What’s New in Check Point® Enterprise Suite NGX (R60A)

9/8/05

In This Document

The latest version of the “What’s New” documentation is available online at http://www.checkpoint.com/techsupport/downloads.jsp.

Unified Software Package page 2

Firewall page 3

VPN page 14

SecuRemote/SecureClient page 18

Integrity page 21

SSL Network Extender page 21

SmartCenter page 22

VPN-1 Edge page 23

SmartView Monitor page 24

Eventia Reporter page 25

SmartUpdate page 26

SmartLSM page 27

SecurePlatform page 27

ClusterXL page 29

Performance Pack page 29

VSX page 30

QoS page 36

UserAuthority page 36

InterSpect page 36

Express CI R60A page 37

Copyright © 2005 Check Point Software Technologies, Ltd. All rights reserved.


New Features — Unified Software Package

Unified Software Package

In previous versions, each product had its own software package (for example, Check Point SVN Foundation: cpshared_R55_<Build_Num>_<platform>.tgz). NGX (R60) binds a number of products into a unified software package to simplify the installation process. The following products are included in the package fw1_R60_<BuildNum>_<platform>.tgz, where <BuildNum> represents the package version and <platform> represents the relevant operating system:

• Check Point SVN Foundation

• VPN-1 Pro

• SecureClient Policy Server

• SmartView Monitor

• QoS (previously FloodGate-1)

Software packages not included in this list are distributed in their own packages located on the product CD.

What’s New in Check Point NGX R60A Last Update — 9/8/05 2


New Features — Firewall

Firewall

In This Section

Web Intelligence page 3

Voice over IP (VoIP) page 6

Network Security page 7

DNS Security page 8

Check Point Active Streaming page 10

Application Intelligence for Additional Protocols page 10

Malicious Activity Prevention page 12

General page 13

Web Intelligence

1 New web protections have been added to prevent:

• Directory Listing

• LDAP Injection

• Display of web server error messages in the browser, a feature known as Error Concealment

2 Specific behavioral patterns to be blocked by the Cross-Site Scripting, SQL Injection and Command Injection defenses in Web Intelligence can now be defined by the user.

3 Malicious Code Protector is now supported on SPARC processors.

4 It is now possible to run all protections on specific web servers in monitor-only mode while the protections remain active (blocking) on other servers.

5 Different HTTP method schemes can now be set for each web server.

6 Server-based Security Policy configuration is enhanced and completely integrated into SmartDefense. The result is an easy and granular defense configuration that retains the global view present in SmartDefense.

Monitor-only Mode

7 Many of the new features have a monitor-only mode, in which the feature is active but only issues logs and does not block traffic. This is helpful in the transition phase, when features are applied for the first time at a customer's site, and in discovering configuration problems during deployment. With a single click the defaults of each protection can be restored. Monitor-only mode also supports audit-only deployments.


SQL Injection

8 VPN-1 Pro rejects HTTP requests containing SQL commands inside the URL or body. An attacker can use flaws in the web application to inject malicious commands that will be run directly in the application database and cause damage or information disclosure. This defense has three levels of protection: low, medium and high. The definitions for these three levels are conveniently displayed as you slide the change bar to select a different mode in SmartDashboard.

Shell Command Injection

9 VPN-1 Pro rejects HTTP requests containing shell commands inside the URL or body. An attacker can use flaws in the scripting engine to inject malicious commands that will be run directly on the host. This defense has three levels of protection: low, medium and high. The definitions for these three levels are conveniently displayed as you slide the change bar to select a different mode in SmartDashboard.

Cross Site Scripting

10 VPN-1 Pro rejects HTTP requests sent using the POST command that contain scripting code. Attackers can use scripting commands inside URLs and forms to steal an innocent user's identity. This form of stealing is particularly insidious because the administrator and the user do not know they are being tricked. VPN-1 Pro also understands the encoded data sent as part of the URL, which is an alternative way of submitting information. The scripting code is not stripped from the request, but rather the whole request is rejected. The defense has three levels of protection: low, medium and high.

Directory Traversal Attacks

11 Directory traversal attacks allow attackers to access files and directories that should be out of their reach. In many attacks this leads to running executable code on the web server with one simple URL. Most of the attacks are based on the ".." notation of the file system. VPN-1 Pro blocks requests in which the URL contains an illegal directory reference. For example, http://www.server.com/first/second/../../.. is illegal because it climbs above the root directory, whereas http://www.server.com/first/second/../ is legal because it is equivalent to http://www.server.com/first/. VPN-1 Pro applies the same check to URLs that are encoded with Unicode and % encoding, i.e. the path is decoded before the check is made.
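A worked illustration of the traversal check described above, added here as an example and not taken from Check Point's implementation: the path is decoded (percent encoding, double encoding, IIS-style %uXXXX escapes and overlong UTF-8 such as %c0%ae), backslashes are treated as separators, and a segment walk rejects any path whose ".." climbs above the root. The number of decoding passes and the treatment of backslash are assumptions about what a reasonable check should do, not statements about the product.

```python
import re
from urllib.parse import urlsplit

# Added example, not Check Point code. Decodes a request path and tests whether
# its ".." segments climb above the document root, as in
# http://www.server.com/first/second/../../.. (illegal) versus
# http://www.server.com/first/second/../ (legal, equals /first/).

_PCT = re.compile(rb"%([0-9a-fA-F]{2})")        # %2e style escapes
_PCT_U = re.compile(rb"%u([0-9a-fA-F]{4})")     # %u002e style escapes (IIS)


def _percent_decode(raw: bytes) -> bytes:
    raw = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)).encode("utf-8"), raw)
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def _lenient_utf8(data: bytes) -> str:
    """Decode 2-byte UTF-8 sequences, including overlong ones such as
    %c0%ae for '.', which strict decoders reject but vulnerable servers
    have historically accepted. Every other byte is taken as-is."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def normalise_path(url: str, passes: int = 2) -> str:
    """Return the decoded path; passes > 1 unwraps double encoding (%252e)."""
    raw = urlsplit(url).path.encode("utf-8")
    for _ in range(passes):
        decoded = _percent_decode(raw)
        if decoded == raw:
            break
        raw = decoded
    # Assumption: the target server treats '\' as a separator (IIS does).
    return _lenient_utf8(raw).replace("\\", "/")


def escapes_root(url: str) -> bool:
    """True when the path's '..' segments climb above the root directory."""
    depth = 0
    for segment in normalise_path(url).split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


if __name__ == "__main__":
    for u in ("http://www.server.com/first/second/../../..",
              "http://www.server.com/first/second/../",
              "http://www.server.com/a/%252e%252e/%252e%252e/etc/passwd",
              "http://www.server.com/a/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"):
        print("block" if escapes_root(u) else "allow", u)
```

The depth counter is relative to the URL root, which is also what the examples in the text compare against; it says nothing about where the server's real document root sits on disk, so a check like this belongs in front of the server, not instead of correct path handling inside it.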

HTTP Format Sizes

12 The sizes of the different elements of an HTTP request or response are not limited by the protocol; this can be used to perform a DoS attack on a web server. In addition, many buffer-overflow attacks require a considerably large buffer to be sent to the web server. It is good security practice to limit these buffers: this reduces the chance of buffer overruns and limits the size of code that can be inserted using the overflow. This defense provides the ability to impose a limit on the following elements:

• Maximum URL length

• Maximum Header length

• Maximum number of headers

• Specific header length, by giving a regular expression to describe the header name and value.

The maximum allowed length is adjustable using SmartDefense.

Blocking Non-ASCII Characters Request

13 VPN-1 Pro blocks bytes outside the ASCII range (32-127) in HTTP request/response headers. Apart from the fact that the HTTP RFC does not allow binary characters anywhere in the headers, blocking them is good security practice because executables and buffer-overrun exploits usually need binary characters. The defense can be turned on using SmartDefense, in the Request\Response Headers section of the ASCII Only Request window.

Allowed HTTP Methods

14 The HTTP RFC defines a small set of standard methods (for example GET, HEAD, POST and PUT). Many non-standard methods have a poor security record, so by default they are blocked. WebDAV methods are blocked by default but can be allowed either as a group or individually. Other methods that are blocked by default can also be allowed individually.

Header Rejection

15 A web server or application parses not only the URL, but also the rest of the HTTP header data. Wrong parsing can lead to buffer overrun attacks and other vulnerabilities. Such attacks, while RFC compliant, can be blocked using signatures that are defined using regular expressions.

HTTP Header Spoofing

16 One of the first steps an attacker takes before attacking a web site is to fingerprint it: the attacker analyzes the web server's responses in order to gather as much information as possible about it. Some information in the response is unnecessary; this defense removes it by either removing the relevant header or changing its value. The relevant headers are selected using regular expressions for name and value, and each matching header can be stripped (removed) or replaced from SmartDefense.
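The header-level checks from items 12 through 16, as one added example (not Check Point code): a per-server policy with allowed methods, size limits, an ASCII-only rule for headers, header-rejection signatures given as regular expressions, and a monitor-only switch that logs instead of blocking; a second function applies the header spoofing defense to a response by stripping or replacing fingerprintable headers. The policy values, the sample request and response, and the header names chosen are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Added example, not Check Point code. Request-side checks for items 12-16 and
# response-side header scrubbing for item 16; all values are illustrative.


@dataclass(frozen=True)
class WebPolicy:
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST", "PUT"})
    max_url_len: int = 2048
    max_header_len: int = 4096
    max_headers: int = 64
    ascii_only_headers: bool = True
    # Header rejection signatures: (name regex, value regex) pairs. The pair
    # below is a constructed example of an RFC-compliant but suspicious header.
    reject_headers: tuple = ((re.compile(r"^Transfer-Encoding$", re.I),
                              re.compile(r"chunked.*chunked", re.I)),)
    monitor_only: bool = False          # log instead of block


def parse_request(raw: bytes):
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, url, _version = lines[0].split(b" ", 2)   # ValueError if malformed
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip(), line))
    return method, url, headers


def inspect_request(raw: bytes, policy: WebPolicy) -> list:
    """Return a list of policy violations (empty when the request is clean)."""
    try:
        method, url, headers = parse_request(raw)
    except ValueError:
        return ["malformed request line"]
    findings = []
    if method.decode("latin-1") not in policy.allowed_methods:
        findings.append(f"method not allowed: {method.decode('latin-1')}")
    if len(url) > policy.max_url_len:
        findings.append(f"URL length {len(url)} exceeds {policy.max_url_len}")
    if len(headers) > policy.max_headers:
        findings.append(f"{len(headers)} headers exceeds {policy.max_headers}")
    for name, value, line in headers:
        hname = name.decode("latin-1")
        if len(line) > policy.max_header_len:
            findings.append(f"header {hname} length {len(line)} exceeds {policy.max_header_len}")
        # ASCII-only rule: any byte outside 32..127 (tab allowed) is binary.
        if policy.ascii_only_headers and any(not (32 <= b <= 127 or b == 9) for b in line):
            findings.append(f"binary byte in header {hname}")
        for name_re, value_re in policy.reject_headers:
            if name_re.search(hname) and value_re.search(value.decode("latin-1")):
                findings.append(f"header rejection signature matched: {hname}")
    return findings


def enforce(raw: bytes, policy: WebPolicy) -> str:
    """'accept', 'block', or 'log' when the policy is in monitor-only mode."""
    if not inspect_request(raw, policy):
        return "accept"
    return "log" if policy.monitor_only else "block"


# Header spoofing defense: (name regex, replacement); None strips the header.
SPOOF_RULES = ((re.compile(r"^Server$", re.I), None),
               (re.compile(r"^X-Powered-By$", re.I), b"masked"))


def scrub_response_headers(raw: bytes, rules=SPOOF_RULES) -> bytes:
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [lines[0]]
    for line in lines[1:]:
        name = line.partition(b":")[0].strip()
        for name_re, replacement in rules:
            if name_re.search(name.decode("latin-1")):
                line = None if replacement is None else name + b": " + replacement
                break
        if line is not None:
            kept.append(line)
    return b"\r\n".join(kept) + sep + body


# Constructed sample traffic.
REQ_OK = b"GET /index.html HTTP/1.1\r\nHost: www.server.com\r\nUser-Agent: demo\r\n\r\n"
REQ_BAD = (b"TRACE /index.html HTTP/1.1\r\nHost: www.server.com\r\n"
           b"X-Pad: \x90\x90\x90\xeb\x1f\r\n\r\n")
RESP = (b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.33 (Unix)\r\n"
        b"X-Powered-By: PHP/4.3.10\r\nContent-Length: 2\r\n\r\nok")
```

Running the same bad request through `WebPolicy()` and `WebPolicy(monitor_only=True)` gives "block" and "log" respectively, which is the transition-phase behaviour described under Monitor-only Mode: the findings are identical, only the action differs.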


Voice over IP (VoIP)

17 Supported SIP RFCs and Standards

• 3372 (SIP-T)

• 3311 (Update message)

• SIP over TCP

18 Supported SIP Advanced Features

• Call forwarding capabilities

• Forward on busy

• Forward on no answer

• Find me, Follow me

• Forward unconditional

• Registration timeout configuration

• Third party registration

• Proxy failover

• DoS Protection. A maximum number of new VoIP sessions that can be initiated per minute from a specific IP address can be set. This feature is not enforced for Proxies or IP addresses on the White List.

19 Supported H.323 RFCs and Standards

• H.323 V.2, V.3, V.4

• H.245 V.3, V.5, V.7

• H.225 V.2, V.3, V.4

20 Supported H.323 Network Configurations when NAT is in use

• Gatekeepers, Gateways and PBX can be installed using Static NAT in the external network, internal network or DMZ.

• Incoming calls to Hide NAT are supported.

• H.323-PSTN gateways can be installed anywhere using either Static or Hide NAT.

21 Advanced H.323 features

• FastStart and NAT support.

• H.245 Tunneling and NAT support.

• DoS Protection. A maximum number of new VoIP sessions that can be initiated per minute from a specific IP address can be set.

22 MGCP service - Support for the MGCP protocol, including:

• Dynamic management of RTP sessions (open data connection dynamically)

• Analysis and enforcement of message states


• Verification of existence and correctness of call parameters

• Keep call state for each call

• Enforcement of call hand-over

• Logging of call information, and reporting of security vulnerabilities

Sample Attack or vulnerability - call denial-of-service, call hijacking, fooling a billing service

Getting Here - Configure a VoIP domain, and then using SmartDashboard select SmartDefense > Application Intelligence > VoIP > MGCP. Use the MGCP services in the Security rule base.

23 Advanced MGCP features: DoS Protection. A maximum number of new VoIP sessions that can be initiated per minute from a specific IP address can be set.

24 Skinny Client Control Protocol (SCCP) - VPN-1 supports the SCCP protocol, including:

• Dynamic management of RTP sessions (open data connection dynamically)

• Analysis and enforcement of message states

• Verification of existence and correctness of call parameters

• Keep call state for each call

• Enforcement of hand-over domains

• Logging of call information and reporting of security vulnerabilities

Sample Attack or vulnerability - Call denial-of-service, call hijacking, fooling a billing service

Getting Here - Configure a VoIP domain, and then using SmartDashboard select SmartDefense > Application Intelligence > VoIP > SCCP. Use the SCCP service in the Security rule base.

25 Advanced SCCP features: DoS Protection. A maximum number of new VoIP sessions that can be initiated per minute from a specific IP address can be set.
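The DoS protection shared by the SIP, H.323, MGCP and SCCP items (a cap on new sessions per minute per source address, with proxies and white-listed addresses exempt), written out as an added Python example that is not Check Point's code. The SIP side is shown because of a detail the text does not spell out: only an initial INVITE (one whose To header carries no tag) starts a new dialog, so a re-INVITE within an existing call must not count against the cap. The limit, window and sample messages are constructed.

```python
from collections import defaultdict, deque

# Added example, not Check Point code: per-source cap on new VoIP sessions.


class VoipSessionLimiter:
    """Allow at most max_per_minute new sessions per source address in any
    sliding 60 s window; proxies and white-listed addresses are exempt."""

    def __init__(self, max_per_minute: int, exempt=(), window: float = 60.0):
        self.max, self.window = max_per_minute, window
        self.exempt = set(exempt)                 # proxies and white list
        self.starts = defaultdict(deque)          # src ip -> session start times

    def allow(self, src_ip: str, now: float) -> bool:
        if src_ip in self.exempt:
            return True
        q = self.starts[src_ip]
        while q and now - q[0] >= self.window:    # age out starts older than the window
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(now)
        return True


def sip_starts_session(msg: bytes) -> bool:
    """True only for an initial INVITE: a To header without a tag. A re-INVITE
    inside an established dialog carries the To tag and is not a new session."""
    lines = msg.split(b"\r\n")
    if not lines[0].startswith(b"INVITE "):
        return False
    for line in lines[1:]:
        field = line.split(b":", 1)[0].strip().lower()
        if field in (b"to", b"t"):                # 't' is the compact header form
            return b";tag=" not in line.lower()
    return False                                  # no To header: malformed, not a dialog


def process(limiter: VoipSessionLimiter, src_ip: str, msg: bytes, now: float) -> str:
    """Decision for one SIP message from src_ip at time now."""
    if not sip_starts_session(msg):
        return "accept"                           # mid-dialog signalling is not rate-limited
    return "accept" if limiter.allow(src_ip, now) else "drop"


# Constructed SIP messages.
INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n"
          b"From: <sip:alice@example.com>;tag=1928301774\r\n"
          b"To: <sip:bob@example.com>\r\n"
          b"Call-ID: a84b4c76e66710@10.0.0.5\r\n"
          b"CSeq: 314159 INVITE\r\n\r\n")
REINVITE = INVITE.replace(b"To: <sip:bob@example.com>", b"To: <sip:bob@example.com>;tag=a6c85cf")
```

The same limiter serves H.323, MGCP and SCCP; only the "does this message start a new session" test changes per protocol (a SETUP on the H.225 call-signalling channel, a CRCX for MGCP, and so on).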

Network Security

Port Scanning

26 Port Scanning detects scanning attempts in real-time (during packet processing). Scans are detected whether they are perpetrated by a single host or several (distributed scans). The feature detects two types of scans:

• scans aimed at detecting all services that a given computer runs (host port scan), and

• scans aimed at detecting the computers in a given network running a certain service (sweep scan).


This feature is useful in detecting worms such as Welchia that scan networks in order to spread themselves.

Sample Attack or vulnerability - Welchia worm

Getting Here - In SmartDashboard select SmartDefense > Network Security > Port Scan Detections
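An added example of the two detections described in item 26 (not Check Point code): a sliding-window detector that raises a host port scan alert when one destination sees too many distinct ports, and a sweep scan alert when one port is probed on too many distinct hosts, attributing the scan to a single source or marking it distributed when several sources contributed. The threshold, window and the connection records fed to it are constructed.

```python
from collections import defaultdict, deque

# Added example, not Check Point code: host port scan and sweep scan detection
# over a sliding window; threshold and window are assumptions.


class ScanDetector:
    def __init__(self, threshold: int = 10, window: float = 5.0):
        self.threshold, self.window = threshold, window
        self.by_host = defaultdict(deque)   # dst ip   -> (ts, src, dport)
        self.by_port = defaultdict(deque)   # dst port -> (ts, src, dst ip)

    def _check(self, table, key, entry, kind):
        q = table[key]
        q.append(entry)
        while q and entry[0] - q[0][0] > self.window:
            q.popleft()
        targets = {e[2] for e in q}          # distinct ports, or distinct hosts
        if len(targets) < self.threshold:
            return None
        sources = {e[1] for e in q}
        q.clear()                            # one alert per scan, then start over
        return (kind, key, "distributed" if len(sources) > 1 else sources.pop())

    def observe(self, ts: float, src: str, dst: str, dport: int) -> list:
        """Feed one new-connection attempt; return any alerts it triggers."""
        alerts = [self._check(self.by_host, dst, (ts, src, dport), "host port scan"),
                  self._check(self.by_port, dport, (ts, src, dst), "sweep scan")]
        return [a for a in alerts if a]


def run(events, **kw) -> list:
    det = ScanDetector(**kw)
    return [a for ev in events for a in det.observe(*ev)]


# Constructed records: (timestamp, source, destination, destination port).
# First a single host probing 12 ports on one server, then three hosts
# sharing a sweep of port 135 across a /24 (the Welchia/Blaster pattern).
EVENTS = [(0.1 * p, "10.0.0.9", "192.168.1.10", p) for p in range(1, 13)]
EVENTS += [(10.0 + 0.1 * i, f"10.0.0.{20 + i % 3}", f"192.168.1.{i}", 135) for i in range(1, 13)]
```

Keying the host table by destination only (not by source) is what lets a distributed scan be seen at all; the price is that a busy server with many legitimate clients on many ports needs a higher threshold, which is why the threshold is a parameter.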

DShield Storm Center

27 Automatic integration in the rule base with the SANS DShield Storm Center. SANS monitors the top malicious sources on the Internet. This feature allows both reporting to SANS the malicious hosts detected by VPN-1 Pro and automatically blocking hosts that SANS knows to be malicious. This offers protection from Distributed Denial of Service (DDoS) at the Firewall and further "upstream" by other Check Point customers.

Sample Attack or vulnerability - Code Red or any DDoS attack.

Getting Here - In SmartDashboard, select SmartDefense > Network Security > DShield Storm Center > Report to DShield

DNS Security

DNS Verification

28 VPN-1 enforces the DNS protocol on DNS UDP and TCP traffic ensuring that the traffic that crosses the Firewall is valid DNS traffic.

The RFC-defined header-size, domain and FQDN (Fully Qualified Domain Name) syntax are enforced. This protects clients and servers from buffer overruns.

VPN-1 enforces the proper content of the header (Z flag, QR bit, OPCODE), Resource Records counters and formats. This includes:

• enforcing a domain's proper syntax on queries and responses,

• enforcing proper format of the TYPE values, and

• enforcing format of Inverse Queries.

In addition, VPN-1 verifies that every response matches a previously seen request by its transaction ID.


UDP Protocol Enforcement

29 DNS protocol inspection, supporting RFCs 1034/1035 (general), 1996 (NOTIFY), 2136 (dynamic update), 2317 (classless delegation), 2535 (DNS security extensions), 2671 (EDNS0) and draft-ietf-dnsext-axfr-clarify-05. Enforcement covers lengths, counters, header flags, proper domain format, Resource Record formats, matching of responses to a previous request, bounds checking, and logging of query type and domain.

Sample Attack or vulnerability - Trojan Horses, DNS cache poisoning

Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Protocol Enforcement, and enable UDP Protocol Enforcement.

TCP Protocol Enforcement

30 Inspect DNS over TCP - In addition to the UDP capabilities mentioned above, inspect TCP zone transfer traffic.

Sample Attack or vulnerability - Trojan Horses, DNS cache poisoning

Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Protocol Enforcement, and enable TCP Protocol Enforcement.

Defense Against Cache Poisoning

31 ID scrambling - Some DNS implementations use trivial, easily predicted transaction IDs and source ports for their queries, which allows an attacker to craft spoofed response packets that poison the DNS server's cache. VPN-1 tracks each request and randomizes the transaction ID and source port of outgoing queries using strong cryptographic algorithms. Replies are validated against the matching query entry.

Sample Attack or vulnerability - DNS cache poisoning

Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Cache Poisoning > Scrambling.

32 Birthday-Attack Defense- An attacker sends many simultaneous queries to the attacked server, triggering it to issue many queries to external servers, which the attacker then spoofs the replies for. If a spoofed reply matches one of the server's requests, the result may be poisoning the server's cache; because of the birthday paradox, the chances of a spoofed reply to match a server request are high. This defense prevents external queries to internal DNS servers if the DNS server is not authoritative for the queried domain.

Sample Attack or vulnerability - DNS birthday attack

Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Cache Poisoning > Drop Inbound Requests.

33 Excessive ID Mismatch Detection - DNS cache poisoning attacks (especially the "Birthday Attack") usually have, as a by-product, many mismatching DNS replies in a short time. An excessive number of DNS replies that do not have a matching query can therefore indicate a cache-poisoning attack. VPN-1 generates a special alert when a threshold of mismatched replies in a specified period of time is surpassed. The threshold is configurable (default 50 replies over 5 seconds) and administrators can be notified in a variety of ways (log, email, SNMP trap or one of three User Defined Actions).

Sample Attack or vulnerability - DNS cache poisoning

Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Cache Poisoning > Mismatched Replies.

Domains Block List

34 Damaging or malicious traffic can sometimes be characterized by the DNS domain it is trying to reach. VPN-1 can now maintain a block-list of DNS domains; queries for the domains in the block-list are blocked. This is effective for blocking traffic to a domain when its destination IP address also hosts other sites, which is its advantage over blocking the address in the Security rule-base: the safe domains on that address remain reachable while the unsafe one is kept out.

Sample Attack or vulnerability - Undesired traffic to a site characterized by its domain.

Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Domains block-list.
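Items 28, 31, 33 and 34 together, as one added Python example (not Check Point code): a strict parser for the DNS header and question section, a guard that rewrites each outgoing query with a cryptographically random transaction ID and source port and only restores a reply that matches a pending query by ID, port and question name, a mismatch counter that raises an alert at a configurable threshold (50 replies in 5 seconds, the default the text gives), and a domain block-list applied to the question name. The packet builder, the block-listed domain and the port range are constructed for the example; in a real gateway the scrambled source port has to be one the gateway actually receives replies on, which this in-memory version does not model.

```python
import secrets
import struct
from collections import deque

# Added example, not Check Point code: DNS header/question enforcement, ID and
# source-port scrambling with reply matching, mismatch alerting, domain block-list.


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, qname: str, reply: bool = False) -> bytes:
    """Constructed A query (or empty answer) for the example."""
    flags = 0x8180 if reply else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def parse(pkt: bytes):
    """Return (txid, is_reply, qname); raise ValueError on RFC 1035 violations."""
    if len(pkt) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x0040:
        raise ValueError("Z flag must be zero")
    if qdcount != 1:
        raise ValueError("unexpected QDCOUNT")
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(pkt):          # 0xC0.. pointers are not legal here
            raise ValueError("bad label")
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
        if pos - 12 > 255:
            raise ValueError("name longer than 255 octets")
    return txid, bool(flags & 0x8000), ".".join(labels).lower()


class DnsGuard:
    def __init__(self, blocklist=(), mismatch_limit: int = 50, mismatch_window: float = 5.0):
        self.pending = {}          # (scrambled id, scrambled port) -> (orig id, orig port, qname)
        self.blocklist = tuple(d.lower().strip(".") for d in blocklist)
        self.mismatches = deque()  # timestamps of replies that matched nothing
        self.limit, self.window = mismatch_limit, mismatch_window

    def blocked(self, qname: str) -> bool:
        return any(qname == d or qname.endswith("." + d) for d in self.blocklist)

    def outbound_query(self, pkt: bytes, src_port: int):
        """Scramble ID and port; return (rewritten packet, new port) or None to drop."""
        txid, is_reply, qname = parse(pkt)
        if is_reply or self.blocked(qname):
            return None
        while True:
            key = (secrets.randbelow(65536), 1024 + secrets.randbelow(64512))
            if key not in self.pending:
                break
        self.pending[key] = (txid, src_port, qname)
        return struct.pack("!H", key[0]) + pkt[2:], key[1]

    def inbound_reply(self, pkt: bytes, dst_port: int, now: float):
        """('accept', (restored packet, original port)), ('drop', None) or ('alert', None)."""
        try:
            txid, is_reply, qname = parse(pkt)
        except ValueError:
            return "drop", None
        entry = self.pending.get((txid, dst_port)) if is_reply else None
        if entry is None or entry[2] != qname:
            return self._mismatch(now), None
        del self.pending[(txid, dst_port)]
        return "accept", (struct.pack("!H", entry[0]) + pkt[2:], entry[1])

    def _mismatch(self, now: float) -> str:
        self.mismatches.append(now)
        while now - self.mismatches[0] > self.window:
            self.mismatches.popleft()
        return "alert" if len(self.mismatches) >= self.limit else "drop"
```

Matching on the question name as well as on ID and port is what stops an answer for one name being accepted as the answer for another; the pending entry is removed on the first match, so a replay of a good reply is counted as a mismatch.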

Check Point Active Streaming

35 The new Active Streaming technology enhances the streaming capabilities that already exist in VPN-1 to new levels of inspection. Check Point Active Streaming reassembles TCP segments, enabling inspection of complete protocol units before any of them reach the client or server.
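Why reassembly matters for the inspection described in item 35, as an added example that is not Check Point's implementation: a request whose traversal pattern is split across three out-of-order TCP segments is missed by a check that looks at each segment on its own and caught once the segments are put back in sequence order. The reassembler also drops retransmitted bytes and holds segments that arrive ahead of a gap. The segments, sequence numbers and signature are constructed.

```python
# Added example, not Check Point code: order TCP segments before inspection.


def reassemble(isn: int, segments):
    """Return (contiguous stream from isn, segments still waiting on a gap).
    Retransmitted or overlapping bytes already held are discarded."""
    stream, expected, pending = bytearray(), isn, []
    for seq, data in sorted(segments, key=lambda s: s[0]):
        end = seq + len(data)
        if end <= expected:               # pure retransmission of data already held
            continue
        if seq > expected:                # hole before this segment: keep it for later
            pending.append((seq, data))
            continue
        stream += data[expected - seq:]   # trim the part that overlaps
        expected = end
    return bytes(stream), pending


SIGNATURE = b"../../../"   # constructed signature for the example


def inspect_per_segment(segments) -> bool:
    """Segment-at-a-time matching: misses a pattern that straddles segments."""
    return any(SIGNATURE in data for _seq, data in segments)


def inspect_stream(isn: int, segments) -> bool:
    stream, _pending = reassemble(isn, segments)
    return SIGNATURE in stream


# Constructed request, 1000 = initial sequence number, delivered out of order
# and with one retransmission. The signature straddles all three segments.
SEG1 = (1000, b"GET /cgi-bin/..")
SEG2 = (1015, b"/../")
SEG3 = (1019, b"../etc/passwd HTTP/1.0\r\n\r\n")
WIRE = [SEG3, SEG2, SEG1, SEG2]
```

On overlapping segments this reassembler keeps the bytes it saw first. Operating systems differ in whether they favour old or new data in an overlap, and an inspection device whose policy differs from the protected host's can be shown different bytes than the host will process; a production streaming engine has to resolve overlaps the way the destination does.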

Application Intelligence for Additional Protocols

36 POP3 and IMAP - VPN-1 can verify that the username used to read mail over POP3 or IMAP is the same as the username used for VPN authentication and/or UserAuthority authentication. In addition, protocol validation, including blocking of binary data, is performed on the username and on other protocol elements.

Sample Attack or vulnerability - Restrict a user from reading another user's mail.

Getting Here - In order to configure username verification, define the gateway object as a Mail Server, then edit the Mail Server page of the object, and enable the property Verify username with VPN tunnel user.

37 Block Peer to Peer Applications - Peer to peer applications use their own proprietary protocols on arbitrary port numbers and are therefore hard to block using standard methods (such as the Security rule base). These applications can cause a variety of problems. VPN-1 can block the common peer to peer applications, including Kazaa, eDonkey and Gnutella, and gives administrators the opportunity to exclude specific ports and network objects from peer to peer detection.

Sample Attack or vulnerability - Exposing private data, exposing the network to viruses and Trojan horses, wasting CPU time, exploiting storage and bandwidth resources, wasting employees' time and raising legal issues (piracy and intellectual property rights).

Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > Peer to Peer

38 DCE-RPC - DCE-RPC is a protocol for calling a procedure on a remote machine as if it were a local procedure call. The protocol uses a Universally Unique Identifier (U
UID) to identify the interface being called on the remote machine. Many DCE-RPC attacks are based on malformed or objectionable DCE-RPC traffic.

VPN-1's DCE-RPC packet verification prevents DoS attacks and exploits. VPN-1 performs this protocol validation by authorizing DCE-RPC interface UUIDs and opening high ports dynamically only if the UUID is allowed and the protocol flow is not violated.

Sample Attack or vulnerability - Blaster Worm, Spike

Getting Here - Enabled by default in VPN-1’s DCE-RPC enforcement.

39 DCOM Protocol Validation - Recent attacks against DCOM are based on malformed DCOM traffic on port 135. VPN-1 allows DCOM communication and traffic for the UUIDs DCOM needs, but prevents Blaster and other attacks.

Sample Attack or vulnerability - The Blaster attack creates buffer overflow on DCOM server on port 135

Getting Here - Enabled by default in VPN-1’s DCE-RPC enforcement.
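The UUID authorization step of items 38 and 39, as an added example that is not Check Point's code: a bind PDU builder used only to construct sample traffic, a parser for the bind header and presentation-context list that recovers the requested interface UUIDs and versions (honouring the little-endian data representation flag), and an allow-list check. The allow-list (endpoint mapper v3 only) and the choice of SAMR as the rejected interface are assumptions for the example; the dynamic port that the real gateway opens is carried in the endpoint mapper's reply, which this example does not parse.

```python
import struct
import uuid

# Added example, not Check Point code: DCE-RPC bind parsing and UUID allow-listing.

EPM = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")    # endpoint mapper interface
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")    # NDR transfer syntax
SAMR = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")   # used here as a non-permitted interface

PTYPE_BIND, PTYPE_ALTER_CONTEXT = 11, 14
HEADER = "<BBBB4sHHI"   # vers, vers_minor, ptype, flags, drep, frag_len, auth_len, call_id


def build_bind(iface: uuid.UUID, version: int = 3, call_id: int = 1) -> bytes:
    """Constructed bind with one presentation context (little-endian drep)."""
    body = struct.pack("<HHI", 4280, 4280, 0)                 # max xmit, max recv, assoc group
    body += struct.pack("<BBH", 1, 0, 0)                      # one context element + padding
    body += struct.pack("<HBB", 0, 1, 0)                      # ctx id, 1 transfer syntax, pad
    body += iface.bytes_le + struct.pack("<I", version)       # abstract syntax
    body += NDR.bytes_le + struct.pack("<I", 2)               # transfer syntax
    return struct.pack(HEADER, 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                       16 + len(body), 0, call_id) + body


def parse_bind(pdu: bytes):
    """Return [(interface UUID, major version), ...] requested by a bind."""
    if len(pdu) < 28:
        raise ValueError("short PDU")
    vers, _minor, ptype, _flags, drep, frag_len, _auth_len, _call_id = struct.unpack(HEADER, pdu[:16])
    if vers != 5 or ptype not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        raise ValueError("not a bind")
    if not drep[0] & 0x10:
        raise ValueError("big-endian drep not handled in this example")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU")
    n_ctx, pos, contexts = pdu[24], 28, []
    for _ in range(n_ctx):
        if pos + 24 > len(pdu):
            raise ValueError("truncated context list")
        _ctx_id, n_ts = struct.unpack_from("<HB", pdu, pos)
        iface = uuid.UUID(bytes_le=pdu[pos + 4:pos + 20])
        version, = struct.unpack_from("<I", pdu, pos + 20)
        contexts.append((iface, version & 0xFFFF))             # low 16 bits = major version
        pos += 24 + 20 * n_ts
        if pos > len(pdu):
            raise ValueError("truncated transfer syntax list")
    return contexts


ALLOWED = {EPM: {3}}   # assumption: policy permits only endpoint mapper v3


def authorize(pdu: bytes, allowed=ALLOWED) -> str:
    try:
        contexts = parse_bind(pdu)
    except ValueError as err:
        return f"drop (malformed: {err})"
    for iface, version in contexts:
        if version not in allowed.get(iface, ()):
            return f"drop (interface {iface} v{version} not permitted)"
    return "accept"
```

Checking alter_context as well as bind matters: a client that was permitted one interface can ask for another on the same connection, so the UUID check has to run on every context negotiation, not just the first.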

40 SNMP Version Enforcement - SNMPv3 is much more secure than earlier versions. VPN-1 can verify that all SNMP traffic is version 3. The default is to allow all SNMP traffic; if you switch to SNMPv3 only, all traffic from earlier versions is blocked.

Sample Attack or vulnerability - SNMPv2 trivial communities; data is not encrypted, poor authentication mechanisms.

Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > SNMP and enable Allow only SNMPv3 traffic.


41 Communities Block-list - Common network devices ship with default, well-known community strings. These communities are often not disabled and thus expose a vulnerability by leaving an easy way to gain unauthorized SNMP access to the device. VPN-1 enforces an SNMP community block-list, blocking SNMPv2 and earlier connections that use these trivial community strings.

Sample Attack or vulnerability - SNMPv2 trivial communities

Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > SNMP and enable Drop requests with default community strings for SNMPv1 and SNMPv2.
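Items 40 and 41 as one added example (not Check Point code): a minimal BER decoder that recovers the version integer from an SNMP message and, for v1 and v2c, the community string, so a policy can either insist on SNMPv3 or drop community-based requests that use well-known default strings. The v2c GET builder, the truncated v3 header and the default-community list are constructed; real devices vary in which defaults they ship with.

```python
# Added example, not Check Point code: SNMP version enforcement and a
# default-community block-list using a minimal BER decoder.


def _tlv(buf: bytes, pos: int):
    """Decode one BER TLV at pos -> (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp(msg: bytes):
    """Return (version, community); community is None for SNMPv3."""
    tag, body, end = _tlv(msg, 0)
    if tag != 0x30 or end != len(msg):       # outer SEQUENCE must span the message
        raise ValueError("not an SNMP message")
    tag, raw_version, pos = _tlv(body, 0)
    if tag != 0x02 or not raw_version:
        raise ValueError("missing version")
    version = int.from_bytes(raw_version, "big", signed=True)
    if version not in (0, 1, 3):             # 0 = v1, 1 = v2c, 3 = v3
        raise ValueError(f"unknown version {version}")
    if version == 3:                         # v3 carries msgGlobalData, not a community
        return version, None
    tag, community, _ = _tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community string")
    return version, community


NAME = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
DEFAULT_COMMUNITIES = {b"public", b"private"}   # assumption: the usual vendor defaults


def snmp_decision(msg: bytes, v3_only: bool = False, blocked=DEFAULT_COMMUNITIES) -> str:
    try:
        version, community = parse_snmp(msg)
    except ValueError as err:
        return f"drop (malformed: {err})"
    if v3_only and version != 3:
        return f"drop ({NAME[version]} not allowed)"
    if community is not None and community in blocked:
        return f"drop (default community string in {NAME[version]})"
    return "accept"


def build_v2c_get(community: bytes) -> bytes:
    """Constructed SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    varbinds = b"\x30\x0e\x30\x0c\x06\x08\x2b\x06\x01\x02\x01\x01\x01\x00\x05\x00"
    pdu_body = b"\x02\x01\x01\x02\x01\x00\x02\x01\x00" + varbinds   # request-id, error-status, error-index
    pdu = bytes([0xA0, len(pdu_body)]) + pdu_body
    body = b"\x02\x01\x01" + bytes([0x04, len(community)]) + community + pdu
    return bytes([0x30, len(body)]) + body


V3_HEADER = b"\x30\x03\x02\x01\x03"   # constructed: version 3 only, rest of the message omitted
```

The version check is cheap because the version INTEGER is the first element of every SNMP message regardless of version; everything after it differs between v1/v2c and v3, which is why the decoder stops there for v3.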

42 MS-SQL - An administrator can now block the Slammer worm on the SQL monitoring UDP protocol by looking for pre-defined patterns.

Sample Attack or vulnerability - Slammer worm

Getting Here - In SmartDashboard, include the service MSSQL_Resolver in any access rule in the Security rule base.

Malicious Activity Prevention

43 Malicious Code Protector - Most HTTP worms and exploits take advantage of buffer overflow vulnerability. This vulnerability is generally a result of mishandling of input length. An attacker can exploit this vulnerability by sending an enlarged buffer which is copied on top of the smaller buffer by the application, thus creating a memory corruption. This memory corruption might lead to any of the following:

• an abrupt application termination (crash)

• a denial of service attack

• in the event of a well crafted attack - malicious code execution

Malicious Code Protection is a Check Point patent-pending technology that blocks hackers from sending malicious code to target servers and applications. It can detect malicious executable code within communications by identifying not only the existence of executable code in a data stream but its potential for malicious behavior. Malicious Code Protection is a kernel-based protection delivering wire-speed performance. Its core functions are:

• Monitor communication for potential executable code

• Confirm the presence of executable code

• Identify if the code is malicious


• Block malicious executable code from reaching target host

It is important to understand that this defense does not rely upon pattern detection, which means it can stop both known and unknown attacks.

Sample Attack or vulnerability - Some common worms: Nimda, CodeRed, and many exploits such as IIS WebDAV exploits.

Getting Here - In SmartDashboard, select Web Intelligence > Malicious Code > Malicious Code Protector.

General

44 DCE-RPC can now communicate over ports other than 135.

45 Multicast traffic can now be allowed or blocked for each multicast group. Configuration is per interface. For example, define a new object called multicast address range, and use it when defining the network topology on the interface.

46 IPv6 security is now supported on the Linux platform.

47 NAT hide can now be defined for PPTP clients.

48 Authentication capabilities have been enhanced to better protect against brute force attacks.

49 It is now possible to disable the logging of anti-spoofing activity of local interfaces and clusters.

50 Individual interfaces can now be configured to accept or block traffic from specific multicast groups.

51 ISP redundancy on the Nokia platform is now supported.

52 ISP Redundancy DNS features can now be configured using SmartDashboard.

53 The SmartDefense service now protects IPv6 networks.

54 SmartDefense update can now traverse web proxy with authentication.

55 It is now possible to define a name for each security rule. The rule name will appear in the logs created by that rule and will persist across policy changes.

56 Enhanced SmartDefense updates infrastructure with improved inspection capabilities.


New Features — VPN

VPN

In This Section

VPN Routing page 14

VPN Tunnel Management page 15

Multiple Entry Point (MEP) and VPN Load Distribution page 15

VPN-1 Clusters page 16

PKI, PKCS page 16

NAT with VPN page 16

VPN-1 Diagnostics (Logging, Monitoring, Planning) page 16

Connectivity page 16

Office Mode page 17

L2TP Clients page 17

Multicast page 17

Route Injection Mechanism (RIM) page 17

VPN Routing

1 To tighten security and enhance the granularity of the VPN security policy, enforcement of VPN rules by the direction of a connection is now possible.

For example, it is possible to define in the VPN column:

  Source         Destination
  Community A    Community B
  Community A    Any
  Local domain   Community A
  Local domain   Remote Access Community

2 OSPF/BGP over VPN is enabled with VPN-1 gateway on SecurePlatform and IPSO. Every VPN tunnel is represented as a virtual adapter, enabling encapsulation of OSPF and BGP traffic. These virtual adapters can be used to establish integrated dynamic routing configurations with the routing domains in the protected networks. In effect this new technology unifies all the VPN-protected networks into one dynamically adaptable network.


3 Support of Back-up links and On-Demand links is enabled by multiple VPN links between VPN-1 gateways. Multiple VPN links are available when a single VPN-1 gateway is connected to multiple network infrastructures (e.g., multiple ISPs). Two VPN gateways may have several paths of communication that they can use to reach each other. Also new are Link Selection mechanisms, which provide additional methods to resolve a gateway’s IP address, such as defining a fixed IP address to always be used, and defining a DNS name to be resolved, which is most useful for gateways with dynamically allocated IP addresses.

4 GRE is now supported over IPsec in order to interoperate with devices that support dynamic routing over the VPN only with GRE.

5 Wire mode VPN is now available: connectivity between trusted (internal) VPN peers is supported by reducing the security checks applied to traffic that arrives through the VPN.

6 On Linux, SecurePlatform, and SecurePlatform Pro, encrypted packets will now be rerouted again after they are encrypted (and the destination was changed to the gateway IP address). (This behavior already takes place on Nokia platforms.)

VPN Tunnel Management

7 VPN tunnels may now be defined on VPN-1 gateways. The functionality is accessed using the command line interface to the gateway. This extends the interface to external management tools for Check Point gateways.

8 VPN links can now be configured to be “always on.” This feature enables:

• VPN link (tunnel) monitoring - link-properties, link-state, traffic through the link and more.

• Better support of sensitive applications for link setup delays.

• Configuration of Route Injection Mechanism when using MEP.

• Alert upon tunnel failure

9 SmartView Monitor can now monitor VPN tunnels. SmartViews of VPN tunnel properties and status, both for site to site and for remote access VPN, are now available.

Multiple Entry Point (MEP) and VPN Load Distribution

10 For site to site VPN, Explicit MEP configuration is now available at the center of a star community. There are several methods to connect to the MEP gateway, including explicit priority among entry points (which is independent of the VPN domain definition of entry points). For Remote Access VPN, the old MEP configuration still exists.


VPN-1 Clusters

11 By enabling the new Sticky Decision Function, ClusterXL Load Sharing now supports:

• VPN routing of third party gateways that require stickiness

• SecureClient Visitor mode

• SSL Network Extender clients

• L2TP and Nokia clients

Support for these features requires certain additional configuration. Consult the ClusterXL guide for more details.

PKI, PKCS

12 Internal CA diagnostics are now available through SmartView Monitor.

13 Internal CA enhancements include:

• Certificate enrollment using PKCS10 is available.

• Certificate generation as PKCS12 (for use in a CAPI token)

• Additional, configurable level of administration privileges

14 Certificate enrollment to a VPN-1 module using SCEP and CMP protocols is now available.

15 Online Certificate Status Protocol (OCSP) is now supported.

16 An existing CA certificate can now be replaced with a newer one in a VPN-1 system, provided that the new certificate has the exact same pair of keys as the certificate that it is replacing.

NAT with VPN

17 SecureClient now supports NAT-T.

VPN-1 Diagnostics (Logging, Monitoring, Planning)

18 The usability of VPN activity logs has been enhanced.

Connectivity

19 SecuRemote/SecureClient can now resolve the address of the remote gateway by using one of the following link selection methods:

• Main IP / Single IP

• Topology calculation


• RDP probing, which allows the possibility of configuring the primary interface and manual IP list for probing.

20 The encryption domain of the gateway can now be defined differently for site-to-site VPN, and for remote access VPN.

21 Third party DAIP gateways and externally managed DAIP gateways are now supported with certificate authentication.

Office Mode

22 Office Mode assignment can now be used to access other gateways in the site.

23 A RADIUS server can now be used for Office Mode IP assignment.

L2TP Clients

24 Legacy authentication schemes, such as Check Point password, OS password, RADIUS, LDAP, TACACS, etc., are now supported for L2TP clients.

Multicast

25 Through the use of VPN Virtual interfaces, multicast traffic can now be encrypted and passed through VPN tunnels.

Route Injection Mechanism (RIM)

26 RIM is now supported both with and without MEP. It can be configured under the Tunnel Management page on the community.

SecuRemote/SecureClient

NAT with VPN

1 SecureClient now supports NAT-T.

User Experience

2 SecuRemote/SecureClient user interface now supports the following languages: English, French, Italian, German and Spanish.

3 The Hotspot Registration feature now limits the number of unsuccessful registration attempts and disables registration IP addresses once the client connects.

Connectivity

4 In MEP configuration, the client MEP decision can be disabled, in which case the client connects to the gateway specified in the profile.

5 In an MEP configuration, a backup gateway can be specified in a centrally managed connection profile. If so specified, and the primary gateways are unreachable, the SecuRemote/SecureClient connects to the specified backup gateway and does not perform an MEP decision.

6 The encryption domain of the gateway can now be defined differently for site-to-site VPN, and for remote access VPN.

7 SecuRemote/SecureClient can now resolve the address of the remote gateway by using one of the following link selection methods:

• Main IP / Single IP


• Topology calculation

• RDP probing, which allows the possibility of configuring the primary interface and manual IP list for probing.

Office Mode

8 Office Mode assignment can now be used to access other gateways in the site.

9 A RADIUS server can now be used for Office Mode IP assignment.

10 VPN-1 Pro gateway DHCP requests can contain various client attributes that allow DHCP clients to differentiate themselves. The attributes are pre-configured on the client side operating system, and can be used by different DHCP servers in the process of distributing IP addresses. VPN-1 Pro gateway DHCP requests can contain the following attributes:

• Host Name

• Fully Qualified Domain Name (FQDN)

• Vendor Class

• User Class

Desktop Security

11 When policy expiration is enabled and SecureClient is connected, it will attempt to update policy every expire_time/2. If it fails to update the policy, SecureClient will not revert to the default policy.

12 Desktop security rules now support RADIUS groups.

13 Policy server logon is by default set to the Policy Server on the gateway to which you connect. Centrally managed profiles can be configured to direct logons to a different Policy Server. Perform the following:

1 Specify the Policy Server in the profile.

2 Use the dbedit database tool to set the property use_profile_ps_configuration to true.

Secure Configuration Verification (SCV)

14 When enforcing Secure Configuration Verification on simplified mode VPN (VPN-1 communities), specific hosts and services may be defined as exceptions to the rule (e.g., to allow anti-virus updates, even if the client machine is not verified).


15 SecuRemote (which does not support SCV) can be regarded as verified when SCV is enforced. To enable this, set scv_allow_sr_clients to true in userc.c (by default this value is set to false). This global flag can be overridden by the administrator by setting the matching flag in the topology, using the dbedit tool.

16 OS Monitor is now supported on Windows 2003 Server.

17 The operator greater than (>) is supported in signature file comparison in AntiVirus monitor.

18 ZoneAlarm Pro antivirus signatures version validation is supported for AntiVirus monitor.

19 The following enhancements for SCV monitors are now available:

• You can now check keys under HKCU, HKU and HKLM in the Registry Monitor

• While in Secure Domain Logon (SDL), each check under the Registry Monitor, OS Monitor and Browser Monitor can be disabled.

Windows - XP-specific Issues

20 Improved integration with Windows XP SP2 Firewall.

Miscellaneous

21 The following R56 local attributes can now be centrally managed:

• Hotspot registration configuration

• Disconnect_when_in_enc_domain

• Simplified_client_route_all_traffic

22 SecureClient now reports the following parameters to User Monitor:

• OS version, Client version and build

• last known SCV failure reason

23 Secure Domain Logon (SDL) by default will not be part of the Windows logon procedure when the client machine is part of the encryption domain. To force SDL when inside the encryption domain, use the Windows Registry editor to set SdlIgnoreEncDomain to 0 (DWORD) in HKLM\Software\CheckPoint\SecuRemote.

24 VPN-1 Pro now enforces the number of licensed remote access connections; this includes the number of SecuRemote connections allowed according to the gateway size plus the number of SecureClient licenses.

SecureClient Software Distribution Sever (SDS)

25 The SDS server and the SDS agent are no longer part of the SecureClient product.


Integrity

1 Integrity Product Family achieves Total Access Protection for all PCs that connect to your network. Check Point Integrity endpoint security products ensure that both employee and guest users' PCs are secure before they're granted network access. By stopping worms, spyware, and hacker attacks, Integrity maintains business continuity, supports regulatory compliance, and protects you against financial loss due to endpoint attacks.

2 Integrity client and server software secures all networked PCs by centrally managing proactive defenses and enforcing policy compliance.

3 Integrity for Linux offers enterprises easy-to-manage endpoint security for the growing number of Linux workstations, providing sophisticated attack protections coupled with centralized policy deployment and reporting.

4 Integrity SecureClient unites the complementary strengths of VPN-1 SecureClient and Integrity to deliver the most advanced remote access, endpoint security, and access policy enforcement.

5 Integrity Clientless Security mitigates risks posed by employee and guest endpoints accessing enterprise resources via the Web. It delivers spyware disablement, ensures session confidentiality, and enforces network access policy.

6 Integrity Desktop delivers preemptive protection against the latest worms, viruses, spyware, and hacker attacks.

SSL Network Extender

1 The SSL Network Extender is now centrally managed, and can be configured on SmartDashboard.

2 SSL Network Extender now supports SecureID’s New Pin Mode and password changes for RADIUS and LDAP authentication servers.

3 SSL Network Extender now supports ICS.

4 SSL Network Extender clients are supported on ClusterXL gateways in Load Sharing mode when the Sticky Decision Function is enabled.

5 SSL Network Extender now supports IntegrityTM Clientless Security (ICS) version 3.0, including IntegrityTM Secure Browser (ISB).

6 The SSL Network Extender end-user interface can now be customized, as well as localized for the following languages (user-selectable):

• English

• French


• Italian

• German

• Spanish

• Japanese

• Traditional Chinese

• Simplified Chinese

• Portuguese (Brazilian)

• Hebrew

SmartCenter

Cloning Network Objects

1 Networks and Host Nodes can now be “cloned” with a right click. The newly created object has field values in common with the original object.

SmartGroups

2 Groups can be viewed hierarchically in the Objects Tree. Additionally, a new feature in SmartDashboard allows you to configure group conventions. When you do so, SmartDashboard makes suggestions to assign newly created objects to groups based on their name, color or network location.

Tooltips

3 Details about a network object or service, such as IP/port, version, and comment, are now visible within SmartDashboard rule bases without opening the object or service.

Unique Rule Identifier

4 A new feature in SmartView Tracker allows you to open SmartDashboard to the rule that a certain connection matched on. Also, an enhanced rule filter provides the ability to search within SmartView Tracker for other connections that matched on that rule, either by rule number or unique rule ID. A new feature in SmartDashboard allows you to view all logs generated for a certain rule.

Improved Manageability of Administrators

5 In this release, cpconfig allows the definition of just one administrator. Others can be added through SmartDashboard. All cpconfig administrators can be converted to administrators in SmartDashboard by using the $FWDIR/bin/cp_admin_convert tool.


Mandatory Session Description

6 SmartDashboard users can now be compelled to enter a session ID describing the changes they have made. This provides a better ability to track database changes in the audit logs.

GUI Client Disconnect

7 When logging into a SmartCenter Server, an administrator can now disconnect other users who are logged in and locking the database.

Central Management for Connectra

8 Connectra devices are now part of Check Point’s centralized SMART management, integrating security, monitoring, logging, reporting, updating and intelligent information processing in a single interface.

Web-Based Access to SmartCenter — SmartPortal

9 SmartPortal is a web-based management tool providing a centralized view of security policies, network and security activity status, and administrator information. This web-based access to SmartCenter extends the visibility of security policies to groups outside of the IT security team and enables collaborative management of SmartCenter administrators.

VPN-1 Edge

1 VPN-1 Pro now supports VPN-1 Edge behind NAT devices. This can be implemented by using NAT traversal (port 4500), which encapsulates the IKE/IPSEC in UDP packets, between the VPN-1 Edge device and the VPN-1 Pro.

2 Enhanced VPN-1 Edge configuration in SmartDashboard, including:

• time of log generation and forwarding

• time at which the VPN-1 Edge device is updated with new configuration settings

• content filtering (CVP and UFP)

• Unrestricted mode (connections from centrally managed peers that do not undergo access control or NAT)

3 VPN-1 Edge (with firmware 4.5 or higher) is now integrated with Eventia Reporter.

4 Excluded Services are now supported with VPN Communities that contain SofaWare entities.

5 VPN-1 Edge Web UI can now be launched from within SmartDashboard, as follows:


• Select a VPN-1 Edge object in the Objects tree, right click and choose Manage Device in the displayed menu.

• In the VPN-1 Edge Object’s General Properties page, click Configure Edge Using Web Interface.

6 VPN Enhancements: VPN-1 Edge now supports different IKE methods, rules with communities in the VPN column, Multiple Entry Point (MEP) enhancements, shared secrets, excluded services, as well as Link selection.

7 Content filtering for VPN-1 Edge can now be centrally managed from SmartCenter. This can be done using the Content filtering section of the VPN-1 Edge page of the Global Properties, or the Content Filtering page of the VPN-1 Edge object. The configuration includes specifying OPSEC UFP, CVP & SMTP servers, and determining which Edge devices use UFP/CVP.

8 NAT rules can now be configured and installed on VPN-1 Edge gateways. NAT rules can either be manual, by placing a VPN-1 Edge gateway in a NATed rule in the Install On column, or automatic by choosing a VPN-1 Edge gateway as the Install on gateway in the network object’s NAT page.

9 A High Availability (HA) deployment can now be configured for VPN-1 Edge devices using SmartCenter. Configuring HA for VPN-1 Edge is done in the VPN page of the VPN-1 Edge Gateway Object’s Properties window. Select Use Backup Gateways and specify the (VPN-1 Edge) gateway that will function as the backup gateway.

10 A configuration script can now be added to the VPN-1 Edge object window. This script is downloaded to the VPN-1 Edge device. It controls various features and settings (for example, QoS settings and wireless settings).

SmartView Monitor

1 SmartView Monitor has become a new monitoring application that combines the functionality of the following applications:

• SmartView Status

• SmartView Monitor

• User Monitor

In addition, it has new capabilities. The GUI is an MDI (Multi-document interface) application that allows users to see side-by-side multiple views of traffic in different aspects.

2 It is now possible to monitor the following elements in SmartView Monitor Traffic Monitoring:

• Traffic by top or specific tunnels

• Traffic by top or specific interfaces


• Packet size distribution

• Traffic by top individual connections

• Connection direction filter

3 Tunnel Monitoring is a new feature that allows the user to view the current gateway to gateway tunnels in the organization. The user can define filters to present specific tunnels, as well as display tunnel state and other properties. The user can also reset a tunnel and drill down to view its traffic.

4 SmartView Monitor now has new ways of presenting traffic monitoring:

• Traffic data can now be presented in a pie graph or in a table.

• After drilling down into data, a back button is now available to undo drill downs.

• Exporting to HTML is now possible.

• Inbound and outbound traffic can now be viewed side by side

5 The various SmartView Status applications have been replaced with Gateway views. SmartView Monitor now presents a table view that displays all gateways and configurable status columns. In addition there is a detail view that allows browser-like drill down.

Eventia Reporter

1 Eventia Reporter Add-On and Eventia Reporter Server can now be installed on a Solaris 64-bit platform.

2 Eventia Reporter is faster than previous versions.

• Report generation - a report based on 20 GB of logs can be generated in a little over an hour.

• Log consolidation – the log consolidator can process 32 GB per day (without DNS).

3 Eventia Reporter now provides more flexible and meaningful report content.

• Clearer Reports

Unnecessary details and sections have been removed from the reports. By default, graphs are only created for time/date reports so as to achieve a smaller output.

• Internal filters

Internal filters are displayed for better report comprehension and flexibility. A user can now filter reports based on communication direction, firewall action, VPN-1 fields, email sender/recipient, etc.

4 Consolidator and database management controls have moved from the SmartDashboard and are now integrated in the Reporter Client.


5 When the database grows too large, the Reporter can automatically archive or delete the oldest records. Database maintenance can be defined in terms of database space or record age.

6 Provider-1 now supports log-based reports.

7 Eventia Reporter can now create reports for VPN-1 VSX for all versions from NG with Application Intelligence onward. Connection to an R60A management server is required.

8 Improved Security Rule support:

• Rule name support: users can now tag rules with names. Names will be displayed in reports and can be used in filters.

• UUID support for rules can be used to track rule usage regardless of their location in the Rule Base.

• Rule Base Activity: the Rule Bases Analysis report includes a section that shows all rules in a policy and their usage.

• Support for Rule Base policies in reports.

SmartUpdate

1 Packages can now be distributed to remote devices and then installed at a later date. This is beneficial in a number of ways:

• The risk of a loss of connectivity during installation is minimized, as the package is delivered to the remote device before the remote install command is issued.

• Upgrade performance is improved, as packages can be transferred in parallel to multiple devices.

• The process is now more efficient, as it can more easily be performed after hours, when the load on the network is less.

• Downtime due to upgrade is reduced.

2 SmartUpdate can now upgrade remote devices to versions earlier than that of the management server. Earlier versions supported are R54, R55, R55W, and R55P, and their respective HFAs.

3 The Upgrade All option in SmartUpdate allows Nokia platforms to be upgraded to any IPSO OS version. To do so, the desired Nokia IPSO OS package must first be added to the SmartUpdate Package Repository and set as the default package, followed by selecting the Upgrade All option.

4 SmartUpdate supports an automatic revert from an unsuccessful upgrade when upgrading SecurePlatform gateways. SmartUpdate creates the image backup before the upgrade starts. Should the upgrade not complete successfully, the SecurePlatform machine will revert to the backed up image.


5 SmartUpdate supports the CPInfo utility. The CPInfo utility runs on remote gateways and/or the SmartCenter server, and collects information about that machine into a single text file. This text file is fetched and accessible from the GUI machine.

6 The SmartUpdate command line tool can make a snapshot of the SecurePlatform machine. A list of currently available snapshots on a machine can be compiled and used to revert a machine to one of the snapshots.

SmartLSM

1 When defining VPN Domain for VPN-1 Express/Pro or VPN-1 Edge ROBO Gateways, the user should use the new Topology table available in the SmartLSM GUI (or the parallel capabilities of LSMcli). It is possible to define the VPN Domain for ROBO Gateway in one of the following ways:

• Use the external IP address of the Gateway only

• VPN Domain includes all of the networks behind the Gateway's internal interfaces (based on topology)

• VPN Domain consists of manually defined IP address ranges.

2 Controlling the settings of internal interfaces of VPN-1 Edge ROBO Gateways is now supported from the centralized SmartLSM management. The following settings can be controlled and enforced on the VPN-1 Edge ROBO Gateway:

• Interface is enabled/disabled

• Interface IP address and netmask

• NAT Hide of the network behind the interface is enabled/disabled

• DHCP server on the interface is enabled/disabled

• Range of IP addresses distributed by the DHCP server

• DHCP server serves as a relay to another external DHCP server

3 It is now possible to launch VPN-1 Edge Portal Web GUI when using context menus of items representing VPN-1 Edge gateways and VPN-1 Edge ROBO Gateways in the SmartLSM main view.

SecurePlatform

Installation

1 SecurePlatform can be installed in two flavors: the regular flavor, and the “SecurePlatform Pro” flavor. SecurePlatform Pro is an enhanced version of SecurePlatform. SecurePlatform Pro adds advanced networking and management capabilities to SecurePlatform such as:

• Dynamic routing


• RADIUS authentication for SecurePlatform administrators

To install “SecurePlatform Pro”, select the “SecurePlatform Pro” option during the installation.

To convert regular SecurePlatform to SecurePlatform Pro, from the expert mode command line run: “pro enable”.

For information regarding advanced routing, see the “Check Point Advanced Routing Suite” guide.

2 In this release, the SecurePlatform installation allows adding new hardware drivers for mass storage and networking devices, during the installation phase.

3 There is a change in behavior from R55 and earlier SecurePlatform versions. When no key is pressed after the SecurePlatform installation has begun, the installation will be aborted, and the system boots from the hard disk.

General

4 Speed/Duplex settings of Ethernet interfaces can be controlled using the eth_set utility in the command line, or by using the WebUI. The interface settings configured via the WebUI, or via the command line utility will survive reboot and become persistent.

5 The patch add command now supports scp as one of the options, allowing convenient and secure transfer of patch files to SecurePlatform.

6 VPN-1 log files are not included in the backup operation by default.

7 The display of time zones in the command line was changed from the POSIX convention to the commonly accepted convention. For example, for a region located two hours to the east of the GMT region, the time zone will show GMT+2 and not GMT-2, as in earlier versions.

8 During the installation of SecurePlatform, one interface is selected as the management interface. The IP address of this interface cannot be set to 0.0.0.0, as this will disrupt operation of the product. The commands sysconfig and ifconfig enforce this limitation in this release. If a specific interface must receive the IP address 0, a different interface must first be configured to be the management interface, and then the IP address 0.0.0.0 can be assigned to the specific interface.

9 SecurePlatform now supports platforms using dual AMD Opteron CPUs in 32 bit mode.

Note - SecurePlatform Pro requires a separate license that must be installed on the SmartCenter Server that manages the SecurePlatform Pro enforcement modules.


User Experience

10 Starting with this release, Netscape 7.1 is supported for use with the administration WebUI. This allows using the WebUI from non-Windows systems.

ClusterXL

Configuration

1 ClusterXL has a new (and optional) packet distribution scheme for Load Sharing which is supported with the two Load Sharing modes: Multicast and Unicast. In the new distribution scheme (called “Sticky Decision Function”), a connection that started on a certain cluster member will continue to pass only through that member. The Sticky Decision Function is not supported with Performance Pack or with an Acceleration device.

VPN-1 Clusters

2 ClusterXL Load Sharing now supports SecureClient visitor mode and SSL Network Extender clients when the Sticky Decision Function is enabled.

3 Third party peers can now open VPN tunnels on ClusterXL in Load Sharing mode with the Sticky Decision Function enabled.

4 ClusterXL Load Sharing now supports VPN routing configurations in which both sides of the connection are encrypted for third-party peer gateways, such as Cisco, which require stickiness. This support is limited to when the Sticky Decision Function is enabled, and requires certain additional configuration. Consult the ClusterXL guide for more details.
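As an added illustration of why the Sticky Decision Function matters for the VPN cases listed above (this is constructed example code, not Check Point's ClusterXL implementation and not its real decision hash), the following Python model contrasts a stateless per-packet header hash with a sticky, connection-keyed decision. The member names, the packet trace and the toy hash are all constructed, and the `conn_id` field stands in for the connection-table state a member keeps. A connection whose headers change along its path (clear TCP on the inside, ESP between the cluster address and the VPN peer on the outside) is spread over different members by a header hash but stays on one member under the sticky decision.

```python
"""Added example: stateless header hash vs. sticky decision on a load-sharing cluster.
Constructed model for illustration only; not Check Point's ClusterXL implementation."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    conn_id: str  # stands in for the connection-table entry a member keeps (assumption)
    src: str
    dst: str
    proto: int    # IP protocol number: 6 = TCP, 50 = ESP
    sport: int = 0
    dport: int = 0


def _octet_sum(ip: str) -> int:
    return sum(int(octet) for octet in ip.split("."))


def hash_decision(pkt: Packet, members: List[str]) -> str:
    """Stateless decision: a toy hash over the headers as seen on the wire.
    The real decision function differs; the point is that any header hash gives a
    different answer once the headers change (clear text vs. ESP encapsulation)."""
    key = _octet_sum(pkt.src) + _octet_sum(pkt.dst) + pkt.proto + pkt.sport + pkt.dport
    return members[key % len(members)]


class StickyDecision:
    """Stateful decision: the first packet of a connection is placed by the hash;
    every later packet of the same connection, whatever its headers, follows it."""

    def __init__(self, members: List[str]) -> None:
        self.members = list(members)
        self.owner: Dict[str, str] = {}

    def decide(self, pkt: Packet) -> str:
        if pkt.conn_id not in self.owner:
            self.owner[pkt.conn_id] = hash_decision(pkt, self.members)
        return self.owner[pkt.conn_id]


# Constructed trace: one TCP session from an internal host to a host behind a
# third-party VPN peer. The cluster encrypts it, so the same connection appears
# once as clear TCP and once as ESP between the cluster address and the peer.
MEMBERS = ["member-1", "member-2", "member-3"]
CLUSTER_VIP, PEER_GW = "203.0.113.1", "198.51.100.2"
TRACE = [
    Packet("c1", "10.1.1.5", "192.168.7.9", 6, 40000, 443),   # clear, inside -> peer net
    Packet("c1", CLUSTER_VIP, PEER_GW, 50),                   # same connection, ESP out
    Packet("c1", "192.168.7.9", "10.1.1.5", 6, 443, 40000),   # clear reply
    Packet("c1", PEER_GW, CLUSTER_VIP, 50),                   # ESP reply in
]


def run_trace(trace: List[Packet], members: List[str]) -> Dict[str, List[str]]:
    """Return the member chosen for each packet under both decision schemes."""
    sticky = StickyDecision(members)
    return {
        "hash": [hash_decision(p, members) for p in trace],
        "sticky": [sticky.decide(p) for p in trace],
    }


if __name__ == "__main__":
    for scheme, picks in run_trace(TRACE, MEMBERS).items():
        print(f"{scheme:6}: {picks}")
```

Running the module prints the member chosen per packet under each scheme; with this trace the header hash alternates between two members while the sticky decision keeps all four packets on the member that saw the first one, which is the property a peer that cannot tolerate per-packet member changes depends on.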

Supported Features

5 Dynamic routing is now supported in SecurePlatform clusters.

6 Multicast data traffic is supported on ClusterXL in High Availability mode, and in Load Sharing mode under certain conditions. Refer to the Release Notes for more details.

Performance Pack

1 BGE interface is now supported on Solaris.

2 SmartView Monitor is now supported by Performance Pack.

3 Dynamic Routing changes are now supported by Performance Pack on SecurePlatform.

VSX

Manageable Versions

1 SmartCenter Server can now manage the following versions of VSX:

• VSX 2.0.1

• VSX NG AI

• VSX NG AI Release 2

• VSX NGX

2 For more information on these releases, please see the documentation at http://www.checkpoint.com/support/technical/documents/index.html.

Single IP Address for Management

In previous versions (VSX 2.0.1, VSX NG AI) the VSX installation process created a default Virtual System called the Management Virtual System (MVS). Instead of the MVS, the VSX gateway object now:

• Handles provisioning and configuration of Virtual Systems and Virtual Routers.

• Manages Gateway State Synchronization when working with clusters.


• Provides a single IP for communication with the management entity (Provider-1, SmartCenter, LDAP Server, Radius, TACACS, SNMP). All management communication between the VSX gateway and management entity takes place via a single IP address. The TCP connection is terminated at the VSX gateway, and does not continue to the Virtual Device. In a cluster environment, each cluster is managed by a single IP address. Members of the cluster are automatically assigned IP addresses.

Single IP Address for Cluster Management

In a VSX cluster, only the cluster members require an IP address. This reduces the overall number of IP addresses required to manage the cluster. For example, a VSX system with one hundred Virtual Systems on four cluster members requires only four IP addresses for management, one for each cluster member. The Virtual systems within any cluster member are managed by internally assigned IP addresses.

Adding New Members to a Cluster

In versions prior to VSX NGX, you could not add or remove members from an existing cluster. In NGX, using the command line reconfigure option, new members can be added to or removed from an existing cluster. The “Add/remove new members” wizard updates the database with the configuration of the new member. The reconfigure option then pushes the configuration to the new module.

Upgrading Cluster Members

The reconfigure command is also used to upgrade members of a cluster. Once the member module has been upgraded, the configuration of the (pre-upgrade) module, contained in the Management Server database, is pushed back to the new (upgraded) module.

Recovering Fallen Modules

The reconfigure script is also used to recover fallen modules, for example after a hard disk failure. Once the hard disk has been replaced, a new module installed, and SIC established with the management server, the reconfigure script returns the module's previous configuration (stored in the management database) to the module.

Backward Compatibility Support

Backward compatibility is fully supported: from the current NGX release, you can create and manage VSX 2.0.1 and VSX_NG_AI objects.


Simplified VSX GUI

During the creation of a VSX gateway, a Virtual System creation template page appears (FIGURE 0-1, Creation templates).

This page provides two networking templates for Virtual Systems:

• Each Virtual System can have its own external and internal interfaces

• All virtual systems have their own internal interface but share a single external interface

The third alternative is not to use one of the templates, but to customize each Virtual System according to your VSX deployment.

Choosing a Management Model

The choice of Virtual System creation template also decides the management model for the VSX deployment: whether or not there will be an interface dedicated to the management of the VSX system. Choosing “Template 1”, as shown in FIGURE 0-1, means eth0 (by default) will be reserved exclusively for VSX management traffic. The VSX deployment will have a dedicated management interface (DMI). Choosing “Template 2” results in a non-DMI management model.

Virtual Switch

In previous VSX releases, the only way to share an interface between multiple Virtual Systems, or to connect between Virtual Systems, was through a Virtual Router. The new Virtual Switch allows multiple Virtual Systems to share an interface.

A Virtual Switch provides layer 2 connectivity between Virtual Systems and connectivity to a shared interface. As with a physical switch, each Virtual Switch maintains a forwarding table with a list of MAC addresses and their associated ports. The forwarding decision is made by inspecting the destination MAC address of each incoming packet.


When sharing a physical interface via a Virtual Switch there is no need:

• To allocate an additional subnet for IP addresses of Virtual Systems connected to the switch.

• To manually configure the routing on the routers adjacent to the shared interface.

Virtual System in Bridge Mode

When deploying a VSX gateway on an existing network, the need for changing network addresses and routes should be avoided. By providing a Virtual System that implements native layer-2 bridging instead of IP routing, a VSX gateway can be deployed without requiring changes to the existing IP (layer-3) infrastructure - for example on a network set up for dynamic routing. A Virtual System in bridge mode is used to forward traffic at layer 2 between the physical networks.

A typical network connection in such a scenario involves an 802.1Q VLAN switch on either side of the VSX gateway. The interfaces of the bridge do not require IP addresses. The Virtual System in bridge mode remains transparent to the existing IP network.

A Virtual System in Bridge mode:

• Has the same Firewall security capabilities as a Virtual System, except for VPN and NAT (NAT modifies layer-3 information)

• Enables easier configuration of Virtual Systems since no IP addresses or specific routing information is required.

• Does not segment an existing network.

Unnumbered Interface Support

To reduce the number of IP addresses required in a VSX deployment, Virtual Systems within a VSX gateway now support unnumbered interfaces. This is possible where the Virtual System does not require an IP address. For example, when the interface on the Virtual System is connected to a Virtual Router (and Hide NAT or VPN features are not enabled), the interface can be configured as unnumbered.

Full Dynamic Routing Capability

Dynamic Routing (DR) is performed locally on the gateway. The user needs to switch dynamic routing on manually in the properties page of the VSX gateway. A context-aware CLI command, vrf - connect, is also available; it determines to which Virtual System or Virtual Router the dynamic routing applies. First switch DR on through the management GUI, and then use the CLI to specify the Virtual Systems and Virtual Routers to which dynamic routing applies.


Supported Dynamic Protocols

Unicast:

• OSPF

• RIP

• BGP

Multicast:

• IGMP

• PIM-SM

• PIM-DM

VSX Extensions for ClusterXL

In a ClusterXL environment, Virtual Systems running in bridge mode are now able to fail over to their peer in the cluster. Provided that the Virtual System is connected to a distinct physical interface or VLAN interface, only the Virtual System fails over, not the member.

The cphaprob diagnostic command has been extended to display additional data when the fail-over per Virtual System feature is enabled.

NAT Routes

A Virtual System is capable of Network Address Translation (NAT), just like a physical Firewall. When a Virtual System is connected to a Virtual Router and the Virtual System performs Static or Hide NAT to a host on a given network, the NATed routes have to be forwarded to the Virtual Routers.

The NATed address can be:

• Manually added to the Virtual Router

• Defined on the Virtual System

Hide or Static NAT addresses configured on the Virtual System are automatically forwarded to the Virtual Router to which the Virtual System is directly connected. NATed addresses can be:

• A single IP (for Static NAT)

• A range of addresses (Hide NAT)

• Complete subnets (Hide NAT)


SPLAT Add-Ons & Enhancements

Enhanced CLI

Check Point Dynamic Routing utilizes industry standard commands for configuration. The basic features of the CLI include the following:

• Command line editing and completion

• Context-sensitive help

• Command history

• Disabling/Enabling CLI Tracing

Additional commands have been added for:

• NTP

• DHCP Relay

• Bridge support

NTP

VSX NGX supports the Network Time Protocol (NTP) that is used to synchronize computer clock times in a network of computers. The NTP client initiates a time request exchange with the time server. As a result of this exchange, the client is able to calculate the link delay, its local offset, and adjust its local clock to match the clock at the server's computer.

DHCP Relay

The sysconfig command now allows the configuration of DHCP Clients and DHCP Servers on different networks.

Ethernet Bridge Utility

A new bridge utility has been added to set up, maintain, and inspect the Ethernet bridge configuration in the SPLAT kernel. An Ethernet bridge is a device used to connect different Ethernets together using the MAC hardware address. Each of the Ethernets being connected corresponds to one physical interface in the bridge. These individual physical Ethernets constitute one large logical Ethernet, which is the bridge network interface. With the bridge support utility, the Ethernet bridge configuration in the kernel can be maintained and inspected.


Internal Cluster IP Addresses

In a VSX cluster, the ifconfig command now hides the internal cluster addresses, that is, the addresses of the physical interfaces on each cluster member that are reserved for internal VSX and ClusterXL communication. These addresses are allocated from a reserved IP range (IP 192.168.196.0, netmask 255.255.252.0). The ifconfig command displays only the cluster IP address.

New Monitoring Classes for Status Information

For SNMP users, additional status information can be obtained from enforcement modules by taking advantage of additional VSX monitoring classes in the Check Point MIB. For more information see the guide to the Check Point MIB at:

http://www.checkpoint.com/support/technical/documents/index.html

QoS

1. The license for QoS Express should be installed on the SmartCenter server instead of on the Enforcement module. QoS supports licenses for 1, 3 or 5 modules. These licenses should be added via SmartUpdate and then attached to the SmartCenter Gateway Object.

2. QoS is now supported on, and can run on, the same Enforcement Module that runs Web Intelligence.

UserAuthority

1. UserAuthority now supports outbound identity-based access control for non-TCP connections.

2. User credentials can now be fetched using UserAuthority Servers on other SIC domains.

InterSpect

SmartCenter Server can now manage the following versions of InterSpect:

• InterSpect 1.5

• InterSpect 2.0

• InterSpect NGX


New Features — Express CI R60A

Express CI R60A

In This Section:

Anti Virus Protection page 37

Signature Updates page 37

Continuous Download page 38

Scanning Files page 38

SMTP page 39

POP3 page 39

FTP page 39

HTTP page 39

File Type Recognition page 40

Logging and Monitoring page 40

Scan Failure page 40

Anti Virus Protection

When Anti Virus scanning is enabled, traffic for the selected protocols is trapped in the kernel and forwarded to the security server. The security server forwards the data stream to the Anti Virus engine. The data is allowed or blocked based on the response of the Anti Virus engine.

Anti Virus scanning is applied only to traffic that has been allowed by the Security Policy.

Express CI R60A Anti Virus makes CVP resource configuration obsolete. In cases where both Anti Virus and CVP are used, only Anti Virus will work.

Signature Updates

Automatic updates of the virus signature can be scheduled at any chosen interval. Manual updates of virus signatures can be initiated at any time.

The following two signature update mechanisms are available. For both mechanisms, the default update interval is 120 minutes:

• Signature redistribution on SmartCenter, by which updates are downloaded only by the SmartCenter Server from the default Check Point signature distribution server, and then redistributed by the SmartCenter Server to all Check Point Express CI R60A gateways. This method is useful when Internet access is not available for all gateways, or when it is required that the download occur only once for all the gateways. The gateways communicate only with the SmartCenter, using Secure Internal Communication (SIC).


• Default signature distribution server, by which updates are downloaded directly to the Check Point Express CI R60A gateways. This method will likely result in faster update times, because the gateways get the update from the Check Point signature distribution server as soon as it becomes available. This mechanism is only available for automatic updates. It is not available for manual updates.

Continuous Download

For files that need to be scanned, the Anti Virus engine acts as a proxy: it caches the file and scans it before delivering it to the client.

When large files are being scanned, if the whole file is checked before being made available, the user may experience an unacceptably long delay before the file is delivered. A similar problem may arise when using client applications with short timeout periods (certain FTP clients for example) to download large files. If the whole file is cached and scanned before being delivered, the client applications may time out while waiting.

To address this, Continuous Download trickles information to the client while the Anti Virus scanning is taking place. If a virus is found during the scan, the file delivery to the client is terminated.

It is possible to specify file types for which Continuous Download will not take place. Some file types (such as Adobe Acrobat PDF files and Microsoft PowerPoint) can open on a client computer before the whole file has been downloaded. If Continuous Download is allowed for those file types, and a virus is present in the opened part of the file, it could infect the client computer.

Scanning Files

There are two ways to specify the files to be scanned: Scan By Direction and Scan By IP. In both cases, Anti Virus scanning is performed only on traffic that is allowed by the Security Rule Base.

Scan By Direction

Specifies whether to scan files passing to or from the external, internal and/or DMZ networks.

This method (the default) is an intuitive way of specifying which files will be scanned without having to specify hosts or networks.

Note - SMTP and POP3 support Continuous Download for the entire email message.


Use this method if you wish to scan all traffic in a given direction. It is possible to specify exceptions, that is, locations to or from which files will not be scanned.

Scan By IP Address

Scan by IP address allows you to define very precisely which traffic to scan. For example, if all incoming traffic from external networks reaches the DMZ, Scan by IP allows you to specify that only traffic to the FTP, SMTP, HTTP and POP3 servers will be scanned, whereas Scan by Direction scans all traffic to the DMZ.

When choosing to Scan by IP address, you use a Rule Base to specify the source and destination of the data to scan. For FTP, for each rule, you can choose to scan either the GET or PUT methods, or both. For HTTP, for each rule, you can choose to scan either the HTTP Request, or the HTTP Response, or both.

SMTP

For SMTP, Scan by Direction and Scan by IP are essentially the same. Content Inspection for SMTP sends the files (data) in the same direction as the connection. SMTP is used for sending mail. Protocols that are used for receiving email (such as POP3 and IMAP) are not scanned when SMTP is selected.

POP3

Content Inspection for POP3 sends the files (data) in the opposite direction to the connection. POP3 is used for retrieving mail.

FTP

When the FTP GET command is used, files are transferred in the opposite direction to the connection. When the FTP PUT command is used, files are transferred in the same direction as the connection. The Scan files by direction option allows you to scan files, without having to consider the direction of the connection.

HTTP

When choosing to scan by IP, the Source and Destination of the connection are specified, and also whether the Request, Response or both will be scanned. This makes it possible to specify what will be scanned in a very precise way.

Note - Scan By Direction works only when Check Point Express CI R60A is connected as a gateway, and is placed inline between the external and the Internal/DMZ networks. It does not work when Check Point Express CI R60A is connected as a node, in Proxy mode.

In addition, Scan By Direction only works when the Gateway topology is correctly defined.
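The direction rules above (SMTP and FTP PUT carry data with the connection, POP3 and FTP GET against it, HTTP split by Request/Response) decide whether a file is "incoming" for Scan By Direction. The following is an added worked example, not Check Point's code, with a constructed zone map, constructed addresses, and a simplified rule format for Scan By IP; the real product's rule base and exception handling are richer than this.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample topology: which zone each address belongs to.
ZONE = {
    "203.0.113.7": "external",   # client on the Internet
    "198.51.100.9": "external",  # external mail server
    "172.16.0.10": "dmz",        # FTP server in the DMZ
    "172.16.0.20": "dmz",        # another DMZ host
    "10.0.0.5": "internal",      # internal workstation
}

# Protocols (and commands) whose file data flows in the SAME direction as the
# connection, versus the OPPOSITE direction, as described in the text.
SAME_AS_CONNECTION = {("SMTP", None), ("FTP", "PUT"), ("HTTP", "REQUEST")}
OPPOSITE_TO_CONNECTION = {("POP3", None), ("FTP", "GET"), ("HTTP", "RESPONSE")}


@dataclass(frozen=True)
class Connection:
    protocol: str
    command: Optional[str]   # "GET"/"PUT" for FTP, "REQUEST"/"RESPONSE" for HTTP
    src: str                 # address that opened the connection
    dst: str                 # server address


def data_direction(conn: Connection) -> tuple:
    """Return (from_ip, to_ip) for the file data carried by the connection."""
    key = (conn.protocol, conn.command)
    if key in SAME_AS_CONNECTION:
        return conn.src, conn.dst
    if key in OPPOSITE_TO_CONNECTION:
        return conn.dst, conn.src
    raise ValueError("unsupported protocol/command: %r" % (key,))


def scan_by_direction(conn: Connection, scan_to_zones, exceptions=frozenset()) -> bool:
    """Scan By Direction: scan files whose data flows INTO one of scan_to_zones,
    unless either endpoint is listed as an exception (a location not scanned)."""
    from_ip, to_ip = data_direction(conn)
    if from_ip in exceptions or to_ip in exceptions:
        return False
    return ZONE[to_ip] in scan_to_zones


def scan_by_ip(conn: Connection, rules) -> bool:
    """Scan By IP: rules are (src, dst, protocol, commands) matched on the
    connection itself; commands restricts FTP GET/PUT or HTTP Request/Response."""
    for src, dst, proto, commands in rules:
        if (src, dst, proto) == (conn.src, conn.dst, conn.protocol):
            return conn.command is None or conn.command in commands
    return False


if __name__ == "__main__":
    # Same two endpoints, opposite file directions: an FTP download leaves the
    # DMZ (not scanned), an FTP upload enters it (scanned).
    for cmd in ("GET", "PUT"):
        c = Connection("FTP", cmd, "203.0.113.7", "172.16.0.10")
        print(cmd, data_direction(c), scan_by_direction(c, {"internal", "dmz"}))
```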


File Type Recognition

Check Point Express CI R60A has a built-in File Type recognition engine, which positively identifies the types of files passed as part of the connection. This also enables you to define a per-type policy for handling files of a given type.

It is possible to specify “safe” file types that will be allowed to pass through the Check Point Express CI R60A Gateway without being scanned for viruses. It is also possible to configure file types that will be scanned or blocked. The following actions can be configured for each file type:

• Scan performs Anti Virus scanning for files of this type, according to the settings in the different services pages. By default, all unrecognized file types are scanned.

• Block does not allow files of this type. There are file types that are preset to be blocked according to SmartDefense advisories.

• Pass allows files of this type to pass through the Check Point Express CI R60A gateway without being scanned for viruses. Files of this type are considered safe.

File types can be considered safe because they are not known to contain viruses. For example, some picture and video files are considered safe. Other formats can be considered safe because they are relatively hard to tamper with. What is considered safe can change according to published threats, and depends on how the administrator balances security versus performance considerations.

Check Point Express CI R60A reliably identifies binary file types by examining the file type signatures (magic numbers). Check Point Express CI R60A does not rely on the file extension (such as *.GIF) which can be spoofed. It also does not use the MIME headers (such as image/gif) in HTTP and mail protocols, which can also be spoofed.
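As an added illustration (not Check Point's engine or its preset type list), the example below identifies a file from its leading bytes and applies a Scan / Block / Pass policy, next to the spoofable approach that trusts the extension or MIME header. The signature table, the policy and the sample "cat.gif" bytes are constructed for this example.

```python
# (magic bytes, detected type); checked in order against the start of the data.
# Constructed table for illustration; a real engine carries far more signatures.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),            # DOS/Windows executable header
]

# Constructed per-type policy using the three actions described in the text.
POLICY = {"png": "pass", "gif": "pass", "pdf": "scan", "zip": "scan", "exe": "block"}
DEFAULT_ACTION = "scan"        # unrecognized file types are scanned by default


def identify_by_magic(data: bytes) -> str:
    """Positively identify the file type from the bytes actually transferred."""
    for signature, ftype in MAGIC:
        if data.startswith(signature):
            return ftype
    return "unknown"


def identify_by_claim(filename: str, mime: str) -> str:
    """The spoofable approach: trust the extension, then the MIME subtype."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in POLICY:
        return ext
    return mime.split("/")[-1].lower() if mime else "unknown"


def action_by_magic(data: bytes) -> tuple:
    """Return (type, action) decided from the file content."""
    ftype = identify_by_magic(data)
    return ftype, POLICY.get(ftype, DEFAULT_ACTION)


def action_by_claim(filename: str, mime: str) -> tuple:
    """Return (type, action) decided from sender-controlled metadata."""
    ftype = identify_by_claim(filename, mime)
    return ftype, POLICY.get(ftype, DEFAULT_ACTION)


if __name__ == "__main__":
    # Constructed sample: an executable header served as "cat.gif" with an
    # image/gif Content-Type. Metadata says pass; the bytes say block.
    spoofed = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    print("by claim:", action_by_claim("cat.gif", "image/gif"))
    print("by magic:", action_by_magic(spoofed))
```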

Logging and Monitoring

Logging information about the Anti Virus scan is sent to the SmartCenter Server, and can be viewed using SmartView Tracker. Information about the results is shown in the logs.

In addition, there are logs for signature updates, new update checks and download results.

Monitoring Anti Virus status is performed with SmartView Status. The Anti Virus status appears under the FireWall-1 product. This status contains information about the currently installed signature file and the Anti Virus engine version. The Anti Virus status also includes statistics about scanned files and found viruses.

Scan Failure

The default settings in the Anti Virus window have been configured to prevent the Anti Virus engine from overloading. It is recommended that you use the default settings provided.


If the Anti Virus engine becomes overloaded you can use the options in the Anti Virus window to determine:

• whether you would like to take the chance of allowing files that have not been scanned to pass. This option will leave you open to virus attacks.

• whether you would like to block all files. If you select to block all files a connectivity problem may arise.
