What’s New in Check Point® Enterprise Suite NGX (R60A)
9/8/05
In This Document
The latest version of the “What’s New” documentation is available online at http://www.checkpoint.com/techsupport/downloads.jsp.
Unified Software Package page 2
Firewall page 3
VPN page 14
SecuRemote/SecureClient page 18
Integrity page 21
SSL Network Extender page 21
SmartCenter page 22
VPN-1 Edge page 23
SmartView Monitor page 24
Eventia Reporter page 25
SmartUpdate page 26
SmartLSM page 27
SecurePlatform page 27
ClusterXL page 29
Performance Pack page 29
VSX page 30
QoS page 36
UserAuthority page 36
InterSpect page 36
Express CI R60A page 37
Copyright © 2005 Check Point Software Technologies, Ltd. All rights reserved.
New Features — Unified Software Package
Unified Software Package
In previous versions, each product had its own software package (for example, Check Point SVN Foundation - cpshared_R55_<Build_Num>_<platform>.tgz). NGX (R60) binds a number of products into a unified software package to simplify the installation process. The following products are included in the package fw1_R60_<BuildNum>_<platform>.tgz, where <BuildNum> represents the package version and <platform> represents the relevant operating system:
• Check Point SVN Foundation
• VPN-1 Pro
• SecureClient Policy Server
• SmartView Monitor
• QoS (previously FloodGate-1)
Software packages not included in this list are distributed in their own packages located on the product CD.
What’s New in Check Point NGX R60A Last Update — 9/8/05 2
New Features — Firewall
Firewall
In This Section
Web Intelligence page 3
Voice over IP (VoIP) page 6
Network Security page 7
DNS Security page 8
Check Point Active Streaming page 10
Application Intelligence for Additional Protocols page 10
Malicious Activity Prevention page 12
General page 13
Web Intelligence
1 New web protections have been added to prevent:
• Directory Listing
• LDAP Injection
• Display of web server error messages in the browser (a feature known as Error Concealment)
2 Specific behavioral patterns to be blocked by the Cross-Site Scripting, SQL Injection and Command Injection defenses in Web Intelligence can now be defined by the user.
3 Malicious code protector is now supported on SPARC processors.
4 It is now possible to make all protections on specific web servers run in monitor only mode, while on other servers the protection will be active.
5 Different HTTP method schemes can now be set for each web server.
6 Server-based Security Policy configuration is enhanced, and completely integrated into SmartDefense. The result is an easy and granular defense configuration that retains the global view that is present in SmartDefense.
Monitor-only Mode
7 Many of the new features have a monitor-only mode where features are activated in a mode that issues logs but does not block traffic. This usability element is helpful in the transition phase, when features are applied for the first time at a customer's site, and will be helpful in discovering configuration problems in the deployment stage. With a single click the defaults of each protection can be restored. Monitor-only mode also supports audit-only deployments.
SQL Injection
8 VPN-1 Pro rejects HTTP requests containing SQL commands inside the URL or body. An attacker can use flaws in the web application to inject malicious commands that will be run directly in the application database and cause damage or information disclosure. This defense has three levels of protection: low, medium and high. The definitions for these three levels are conveniently displayed as you slide the change bar to select a different mode in SmartDashboard.
Shell Command Injection
9 VPN-1 Pro rejects HTTP requests containing shell commands inside the URL or body. An attacker can use flaws in the scripting engine to inject malicious commands that will be run directly on the host. This defense has three levels of protection: low, medium and high. The definitions for these three levels are conveniently displayed as you slide the change bar to select a different mode in SmartDashboard.
Cross Site Scripting
10 VPN-1 Pro rejects HTTP requests sent using the POST command that contain scripting code. Attackers can use scripting commands inside URLs and forms to steal an innocent user's identity. This form of stealing is particularly insidious because the administrator and the user do not know they are being tricked. VPN-1 Pro also understands the encoded data sent as part of the URL, which is an alternative way of submitting information. The scripting code is not stripped from the request, but rather the whole request is rejected. The defense has three levels of protection: low, medium and high.
Directory Traversal Attacks
11 Directory traversal attacks allow hackers to access files and directories that should be out of their reach. In many attacks, this leads to running executable code on the web server with one simple URL. Most of the attacks are based on the ".." notation within a file system. VPN-1 Pro blocks requests in which the URL contains an illegal directory request. For example, http://www.server.com/first/second/../../.. is illegal because it goes deeper than the root directory. http://www.server.com/first/second/../ is legal because it is equivalent to http://www.server.com/first/. VPN-1 Pro supports the same capability for URLs that are encoded with Unicode and % encoding.
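The depth check described above, written out as an added illustration (this is not Check Point's code and says nothing about how VPN-1 implements it): the path is %-decoded, then walked segment by segment so that any ".." that would climb above the root rejects the request. The two URLs from the text are included as samples, alongside constructed %XX and %uXXXX variants; the two-round decoding and the thresholds are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample requests: the two URLs quoted in the release note plus
# %-encoded variants of the same climb above the root (expected verdicts).
SAMPLE_URLS = {
    "http://www.server.com/first/second/../../..": False,      # above the root: illegal
    "http://www.server.com/first/second/../": True,             # same as /first/: legal
    "http://www.server.com/first/%2e%2e/%2e%2e/etc/passwd": False,  # %-encoded ".."
    "http://www.server.com/a/..%2f..%2fx": False,               # %-encoded "/" separator
    "http://www.server.com/%u002e%u002e/%u002e%u002e/x": False,  # %uXXXX form
}

PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_path(path: str, rounds: int = 2) -> str:
    """Undo %XX and %uXXXX encoding before looking at the segments.
    Decoding is repeated (assumption: two rounds) so a double-encoded
    "%252e" is still seen as "."; overlong UTF-8 forms are not handled."""
    for _ in range(rounds):
        decoded = unquote(PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), path))
        if decoded == path:
            break
        path = decoded
    return path


def path_is_legal(path: str) -> bool:
    """Walk the decoded path segment by segment, tracking the depth below
    the root. A ".." that would make the depth negative reaches above the
    root, so the request is rejected; "/first/second/../" stays at depth 1."""
    depth = 0
    for segment in decode_path(path).replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return False
        else:
            depth += 1
    return True


def url_is_legal(url: str) -> bool:
    """Apply the check to the path component of a full URL."""
    return path_is_legal(urlsplit(url).path)


def check_samples() -> dict:
    """Return {url: verdict} for the constructed samples."""
    return {url: url_is_legal(url) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print("LEGAL  " if verdict else "BLOCKED", url)
```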
HTTP Format Sizes
12 The sizes of different elements in an HTTP request/response are not limited; this can be used to perform a DoS attack on a web server. In addition, many buffer-overflow attacks require a considerably large buffer to be sent to the web server. It is good security practice to limit these buffers. This reduces the chance of buffer overruns and limits the size of code that can be inserted using the overflow. This defense provides the ability to impose a limit on the following elements:
• Maximum URL length
• Maximum Header length
• Maximum number of headers
• Specific header length, by giving a regular expression to describe the header name and value.
The maximum allowed length is adjustable using SmartDefense.
Blocking Non-ASCII Characters Request
13 VPN-1 Pro blocks non-ASCII characters (those outside the 32-127 range) in the HTTP request/response headers. Other than the fact that the HTTP RFC does not allow binary characters anywhere in the HTTP headers, blocking them is good security practice because executables and buffer-overrun exploits usually need binary characters. The defense can be turned on using SmartDefense, in the Request\Response Headers section of the ASCII Only Request window.
Allowed HTTP Methods
14 The HTTP RFC allows a restricted set of standard HTTP methods (GET, PUT, HEAD, POST). Many of the non-standard methods have a very bad security record and so, by default, they are blocked. WebDAV methods are blocked by default but can be added either as a group or individually. Other methods that are blocked by default can also be added individually.
Header Rejection
15 A web server or application parses not only the URL, but also the rest of the HTTP header data. Wrong parsing can lead to buffer overrun attacks and other vulnerabilities. Such attacks, while RFC compliant, can be blocked using signatures that are defined using regular expressions.
HTTP Header Spoofing
16 One of the first steps an attacker takes before attacking a web site is to fingerprint it: the attacker analyzes the web server's response in order to gather as much information as possible about it. Some information in the response is redundant; this defense removes such information by either removing the relevant header or changing its value. The relevant headers are defined in SmartDefense using regular expressions for name and value, and each header can be stripped (removed) or replaced.
Voice over IP (VoIP)
17 Supported SIP RFCs and Standards
• 3372 (SIP-T)
• 3311 (Update message)
• SIP over TCP
18 Supported SIP Advanced Features
• Call forwarding capabilities
• Forward on busy
• Forward on no answer
• Find me, Follow me
• Forward unconditional
• Registration timeout configuration
• Third party registration
• Proxy failover
• DoS Protection. A maximum number of new VoIP sessions that can be initiated per minute from a specific IP address can be set. This feature is not enforced for Proxies or IP addresses on the White List.
19 Supported H.323 RFCs and Standards
• H.323 V.2, V.3, V.4
• H.234 V.3, V.5, V.7
• H.225 V.2, V.3, V.4
20 Supported H.323 Network Configurations when NAT is in use
• Gatekeepers, Gateways and PBX can be installed using Static NAT in the external network, internal network or DMZ.
• Incoming calls to Hide NAT are supported.
• H.323-PSTN gateways can be installed anywhere using either Static or Hide NAT.
21 Advanced H.323 features
• FastStart and NAT support.
• H.245 Tunneling and NAT support.
• DoS Protection. A maximum number of new VoIP sessions that can be initiated per minute from a specific IP address can be set.
22 MGCP service - Support for the MGCP protocol, including:
• Dynamic management of RTP sessions (open data connection dynamically)
• Analysis and enforcement of message states
• Verification of existence and correctness of call parameters
• Keep call state for each call
• Enforcement of call hand-over
• Logging of call information, and reporting of security vulnerabilities
Sample Attack or vulnerability - call denial-of-service, call hijacking, fooling a billing service
Getting Here - Configure a VoIP domain, then in SmartDashboard select SmartDefense > Application Intelligence > VoIP > MGCP. Use the MGCP services in the Security rule base.
23 Advanced MGCP features: DoS Protection. A maximum number of new VoIP sessions that can be initiated per minute from a specific IP address can be set.
24 Skinny Client Control Protocol (SCCP) - VPN-1 supports the SCCP protocol, including:
• Dynamic management of RTP sessions (open data connection dynamically)
• Analysis and enforcement of message states
• Verification of existence and correctness of call parameters
• Keep call state for each call
• Enforcement of hand-over domains
• Logs call information, report security vulnerabilities
Sample Attack or vulnerability - Call denial-of-service, call hijacking, fooling a billing service
Getting Here - Configure a VoIP domain, then in SmartDashboard select SmartDefense > Application Intelligence > VoIP > SCCP. Use the SCCP service in the Security rule base.
25 Advanced SCCP features: DoS Protection. A maximum number of new VoIP sessions that can be initiated per minute from a specific IP address can be set.
Network Security
Port Scanning
26 Port Scanning detects scanning attempts in real-time (during packet processing). Scans are detected whether they are perpetrated by a single host or several (distributed scans). The feature detects two types of scans:
• scans aimed at detecting all services that a given computer runs (host port scan), and
• scans aimed at detecting the computers in a given network running a certain service (sweep scan).
This feature is useful in detecting worms such as Welchia that scan networks in order to spread themselves.
Sample Attack or vulnerability - Welchia worm
Getting Here - In SmartDashboard select SmartDefense > Network Security > Port Scan Detections
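The two scan types described above, as an added example over a constructed connection log (this is illustration code, not Check Point's detection logic): a host port scan is one source touching many distinct ports on one host, and a sweep is one port probed across many hosts, counted across all sources so that splitting the sweep between several scanners (the distributed case) is still caught. The thresholds, window length and addresses are assumptions.

```python
from collections import defaultdict

# Constructed connection attempts as (time_s, src, dst, dst_port), the view a
# gateway has during packet processing: one source walking 15 ports on one
# host, three sources sharing a sweep of port 135 across 12 hosts (the
# distributed case), and two ordinary web connections as background.
SAMPLE_EVENTS = (
    [(float(i), "10.0.0.5", "192.168.1.10", 21 + i) for i in range(15)]
    + [(20.0 + i, src, "192.168.1.%d" % (100 + 4 * k + i), 135)
       for k, src in enumerate(("10.0.0.7", "10.0.0.8", "10.0.0.9"))
       for i in range(4)]
    + [(40.0, "10.0.0.20", "192.168.1.10", 80),
       (41.0, "10.0.0.20", "192.168.1.11", 80)]
)

HOST_SCAN_PORTS = 10   # assumed threshold: distinct ports on one host
SWEEP_SCAN_HOSTS = 10  # assumed threshold: distinct hosts on one port
WINDOW_S = 60.0        # assumed sliding window


def max_distinct_in_window(hits, window):
    """hits: time-sorted (t, value) pairs. Largest number of distinct values
    that fall inside any span of `window` seconds starting at a hit."""
    best = 0
    for i, (t0, _) in enumerate(hits):
        seen = {v for t, v in hits[i:] if t - t0 <= window}
        best = max(best, len(seen))
    return best


def detect_scans(events, host_ports=HOST_SCAN_PORTS,
                 sweep_hosts=SWEEP_SCAN_HOSTS, window=WINDOW_S):
    """Return alert tuples. A host port scan is one source touching at least
    host_ports distinct ports on one destination inside the window. A sweep
    is one port probed on at least sweep_hosts distinct destinations inside
    the window; it is counted across all sources, so a distributed sweep
    that spreads the probes over several scanners is still detected."""
    by_pair = defaultdict(list)   # (src, dst) -> [(t, port)]
    by_port = defaultdict(list)   # port -> [(t, dst)]
    for t, src, dst, port in sorted(events):
        by_pair[(src, dst)].append((t, port))
        by_port[port].append((t, dst))
    alerts = []
    for (src, dst), hits in sorted(by_pair.items()):
        n = max_distinct_in_window(hits, window)
        if n >= host_ports:
            alerts.append(("host-port-scan", src, dst, n))
    for port, hits in sorted(by_port.items()):
        n = max_distinct_in_window(hits, window)
        if n >= sweep_hosts:
            alerts.append(("sweep-scan", port, n))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_EVENTS):
        print(alert)
```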
DShield Storm Center
27 Automatic integration in the rule base with the SANS Storm Center. SANS monitors the top malicious sources in the Internet. This feature allows both the updating of SANS with malicious hosts detected by VPN-1 Pro and the ability to block hosts known to be malicious by SANS automatically. This offers protection from Distributed Denial of Service (DDOS) at the Firewall and further "upstream" by other Check Point customers.
Sample Attack or vulnerability - Code Red or any DDOS attack.
Getting Here - In SmartDashboard, select SmartDefense > Network Security > DShield Storm Center > Report to DShield
DNS Security
DNS Verification
28 VPN-1 enforces the DNS protocol on DNS UDP and TCP traffic ensuring that the traffic that crosses the Firewall is valid DNS traffic.
The RFC-defined header-size, domain and FQDN (Fully Qualified Domain Name) syntax are enforced. This protects clients and servers from buffer overruns.
VPN-1 enforces the proper content of the header (Z flag, QR bit, OPCODE), Resource Records counters and formats. This includes:
• enforcing a domain's proper syntax on queries and responses,
• enforcing proper format of the TYPE values, and
• enforcing format of Inverse Queries.
In addition, VPN-1 verifies that every response matches a certain request by the session ID.
UDP Protocol Enforcement
29 DNS protocol inspection, supporting RFCs 1034/1035 (General), 1996 (Notify), 2136 (Update), 2317 (classless delegation), 2535 (DNS security extensions), 2671 (EDNS0) and draft-ietf-dnsext-axfr-clarify-05. Enforcement covers lengths, counters, header flags, proper domain format, Resource Record formats, response matching a previous request and bounds checking, with type and domain logging.
Sample Attack or vulnerability - Trojan Horses, DNS cache poisoning
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Protocol Enforcement, and enable UDP Protocol Enforcement.
TCP Protocol Enforcement
30 Inspect DNS over TCP - In addition to the UDP capabilities mentioned above, inspect TCP zone transfer traffic.
Sample Attack or vulnerability - Trojan Horses, DNS cache poisoning
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Protocol Enforcement, and enable TCP Protocol Enforcement.
Defense Against Cache Poisoning
31 ID scrambling - Some DNS implementations use trivial, easily predicted transaction IDs and source ports for their DNS queries; this allows hackers to craft spoofed response packets that poison the DNS server's cache. VPN-1 tracks each request and randomizes the transaction ID and source port of outgoing queries using strong cryptographic algorithms. Replies are validated to have matching query entries.
Sample Attack or vulnerability - DNS cache poisoning
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Cache Poisoning > Scrambling.
32 Birthday-Attack Defense- An attacker sends many simultaneous queries to the attacked server, triggering it to issue many queries to external servers, which the attacker then spoofs the replies for. If a spoofed reply matches one of the server's requests, the result may be poisoning the server's cache; because of the birthday paradox, the chances of a spoofed reply to match a server request are high. This defense prevents external queries to internal DNS servers if the DNS server is not authoritative for the queried domain.
Sample Attack or vulnerability - DNS birthday attack
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Cache Poisoning > Drop Inbound Requests.
33 Excessive ID Mismatch Detection - DNS cache poisoning attacks (especially the "Birthday Attack") usually have a by-product of many mismatching DNS replies in a short time. An excessive number of DNS replies that do not have a matching query can indicate a cache-poisoning attack. VPN-1 generates a special alert when thresholds of mismatched replies in a specified duration of time are surpassed. These thresholds are configurable (the default is 50 replies over 5 seconds), and administrators can be notified in a variety of manners (log, email, SNMP trap or one of three User Defined Actions).
Sample Attack or vulnerability - DNS cache poisoning
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Cache Poisoning > Mismatched Replies.
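The ID scrambling in item 31 and the mismatched-reply threshold in item 33 fit together in one mechanism; the added example below (illustration code, not Check Point's implementation) keeps a table of in-flight queries keyed by a randomized (ID, port) pair, drops any reply with no entry, and raises an alert once 50 unmatched replies arrive inside 5 seconds (the defaults quoted above). The simulated flood of spoofed replies guessing a fixed port and sequential IDs, the client address and the port range are constructed assumptions.

```python
import secrets
import time
from collections import deque

MISMATCH_THRESHOLD = 50   # default quoted in the release note: 50 replies
MISMATCH_WINDOW_S = 5.0   # ... over 5 seconds


class DnsScrambler:
    """Tracks outgoing DNS queries, replaces their transaction ID and source
    port with unpredictable values, and validates replies against that table.
    Replies with no matching entry are dropped and counted in a sliding
    window; reaching the threshold raises one alert per burst."""

    def __init__(self, threshold=MISMATCH_THRESHOLD, window=MISMATCH_WINDOW_S,
                 clock=time.monotonic):
        self.pending = {}          # (wire_id, wire_port) -> (client, orig_id, orig_port)
        self.mismatches = deque()  # timestamps of unmatched replies
        self.threshold = threshold
        self.window = window
        self.clock = clock
        self.alerts = 0

    def outbound(self, client, orig_id, orig_port):
        """Called for a query leaving the protected resolver. Returns the
        (id, port) pair to put on the wire; the original pair is kept so the
        matching reply can be rewritten back for the client."""
        while True:
            wire_id = secrets.randbelow(1 << 16)
            wire_port = 1024 + secrets.randbelow(65536 - 1024)   # assumed port range
            if (wire_id, wire_port) not in self.pending:
                break
        self.pending[(wire_id, wire_port)] = (client, orig_id, orig_port)
        return wire_id, wire_port

    def inbound(self, reply_id, reply_port):
        """Called for a reply arriving from outside. Returns the stored
        (client, orig_id, orig_port) to forward to, or None to drop it."""
        entry = self.pending.pop((reply_id, reply_port), None)
        if entry is None:
            self._record_mismatch()
        return entry

    def _record_mismatch(self):
        now = self.clock()
        self.mismatches.append(now)
        while now - self.mismatches[0] > self.window:
            self.mismatches.popleft()
        if len(self.mismatches) >= self.threshold:
            self.alerts += 1
            self.mismatches.clear()   # one alert per burst, then start counting again


def simulate_blind_flood(n_pending=20, n_spoofed=60):
    """Constructed scenario: n_pending queries are in flight and an attacker
    who assumes a fixed source port of 53 and sequential IDs sends n_spoofed
    replies 10 ms apart. Returns (alerts raised, spoofed replies accepted,
    whether every genuine reply was still accepted afterwards)."""
    now = [0.0]
    scrambler = DnsScrambler(clock=lambda: now[0])
    on_wire = [scrambler.outbound("10.1.1.5", orig_id=i, orig_port=53000 + i)
               for i in range(n_pending)]
    accepted_spoofed = 0
    for guess_id in range(n_spoofed):
        now[0] += 0.01
        if scrambler.inbound(guess_id, 53) is not None:
            accepted_spoofed += 1
    genuine_ok = all(scrambler.inbound(i, p) is not None for i, p in on_wire)
    return scrambler.alerts, accepted_spoofed, genuine_ok


if __name__ == "__main__":
    print(simulate_blind_flood())
```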
Domains Block List
34 Damaging or malicious traffic can sometimes be characterized by the DNS domain it is trying to reach. In VPN-1 you can now maintain a block-list of DNS domains. Queries for the domains in the block-list are blocked. This method is effective for blocking traffic to a domain when the destination IP address also hosts other sites besides the prohibited one: unlike blocking the destination in the Security rule-base, it keeps the safe domains reachable while keeping the unsafe one out.
Sample Attack or vulnerability - Undesired traffic to a site characterized by its domain.
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Domains block-list.
Check Point Active Streaming
35 The new Active Streaming technology enhances the streaming capabilities that already exist in VPN-1 to new levels of inspection. Check Point Active Streaming reassembles TCP segments, enabling inspection of complete protocol units before any of them reach the client or server.
Application Intelligence for Additional Protocols
36 POP3 and IMAP - VPN-1 can verify that the username entered for reading mail using POP3 or IMAP is similar to the username entered for VPN authentication and/or for UserAuthority authentication. In addition, protocol validation, including blocking of binary data, is performed on the username and on other protocol elements.
Sample Attack or vulnerability - Restrict a user from reading another user's mail.
Getting Here - In order to configure username verification, define the gateway object as a Mail Server, then edit the Mail Server page of the object, and enable the property Verify username with VPN tunnel user.
37 Block Peer to Peer Applications - Peer to peer applications use their own proprietary protocols, which use arbitrary port numbers, and therefore are hard to block using standard methods (such as via the Security rule base). These applications can cause a variety of problems. VPN-1 can block the common peer to peer applications, including Kazaa, eDonkey and Gnutella, and gives administrators the opportunity to exclude specific ports and network objects from peer to peer detection.
Sample Attack or vulnerability - Exposing private data, exposing the network to viruses and Trojan horses, wasting CPU time, exploiting storage and bandwidth resources, wasting employees' time and raising legal issues (piracy and intellectual property rights).
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > Peer to Peer
38 DCE-RPC - DCE-RPC is a protocol for calling a procedure on a remote machine as if it were a local procedure call. The protocol uses a Universal Unique Identifier (UUID) to connect remote machine Interfaces. Many DCE-RPC attacks are based on malformed or objectionable DCE-RPC traffic.
VPN-1's DCE-RPC packet verification prevents DoS attacks and exploits. VPN-1 performs this protocol validation by authorizing DCE-RPC UUIDs and opening high ports dynamically only if the UUID is allowed and the protocol flow is not violated.
Sample Attack or vulnerability - Blaster Worm, Spike
Getting Here - Enabled by default in VPN-1’s DCE-RPC enforcement.
39 DCOM Protocol Validation - Recent attacks against DCOM are based on malformed DCOM traffic on port 135. VPN-1 allows DCOM communication and traffic for the UUIDs needed by DCOM, but prevents the Blaster and other attacks.
Sample Attack or vulnerability - The Blaster attack creates buffer overflow on DCOM server on port 135
Getting Here - Enabled by default in VPN-1’s DCE-RPC enforcement.
40 SNMP Version Enforcement - SNMPv3 is much more secure than earlier versions. VPN-1 will verify that all SNMP traffic is from version 3. The default is set to allow all SNMP traffic but if you switch to SNMPv3, all traffic from earlier versions is blocked.
Sample Attack or vulnerability - SNMPv2 trivial communities; data is not encrypted, poor authentication mechanisms.
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > SNMP and enable Allow only SNMPv3 traffic.
41 Communities Block-list - Common network devices have default well-known community strings. These communities are often not disabled, and thus expose a vulnerability by leaving an easy way to create unauthorized SNMP access to the machine. VPN-1 enforces an SNMP domain block-list, blocking SNMPv2 and earlier connections that use these trivial community strings.
Sample Attack or vulnerability - SNMPv2 trivial communities
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > SNMP and enable Drop requests with default community strings for SNMPv1 and SNMPv2.
42 MS-SQL - An administrator can now block the Slammer worm on the SQL monitoring UDP protocol by looking for pre-defined patterns.
Sample Attack or vulnerability - Slammer worm
Getting Here - In SmartDashboard, include the service MSSQL_Resolver in any access rule in the Security rule base.
Malicious Activity Prevention
43 Malicious Code Protector - Most HTTP worms and exploits take advantage of buffer overflow vulnerabilities. Such a vulnerability is generally the result of mishandling input length. An attacker can exploit it by sending an oversized buffer, which the application copies on top of the smaller buffer, thus corrupting memory. This memory corruption might lead to any of the following:
• abrupt application termination
• a denial of service
• in the event of a well-crafted attack, malicious code execution
Malicious Code Protection is a Check Point patent-pending technology that blocks hackers from sending malicious code to target servers and applications. It can detect malicious executable code within communications by identifying not only the existence of executable code in a data stream but its potential for malicious behavior. Malicious Code Protection is a kernel-based protection delivering wire-speed performance. Its core functions are:
• Monitor communication for potential executable code
• Confirm the presence of executable code
• Identify if the code is malicious
• Block malicious executable code from reaching target host
It is important to understand that this defense does not rely upon pattern detection, which means it can stop both known and unknown attacks.
Sample Attack or vulnerability - Some common worms: Nimda, CodeRed, and many exploits such as IIS WebDAV exploits.
Getting Here - In SmartDashboard, select Web Intelligence > Malicious Code > Malicious Code Protector.
General
44 DCE-RPC can now communicate over ports other than 135.
45 Multicast traffic can now be allowed or blocked for each multicast group. Configuration is per interface. For example, define a new object called multicast address range, and use it when defining the network topology on the interface.
46 IPv6 security is now supported on the Linux platform.
47 NAT hide can now be defined for PPTP clients.
48 Authentication capabilities have been enhanced to better protect against brute force attacks.
49 It is now possible to disable the logging of anti-spoofing activity of local interfaces and clusters.
50 Individual interfaces can now be configured to accept or block traffic from specific multicast groups.
51 ISP redundancy on the Nokia platform is now supported.
52 ISP Redundancy DNS features can now be configured using SmartDashboard.
53 The SmartDefense service now protects IPv6 networks.
54 SmartDefense update can now traverse web proxy with authentication.
55 It is now possible to define a name for each security rule. The rule name will appear in the logs created by that rule and will persist across policy changes.
56 Enhanced SmartDefense updates infrastructure with improved inspection capabilities.
New Features — VPN
VPN
In This Section
VPN Routing page 14
VPN Tunnel Management page 15
Multiple Entry Point (MEP) and VPN Load Distribution page 15
VPN-1 Clusters page 16
PKI, PKCS page 16
NAT with VPN page 16
VPN-1 Diagnostics (Logging, Monitoring, Planning) page 16
Connectivity page 16
Office Mode page 17
L2TP Clients page 17
Multicast page 17
Route Injection Mechanism (RIM) page 17
VPN Routing
1 To tighten security and enhance granularity of the VPN security policy, enforcement of VPN rules by the direction of a connection is now possible.
For example, it is possible to define in the VPN column:
Source          Destination
Community A     Community B
Community A     Any
Local domain    Community A
Local domain    Remote Access Community
2 OSPF/BGP over VPN is enabled with VPN-1 gateway on SecurePlatform and IPSO. Every VPN tunnel is represented as a virtual adapter, enabling encapsulation of OSPF and BGP traffic. These virtual adapters can be used to establish integrated dynamic routing configurations with the routing domains in the protected networks. In effect this new technology enables unification of all the VPN-protected networks to a unified dynamically adaptable network.
3 Support of Back-up links and On-Demand links is enabled by multiple VPN links between VPN-1 gateways. Multiple VPN links are available when a single VPN-1 gateway is connected to multiple network infrastructures (e.g., multiple ISPs). Two VPN gateways may have several paths of communication that they can use to reach each other. Also new are Link Selection mechanisms, which provide additional methods to resolve a gateway’s IP address, such as defining a fixed IP address to always be used, and defining a DNS name to be resolved, which is most useful for gateways with dynamically allocated IP addresses.
4 GRE is now supported over IPsec in order to interoperate with devices that support dynamic routing over the VPN only with GRE.
5 Wire mode VPN is now available: Internal (safe) VPN connectivity is supported by reducing security checks on VPN traffic.
6 On Linux, SecurePlatform, and SecurePlatform Pro, encrypted packets will now be rerouted again after they are encrypted (and the destination was changed to the gateway IP address). (This behavior already takes place on Nokia platforms.)
VPN Tunnel Management
7 VPN tunnels may now be defined on VPN-1 gateways. The functionality is accessed using the command line interface to the gateway. This extends the interface to external management tools for Check Point gateways.
8 VPN links can now be configured to be “always on.” This feature enables:
• VPN link (tunnel) monitoring - link-properties, link-state, traffic through the link and more.
• Better support of sensitive applications for link setup delays.
• Configuration of Route Injection Mechanism when using MEP.
• Alert upon tunnel failure
9 SmartView Monitor can now monitor VPN tunnels. SmartViews of VPN tunnel properties and status, both for site to site and for remote access VPN, are now available.
Multiple Entry Point (MEP) and VPN Load Distribution
10 For site to site VPN, Explicit MEP configuration is now available at the center of a star community. There are several methods to connect to the MEP gateway, including explicit priority among entry points (which is independent of the VPN domain definition of entry points). For Remote Access VPN, the old MEP configuration still exists.
VPN-1 Clusters
11 By enabling the new Sticky Decision Function, ClusterXL Load Sharing now supports:
• VPN routing of third party gateways that require stickiness
• SecureClient Visitor mode
• SSL Network Extender clients
• L2TP and Nokia clients
Support for these features requires certain additional configuration. Consult the ClusterXL guide for more details.
PKI, PKCS
12 Internal CA diagnostics are now available through SmartView Monitor.
13 Internal CA enhancements include:
• Certificate enrollment using PKCS10 is available.
• Generate certificate - as PKCS12 (used in CAPI token)
• Additional, configurable level of administration privileges
14 Certificate enrollment to a VPN-1 module using SCEP and CMP protocols is now available.
15 Online Certificate Status Protocol (OCSP) is now supported.
16 An existing CA certificate can now be replaced with a newer one in a VPN-1 system, provided that the new certificate has the exact same pair of keys as the certificate that it is replacing.
NAT with VPN
17 SecureClient now supports NAT-T.
VPN-1 Diagnostics (Logging, Monitoring, Planning)
18 The usability of VPN activity logs has been enhanced.
Connectivity
19 SecuRemote/SecureClient can now resolve the address of the remote gateway by using one of the following link selection methods:
• Main IP / Single IP
• Topology calculation
• RDP probing, which allows the possibility of configuring the primary interface and manual IP list for probing.
20 The encryption domain of the gateway can now be defined differently for site-to-site VPN, and for remote access VPN.
21 Third party DAIP gateways and externally managed DAIP gateways are now supported with certificate authentication.
Office Mode
22 Office Mode assignment can now be used to access other gateways in the site.
23 A RADIUS server can now be used for Office Mode IP assignment.
L2TP Clients
24 Legacy authentication schemes, such as Check Point password, OS password, RADIUS, LDAP, TACACS, etc., are now supported for L2TP clients.
Multicast
25 Through the use of VPN Virtual interfaces, multicast traffic can now be encrypted and passed through VPN tunnels.
Route Injection Mechanism (RIM)
26 RIM is now supported both with and without MEP. It can be configured under the Tunnel Management page on the community.
New Features — SecuRemote/SecureClient
SecuRemote/SecureClient
In This Section
NAT with VPN page 18
User Experience page 18
Connectivity page 18
Office Mode page 19
Desktop Security page 19
Secure Configuration Verification (SCV) page 19
Windows - XP-specific Issues page 20
Miscellaneous page 20
SecureClient Software Distribution Server (SDS) page 20
NAT with VPN
1 SecureClient now supports NAT-T.
User Experience
2 SecuRemote/SecureClient user interface now supports the following languages: English, French, Italian, German and Spanish.
3 The Hotspot Registration feature now limits the number of unsuccessful registration attempts and disables registration IP addresses once the client connects.
Connectivity
4 In MEP configuration, the client MEP decision can be disabled, in which case the client connects to the gateway specified in the profile.
5 In an MEP configuration, a backup gateway can be specified in a centrally managed connection profile. If so specified, and the primary gateways are unreachable, SecuRemote/SecureClient connects to the specified backup gateway and does not perform an MEP decision.
6 The encryption domain of the gateway can now be defined differently for site-to-site VPN, and for remote access VPN.
7 SecuRemote/SecureClient can now resolve the address of the remote gateway by using one of the following link selection methods:
• Main IP / Single IP
• Topology calculation
• RDP probing, which allows the possibility of configuring the primary interface and manual IP list for probing.
Office Mode
8 Office Mode assignment can now be used to access other gateways in the site.
9 A RADIUS server can now be used for Office Mode IP assignment.
10 VPN-1 Pro gateway DHCP requests can now carry client attributes that let a DHCP server tell Office Mode clients apart. The attributes are pre-configured in the client-side operating system and can be used by DHCP servers when allocating IP addresses. VPN-1 Pro gateway DHCP requests can contain the following attributes:
• Host Name
• Fully Qualified Domain Name (FQDN)
• Vendor Class
• User Class
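As an added example (not Check Point code), the following Python shows how these four attributes are carried on the wire in the DHCP option field, and how a DHCP server reads them back to pick an address pool. Option codes and layouts follow RFC 2132 (Host Name 12, Vendor Class 60), RFC 3004 (User Class 77) and RFC 4702 (Client FQDN 81); the client values and the pool table are constructed for illustration.

```python
# Added example, not Check Point code. Encodes and decodes the DHCP client
# attributes a VPN-1 Pro gateway can pass on for an Office Mode client, and
# shows the server-side decision they enable. Option codes/layouts: RFC 2132
# (12, 60), RFC 3004 (77), RFC 4702 (81). Client values and POOL_BY_VENDOR_CLASS
# are constructed for illustration.

OPT_PAD, OPT_END = 0, 255
OPT_HOST_NAME, OPT_VENDOR_CLASS, OPT_USER_CLASS, OPT_CLIENT_FQDN = 12, 60, 77, 81

# Constructed server policy: vendor class -> address pool (not a real Check Point table).
POOL_BY_VENDOR_CLASS = {"VPN-1 OfficeMode": "10.20.30.0/24"}


def _tlv(code, payload):
    """One DHCP option: 1-byte code, 1-byte length, payload (length must fit a byte)."""
    if not 0 < len(payload) < 256:
        raise ValueError(f"option {code}: payload length {len(payload)} not in 1..255")
    return bytes([code, len(payload)]) + payload


def encode_client_options(host_name, fqdn, vendor_class, user_classes):
    """Build the option field (after the magic cookie) carrying the four attributes."""
    out = bytearray()
    out += _tlv(OPT_HOST_NAME, host_name.encode("ascii"))
    # RFC 4702 option 81: flags byte (S=1: client asks the server to update the
    # A record; E=0: name is plain ASCII), RCODE1 and RCODE2 are 0 when sent by
    # the client, then the domain name.
    out += _tlv(OPT_CLIENT_FQDN, bytes([0x01, 0x00, 0x00]) + fqdn.encode("ascii"))
    out += _tlv(OPT_VENDOR_CLASS, vendor_class.encode("ascii"))
    # RFC 3004 option 77: a sequence of length-prefixed class strings.
    uc = b"".join(bytes([len(c)]) + c.encode("ascii") for c in user_classes)
    out += _tlv(OPT_USER_CLASS, uc)
    out.append(OPT_END)
    return bytes(out)


def decode_options(field):
    """Parse an option field into {code: raw payload}; honours PAD, stops at END."""
    opts, i = {}, 0
    while i < len(field):
        code = field[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        payload = field[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"option {code}: truncated payload")
        opts[code] = payload
        i += 2 + length
    raise ValueError("option field has no END marker")


def parse_user_classes(payload):
    """Split an RFC 3004 payload into its class strings, rejecting bad lengths."""
    classes, i = [], 0
    while i < len(payload):
        n = payload[i]
        chunk = payload[i + 1:i + 1 + n]
        if n == 0 or len(chunk) != n:
            raise ValueError("malformed user class list")
        classes.append(chunk.decode("ascii"))
        i += 1 + n
    return classes


def client_identity(field):
    """What the DHCP server sees: the four attributes as strings, plus the pool it picks."""
    opts = decode_options(field)
    fqdn_payload = opts.get(OPT_CLIENT_FQDN, b"")
    identity = {
        "host_name": opts.get(OPT_HOST_NAME, b"").decode("ascii"),
        "fqdn": fqdn_payload[3:].decode("ascii") if len(fqdn_payload) > 3 else "",
        "vendor_class": opts.get(OPT_VENDOR_CLASS, b"").decode("ascii"),
        "user_classes": parse_user_classes(opts.get(OPT_USER_CLASS, b"")),
    }
    identity["pool"] = POOL_BY_VENDOR_CLASS.get(identity["vendor_class"])
    return identity


if __name__ == "__main__":
    wire = encode_client_options("laptop17", "laptop17.corp.example",
                                 "VPN-1 OfficeMode", ["finance", "remote"])
    print(wire.hex())
    print(client_identity(wire))
```

The decoder is deliberately strict: a length byte that runs past the end of the field, or a missing END marker, raises instead of silently returning partial attributes, since a DHCP server that keys pool selection on these values must not act on a truncated option.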
Desktop Security
11 When policy expiration is enabled and SecureClient is connected, it will attempt to update policy every expire_time/2. If it fails to update the policy, SecureClient will not revert to the default policy.
12 Desktop security rules now support RADIUS groups.
13 Policy server logon is by default set to the Policy Server on the gateway to which you connect. Centrally managed profiles can be configured to direct logons to a different Policy Server. Perform the following:
1 Specify the Policy Server in the profile.
2 Use the dbedit database tool to set the property use_profile_ps_configuration to true.
Secure Configuration Verification (SCV)
14 When enforcing Secure Configuration Verification on simplified mode VPN (VPN-1 communities), specific hosts and services may be defined as exceptions to the rule (e.g., to allow anti-virus updates, even if the client machine is not verified).
15 SecuRemote (which does not support SCV) can be regarded as verified when SCV is enforced. To enable this, set scv_allow_sr_clients to true in userc.c (by default this value is false). This global flag can be overridden by the administrator by setting the matching flag in the topology, using the dbedit tool.
16 OS Monitor is now supported on Windows 2003 Server.
17 The operator greater than (>) is supported in signature file comparison in AntiVirus monitor.
18 ZoneAlarm Pro antivirus signatures version validation is supported for AntiVirus monitor.
19 The following enhancements for SCV monitors are now available:
• You can now check keys under HKCU, HKU and HKLM in the Registry Monitor
• While in Secure Domain Logon (SDL), each check under the Registry Monitor, OS Monitor and Browser Monitor can be disabled.
Windows - XP-specific Issues
20 Improved integration with Windows XP SP2 Firewall.
Miscellaneous
21 The following R56 local attributes can now be centrally managed:
• Hotspot registration configuration
• Disconnect_when_in_enc_domain
• Simplified_client_route_all_traffic
22 SecureClient now reports the following parameters to User Monitor:
• OS version, Client version and build
• last known SCV failure reason
23 Secure Domain Logon (SDL) is by default not part of the Windows logon procedure when the client machine is inside the encryption domain. To force SDL when inside the encryption domain, use the Windows Registry editor to set the DWORD value SdlIgnoreEncDomain to 0 under HKLM\Software\CheckPoint\SecuRemote.
24 VPN-1 Pro now enforces the number of licensed remote access connections: the number of SecuRemote connections allowed by the gateway size plus the number of SecureClient licenses.
SecureClient Software Distribution Server (SDS)
25 The SDS server and the SDS agent are no longer part of the SecureClient product.
Integrity
1 Integrity Product Family achieves Total Access Protection for all PCs that connect to your network. Check Point Integrity endpoint security products ensure that both employee and guest users' PCs are secure before they're granted network access. By stopping worms, spyware, and hacker attacks, Integrity maintains business continuity, supports regulatory compliance, and protects you against financial loss due to endpoint attacks.
2 Integrity client and server software secures all networked PCs by centrally managing proactive defenses and enforcing policy compliance.
3 Integrity for Linux offers enterprises easy-to-manage endpoint security for the growing number of Linux workstations, providing sophisticated attack protections coupled with centralized policy deployment and reporting.
4 Integrity SecureClient unites the complementary strengths of VPN-1 SecureClient and Integrity to deliver the most advanced remote access, endpoint security, and access policy enforcement.
5 Integrity Clientless Security mitigates risks posed by employee and guest endpoints accessing enterprise resources via the Web. It delivers spyware disablement, ensures session confidentiality, and enforces network access policy.
6 Integrity Desktop delivers preemptive protection against the latest worms, viruses, spyware, and hacker attacks.
SSL Network Extender
1 The SSL Network Extender is now centrally managed, and can be configured in SmartDashboard.
2 SSL Network Extender now supports SecurID New PIN mode and password changes for RADIUS and LDAP authentication servers.
3 SSL Network Extender now supports ICS.
4 SSL Network Extender clients are supported on ClusterXL gateways in Load Sharing mode when the Sticky Decision Function is enabled.
5 SSL Network Extender now supports Integrity Clientless Security (ICS) version 3.0, including Integrity Secure Browser (ISB).
6 The SSL Network Extender end-user interface can now be customized, as well as localized for the following languages (user-selectable):
• English
• French
• Italian
• German
• Spanish
• Japanese
• Traditional Chinese
• Simplified Chinese
• Portuguese (Brazilian)
• Hebrew
SmartCenter
Cloning Network Objects
1 Networks and Host Nodes can now be “cloned” with a right click. The newly created object has field values in common with the original object.
SmartGroups
2 Groups can be viewed hierarchically in the Objects Tree. Additionally, a new feature in SmartDashboard allows you to configure group conventions. When you do so, SmartDashboard makes suggestions to assign newly created objects to groups based on their name, color or network location.
Tooltips
3 Details about a network object or service, such as IP/port, version, and comment, are now visible within SmartDashboard rule bases without opening the object or service.
Unique Rule Identifier
4 A new feature in SmartView Tracker allows you to open SmartDashboard to the rule that a certain connection matched on. Also, an enhanced rule filter provides the ability to search within SmartView Tracker for other connections that matched on that rule, either by rule number or unique rule ID. A new feature in SmartDashboard allows you to view all logs generated for a certain rule.
Improved Manageability of Administrators
5 In this release, cpconfig allows the definition of just one administrator. Others can be added through SmartDashboard. All cpconfig administrators can be converted to administrators in SmartDashboard by using the $FWDIR/bin/cp_admin_convert tool.
Mandatory Session Description
6 SmartDashboard users can now be compelled to enter a session ID describing the changes they have made. This provides a better ability to track database changes in the audit logs.
GUI Client Disconnect
7 When logging into a SmartCenter Server, an administrator can now disconnect other users who are logged in and locking the database.
Central Management for Connectra
8 Connectra devices are now part of Check Point’s centralized SMART management, integrating security, monitoring, logging, reporting, updating and intelligent information processing in a single interface.
Web-Based Access to SmartCenter — SmartPortal
9 SmartPortal is a web-based management tool providing a centralized view of security policies, network and security activity status, and administrator information. This web-based access to SmartCenter extends the visibility of security policies to groups outside of the IT security team and enables collaborative management of SmartCenter administrators.
VPN-1 Edge
1 VPN-1 Pro now supports VPN-1 Edge devices located behind NAT devices. This is implemented with NAT traversal (UDP port 4500), which encapsulates IKE and IPSec in UDP packets between the VPN-1 Edge device and VPN-1 Pro.
2 Enhanced VPN-1 Edge configuration in SmartDashboard, including:
• time of log generation and forwarding
• time at which the VPN-1 Edge device is updated with new configuration settings
• content filtering (CVP and UFP)
• Unrestricted mode (connections from centrally managed peers that do not undergo access control or NAT)
3 VPN-1 Edge (with firmware 4.5 or higher) is now integrated with Eventia Reporter.
4 Excluded Services are now supported with VPN Communities that contain SofaWare entities.
5 VPN-1 Edge Web UI can now be launched from within SmartDashboard, as follows:
• Select a VPN-1 Edge object in the Objects tree, right click and choose Manage Device in the displayed menu.
• In the VPN-1 Edge Object’s General Properties page, click Configure Edge Using Web Interface.
6 VPN Enhancements: VPN-1 Edge now supports different IKE methods, rules with communities in the VPN column, Multiple Entry Point (MEP) enhancements, shared secrets, excluded services, as well as Link selection.
7 Content filtering for VPN-1 Edge can now be centrally managed from SmartCenter. This can be done using the Content filtering section of the VPN-1 Edge page of the Global Properties, or the Content Filtering page of the VPN-1 Edge object. The configuration includes specifying OPSEC UFP, CVP & SMTP servers, and determining which Edge devices use UFP/CVP.
8 NAT rules can now be configured and installed on VPN-1 Edge gateways. NAT rules can either be manual, by placing a VPN-1 Edge gateway in the Install On column of a NAT rule, or automatic, by choosing a VPN-1 Edge gateway as the Install on gateway in the network object’s NAT page.
9 A High Availability (HA) deployment can now be configured for VPN-1 Edge devices using SmartCenter. Configuring HA for VPN-1 Edge is done in the VPN page of the VPN-1 Edge Gateway Object’s Properties window. Select Use Backup Gateways and specify the (VPN-1 Edge) gateway that will function as the backup gateway.
10 A configuration script can now be added to the VPN-1 Edge object window. This script is downloaded to the VPN-1 Edge device. It controls various features and settings, (for example QoS settings, Wireless Settings).
SmartView Monitor
1 SmartView Monitor has become a new monitoring application that combines the functionality of the following applications:
• SmartView Status
• SmartView Monitor
• User Monitor
In addition it has new capabilities. The GUI is an MDI (Multi-document interface) application that allows users to see side-by-side multiple views of traffic in different aspects.
2 It is now possible to monitor the following elements in SmartView Monitor Traffic Monitoring:
• Traffic by top or specific tunnels
• Traffic by top or specific interfaces
• Packet size distribution
• Traffic by top individual connections
• Connection direction filter
3 Tunnel Monitoring is a new feature that allows the user to view the current gateway to gateway tunnels in the organization. The user can define filters to present specific tunnels, as well as display tunnel state and other properties. The user can also reset a tunnel and drill down to view its traffic.
4 SmartView Monitor now has new ways of presenting traffic monitoring:
• Traffic data can now be presented in a pie graph or in a table.
• After drilling down into data, a back button is now available to undo drill downs.
• Exporting to HTML is now possible.
• Inbound and outbound traffic can now be viewed side by side
5 The various SmartView Status applications have been replaced with Gateway views. SmartView Monitor now presents a table view that displays all gateways and configurable status columns. In addition there is a detail view that allows browser-like drill down.
Eventia Reporter
1 Eventia Reporter Add-On and Eventia Reporter Server can now be installed on a Solaris 64-bit platform.
2 Eventia Reporter is faster than previous versions.
• Report generation - a report based on 20 GB of logs can be generated in little over an hour.
• Log consolidation – the log consolidator can process 32 GB per day (without DNS resolution).
3 Eventia Reporter now provides more flexible and meaningful report content.
• Clearer Reports
Unnecessary details and sections have been removed from the reports. By default, graphs are only created for time/date reports so as to achieve a smaller output.
• Internal filters
Internal filters are displayed for better report comprehension and flexibility. A user can now filter reports based on communication direction, firewall action, VPN-1 fields, email sender/recipient, etc.
4 Consolidator and database management controls have moved from the SmartDashboard and are now integrated in the Reporter Client.
5 When the database grows too large, the Reporter can automatically archive or delete the oldest records. Database maintenance can be defined in terms of database space or record age.
6 Provider-1 now supports log-based reports.
7 Eventia Reporter can now create reports for VPN-1 VSX for all versions including and later than NG with Application Intelligence. Connection to an R60A management server is required.
8 Improved Security Rule support:
• Rule name support: users can now tag rules with names. Names will be displayed in reports and can be used in filters.
• UUID support for rules can be used to track rule usage regardless of their location in the Rule Base.
• Rule Base Activity: the Rule Bases Analysis report includes a section that shows all rules in a policy and their usage.
• Support for Rule Base policies in reports.
SmartUpdate
1 Packages can now be distributed to remote devices and then installed at a later date. This is beneficial in a number of ways:
• The risk of a loss of connectivity during installation is minimized, as the package is delivered to the remote device before the remote install command is issued.
• Upgrade performance is improved, as packages can be transferred in parallel to multiple devices.
• The process is now more efficient, as it can more easily be performed after hours, when the load on the network is less.
• Downtime due to upgrade is reduced.
2 SmartUpdate can now upgrade remote devices to versions earlier than that of the management server. Earlier versions supported are R54, R55, R55W, and R55P, and their respective HFAs.
3 The Upgrade All option in SmartUpdate allows Nokia platforms to be upgraded to any IPSO OS version. To do so, the desired Nokia IPSO OS package must first be added to the SmartUpdate Package Repository and set as the default package, followed by selecting the Upgrade All option.
4 SmartUpdate supports an automatic revert from an unsuccessful upgrade when upgrading SecurePlatform gateways. SmartUpdate creates the image backup before the upgrade starts. Should the Upgrade not complete successfully, the SecurePlatform machine will revert to the backed up image.
5 SmartUpdate supports the CPInfo utility. The CPInfo utility runs on remote gateways and/or the SmartCenter server, and collects information about that machine into a single text file. This text file is fetched and accessible from the GUI machine.
6 The SmartUpdate command line tool can make a snapshot of the SecurePlatform machine. A list of currently available snapshots on a machine can be compiled and used to revert a machine to one of the snapshots.
SmartLSM
1 When defining the VPN Domain for VPN-1 Express/Pro or VPN-1 Edge ROBO Gateways, the user should use the new Topology table available in the SmartLSM GUI (or the parallel capabilities of LSMcli). It is possible to define the VPN Domain for a ROBO Gateway in one of the following ways:
• Use the external IP address of the Gateway only
• VPN Domain includes all of the networks behind the Gateway's internal interfaces (based on topology)
• VPN Domain consists of manually defined IP address ranges.
2 Controlling the settings of internal interfaces of VPN-1 Edge ROBO Gateways is now supported from the centralized SmartLSM management. The following settings can be controlled and enforced on the VPN-1 Edge ROBO Gateway:
• Interface is enabled/disabled
• Interface IP address and netmask
• NAT Hide of the network behind the interface is enabled/disabled
• DHCP server on the interface is enabled/disabled
• Range of IP addresses distributed by the DHCP server
• DHCP server serves as a relay to another external DHCP server
3 It is now possible to launch VPN-1 Edge Portal Web GUI when using context menus of items representing VPN-1 Edge gateways and VPN-1 Edge ROBO Gateways in the SmartLSM main view.
SecurePlatform
Installation
1 SecurePlatform can be installed in two flavors: the regular flavor, and the “SecurePlatform Pro” flavor. SecurePlatform Pro is an enhanced version of SecurePlatform. SecurePlatform Pro adds advanced networking and management capabilities to SecurePlatform such as:
• Dynamic routing
• RADIUS authentication for SecurePlatform administrators
To install “SecurePlatform Pro” select “SecurePlatform Pro” option during the installation.
To convert regular SecurePlatform to SecurePlatform Pro, from the expert mode command line run: “pro enable”.
For information regarding advanced routing, see the “Check Point Advanced Routing Suite” guide.
2 In this release, the SecurePlatform installation allows adding new hardware drivers for mass storage and networking devices, during the installation phase.
3 There is a change in behavior from R55 and earlier SecurePlatform versions. When no key is pressed after the SecurePlatform installation has begun, the installation will be aborted, and the system boots from the hard disk.
General
4 Speed/Duplex settings of Ethernet interfaces can be controlled using the eth_set utility in the command line, or by using the WebUI. The interface settings configured via the WebUI, or via the command line utility will survive reboot and become persistent.
5 The patch add command now supports scp as one of the options, allowing convenient and secure transfer of patch files to SecurePlatform.
6 VPN-1 log files are not included in the backup operation by default.
7 The display of time zones in the command line was changed from the POSIX convention to the commonly accepted convention. For example, for a region located two hours to the east of the GMT region, the time zone will show GMT+2 and not GMT-2, as in earlier versions.
8 During the installation of SecurePlatform, one interface is selected as the management interface. The IP address of this interface cannot be set to 0.0.0.0, as this would disrupt operation of the product. The commands sysconfig and ifconfig enforce this limitation in this release. If a specific interface must receive the IP address 0.0.0.0, a different interface must first be configured as the management interface, and then 0.0.0.0 can be assigned to the specific interface.
9 SecurePlatform now supports platforms using dual AMD Opteron CPUs in 32 bit mode.
Note - SecurePlatform Pro requires a separate license that must be installed on the SmartCenter Server that manages the SecurePlatform Pro enforcement modules.
User Experience
10 Starting with this release, Netscape 7.1 is supported for use with the administration WebUI. This allows using the WebUI from non-Windows systems.
ClusterXL
Configuration
1 ClusterXL has a new (and optional) packet distribution scheme for Load Sharing which is supported with the two Load Sharing modes: Multicast and Unicast. In the new distribution scheme (called “Sticky Decision Function”), a connection that started on a certain cluster member will continue to pass only through that member. The Sticky Decision Function is not supported with Performance Pack or with an Acceleration device.
VPN-1 Clusters
2 ClusterXL Load Sharing now supports SecureClient visitor mode and SSL extender clients when the Sticky Decision Function is enabled.
3 Third party peers can now open VPN tunnels on ClusterXL in Load Sharing mode with the Sticky Decision Function enabled.
4 ClusterXL Load Sharing now supports VPN routing configuration, in which both sides of the connection are encrypted for peer gateways of third parties, such as Cisco, which requires stickiness. This support is limited to when the Sticky Decision Function is enabled, and requires certain additional configuration. Consult the ClusterXL guide for more details.
Supported Features
5 Dynamic routing is now supported in SecurePlatform clusters.
6 Multicast data traffic is supported on ClusterXL in High Availability mode, and in Load Sharing mode under certain conditions. Refer to the Release Notes for more details.
Performance Pack
1 The bge (Broadcom Gigabit Ethernet) interface is now supported on Solaris.
2 SmartView Monitor is now supported by Performance Pack.
3 Dynamic Routing changes are now supported by Performance Pack on SecurePlatform.
VSX
In This Section:
Manageable Versions
Single IP Address for Management
Adding New Members to a Cluster
Upgrading Cluster Members
Backward Compatibility Support
Simplified VSX GUI
Virtual Switch
Virtual System in Bridge Mode
Unnumbered Interface Support
Full Dynamic Routing Capability
VSX Extensions for ClusterXL
NAT Routes
SPLAT Add-Ons & Enhancements
Manageable Versions
1 SmartCenter Server can now manage the following versions of VSX:
• VSX 2.0.1
• VSX NG AI
• VSX NG AI Release 2
• VSX NGX
2 For more information on these releases, please see the documentation at http://www.checkpoint.com/support/technical/documents/index.html.
Single IP Address for Management
In previous versions (VSX 2.0.1, VSX NG AI) the VSX installation process created a default Virtual System called the Management Virtual System (MVS). Instead of the MVS, the VSX gateway object now:
• Handles provisioning and configuration of Virtual Systems and Virtual Routers.
• Manages Gateway State Synchronization when working with clusters.
• Provides a single IP address for communication with the management entities (Provider-1, SmartCenter, LDAP server, RADIUS, TACACS, SNMP). All management communication between the VSX gateway and the management entity takes place via that single IP address; the TCP connection is terminated at the VSX gateway and does not continue to the Virtual Device. In a cluster environment, each cluster is managed through a single IP address, and members of the cluster are automatically assigned IP addresses.
Single IP Address for Cluster Management
In a VSX cluster, only the cluster members require an IP address. This reduces the overall number of IP addresses required to manage the cluster. For example, a VSX system with one hundred Virtual Systems on four cluster members requires only four IP addresses for management, one for each cluster member. The Virtual systems within any cluster member are managed by internally assigned IP addresses.
Adding New Members to a Cluster
In versions previous to VSX NGX, you could not add or remove members from an existing cluster. In NGX, using the command line reconfigure option, new members can be added or removed from an existing cluster. The “Add/remove new members” wizard updates the database with the configuration of the new member. The reconfigure option then pushes the configuration to the new module.
Upgrading Cluster Members
The reconfigure command is also used to upgrade members of a cluster. Once the member module has been upgraded, the configuration of the (pre-upgrade) module, contained in the Management Server database, is pushed back to the new (upgraded) module.
Recovering Failed Modules
The reconfigure script is also used to recover failed modules, for example after a hard disk failure. Once the hard disk has been replaced, a new module installed, and SIC established with the management server, the reconfigure script returns the module's previous configuration (stored in the management database) to the module.
Backward Compatibility Support
Full backward compatibility. From the current NGX release, you can create and manage VSX 2.0.1 and VSX_NG_AI objects.
Simplified VSX GUI
During the creation of a VSX gateway a Virtual System creation template page appears.
FIGURE 0-1 Creation templates
This page provides two networking templates for Virtual Systems:
• Each Virtual System can have its own external and internal interfaces
• All virtual systems have their own internal interface but share a single external interface
The third alternative is not to use one of the templates, but customize each Virtual System according to your VSX deployment.
Choosing a Management Model
The choice of Virtual System creation template also decides the management model for the VSX deployment: whether or not there will be an interface dedicated to the management of the VSX system. Choosing “Template 1”, as shown in FIGURE 0-1, means eth0 (by default) will be reserved exclusively for VSX management traffic. The VSX deployment will have a dedicated management interface (DMI). Choosing “Template 2” results in a non-DMI management model.
Virtual Switch
In previous VSX releases, the only way to share an interface between multiple Virtual Systems, or to connect between Virtual Systems, was through a Virtual Router. The new Virtual Switch allows multiple Virtual Systems to share an interface.
A Virtual Switch provides layer 2 connectivity between Virtual Systems and connectivity to a shared interface. As with a physical switch, each Virtual Switch maintains a forwarding table with a list of MAC addresses and their associated ports. The forwarding decision is made by inspecting the MAC destination address of each incoming packet.
When sharing a physical interface via a Virtual Switch there is no need:
• To allocate an additional subnet for IP addresses of Virtual Systems connected to the switch.
• To manually configure the routing on the routers adjacent to the shared interface.
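As an added example (not the VSX implementation), the following Python models the forwarding logic described above as a learning layer-2 switch: the source MAC of each frame is learned against its ingress port, a known destination is forwarded to exactly one port, and unknown unicast, broadcast and multicast destinations are flooded to every other port. The port names and frames are constructed. The table is capped so that a flood of spoofed source MACs from one Virtual System (the MAC-flooding attack that turns a switch into a hub) evicts old entries instead of growing without bound; the cap and eviction policy are this example's choice, not a documented VSX behaviour.

```python
# Added example, not Check Point's Virtual Switch code: a learning layer-2
# switch with a bounded forwarding table. Port names ("vs1", "vs2", "shared")
# and MAC addresses below are constructed; max_entries and LRU eviction are
# this example's choices, not a documented VSX setting.

from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac):
    """Group bit (LSB of the first octet) set: multicast or broadcast address."""
    return int(mac.split(":")[0], 16) & 1 == 1


class VirtualSwitch:
    def __init__(self, ports, max_entries=1024):
        self.ports = list(ports)
        self.max_entries = max_entries
        self.table = OrderedDict()  # mac -> port, least recently seen first

    def _learn(self, mac, port):
        """Record (or refresh) which port a source MAC was last seen on."""
        if is_multicast(mac):
            return  # never a valid source; do not let it poison the table
        if mac in self.table:
            self.table.move_to_end(mac)
        elif len(self.table) >= self.max_entries:
            # Bounded memory under a MAC-flooding attack: drop the oldest
            # entry. Note this limits memory, not the flooding of traffic for
            # whichever legitimate host was evicted.
            self.table.popitem(last=False)
        self.table[mac] = port  # a host that moved is relearned on its new port

    def forward(self, in_port, src, dst):
        """Return the egress ports for a frame (src -> dst) arriving on in_port."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        self._learn(src, in_port)
        if dst == BROADCAST or is_multicast(dst) or dst not in self.table:
            # broadcast, multicast or unknown unicast: flood, excluding the source port
            return [p for p in self.ports if p != in_port]
        out = self.table[dst]
        # destination is on the same segment it came from: filter, do not loop it back
        return [] if out == in_port else [out]


if __name__ == "__main__":
    sw = VirtualSwitch(["vs1", "vs2", "shared"], max_entries=2)
    a, b = "02:00:00:00:00:01", "02:00:00:00:00:02"
    print(sw.forward("vs1", a, b))      # b unknown -> flooded to vs2 and shared
    print(sw.forward("shared", b, a))   # a was learned on vs1 -> ['vs1']
    print(dict(sw.table))
```

With a realistic table size the cap is never hit by legitimate hosts; the point of the small value in the usage is to make the eviction visible. On a shared external interface, the security-relevant consequence of eviction is that traffic for the evicted host is flooded to every Virtual System on the switch until it is relearned.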
Virtual System in Bridge Mode
When deploying a VSX gateway on an existing network, the need for changing network addresses and routes should be avoided. By providing a Virtual System that implements native layer-2 bridging instead of IP routing, a VSX gateway can be deployed without requiring changes to the existing IP (layer-3) infrastructure - for example on a network set up for dynamic routing. A Virtual System in bridge mode is used to forward traffic at layer 2 between the physical networks.
A typical network connection in such a scenario involves an 802.1q VLAN switch on either side of the VSX gateway. The interfaces of the bridge do not require IP addresses, and the Virtual System in bridge mode remains transparent to the existing IP network.
A Virtual System in Bridge mode:
• Has the same Firewall security capabilities of a Virtual System except for VPN and NAT (NAT modifies layer-3 information)
• Enables easier configuration of Virtual Systems since no IP addresses or specific routing information is required.
• Does not segment an existing network.
Unnumbered Interface Support
To reduce the amount of IP addresses required in a VSX deployment, Virtual Systems within a VSX gateway now support unnumbered interfaces. This is possible where the Virtual System does not require an IP address. For example, when the interface on the Virtual System is connected to a Virtual Router (and Hide NAT or VPN features are not enabled) the interface can be configured as unnumbered.
Full Dynamic Routing Capability
Dynamic Routing (DR) is performed locally on the gateway. Dynamic routing must be switched on manually in the properties page of the VSX gateway. A context-aware CLI command, vrf - connect, then determines to which Virtual System or Virtual Router the dynamic routing applies. First switch DR on through the management GUI, then use the CLI to specify the Virtual Systems and Virtual Routers to which dynamic routing applies.
Supported Dynamic Protocols
Unicast:
• OSPF
• RIP
• BGP
Multicast:
• IGMP
• PIM-SM
• PIM-DM
VSX Extensions for ClusterXL
In a ClusterXL environment, Virtual Systems running in bridge mode are now able to fail over to their peer in the cluster. Provided that the Virtual System is connected to a distinct physical interface or VLAN interface, only the Virtual System fails over, not the member.
The cphaprob diagnostic command has been extended to display additional data when the fail-over per Virtual System feature is enabled.
NAT Routes
A Virtual System can perform Network Address Translation (NAT) just like a physical firewall. When a Virtual System is connected to a Virtual Router and performs Static or Hide NAT to a host on a given network, routes for the NATed addresses have to be forwarded to the Virtual Routers.
The NATed address can be:
• Manually added to the Virtual Router
• Defined on the Virtual System
Hide or Static NAT addresses configured on the Virtual System are automatically forwarded to the Virtual Router to which the Virtual System is directly connected. NATed addresses can be:
• A single IP (for Static NAT)
• A range of addresses (Hide NAT)
• Complete subnets (Hide NAT)
SPLAT Add-Ons & Enhancements
Enhanced CLI
Check Point Dynamic Routing utilizes industry standard commands for configuration. The basic features of the CLI include the following:
• Command line editing and completion
• Context-sensitive help
• Command history
• Disabling/Enabling CLI Tracing
Additional commands have been added for:
• NTP
• DHCP Relay
• Bridge support
NTP
VSX NGX supports the Network Time Protocol (NTP) that is used to synchronize computer clock times in a network of computers. The NTP client initiates a time request exchange with the time server. As a result of this exchange, the client is able to calculate the link delay, its local offset, and adjust its local clock to match the clock at the server's computer.
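As an added example (not Check Point code), the clock arithmetic the paragraph refers to, using the four timestamps of one request/response exchange as defined in RFC 5905: t1 client transmit, t2 server receive, t3 server transmit, t4 client receive. The timestamps and the maximum acceptable delay are constructed; the delay check is this example's sanity filter, not a documented SecurePlatform setting.

```python
# Added example, not Check Point code: the offset/delay computation an NTP client
# performs from one exchange (RFC 5905 section 8). Timestamps in the test are
# constructed; max_delay is an illustrative threshold, not a product setting.


def ntp_offset_and_delay(t1, t2, t3, t4):
    """t1, t4 are read from the client clock; t2, t3 from the server clock.
    Returns (offset, delay): offset is how far the client clock is behind the
    server (positive means the client is slow), delay is the round-trip time
    excluding the server's processing time. Units follow the inputs."""
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return offset, delay


def adjust_clock(local_time, t1, t2, t3, t4, max_delay):
    """Apply the offset only when the round-trip delay is plausible. A sample
    with a negative or very large delay is what a delayed, replayed or
    asymmetrically held packet looks like; it is discarded rather than used
    to step the clock. Returns (new_time, applied)."""
    offset, delay = ntp_offset_and_delay(t1, t2, t3, t4)
    if delay < 0 or delay > max_delay:
        return local_time, False
    return local_time + offset, True


if __name__ == "__main__":
    # Constructed: client clock 3 s slow, 50 ms each way, 10 ms server processing.
    print(ntp_offset_and_delay(1000.00, 1003.05, 1003.06, 1000.11))  # ~(3.0, 0.10)
```

The formula assumes symmetric path delay; an attacker who can delay packets in one direction only shifts the computed offset by half the added delay, which is why the delay bound above is a weak filter and authenticated NTP (or a trusted local server) is the real control.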
DHCP Relay
The sysconfig command now allows the configuration of DHCP Clients and DHCP Servers on different networks.
Ethernet Bridge Utility
A new bridge utility has been added to set up, maintain, and inspect the ethernet bridge configuration in the SPLAT kernel. An ethernet bridge is a device used to connect different ethernets together using the MAC hardware address. Each of the ethernets being connected corresponds to one physical interface in the bridge. These individual physical ethernets constitute a large logical ethernet which is the bridge network interface. With the bridge support utility, the ethernet bridge configuration in the kernel can be maintained and inspected.
Internal Cluster IP Addresses
In a VSX cluster, the ifconfig command now hides the internal cluster addresses, i.e. the addresses of the physical interfaces on each cluster member that are reserved for internal VSX and ClusterXL communication and are allocated from the reserved range 192.168.196.0/22 (netmask 255.255.252.0); that range is therefore not available for other addressing on a VSX cluster. ifconfig displays only the cluster IP address.
New Monitoring Classes for Status Information
For SNMP users, additional status information can be obtained from enforcement modules by taking advantage of additional VSX monitoring classes in the Check Point MIB. For more information see the guide to the Check Point MIB at:
http://www.checkpoint.com/support/technical/documents/index.html
QoS
1 The license for QoS Express should be installed on the SmartCenter server instead of on the Enforcement module. QoS supports licenses for 1, 3 or 5 modules. These licenses should be added via SmartUpdate and then attached to the SmartCenter Gateway Object.
2 QoS is now supported by and can run on the same Enforcement Module that runs Web Intelligence.
UserAuthority
1 UserAuthority now supports outbound identity-based access control for non-TCP connections.
2 User credentials can now be fetched using UserAuthority Servers on other SIC domains.
InterSpect
SmartCenter Server can now manage the following versions of InterSpect:
• InterSpect 1.5
• InterSpect 2.0
• InterSpect NGX
Express CI R60A
In This Section:
Anti Virus Protection page 37
Signature Updates page 37
Continuous Download page 38
Scanning Files page 38
SMTP page 39
POP3 page 39
FTP page 39
HTTP page 39
File Type Recognition page 40
Logging and Monitoring page 40
Scan Failure page 40
Anti Virus Protection
When Anti Virus scanning is enabled, traffic for the selected protocols is trapped in the kernel and forwarded to the security server. The security server forwards the data stream to the Anti Virus engine. The data is allowed or blocked based on the response of the Anti Virus engine.
Anti Virus scanning is applied only to traffic that has been allowed by the Security Policy.
Express CI R60A Anti Virus makes CVP resource configuration obsolete. In cases where both Anti Virus and CVP are used, only Anti Virus will work.
Signature Updates
Automatic updates of the virus signatures can be scheduled at any chosen interval. Manual updates of virus signatures can be initiated at any time.
The following two signature update mechanisms are available. For both mechanisms, the default update interval is 120 minutes:
• Signature redistribution on SmartCenter, by which updates are downloaded only by the SmartCenter Server from the default Check Point signature distribution server, and then redistributed by the SmartCenter Server to all Check Point Express CI R60A gateways. This method is useful when Internet access is not available for all gateways or when it is required that the download only occur once for all the gateways. The gateways communicate only with the SmartCenter, using Secure Internal Communication (SIC).
• Default signature distribution server, by which updates are downloaded directly to the Check Point Express CI R60A gateways. This method will likely result in faster update times, because the gateways get the update from the Check Point signature distribution server as soon as it becomes available. This mechanism is only available for automatic updates. It is not available for manual updates.
Continuous Download
For files that need to be scanned, the Anti Virus engine acts as a proxy: it caches the file, scans it, and only then delivers it to the client.
When large files are being scanned, if the whole file is checked before being made available, the user may experience an unacceptably long delay before the file is delivered. A similar problem may arise when using client applications with short timeout periods (certain FTP clients for example) to download large files. If the whole file is cached and scanned before being delivered, the client applications may time out while waiting.
To address this, Continuous Download trickles information to the client while the Anti Virus scanning is taking place. If a virus is found during the scan, the file delivery to the client is terminated.
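The trickle-and-abort behaviour just described, as an added Python illustration that is not Check Point's engine. The scanner is a constructed substring matcher with a constructed test pattern, and the block also models a constructed list of file types for which trickling is disabled and the whole file is scanned before any byte is delivered:

```python
"""Continuous Download: deliver a file to the client while it is being scanned,
and cut the delivery off if a signature turns up.

Added illustration of the behaviour described above; not Check Point's engine.
The scanner is a constructed substring matcher with a constructed test pattern,
and NO_TRICKLE_TYPES is a constructed list of types a client may open before
the download is complete.
"""
from dataclasses import dataclass

SIGNATURES = [b"SAMPLE-MALWARE-SIGNATURE"]   # constructed test pattern, not a real one
NO_TRICKLE_TYPES = {"pdf", "ppt"}            # fully scan before delivering anything


@dataclass
class DeliveryResult:
    delivered: bytes = b""      # what the client actually received
    completed: bool = False     # whole file delivered
    infected: bool = False      # scan hit; delivery stopped


def scan(window: bytes) -> bool:
    """Constructed scanner: a plain substring match against SIGNATURES."""
    return any(sig in window for sig in SIGNATURES)


def continuous_download(data: bytes, file_type: str, chunk_size: int = 16) -> DeliveryResult:
    """Proxy `data` to the client.

    For types in NO_TRICKLE_TYPES the whole file is cached and scanned first.
    Otherwise each chunk is forwarded as soon as it clears the scanner, so the
    client sees bytes early and does not time out on a large file; if a
    signature is found, delivery stops and the client is left with a truncated
    file rather than the infected remainder.
    """
    result = DeliveryResult()
    if file_type in NO_TRICKLE_TYPES:
        if scan(data):
            result.infected = True
        else:
            result.delivered, result.completed = data, True
        return result

    # Bytes carried over from the previous chunk so a pattern that straddles a
    # chunk boundary is still seen (the part already trickled stays with the client).
    carry = max(len(s) for s in SIGNATURES) - 1
    seen = b""
    for pos in range(0, len(data), chunk_size):
        chunk = data[pos:pos + chunk_size]
        if scan(seen[-carry:] + chunk if carry else chunk):
            result.infected = True
            return result
        seen += chunk
        result.delivered += chunk
    result.completed = True
    return result
```

The result for an infected file shows the trade-off: with trickling, the client already holds the bytes that preceded the detection, which is why types that can be opened partially downloaded are better kept out of Continuous Download.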
It is possible to specify file types for which Continuous Download will not take place. Some file types (such as Adobe Acrobat PDF files and Microsoft PowerPoint) can open on a client computer before the whole file has been downloaded. If Continuous Download is allowed for those file types, and a virus is present in the opened part of the file, it could infect the client computer.
Note - SMTP and POP3 support Continuous Download per the entire email message.
Scanning Files
There are two ways to specify the files to be scanned: Scan By Direction and Scan by IP. In both cases, Anti Virus scanning is performed only on traffic that is allowed by the Security Rule Base.
Scan By Direction
Specifies whether to scan files passing to or from the external, internal and/or DMZ networks.
This method (the default) is an intuitive way of specifying which files will be scanned without having to specify hosts or networks.
Use this method if you wish to scan all traffic in a given direction. It is possible to specify exceptions, that is, locations to or from which files will not be scanned.
Note - Scan By Direction works only when Check Point Express CI R60A is connected as a gateway, and is placed inline between the external and the Internal/DMZ networks. It does not work when Check Point Express CI R60A is connected as a node, in Proxy mode.
In addition, Scan By Direction only works when the Gateway topology is correctly defined.
Scan By IP Address
Scan by IP address allows you to define very precisely which traffic to scan. For example, if all incoming traffic from external networks reaches the DMZ, Scan by IP allows you to specify that only traffic to the FTP, SMTP, HTTP and POP3 servers will be scanned, whereas Scan by Direction scans all traffic to the DMZ.
When choosing to Scan by IP address, you use a Rule Base to specify the source and destination of the data to scan. For FTP, for each rule, you can choose to scan either the GET or PUT methods, or both. For HTTP, for each rule, you can choose to scan either the HTTP Request, or the HTTP Response, or both.
SMTP
For SMTP, Scan by Direction and Scan by IP are essentially the same. Content Inspection for SMTP sends the files (data) in the same direction as the connection. SMTP is used for sending mail. Protocols that are used for receiving email (such as POP3 and IMAP) are not scanned when SMTP is selected.
POP3
Content Inspection for POP3 sends the files (data) in the opposite direction to the connection. POP3 is used for retrieving mail.
FTP
When the FTP GET command is used, files are transferred in the opposite direction to the connection. When the FTP PUT command is used, files are transferred in the same direction as the connection. The Scan files by direction option allows you to scan files without having to consider the direction of the connection.
HTTP
When choosing to scan by IP, the Source and Destination of the connection are specified, and also whether the Request, Response or both will be scanned. This makes it possible to specify what will be scanned in a very precise way.
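The per-protocol direction rules for SMTP, POP3, FTP and HTTP above, together with how Scan By Direction and Scan By IP apply them, as an added Python illustration (not Check Point's implementation). The zone names, addresses, exception networks, rule base and policy are constructed examples:

```python
"""Which way do the *files* travel for a given *connection*?

Added illustration of the SMTP, POP3, FTP and HTTP rules stated above, and of
how Scan By Direction and Scan By IP apply them; not Check Point's implementation.
Zones, addresses, rules and the policy below are constructed examples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, Optional, Set, Tuple

EXTERNAL, INTERNAL, DMZ = "external", "internal", "dmz"


@dataclass(frozen=True)
class Connection:
    protocol: str
    src_ip: str
    dst_ip: str
    src_zone: str
    dst_zone: str
    command: Optional[str] = None   # FTP: GET/PUT, HTTP: REQUEST/RESPONSE


def flows_with_connection(conn: Connection) -> bool:
    """True if the data stream runs from the connection's source to its destination."""
    proto = conn.protocol.upper()
    if proto == "SMTP":            # sender pushes mail: same direction as the connection
        return True
    if proto == "POP3":            # client pulls mail: opposite direction
        return False
    if proto == "FTP":
        if conn.command in ("GET", "PUT"):
            return conn.command == "PUT"      # PUT uploads with, GET downloads against
        raise ValueError("FTP connection needs command GET or PUT")
    if proto == "HTTP":
        if conn.command in ("REQUEST", "RESPONSE"):
            return conn.command == "REQUEST"  # request with, response against
        raise ValueError("HTTP connection needs command REQUEST or RESPONSE")
    raise ValueError(f"{conn.protocol} is not one of the scanned protocols")


def file_endpoints(conn: Connection) -> Tuple[str, str, str, str]:
    """(from_ip, from_zone, to_ip, to_zone) of the file, not of the connection."""
    if flows_with_connection(conn):
        return conn.src_ip, conn.src_zone, conn.dst_ip, conn.dst_zone
    return conn.dst_ip, conn.dst_zone, conn.src_ip, conn.src_zone


def scan_by_direction(conn: Connection, scan_pairs: Set[Tuple[str, str]],
                      exceptions: Iterable[str] = ()) -> bool:
    """Scan By Direction: scan if the file moves along one of the (from, to) zone
    pairs in `scan_pairs`, unless either file endpoint lies in an exception network."""
    from_ip, from_zone, to_ip, to_zone = file_endpoints(conn)
    if (from_zone, to_zone) not in scan_pairs:
        return False
    for net in exceptions:
        network = ip_network(net)
        if ip_address(from_ip) in network or ip_address(to_ip) in network:
            return False
    return True


@dataclass(frozen=True)
class IpRule:
    src: str                   # network in CIDR notation
    dst: str
    protocol: str
    commands: FrozenSet[str]   # FTP GET/PUT or HTTP REQUEST/RESPONSE to scan; empty for SMTP/POP3


def scan_by_ip(conn: Connection, rules: Iterable[IpRule]) -> bool:
    """Scan By IP: the rule base matches on the connection's own source and destination."""
    for rule in rules:
        if (rule.protocol.upper() == conn.protocol.upper()
                and ip_address(conn.src_ip) in ip_network(rule.src)
                and ip_address(conn.dst_ip) in ip_network(rule.dst)
                and (conn.command is None or conn.command in rule.commands)):
            return True
    return False


# Constructed policy: scan every file entering from the external network.
INBOUND_ONLY = {(EXTERNAL, INTERNAL), (EXTERNAL, DMZ)}
```

With the inbound-only policy, an FTP GET from an internal client to an external server is scanned (the file comes in) while a PUT over the same connection is not, and POP3 is scanned while SMTP from the same client is not; Scan By IP ignores the file direction entirely and matches the connection's addresses and the selected commands.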
File Type Recognition
Check Point Express CI R60A has a built-in File Type recognition engine, which positively identifies the types of files passed as part of the connection. This also enables you to define a per-type policy for handling files of a given type.
It is possible to specify “safe” file types that will be allowed to pass through the Check Point Express CI R60A Gateway without being scanned for viruses. It is also possible to configure file types that will be scanned or blocked. The following actions can be configured for each file type:
• Scan performs Anti Virus scanning for files of this type, according to the settings in the different services pages. By default, all unrecognized file types are scanned.
• Block does not allow files of this type. There are file types that are preset to be blocked according to SmartDefense advisories.
• Pass allows files of this type to pass through the Check Point Express CI R60A gateway without being scanned for viruses. Files of this type are considered safe.
File types can be considered safe because they are not known to contain viruses. For example, some picture and video files are considered safe. Other formats can be considered safe because they are relatively hard to tamper with. What is considered safe can change according to published threats, and depends on how the administrator balances security versus performance considerations.
Check Point Express CI R60A reliably identifies binary file types by examining the file type signatures (magic numbers). Check Point Express CI R60A does not rely on the file extension (such as *.GIF) which can be spoofed. It also does not use the MIME headers (such as image/gif) in HTTP and mail protocols, which can also be spoofed.
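Magic-number identification with a per-type Scan/Block/Pass decision, as an added Python illustration (not Check Point's engine). The magic-number table, the extension and MIME maps, and the policy are constructed examples; the product's own signature list and default block list are not reproduced. The declared extension and MIME type are compared with the detection only so a mismatch can be logged, never used to decide:

```python
"""Identify file types by magic numbers and apply a per-type Scan/Block/Pass policy.

Added illustration of the approach described above; not Check Point's engine.
The magic-number table, the extension/MIME maps and the policy are constructed
examples (the product's own signature list and block defaults are not reproduced).
"""
from typing import Dict, List, Optional, Tuple

# (magic bytes at offset 0, type name). Constructed, deliberately small table.
MAGIC: List[Tuple[bytes, str]] = [
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),                                   # DOS/Windows PE executable
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),                           # also OOXML Office documents
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),    # legacy Office container
]

# Constructed per-type policy; anything not listed gets DEFAULT_ACTION ("scan").
POLICY: Dict[str, str] = {
    "gif": "pass", "png": "pass", "jpeg": "pass",     # treated as safe in this example
    "pdf": "scan", "zip": "scan", "ole2": "scan",
    "exe": "block", "elf": "block",
}
DEFAULT_ACTION = "scan"

# Constructed maps from what the sender *claims* to a type name, used only for logging.
EXT_TO_TYPE = {"gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
               "pdf": "pdf", "exe": "exe", "zip": "zip", "doc": "ole2"}
MIME_TO_TYPE = {"image/gif": "gif", "image/png": "png", "image/jpeg": "jpeg",
                "application/pdf": "pdf", "application/zip": "zip"}


def identify(data: bytes) -> str:
    """Type from the leading bytes only; returns 'unknown' if no magic matches."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def inspect(data: bytes, declared_extension: Optional[str] = None,
            declared_mime: Optional[str] = None) -> Dict[str, object]:
    """Decide the action from the detected type alone.

    The declared extension and MIME type never influence the decision (both are
    sender-controlled); they are compared with the detection so that a mismatch
    can be logged as a signal worth looking at.
    """
    detected = identify(data)
    action = POLICY.get(detected, DEFAULT_ACTION)
    declared = set()
    if declared_extension:
        declared.add(EXT_TO_TYPE.get(declared_extension.lower().lstrip("."), "unknown"))
    if declared_mime:
        declared.add(MIME_TO_TYPE.get(declared_mime.lower(), "unknown"))
    mismatch = bool(declared) and detected not in declared
    return {"type": detected, "action": action, "declared_mismatch": mismatch}
```

A PE executable served as `holiday.gif` with an `image/gif` header is still identified as `exe` and blocked; an unrecognised type falls through to the default of being scanned, matching the rule above that unrecognised types are scanned.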
Logging and Monitoring
Logging information about the Anti Virus scan is sent to the SmartCenter Server, and can be viewed using SmartView Tracker. Information about the results is shown in the logs.
In addition, there are logs for signature updates, new update checks and download results.
Monitoring Anti Virus status is performed with SmartView Status. The Anti Virus status will appear under the Firewall-1 product. This status contains information about the currently installed Signature file and the Anti Virus engine version. The Anti Virus status also includes statistics about scanned files and found viruses.
Scan Failure
The default settings in the Anti Virus window have been configured to prevent the Anti Virus engine from overloading. It is recommended that you use the default settings provided.
If the Anti Virus engine becomes overloaded, you can use the options in the Anti Virus window to determine:
• whether you would like to take the chance of allowing files that have not been scanned to pass. This option will leave you open to virus attacks.
• whether you would like to block all files. If you select to block all files, a connectivity problem may arise.