Check Point Software Technologies Ltd: FireWall-1

by Paul Grosse - February 2000

Introduction

eCommerce and e-Business have progressed so far that a company has to embrace the technology if it is to remain viable. Having a competently built web site and being able to interact with current and potential customers requires good security in addition to good programming. With the number of Internet users growing so fast, a company needs to ensure that its servers can provide its online user population - whether they are home based customers wishing to gain access to Internet shopping or business users requiring access to the internal network - with an appropriate service rather than a wait, so a fast and reasonably secure firewall is a primary consideration for a company wishing to take its online future seriously.

Sitting on the junction between two networks, a firewall has only one job to do: to decide whether or not traffic should pass between the networks. There have been several strategies applied each with strengths and weaknesses and valid applications. The first approach was to make a decision based upon the information contained in the packet header. If a packet header had IP addresses that were permitted through the firewall, the traffic was allowed through - if not, it was disregarded. Unfortunately, for many networks, this proved inadequate as hackers could observe the traffic going through a firewall (sniffing) and substitute malicious content with the correct header information (spoofing). In answer to this weakness in the first generation of firewalls, a second generation was designed where the data in the traffic from packets with correct header information was built up and then examined by a program that was familiar with that particular protocol. Although this strategy is far more secure, the processing overhead is too great for some applications.

In answer to this, Check Point invented an intermediate technology which it called Stateful Multi-Layer Inspection (SMLI) which has become known as the third generation of firewall. It still checks packet headers to make sure that each one contains the correct information but does so all of the way up the OSI stack, checking the header for each layer and keeping the data pertinent to each layer in memory so that it is able to check on the validity of subsequent packets. It further extends first generation firewall technology by checking the data content of some protocols.

Products

FireWall-1

As the number of protocols rise - various vendors supplying their solution to a problem, or a new protocol - the job of the firewall becomes increasingly complicated. In addition to the variety of traffic passing through is the sheer volume. Hyper Text transfer Protocol traffic (HTTP - the basis of the World Wide Web) is becoming increasingly based upon images while File Transfer Protocol traffic (FTP) increases in volume as program size increases and documents become more complex and larger. As a result of this, any firewall needs to be able to assess the validity of the traffic in addition to allow it through the Gateway.

State Awareness

First and second generation firewalls demonstrated that speed and security are at opposite ends of the spectrum. However, Check Point's FireWall-1 provides a useful balance between these two for most applications by checking only the header information at each layer of each packet - only checking the data content of the packet at the application layer for particular protocols when requested to do so. Packets have each header inspected as it travels up the OSI stack - packets being dropped as soon as they fail an inspection - until they reach the top. If the security policy for the protocol for a specific packet requires that the data is inspected as well, this is done. Once the firewall is satisfied that the communication is genuine, it has headers added to it and is passed back down the OSI stack and across to the other network.

In this way, it is more secure than a simple packet filter as it: keeps in memory, the information in the header of each packet at each layer, matching up state information and dropping any packets that fail to comply to a session; and, it checks the data content of packets of specified protocols so that viruses cannot pass through, explicit scripting and controls may be stripped from HTTP traffic if requested by the security policy and so on. As a result of this, FireWall-1 with its Stateful, Multi-Layer Inspection (SMLI or third generation firewall) is faster and leaner than a full application gateway while retaining much of the speed of a simple packet filter.

In order for the firewall to integrate with other aspects of network security, FireWall-1 uses Open Platform for Secure Enterprise Connectivity (OPSEC). Check Point has encouraged a number of vendors to supply their products in an OPSEC compliant form thereby allowing FireWall-1 to be the most effective firewall to install in terms of compliance with security measures already purchased. Check Point breaks down OPSEC into three areas:

• Industry standards and standard protocols;
• Check Point-defined OPSEC protocols and APIs; and,
• Security applications written with INSPECT (a high level programming language - similar to PASCAL - designed to program new SMLI security applications).

Industry Standards and Protocols

The use of industry standards such as Remote Authentication Dial In User Service (RADIUS) and Lightweight Directory Access Protocol (LDAP) means that the purchaser of FireWall-1 has a wide choice of authentication servers available. For example, Vendors that supply RADIUS authentication servers that are OPSEC compliant include: ActivCard; Axent; CRYPTOcard; Netegrity; Security Dynamics; VASCO; and so on. Other Industry standards that are supported include: IPSec, SKIP and ISAKMP encryption schemes; X.509 certificates; Simple Network Management Protocol (SNMP).

Check Point defined OPSEC protocols and Application Programming Interfaces (APIs)

OPSEC APIs include: a Content Vectoring Protocol (CVP) API; a URL Filtering Protocol (UFP) API; a Suspicious Activity Monitoring Protocol (SAMP) API; a Log Export API (LEA); and, an Object Management Interface API (OMI).

• Content Vectoring Protocol permits content control both of incoming data (looking for viruses in file attachments to emails, ActiveX, explicit JAVA script in HTML and so on) and outward-bound data (for example, sensitive data leaving the site such as a mistakenly attached accounts file to an email). This API allows the vendors to supply content control applications that can be installed and run simply and Check Point customers can select the content security applications that they wish to use. Content security application vendors include; Cheyenne; Integralis; McAfee; Symantec; and so on.
• URL Filtering Protocol gives URL filtering applications integrated access to FireWall-1. Outward bound requests are checked against lists of banned sites either on a site-by-site, time-of-day or user-by-user basis. URL checkers such as that supplied by Integralis can be configured in a very flexible and granular way - having URL lists that can be updated on a weekly or daily basis.
• Suspicious Activity Monitoring Protocol looks for suspicious back connections and other peculiar activity on the network such as attacks on sequential ports. Worms that send emails back onto the Internet whenever they detect anything of interest on-site can be stopped by applications using this API. Sessions that conform to a definition of suspicious activity can be stopped part way through with future sessions prevented altogether if so desired.
• Log Export API provides a mechanism for secure transmission of audit log information. This can also be applied to the SAMP for immediate notification of suspicious activity.
• Object Management Interface is used to develop a client program that is able to query, modify and install the FireWall-1 Security policy.

Security applications written with INSPECT

FireWall-1 has its own language - INSPECT - which is an object oriented high level script, similar to PASCAL, that acts as an interface between the Graphical User Interface (GUI) where a company's security policy is defined, and the firewall inspection module on each of the network's firewall inspection points. The INSPECT script is stored in the form of an ASCII file so that administrators may edit it manually when a company has specialised security requirements. Using this language, a new protocol can be written quickly - the following day in some instances. This allows companies such as telecommunications companies to write their own protocols and protect their internal networks from attack very quickly.

Defining a Security Policy

The security policy for the entire enterprise is defined and managed using the FireWall-1 GUI which runs on a secured, authenticated machine. This may be done on-site or even remotely thus allowing for a distributed architecture and centralised definition of security policy. The policy is defined in terms of objects and rules that govern their interaction with network object being considered as individuals or groups in a hierarchical structure that makes administration easy to understand.

Network objects include networks, sub-networks, hosts, gateways, servers, routers and so on; Users can be individuals or groups of users and servers include content screening and authentication servers. A security rule consisting of a source and destination, a definition of a particular service or group of services, action to be taken, details of any log entries that should be made, the time of day or day of week that this action should occur and where the security rule should be installed. The FireWall-1 databases which include network object definitions, user definitions, the security policy and log files for all firewall gateways is stored on the Management Server. The GUI and the Management Server may be the same machine or two machines in a client server configuration.

Security rules have the capability of being as specific as is required with granularity going down to particular users and time of day, day of week and so on. Like all reasonably well thought out firewalls, anything that is not explicitly accepted is by default rejected with FireWall-1 working its way through the rule base until it finds a rule that allows the packet to the inspection module. Although this could mean that attacks on the firewall could go unnoticed if a particular protocol was not mentioned in the security policy, the logging of any unspecified events can be forced by including a final rule that states that a communication attempt from any source to any destination using any service should be rejected and logged.

Load Balancing

Primarily for the purposes of redundancy and load balancing, FireWall-1 may be configured to run on a number of machines, any of which can act as the gateway for some packets of a particular session. To get around the problem of packets from a given session arriving at different gateways and being dropped because only part of the session information is stored on any one machine, the state information is shared between FireWall-1 gateways so that packets for one session can all get through.

ConnectControl provides this load balancing service and deals with the real servers and how they manage their respective loads although to the user, there appears to be only one server. Rules for this are defined by the systems administrator in order to make the system function in a particular manner. There are a number of load balancing algorithms to choose from:

1. Server load - the firewall queries the servers in order to ascertain which is best able to handle the new connection;
2. Round trip - the firewall uses PING to find the shortest round trip time;
3. Round robin - the firewall assigns the next server on the list;
4. Random - servers are assigned connections randomly; and,
5. Domain - the firewall assigns the closest server based upon domain names.

In addition to controlling servers, FireWall-1 is also able to control routers with the security policy being defined and managed at a single point - the routers acting as policy enforcement points throughout the network. The routers are managed in two ways:

• Access lists - where access lists derived from the security policy are downloaded to selected routers; and,
• Stateful Inspection - where the FireWall1 Inspection Module runs directly on the router.

Routers and switches that support this are supplied by: Nortel (Bay Networks); and, Alcatel (Xylan).

Other Features

FireWall-1 supports additional features such as:

• De-Militarised Zones (DMZs) are supported by installing a third network card. A DMZ provides HTTP, FTP and other services including Web-Server services to non-local networks that do not initiate traffic.
• Network Address Translation (NAT) allows internal network addresses to be concealed from the outside network either for security reasons or simply because they are not legal IP addresses. NAT can be implemented in two ways, dynamically - allocating a different address each time a sessions is started - making the internal network address into a moving target for the hacker, or, statically - translating the internal address to a single, legal IP address. NAT can be implemented differently, according to the source and destination, specified ports and so on. Again, there is an option for the administration of the NAT to be performed using a GUI according to a packet's source, destination and service used.
• Virtual Private Networks (VPNs) allow sites to communicate securely, over an open network such as the Internet, by creating an encrypted tunnel of traffic. Any particular session is encrypted using a different key and packets that are intercepted are of no use to competitors as practically, they cannot be deciphered. In addition, spoofing attacks are limited to attack by denial as the encrypted information within packets is not reasonably substitutable. Check Point's VPN-1 gateway uses DES, Triple DES and IPSec/IKE with digital certificate support included for companies with PKI.

Platforms

FireWall-1 GUI Client (Client / Server configuration):

• Microsoft Windows 95;
• Microsoft Windows 98;
• Microsoft Windows NT (3.51 and 4.0 - Intel only); and,
• X/Motif (on Solaris 2.5 and 2.6, HP-UX 10.x, IBM AIX 4.2.1 and 4.3.0).

FireWall-1 Management Server (Client / Server configuration):

• Microsoft Windows NT (3.51 and 4.0 - Intel only);
• Solaris 2.5 and higher;
• HP-UX 10.x; and,
• IBM AIX 4.2.1 and 4.3.0.

FireWall-1 Management Module (OpenLook GUI):

• Solaris 2.5 and higher.

FireWall-1 Firewall Module Microsoft Windows NT (Intel only);

• Solaris 2.5 and higher;
• HP-UX 10.x;
• IBM AIX 4.2.1 and 4.3.0; and,
• Nokia IP Routing.

FireWall-1 Inspection Module Microsoft Windows NT (Intel only);

• Solaris 2.5 and 2.6;
• HP-UX 10.x;
• IBM AIX 4.2.1 and 4.3.0;
• Bay Networks; and,
• Xylan (limited functionality).

Pricing

FireWall-1 pricing is done of a reseller for reseller basis therefore there is no fixed price.

Opinion

Financial considerations inevitably lead systems administrators to demand compatibility with existing, legacy security systems in addition to a long life and effective functioning. This not only applies to companies that are just venturing into a connection to the Internet but also to companies that have taken over smaller companies that have already invested in some security. Taking these points into account, it makes sense to opt for a system that will take advantage of existing security measures while providing an adequate level of security. For a while now, Check Point has imposed OPSEC on the security vendors - bringing about a certain level of standardisation of security products in the access and content control areas. Although OPSEC only relates to Check Point, the company is in a sufficiently strong position to make such decisions and the resulting choice that has presented itself to the purchaser of FireWall-1 can only be of benefit.

OPSEC is clearly one of the major factors when deciding whether or not to invest in FireWall-1. Access control that is supported through OPSEC includes a number of hardware tokens that supply a pseudo-random number based upon a PIN that the user knows including: SecureID from Security Dynamics; and, SafeWord from Secure Computing. In both cases, the PIN is never seen by the workstation as this is typed into the token. Content control is handled by products from Integralis and others which look at incoming and outgoing traffic for profanity, certain special words and so on. In addition, content control programs can ensure that mistakes cannot happen such as accidental attachments with emails. URL filters are also included within OPSEC and some of these are updated weekly, giving up-to-date and accurate information.

A recent worry of content is that of malicious script embedded in HTML tags within documents. This allow the user's browser to execute the script if scripting has not been disabled at the browser, simply by looking at a web page. In addition to carefully constructed pages with embedded script tags, CGI HTML content, forms and SSL sessions are put at risk - SSL sessions may be compromised if the attack starts before the SSL session is initiated. It is not clear whether all script tags can be extracted as scripting and similar superfluous functionality may be inserted into web pages in a number of ways and malicious users will always be one step ahead. Having content security in place to remove scripting and active controls will only protect against those scenarios that have been seen. The only real protection is to turn scripting and other active content off at the browser. The saying goes "If it can't be said without scripting, it isn't worth saying".

INSPECT - the inspection engine script stored as an ASCII file may be viewed by the systems administrator with the express intent of editing it so that a peculiarity in the security policy may be accommodated. It is worth remembering that the vast majority of vulnerabilities in company firewalls are due to the system being configured incorrectly due either to being set up incorrectly in the first instance or being adjusted afterwards.

With so many supported protocols, it may be tempting for some to enable a large proportion of them. However, having so many doors to a system means that the opportunity for some of them to be tampered with may be too great and you may find yourself with unwanted guests. It is always good policy that only the services that are strictly required should be enabled.

SMLI was invented by Check Point and FireWall-1 is clearly the best implementation of this technology. However, it must be remembered that the checking that is performed by SMLI is not complete for every packet and in many respects, the second generation of firewall - the application gateway - is more secure. Without doubt, SMLI with its simpler checking can handle more simultaneous connections and has a higher bandwidth than application gateways. It is a simple trade-off between security and speed - some companies will only opt for the highest levels of security even though for most, SMLI is probably the most appropriate balance.

Strengths

• FireWall-1 is very easy to configure. Intelligent and extended use of GUIs together with hierarchical structures makes the configuration and management of security policies particularly easy.
• Distributed inspection on different servers, together with the sharing of state information provides seamless functionality for the end user. Allowing packets to be routed through different machines allows load balancing even on the second time-scale.
• OPSEC implies a greater choice for new and legacy systems. Its open architecture means that any weaknesses in the technology have already been exposed and therefore can be avoided. The great scope that a purchaser has means that he can choose the exact system he requires with new protocols being added quickly and easily as they are published.

Weaknesses

• SMLI does not piece together all of the content of the traffic as this is both time consuming and requires a lot of system resources. The loss of this top end security is acceptable for most applications but may not be for some.
• OPSEC is written in C which is not particularly good at bounds checking on buffers or strings. This type of fundamental error may lead to the hacker gaining highly privileged root access or gaining the ability to execute arbitrary code. This should always be considered if something unexpected happens such as with malformed packets.
• INSPECT, the scripting language could be abused from within the company. Although the figure of 75% of all computer attacks come from inside companies could be a result of good firewall technology, internally originating attacks on FireWall-1 in particular could include programming in INSPECT. To avoid this, physical, in addition to network access controls on-site must be adhered to strictly.

Conclusions

When considering which type of firewall to purchase, speed and security are two primary concerns. Normally, SMLI firewalls are around 5 times faster than second generation firewalls but with the speed of processors increasing continually and the main bottle neck being the network itself, this ratio is decreasing. Other considerations should include the compatibility of any new system with legacy equipment and here, FireWall-1 scores highly by having forced the manufacturers to supply OPSEC compliant products.

The intelligent use of GUIs and hierarchical object structures makes this firewall flexible and easy to administer which is essential if it a company is to take advantage of tele-working using VPNs for communication.

Check Point itself, has increased in size fairly consistently in the last few years and looks as though it will continue to do so in the near future at least. The company supplies an integrated firewall that is a market leader and functions and connects well with other products. For those companies that are looking for a suitable firewall, FireWall-1 looks set to be a favoured choice for the foreseeable future.

Company Profile

Founded in Israel in 1993, Check Point Software Technologies has established itself and maintained its position as the market leader, with just under half the firewall market world-wide. With its international headquarters in Ramat-Gan, Israel, its US headquarters in Redwood City California with other US offices in Texas and Washington state and other offices in the UK, France, Italy, Germany, Switzerland, Singapore, Japan and Australia the company now employs over 750 people world-wide.

The company's product portfolio is centred around FireWall-1, the Stateful, MultiLayer Inspection (SMLI) firewall - the technology being invented and patented by Check Point. FireWall-1 - which supports hundreds of services, applications and protocols and is available on many platforms - is used by the majority of Fortune 100 companies and, as of January 2000, Check Point Software had more than 110,000 installations in companies and government agencies world-wide.

Other products in Check Point's portfolio include: FloodGate-1 - a policy cased bandwidth management solution to reduce traffic congestion on overused Internet and Intranet links; ConnectControl - a server load-balancing product; VPN-1 - a family of Virtual Private Network products with versions based on software and on hardware with policies managed from a central location; Provider-1 - giving the administrator the ability to manage many security policies from one point; Meta IP - providing centralised management and distributed administration of IP addresses; and, Intelligent Queuing (IQ) Engine which allocates bandwidth resources on a more granular level - allowing certain types of traffic to be classified and resources allocated as appropriate.

Check Point's products are distributed world-wide through a global network of OEMs, Distributors, VARs, over 1,000 Channel partners and ISPs. Check Point has strategic alliances and partnerships with over 200 industry-leading companies through the OPSEC (Open Platform for Secure Enterprise Connectivity) Alliance which includes 3Com, Axent, Bay Networks, Intel, IBM, McAfee Associates, Microsoft, Sun, US Robotics, Xylan and so on.

The company trades its stock on NASDAQ under the symbol CHKP (formerly CHKPF) and has seen its revenues increase steadily from $9.5 million in the financial year 1995, through $82.9 million in 1997 to $219.6 million for the financial year 1999 representing an increase of 55% over 1998's revenue.

Check Point has picked up numerous awards - 1999's include: Blue Ribbon Award - Network World; Editor's Choice - PC Magazine; Best VPN Product - Network Computing (Germany); Best Usability of Firewall Products - Network Computing (Germany); Market Engineering Product Focus Award - Frost and Sullivan; Product of the Year - Internet Telephony; and so on.

In the US:
Check Point Software Technologies Inc.
Three Lagoon Drive
Suite 400
Redwood City
CA 94065
USA
Tel: +1 650 628 2000
Toll free 800 429 4391
Fax: +1 650 654 4233
Email: info@checkpoint.com
WWW: http://www.checkpoint.com/

In the UK:
Check Point Software Technologies UK Ltd
Suite 5b
Enterprise House
Vision Park
Chivers Way
Histon
Cambridge CB4 9ZR
United Kingdom
Tel: +44 (0)1223 713600
Fax: +44 (0)1223 236847
Email: ukinfo@checkpoint.com
WWW: http://www.checkpoint.com/

Copyright (c) 2000 P. A. Grosse. All Rights Reserved.

Back to the Internet Security Index

Back to the Index