SofaWare Security Management Architecture 1.0 - Check

Draft - Confidential Page 1/25

SofaWare Security Management Architecture 1.0

Revision 1.3

SofaWare Technologies, 2002

www.sofaware.com


Copyright © SofaWare Technologies, Ltd, 2001. All Rights Reserved. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws.


Table Of Contents Overview........................................................................................................................................................................... 4

SofaWare Managed Security Service (MSS) .......................................................................................................... 4 Design Goals ................................................................................................................................................................ 4

SofaWare MSS Architecture Overview....................................................................................................................... 5 The Enforcement Module............................................................................................................................................... 6

The Firewall Engine ............................................................................................................................................... 7 NAT & DHCP Modules ........................................................................................................................................ 7 VPN Module (Optional) ........................................................................................................................................ 7 Local Management Module .................................................................................................................................. 8 Remote Management Module ............................................................................................................................... 8

SofaWare Managed Security Service........................................................................................................................... 9 Overview.................................................................................................................................................................. 9 SMS (SofaWare M anagement Server) ................................................................................................................ 9 GPM (Gateway Provisioning Module) .............................................................................................................10 Tiered Services ......................................................................................................................................................10 Security Policy Updates.......................................................................................................................................10 User Interface Updates.........................................................................................................................................11 LBM (Load Balancing Module).........................................................................................................................11 UFM (URL Filtering Module)............................................................................................................................11 CVM (Content Vectoring Module)....................................................................................................................13 ELM (Event Logging Module)...........................................................................................................................13 LSM (LDAP Support Module)...........................................................................................................................14 SMAPI (SofaWare Management API)..............................................................................................................15 Infranet Integration Module ................................................................................................................................15 SPP (Self- Provisioning Portal) ..........................................................................................................................15 SMC (SofaWare Management Center) .............................................................................................................16

Glossary...........................................................................................................................................................................17


Overview

SofaWare Managed Security Service (MSS) Home users, small businesses and teleworkers all look to their Service Provider, Managed Service Provider (MSP) or corporat e administrator to meet their security requirements (we will henceforth refer to the entity providing the managed security service as ‘xSP’). With SofaWare Managed Security Service (MSS), the xSP can provide these users with the protection they need: managed personal firewalls embedded in the broadband access device or residential gateway.

The SofaWare Managed Security Service provides a scalable method of configuring and controlling a virtually unlimited number of Gateways running Safe@Home or Safe@Office, from the xSP’s NOC. Management can be seamlessly integrated with a service provider customer and billing systems, with Check Point management infrastructure, and with OPSEC compliant third party applications.

This document presents an in-depth technical description of the SofaWare Managed Security Service architecture.

Design Goals

The SofaWare Managed Security Service design objectives: Cost Efficiency: optimized for extremely low cost per subscriber. Scalability: scales to millions of managed devices . Availability: includes carrier -grade fail-over and load balancing capabilities. Integration: adapts to the existing infrastructure and strategy of the service provider.


SofaWare MSS Architecture Overview

SofaWare's patent-pending technology is based on a distributed architecture, where each home or office is protected by an enforcement module embedded a residential gateway. The enforcement module is centrally managed by the xSP.

Operational Support

OPSEC Services

Directory Servers

Self Provisioning

Center

Residential

Gateways

BillingIntegration

Management

Servers

ManagementCenter

UFP

URL Filtering

CVP

Content

Vectoring

ELA

Event

Logging

Figure 1: SofaWare MSS Architecture Overview


The Enforcement Module

The Safe@Home or Safe@Office Residential Gateway (GW) is an embedded firewall for broadband access devices, such as cable modems, DSL modems and broadband routers. This firewall is based on Check Point’s industry -leading FireWall-1 Stateful Inspection engine.

A Safe@Home or Safe@Office gateway consists of the following components:

o The hardware platform

o Safe@Home or Safe@Office core firewall

o Network Address Translation (NAT) module

o Local Management Module

o Remote Management Module

o DHCP Module

o VPN Module (optional)

o NAT Module

Safe@Home Core

LocalManagement

Module

RemoteManagement

Module

HardwarePlatform

A

Hardware Adaptation Layer

EnforcementModule

NATOption

VPNOption

DHCPModule

HardwarePlatform

B

HardwarePlatform

C

Figure 2 Safe@Home or Safe@Office Residential Gateway Architecture

Gateways can be configured either in standalone mode, or managed remotely by the xSP. In addition, the gateway includes an embedded Web-based configuration portal, which allows the customer to manage some aspects of his own residential gateway. The SofaWare MSS distributed architecture, consisting of Management Servers at the xSP and a large number of Safe@Home or Safe@O ffice Residential Gateways that enforce the Security Policy, can scale to a virtually unlimited number of subscribers, while maintaining very low cost of ownership per subscriber. The Safe@Home and Safe@Office software is supported on different hardware types (such as cable modems, DSL modems, broadband routers) from different manufacturers.


The Firewall Engine

Stateful Inspection Technology delivers full enterprise-class firewall capabilities, ensuring the highest level of network security. The Enforcement Module analyzes all packet communication layers, and extracts the relevant communication and application state information. The Enforcement Module understands and can learn any protocol and application. By employing this flexible, extensible technology, Safe@Home meets the dynamic security requirements of today's internet.

The Stateful Inspection architecture utilizes a unique, patented INSPECT Engine which enforces the security policy on the gateway on which it resides. The INSPECT Engine looks at all communication layers and extracts only the relevant data, enabling highly efficient operation, support for a large number of protocols and applications, and easy extensibility to new applications and services.

The INSPECT Engine is programmable using Check Point's powerful INSPECT Language. This provides important system extensibility, allowing service providers, to incorporate support for new applications, services, and protocols, without requiring new software to be loaded to the gateways.

For most new applications, including most custom applications developed by end users, the communication-related behavior of the new application can be incorporated simply by modifying one of the built-in script templates via the graphical user interface. Even the most complex applications can be added quickly and easily via the INSPECT Language. NAT & DHCP Modules

The Safe@Home Enforcement Module can optionally support Network Address Translation (NAT) and NAPT (Network Port Address Translation), which allow multiple devices to share a single public IP address.

The NAT implementation is based on the industry leading Check Point FireWall-1 NAT module, which supports a very large number of protocols and applications, including complex protocols, such as FTP , H.323, and RPC.

In addition, the NAT engine can be quickly enhanced to support additional protocols, by modifying the INSPECT scripts.

NAT works in conjunction with the DHCP module. The DHCP module includes an embedded DHCP (Dynamic Host Configuration Protocol) client and DHCP server.

When the NAT Option is enabled, the DHCP client is used to assign the gateway a public address from the service provider pool. Then, The DHCP server is used to automatically assign private IP addresses to the devices in the internal network.

Note For more information on NAT, refer to RFC 3022, Traditional IP Network Address Translator.

VPN Module (Optional)

Virtual Private Networks (VPNs) provide a powerful means of protecting the privacy and integrity of business communications. Many organizations have deployed site-to-site VPNs as a viable alternative to expensive leased lines when connecting private networks. Enterprises are now looking to VPNs to provide secure connectivity to the growing number of remote and mobile users.

SofaWare’s VPN solution utilizes the core technology of Check Point’s comprehensive VPN-1™ product family, and enables both remote and local users to securely access sensitive enterprise


resources. The VPN client transparently encrypts and authenticates critical data to protect against eavesdropping and malicious data tampering, so remote users can securely connect to the enterprise network even over dial-up lines.

SofaWare’s VPN solution can leverage hardware acceleration implementations to speed up the encryption and key exchange process. Local Management Module

The user is provided with some simple management capabilities through the Local Configuration Portal — a lightweight Web server embedded in the residential gateway.

The user is not required to install any new software to access the configuration portal; only a standard Web browser is required.

The local management “connectivity pack” ensures that the Web interface is easily accessible by the user. The user is not required to remember the IP address of the gateway, but rather can use an easily-remembered names such as http://my.firewall. Regardless of network (and subnet) configuration or current status of Internet connectivity, Safe@Home (or Safe@Office) intercepts the request and to returns the correct Web page.

This Web interface can be easily customized and branded by the xSP at any stage. The user can download a new “skin,” or look-and-feel, at any stage, greatly simplifying localization.

Figure 3: Security Settings page Figure 4: Security Services page Remote Management Module

The Remote Management Module has two functions:

o It enables the residential gateway to be remotely managed by SofaWare Secuirty Management Platform (SMP).

o It enables the user to subscribe to value-added services, such as security policy updates, family filters, and Anti-Virus.

The Remote Management Module connects to the xSP SofaWare Management Servers (SMS).


SofaWare Managed Security Service Overview The SofaWare Security Management Platform (SMP) consists of several modules, as depicted in figure 5.

SMAPISofaWare

Management API (C++, Java)

SMSSofaWare

Management Server

LSMLDAP Support Module

ELMEvent

LoggingModule

CVMContent

VectoringModule

UFMURL

FilteringModule

InfranetIntegration

Module

SPCSelf

ProvisioningCenter

SMCSofaWare

ManagementCenter

GPMGateway

ProvisioningModule

Figure 5: MSS Back-End Architecture

SMS (SofaWare Management Server)

SofaWare Management Server (SMS) is a modular platform that enables a service provider or an enterprise to deliver managed security services to its broadband subscribers or employees, through their residential gateways.

SMS provisions the residential gateways with a Security Policy, user interface, configuration updates and (in some cases) with firmware updates.

In addition, the SMS can provide add-on services:

o Event Logging — using SofaWare ELM (Event Logging Module)

o Content Filtering— using SofaWare UFM (URL Filtering Module)

o Content Vectoring — using SofaWare CVM (Content Vectoring Module).

The Management Server communicates with the gateways using SWTP (SofaWare Transport Protocol), a highly scalable, UDP -based protocol.


GPM (Gateway Provisioning Module)

SofaWare’s Gateway Provisioning Module (GPM) is the core module of the SofaWare Management Server. It is reponsible for distributioning configuration data and Security Policy updates to gateways from a central configuration repository. GPM provides :

o Tiered services

o Security Policy updates

o User Interface updates

o Firmware updates Tiered Services

The gateway provisioning module provides an infrastructure for the “Tiering” of services. A Service Provider or enterprise can define distinct groups of subscribers with different Security Policies and services.

GPM is a powerful platform for offering future services as they become available, and is an essential feature for cost-effectively managing a large number of subscribers.

The service provider or corporate compiles a list of all service plans. Within each plan, the services and policies are available to these clients are defined. Each package is defined as a set of features which a specific customer is entitled to use.

Consider the following service plan list:

Table 1 Service Plan example

Plan Name Features Price

Gold Includes dynamic Policy updates, NAT support, Security Policy Customizing support, URL Filtering and Anti-Virus functionality

1000

Silver Includes Policy updates and NAT support 100

Bronze Includes Policy updates only 10

If the xSP modifies a specific plan, all the members of this plan will be automatically updated. For example, if the xSP decides to add the NAT feature to all Bronze subscribers, the gateways of all Bronze subscribers will be automatically configured to implement the NAT feature. Security Policy Updates

The Service Provider or enteprise can dynamically update the Security Policy without performing a software upgrade, by using the INSPECT engine. The INSPECT engine allows the Service Provider to extend the firewall with support for new applications and attack signatures, without going through the costly process of firmware upgrades, enabling timely responses to security issues as they arise.

Traditional policy management solutions require the Service Provider to create a customized policy for each individual customer. This approach is not scalable and extremely expensive to manage. The approach used by SofaWare MSS is much more scalable and cost- effective: SofaWare allows the Service Provider to define a small number of generic policies. In the provisioning process, each user is assigned to one of these basic policies.

Consider the following, hypothetical scenario:


Security Policies

Plan Name Features

Standard a basic Security Policy

Office adds support for common business applications

Gamer adds support for playing common network games through the firewall

To complement the generic policies, SofaWare allows individual users to customize their own Security Policies. This feature can be enabled or disabled on a per-user basis. User Interface Updates

The User Interface can be downloaded by the Management Server to the residential gateway.

The xSP can dynamically update the HTML files used by the gateway's embedded Web server, without performing a software upgrade. This allows customizing and branding of the user interface by a Service Provider or enterprise, as well as allowing multi-language support. LBM (Load Balancing Module)

The Management Servers support automatic, symmetrical load balancing and fail -over, using the Load Balancing Module (LBM), allowing unparalleled scalability and fault-tolerance.

Management Servers are configured in server groups. All the Management Servers in the server group constantly synchronize load information. When a Management Server becomes overloaded, it redirects part of its clients to another server in the group, which is not as loaded.

When the residential gateway detects that the overloaded Management Server is not responding, it switches to another server. Several logical server groups can may be defined. For example, a large service provider can choose to assign different management server groups to different regions. All the gateways in a specific area would be instructed to use the regional group of servers. UFM (URL Filtering Module)

The SofaWare UFM (URL Filtering Module) enables xSP to offer their customer a managed URL filtering service. This can allow the a home user to protect his or her family from accessing objectionable Web sites or increase productivity in an enterprise environment.

OPSEC UFP OPSEC UFP is an OPSEC API that enables integration of third-party application to categorize and control access to specific URL addresses. The UFP API has been adopted by a wide variety of content security vendors. Each customer can select from a list of categories which should be blocked.

OPEN PLATFORM FOR SECURITY (OPSEC) An open, industry-wide alliance driven by Check Point that ensures interoperabili ty between security products. Interoperability is achieved through a combination of published APIs, industry-standard protocols, and a high-level scripting language. OPSEC encourages partnerships in the areas of infrastructure (network products and services), framework (security products), and passport (applications developers).


Today the OPSEC platform boasts the broadest operating system and network infrastructure support, and over two hundred and fifty partners have adopted its security integration interface

The URL filtering mechanism operates as follows:

1. The residential gateway examines every HTTP request and extracts the requested URL.

2. The gateway sends a categorization request to the Management Server for the URL. 3. The Management Server fetches the categories from OPSEC UFP-compliant URL

filtering server. 4. The category is sent back to the gateway.

5. The gateway decides whether access to this site should be denied or permitted, according to the user’s preferences.

6. If access to the site is denied, the gateway generates its own HTTP response, which prompts the user that access has been denied, and allows the user to enter a password in order to override the ‘filtered’ mode.

7. To minimize the performance impact of the URL filtering process, the gateway maintains a cache with a list of recently accessed URLs.

Customer Premises

Customer PC

Public Internet

Web Server

Service Provider Premises

SMSSofaWare

Management Server

URLFilteringServer

AccessDenied

Safe@HomeResidential

Firewall

Figure 6: SofaWare UFP Architecture

Figure 7: Access Denied Page


CVM (Content Vectoring Module)

The SofaWare Content Vectoring Module (CVM) allows the service provider to build “transparent proxies” that automatically divert selected traffic through a content filtering server, without requiring any configuration on the client side.

The CVM module can use any OPSEC CVP (Content Vectoring Protocol) compliant content filtering server.

OPSEC CVP OPSEC CVP is an OPSEC API that enables integration of third-party content security applications, such as Anti-Virus software, with Check Point security products. The CVP API has been adopted by a wide variety of security vendors.

SofaWare CVM can be used to implement a transparent email Anti-Virus mechanism.

The solution is completely transparent to the customer, who does not need to change his or her mail reader configuration or install any software on the PC.

The Anti-Virus mechanism operates as follows:

1. The residential gateway encounters a POP3 email connection.

2. The residential gateway transparently diverts to connection to an OPSEC CVP-compliant anti-virus server.

3. The CVP server checks the mail for malicious content.

4. If a virus is detected, it is removed, and replaced by a warning message.

Service Provider Premises

Public Internet

Customer Premises

Virtual

SMSSofaWare

Management Server

Customer PC

Mail Server

Anti VirusServer

Safe@HomeResidential

Firewall

Diverted TCP Connection

Figure 3 Using CVM for Anti-Virus

ELM (Event Logging Module)

SofaWare has several built-in mechanisms to inform and alert the user of potential or actual hazards.

SofaWare Event Logging Module (ELM) is a remote logging mechanism that enables the enforcement module to send security reports to the Management Server. The reports include attempted attacks, configuration changes, and system errors.


Using the ELM module, the SofaWare management collects log information from the residential gateways, and saves them to a central log database.

The logging mechanism is an essential tool for system troubleshooting. In conjunction with an OPSEC-compliant Intrusion Detection System (IDS), it is possible to perform real-time attack detection and prevention.

Using an IDS, it is possible to isolate hacker activities and automatically launch an appropriate response, such as alerting an administrator or reconfi guring the network to disconnect an offending customer.

For ultimate scalability, logging can be enabled or disabled on a per-user basis, and even for specific rules in the security policy.

The service provider can interactively query the log database using the log viewer tool, or use the OPSEC LEA API (Log Export API) in order to access the log data programmatically, in real-time.

Safe@HomeGateway

Central Log Module (CLM)

SMSSofaWare

Management Server

Hacker

SWTPAttack

LogViewer

ELA

IDSIntrusionDetectionSystems

LEALog Export

API

Figure 4 – ELM Architecture

LSM (LDAP Support Module)

SofaWare SMP requires the use of a directory server for storing customer provisioning details, security policies, and user interfaces files.

Using SofaWare LDAP Support Module (LSM), the service provider can connect the system to any LDAP compliant directory server.

For high availability configurations, it is recommended to use an LDAP server with replication support, such as Sun iPlanet Directory Server.


SMAPI (SofaWare Management API)

The SofaWare architecture is extensible. It is possible to plug in third-party Call Center, Provisioning and Billing software.

The integration is done by using SofaWare Management API (SMAPI), a simple, open API, which is supported both in Java and C++.

SofaWare also provides professional integration services . Infranet Integration Module

SofaWare Infranet Integration Module allows integration between SofaWare Managed Security Service and the Infranet platform from Portal Software.

SPP (Self- Provisioning Portal)

SofaWare Self-Provisioning Portal (SPP) is an extensible Web -based application that enables customers to perform on-line customization of their current services, select security policies, as well as purchase additional services. SPP interfaces with the customer and billing systems, and through them, to the SofaWare management servers.

In addition, the look-and-feel of the portal can be customized by the service provider or enterprise.


SMC (SofaWare Management Center)

SofaWare Management Center (SMC) is the Web-based application controlling the various components of the SofaWare Security Management Platform. It enables system administrators and Customer Service Representatives (CSR) to perform administrative tasks, such as adding and removing customers, changing security settings, reconfiguring the management servers, and more.

An emphasis has been put on making administration as simple as scaleable as possible. This is why users are typically handled by groups and not individually. This way a very large deployment can be accomodated easily.

If desired, SofaWare SMC can be integrated with a service provider existing OSS infrastructure.

Figure 5: SMC: Management Server Configuration

Figure 6: SMC: Plan Definitions

Figure 7: SMC: Searching For Customers

Figure 8: SMC: Editing Customer Details


Glossary A

Antivirus A program that detects viruses and takes apppropriate action.

C

Content Vectoring Protocol (CVP) An *OPSEC API that enables integration of third-party content security applications such as antivirus software into Safe@Home Residential Gateways. The CVP API has been adopted by a wide variety of security vendors.

F firewall A combination of hardware and software resources positioned between the local (trusted) network and the Internet. The firewall ensures that all communication between an organization’s network and the Internet

G gateway A device positioned between two networks through which all communications between the networks must pass. A gateway is a natural choice for enforcing a security policy and providing encryption and authentication services.

H header The portion of a packet, preceding the actual data, containing source and destination addresses, checksums and other fields. A header is analogous to the envelope of a letter sent by ordinary mail. In order to deliver the message (letter), it is only necessary to act on the information (address) in the header (envelope).

A communication can have several layers of headers. For example, a mail message includes an application layer header specifying, the message originator, date and time. At the lower layers, the packets in which the mail message is transmitted carry IP headers and TCP headers.

High Availability A configuration in which redundant components take over the tas ks of failed components, to maintain constant availability of a system despite failures.

host A computer connected to a network.

I


INSPECT Check Point’s high-level scripting language for defining a *Security Policy. An INSPECT script is compiled into machine code and loaded into an *Inspection Module for execution.

INSPECT Script The ASCII file generated from the *Security Policy by the Policy Editor is known as an Inspection Script. An Inspection Script can also be written using a text editor.

Inspection Code Inspection Code compiled from an Inspection Script and loaded into a Safe@Home FireWall Module for enforcement.

Inspection Module A Check Point security application embedded in the broadband access device or residential gateway, between the data link and network layers, that enforces a *Security Policy.

Internet A public network connecting many thousands of computer networks in a three-level hierarchy including backbone networks (for example, NSFNET, MILNET), mid -level networks and stub networks. The Internet utilizes multiple communication protocols (especially TCP/IP) to create a worldwide communications medium.

Internet Engineering Task Force (IETF) The principle body engaged in the development of new Internet standard specifications. IETF identifies solutions to technical problems and makes recommendations to the Internet Engineering Steering Group (IESG) regarding the standardization of protocols and protocol usage in the Internet, and facilitates the transfer of technology developed by the Internet Research Task Force (IRTF) to the wider Internet community. IETF also provides a forum for the exchange of information between vendors, users and researchers interested in improving various aspects of the Internet. The IETF meets three times a year and is comprised entirely of volunteers.

Internet Protocol (IP) The network layer for the TCP/IP protocol suite. IP is a connectionless, best-effort packet switching protocol designed to provide the most efficient delivery of packets across the Internet.

Internet Protocol Security Standard (IPSec) An encryption and authentication scheme supporting multiple encryption and authentication algorithms.

Internet Security Association Key Management Protocol (ISAKMP) A standard protocol for authentication and key exchange that is now known as IKE.

intranet An internal private network, managed according to Internet protocols, but accessible only inside the organization.

IP see “ Internet Protocol (IP)”

IPSec see “ Internet Protocol Security Standard (IPSec)”

IP address The 32-bit address defined by the Internet Protocol to uniquely identify Internet hosts and servers. A typical IP Address, shown here in conventional IP “dot” notation, consists of the following parts:


FIGURE1 IP Address

The first bits of the Class ID specify a network’s class. Most local networks are of class C (Class ID byte = 110XXXXX; Class ID ? 192 in IP dot notation). Class C networks can have up to 254 hosts. Larger networks can be either class B or Class A.

The Net ID identifies the network. Because an IP address consists of both a network identifier (NetID) and a host identifier (HostID), it does not identify a host, but rather a network connection (interface). If a host or gateway is connected to several networks, it will have several IP addresses.

By convention, host ID 0 refers to the network itself; that is, a network’s address ends in zeros. This scheme enables IP addresses to specify networks as well as hosts. A host identifier of all 1s is reserved for broadcast.

IP spoofing A technique whereby an intruder attempts to gain access by altering a packet’s IP address to make it appear as though the packet originated in a part of the network with higher access privileges (for example, the IP address of a workstation in the local network). This form of attack is only possible if a network’s internal IP addresses have been exposed.

ISAKMP see “ Internet Security Association Key Management Protocol (ISAKMP)”

J Java A platform-independent programming environment developed by Sun Microsystems and supported by numerous vendors, including Microsoft. Java presents a security risk because Java applets run on the client and can be used to gain illicit access to its files.

Java Stripping The ability to prevent *Java code from being executed on the client by removing all Java tags from HTML pages as they are downloaded.

K Kerberos An authentication service developed by the Project Athena team at MIT. Kerberos uses secret keys for encryption and authentication. Unlike a public key authentication system, it does not produce digital signatures; Kerberos was designed to authenticate requests for network resources rather than to authenticate authorship of documents. Thus, Kerberos does not provide for third-party verification of documents.

key Information used to encrypt and decrypt data. There are two kinds of keys: *secret keys and *public keys.

key management A mechanism for distributing encryption keys in a public key scheme. Key management is performed by a


*Management Station and includes key generation, certification (although this can also be performed by an external *Cert ificate Authority) and key distribution. Key management can either be manual or automated.

L LAN see “ Local Area Network (LAN)”

layered communication model The conceptual division of communication tasks into a “layered model.” The fundamental characteristic of the layered model is that each layer processes the same object processed by the corresponding layer at the other end of the communication.

leased line A dedicated telecommunications access line that is “leased” from a vendor, and thus always available, in contrast to a *dial-up line. The physical medium can be copper or fiber optic, providing a wide range of line speeds.

Lightweight Directory Access Protocol (LDAP) A mechanism for Internet clients to access and manage a database of directory services over a TCP/IP connection. A simplification of the X.500 directory access protocol, LDAP is gaining significant support from major Internet vendors.

LDAP Directory Server A server that uses LDAP (Lightweight Directory Access Protocol) to maintain a directory database, that is a database of information that changes infrequently but is frequently accessed, for example, a telephone directory.

load balancing The ability to distribute processing loads among multiple servers to improve performance and reduce access times. Load balancing is often transparent to the user and improves Internet security by reducing the risks associated with certain attacks and by applying greater resources to the task of monitoring and filtering network traffic. A variety of algorithms can be used to determine how best to distribute traffic over these servers.

Local Area Network (LAN) A data network intended to serve an area of only a few square kilometers or less (more typically, an individual organization). LANs consist of software and equipment such as cabling, hubs, switches and routers, enabling communication between computers and the sharing of local resources such as printers, databases, and file and video servers.

Logging and Event API (Error! Bookmark not defined.LEA) An *OPSEC API that enables an application to securely receive and process both real-time and historical logging and auditing events generated by SofaWare MSS. LEA can be used by a variety of applications to complement firewall management.

M MAC address The physical hardware address of a device connected to a network.

Managed Internet Security Services Bundled security services, including secure *Internet, *intranet and *extranet, provided by an *ISP. Typically, the ISP handles management and support for the security services, which can be implemented as part of the Internet service implementation or customized to client needs.


Master In Safe@Home, the station to which logs and alerts are directed.

The Master also maintains the most recent Inspection Code for each of the FireWalled systems it controls. If a FireWalled system loses its Inspection Code for any reason, it can retrieve an up-to-date copy from the Master. In practice, the Master and Management Station are usually on the same system, but Failover Masters can be defined.

N network address The network portion of an IP address. Depending on the class of network; this can comprise the first one to three bytes of an IP address, with the remainder being the host or server address.

netmask For a standard standard Class A, B, or C network, the netmask has no meaning. An explanation of the use of net masks with nonstandard network classes follows.

The standard IP addressing scheme can be extended by the use of net masks. For simple, unextended Class C networks, the net mask is 255.255.255.0; that is,

11111111 11111111 11111111 00000000

in binary notation. The 1s in the mask (the first 24 bits) indicate the bits that identify the network and the 0s (last 8 bits) indicate the bits that identify the host. By changing the interpretation of the IP address slightly, it is possible to extend the addressing scheme. If we “borrow” some of the bits from the HostID for the NetID portion of the address, we can extend the IP address to include subnets within one NetID. For instance, the net mask 255.255.255.192 (last byte is 11000000) indicates that 26 bits are being used for the network ID and only 6 bits for the HostID.


Network Address Translation Translating an internal network’s real IP addresses to “false” IP addresses, either to prevent exposing the real addresses or to enable hosts with “invalid” addresses to communicate on the Internet, thus avoiding the need to change a network’s IP addresses (a formidable, error-prone task).

NOC Network Operating Center

O Open Platform for Secure Enterprise Connectivity (OPSEC) An open, industry-wide alliance, driven by Check Point Software Technologies, to ensure interoperability at the policy level between security products. Interoperability is achieved through a combination of published APIs, industry-standard protocols, and a high-level scripting language. OPSEC encourages partnerships in the areas of infrastructure (network products and services), framework (security products), and passport (applications developers).

OPSEC see “ Open Platform for Secure Enterprise Connectivity (OPSEC)”

P packet A unit of data as sent across a network.

packet filter A type of *firewall that examines only the network layer, typically implemented by *routers. This type of firewall cannot support dynamic protocols and cannot apply application intelligence to the data stream.

password A short string of characters, knowledge of which is required to gain access to some resource. Passwords are considered unreliable security devices because they are relatively easy to guess at, and people tend not to take strict precautions against their disclosure. See also “ token”.

protocol A formal description of message formats and the rules required to accomplish some task.

protocol stack A synonym (in practice if not in theory) for the *communication layers as supported by an operating system.

public network Any computer network, such as the Internet, that offers long-distance inter-networking using open, publicly accessible telecommunications services, in contrast to a *WAN or *LAN.

R

Rule Base An ordered set of rules that defines a Safe@Home *Security Policy. A rule describes a communication in terms of it s source, destination and service, and specifies whether the communication should be accepted or rejected, as well as whether it is to be logged. Each communication is tested against the Rule Base; if it does not match any of the rules, it is dropped.


S Security Policy A Security Policy is defined in terms of firewalls, services, users, and the rules that govern the interactions between them. Once these have been specified, an *Inspection Script is generated and then installed on the firewalled hosts or gateways. These gateways can enforce the Security Policy on a per-user basis, enabling verification not only of the communication’s source, destination and service, but the authenticity of the user as well. A user-based Security Policy also allows control based on content. For example, mail to or from certain addresses can be rejected or redirected, access can be denied to specific URLs, and antivirus checking of transferred files can be performed.

Service Provider A provider of access to the Internet. In some cases, these providers own the network infrastructure, while other lease network capacity from a third party.

SP see “ Service Provider”

Stateful Inspection A technology developed and patented by Check Point that provides the highest level of security currently available. A stateful *Inspection Module accesses and analyzes all the data derived from all communication layers. This state and context data is stored and updated dynamically, providing virtual session information for tracking connectionless protocols.

Cumulative data from the communication and application states, network configuration and security rules are all used to decide on an appropriate action, either accepting, rejecting or encrypting the communication.

Any traffic not explicitly allowed by the *Security Policy is dropped.

Technology Comparison

firewall capability routers proxies Stateful Inspection communication information Partial Partial Yes communication-derived state No Partial Yes application-derived state No Yes Yes information manipulation Partial Yes Yes

T


TELNET (Telecommunicatio ns Network Protocol) A remote terminal protocol enabling any terminal to login to another host.

TCP see “ Transmission Control Protocol”

TCP/IP see “ Transmission Control Protocol over Internet Protocol (Error! Bookmark not defined.TCP/IP)”

token A *password that can be used only once, typically generated as needed by a hardware device. Tokens are considered to be secure because even if one is revealed, it cannot be misused because it is no longer valid after its first use.

Transmission Control Protocol An connection-oriented and stream-oriented Internet standard transport layer protocol, in contrast to the connectionless UDP protocol.

Transmission Control Protocol over Internet Protocol (Error! Bookmark not defined.TCP/IP) The common name for the suite of UNIX -based protocols developed by the U.S. Department of Defense in the 1970s. TCP/IP is the primary language of the Internet.

U URL An identifdier that uniquly identifies a Web-based resourse, such as a Web page, for example, “www.sofaware.com”.

URL Filtering Protocol (UFP) An *OPSEC API that enables the integration of third -party application to categorize and control access to specific URL addresses.


V Virtual Private Network (VPN) A network with some public segments in which data passing over its public segments is encrypted to achieve secure communications. A VPN is significantly less expensive and more flexible than a dedicated private network.

virus A program that replicates itself on computer systems by incorporating itself into other programs which are shared among computer systems. Once in the new host, a virus can damage data in the host’s memory, display unwanted messages, crash the host or, in some cases, simply lie dormant until a specified event occurs (for example, the turning of a new year).

VPN see “ Virtual Private Network (VPN)”

W WAN see “ Wide Area Network (WAN)”

Web Server A network device that stores and serves up any kind of data file, including text, graphic images, video, or audio. Its stored information can be accessed via the Internet using standard protocols, most often *HTTP.

Wide Area Network (WAN) A (usually private) geographically large network. A WAN is typically constructed to span numerous locations within a single city.

World Wide Web (WWW) A hypertext -based information service providing access to multimedia, complex documents and databases via the Internet. Web application programs can access many other Internet services as well, including Gopher, Us enet news, file transfer, remote connectivity and even special access to data on the local network.

WWW see “ World Wide Web (WWW)”

Documents

SofaWare Security Management Architecture 1.0 - Check