 22/12/2013, 14:16
