Check Point Software Technologies Ltd: FireWall-1

by Paul Grosse - February 2000

Introduction

eCommerce and e-Business have progressed so far that a company has to embrace the technology if it is to remain viable. Having a competently built web site and being able to interact with current and potential customers requires good security in addition to good programming. With the number of Internet users growing so fast, a company needs to ensure that its servers can provide its online user population - whether they are home based customers wishing to gain access to Internet shopping or business users requiring access to the internal network - with an appropriate service rather than a wait, so a fast and reasonably secure firewall is a primary consideration for a company wishing to take its online future seriously.

Sitting on the junction between two networks, a firewall has only one job to do: to decide whether or not traffic should pass between the networks. There have been several strategies applied each with strengths and weaknesses and valid applications. The first approach was to make a decision based upon the information contained in the packet header. If a packet header had IP addresses that were permitted through the firewall, the traffic was allowed through - if not, it was disregarded. Unfortunately, for many networks, this proved inadequate as hackers could observe the traffic going through a firewall (sniffing) and substitute malicious content with the correct header information (spoofing). In answer to this weakness in the first generation of firewalls, a second generation was designed where the data in the traffic from packets with correct header information was built up and then examined by a program that was familiar with that particular protocol. Although this strategy is far more secure, the processing overhead is too great for some applications.

In answer to this, Check Point invented an intermediate technology which it called Stateful Multi-Layer Inspection (SMLI) which has become known as the third generation of firewall. It still checks packet headers to make sure that each one contains the correct information but does so all of the way up the OSI stack, checking the header for each layer and keeping the data pertinent to each layer in memory so that it is able to check on the validity of subsequent packets. It further extends first generation firewall technology by checking the data content of some protocols.

Products

FireWall-1

As the number of protocols rise - various vendors supplying their solution to a problem, or a new protocol - the job of the firewall becomes increasingly complicated. In addition to the variety of traffic passing through is the sheer volume. Hyper Text transfer Protocol traffic (HTTP - the basis of the World Wide Web) is becoming increasingly based upon images while File Transfer Protocol traffic (FTP) increases in volume as program size increases and documents become more complex and larger. As a result of this, any firewall needs to be able to assess the validity of the traffic in addition to allow it through the Gateway.

State Awareness

First and second generation firewalls demonstrated that speed and security are at opposite ends of the spectrum. However, Check Point's FireWall-1 provides a useful balance between these two for most applications by checking only the header information at each layer of each packet - only checking the data content of the packet at the application layer for particular protocols when requested to do so. Packets have each header inspected as it travels up the OSI stack - packets being dropped as soon as they fail an inspection - until they reach the top. If the security policy for the protocol for a specific packet requires that the data is inspected as well, this is done. Once the firewall is satisfied that the communication is genuine, it has headers added to it and is passed back down the OSI stack and across to the other network.

In this way, it is more secure than a simple packet filter as it: keeps in memory, the information in the header of each packet at each layer, matching up state information and dropping any packets that fail to comply to a session; and, it checks the data content of packets of specified protocols so that viruses cannot pass through, explicit scripting and controls may be stripped from HTTP traffic if requested by the security policy and so on. As a result of this, FireWall-1 with its Stateful, Multi-Layer Inspection (SMLI or third generation firewall) is faster and leaner than a full application gateway while retaining much of the speed of a simple packet filter.

In order for the firewall to integrate with other aspects of network security, FireWall-1 uses Open Platform for Secure Enterprise Connectivity (OPSEC). Check Point has encouraged a number of vendors to supply their products in an OPSEC compliant form thereby allowing FireWall-1 to be the most effective firewall to install in terms of compliance with security measures already purchased. Check Point breaks down OPSEC into three areas:

Industry Standards and Protocols

The use of industry standards such as Remote Authentication Dial In User Service (RADIUS) and Lightweight Directory Access Protocol (LDAP) means that the purchaser of FireWall-1 has a wide choice of authentication servers available. For example, Vendors that supply RADIUS authentication servers that are OPSEC compliant include: ActivCard; Axent; CRYPTOcard; Netegrity; Security Dynamics; VASCO; and so on. Other Industry standards that are supported include: IPSec, SKIP and ISAKMP encryption schemes; X.509 certificates; Simple Network Management Protocol (SNMP).

Check Point defined OPSEC protocols and Application Programming Interfaces (APIs)

OPSEC APIs include: a Content Vectoring Protocol (CVP) API; a URL Filtering Protocol (UFP) API; a Suspicious Activity Monitoring Protocol (SAMP) API; a Log Export API (LEA); and, an Object Management Interface API (OMI).

Security applications written with INSPECT

FireWall-1 has its own language - INSPECT - which is an object oriented high level script, similar to PASCAL, that acts as an interface between the Graphical User Interface (GUI) where a company's security policy is defined, and the firewall inspection module on each of the network's firewall inspection points. The INSPECT script is stored in the form of an ASCII file so that administrators may edit it manually when a company has specialised security requirements. Using this language, a new protocol can be written quickly - the following day in some instances. This allows companies such as telecommunications companies to write their own protocols and protect their internal networks from attack very quickly.

Defining a Security Policy

The security policy for the entire enterprise is defined and managed using the FireWall-1 GUI which runs on a secured, authenticated machine. This may be done on-site or even remotely thus allowing for a distributed architecture and centralised definition of security policy. The policy is defined in terms of objects and rules that govern their interaction with network object being considered as individuals or groups in a hierarchical structure that makes administration easy to understand.

Network objects include networks, sub-networks, hosts, gateways, servers, routers and so on; Users can be individuals or groups of users and servers include content screening and authentication servers. A security rule consisting of a source and destination, a definition of a particular service or group of services, action to be taken, details of any log entries that should be made, the time of day or day of week that this action should occur and where the security rule should be installed. The FireWall-1 databases which include network object definitions, user definitions, the security policy and log files for all firewall gateways is stored on the Management Server. The GUI and the Management Server may be the same machine or two machines in a client server configuration.

Security rules have the capability of being as specific as is required with granularity going down to particular users and time of day, day of week and so on. Like all reasonably well thought out firewalls, anything that is not explicitly accepted is by default rejected with FireWall-1 working its way through the rule base until it finds a rule that allows the packet to the inspection module. Although this could mean that attacks on the firewall could go unnoticed if a particular protocol was not mentioned in the security policy, the logging of any unspecified events can be forced by including a final rule that states that a communication attempt from any source to any destination using any service should be rejected and logged.

Load Balancing

Primarily for the purposes of redundancy and load balancing, FireWall-1 may be configured to run on a number of machines, any of which can act as the gateway for some packets of a particular session. To get around the problem of packets from a given session arriving at different gateways and being dropped because only part of the session information is stored on any one machine, the state information is shared between FireWall-1 gateways so that packets for one session can all get through.

ConnectControl provides this load balancing service and deals with the real servers and how they manage their respective loads although to the user, there appears to be only one server. Rules for this are defined by the systems administrator in order to make the system function in a particular manner. There are a number of load balancing algorithms to choose from:

  1. Server load - the firewall queries the servers in order to ascertain which is best able to handle the new connection;
  2. Round trip - the firewall uses PING to find the shortest round trip time;
  3. Round robin - the firewall assigns the next server on the list;
  4. Random - servers are assigned connections randomly; and,
  5. Domain - the firewall assigns the closest server based upon domain names.

In addition to controlling servers, FireWall-1 is also able to control routers with the security policy being defined and managed at a single point - the routers acting as policy enforcement points throughout the network. The routers are managed in two ways:

Routers and switches that support this are supplied by: Nortel (Bay Networks); and, Alcatel (Xylan).

Other Features

FireWall-1 supports additional features such as:

Platforms

FireWall-1 GUI Client (Client / Server configuration):

FireWall-1 Management Server (Client / Server configuration):

FireWall-1 Management Module (OpenLook GUI):

FireWall-1 Firewall Module Microsoft Windows NT (Intel only);

FireWall-1 Inspection Module Microsoft Windows NT (Intel only);

Pricing

FireWall-1 pricing is done of a reseller for reseller basis therefore there is no fixed price.

Opinion

Financial considerations inevitably lead systems administrators to demand compatibility with existing, legacy security systems in addition to a long life and effective functioning. This not only applies to companies that are just venturing into a connection to the Internet but also to companies that have taken over smaller companies that have already invested in some security. Taking these points into account, it makes sense to opt for a system that will take advantage of existing security measures while providing an adequate level of security. For a while now, Check Point has imposed OPSEC on the security vendors - bringing about a certain level of standardisation of security products in the access and content control areas. Although OPSEC only relates to Check Point, the company is in a sufficiently strong position to make such decisions and the resulting choice that has presented itself to the purchaser of FireWall-1 can only be of benefit.

OPSEC is clearly one of the major factors when deciding whether or not to invest in FireWall-1. Access control that is supported through OPSEC includes a number of hardware tokens that supply a pseudo-random number based upon a PIN that the user knows including: SecureID from Security Dynamics; and, SafeWord from Secure Computing. In both cases, the PIN is never seen by the workstation as this is typed into the token. Content control is handled by products from Integralis and others which look at incoming and outgoing traffic for profanity, certain special words and so on. In addition, content control programs can ensure that mistakes cannot happen such as accidental attachments with emails. URL filters are also included within OPSEC and some of these are updated weekly, giving up-to-date and accurate information.

A recent worry of content is that of malicious script embedded in HTML tags within documents. This allow the user's browser to execute the script if scripting has not been disabled at the browser, simply by looking at a web page. In addition to carefully constructed pages with embedded script tags, CGI HTML content, forms and SSL sessions are put at risk - SSL sessions may be compromised if the attack starts before the SSL session is initiated. It is not clear whether all script tags can be extracted as scripting and similar superfluous functionality may be inserted into web pages in a number of ways and malicious users will always be one step ahead. Having content security in place to remove scripting and active controls will only protect against those scenarios that have been seen. The only real protection is to turn scripting and other active content off at the browser. The saying goes "If it can't be said without scripting, it isn't worth saying".

INSPECT - the inspection engine script stored as an ASCII file may be viewed by the systems administrator with the express intent of editing it so that a peculiarity in the security policy may be accommodated. It is worth remembering that the vast majority of vulnerabilities in company firewalls are due to the system being configured incorrectly due either to being set up incorrectly in the first instance or being adjusted afterwards.

With so many supported protocols, it may be tempting for some to enable a large proportion of them. However, having so many doors to a system means that the opportunity for some of them to be tampered with may be too great and you may find yourself with unwanted guests. It is always good policy that only the services that are strictly required should be enabled.

SMLI was invented by Check Point and FireWall-1 is clearly the best implementation of this technology. However, it must be remembered that the checking that is performed by SMLI is not complete for every packet and in many respects, the second generation of firewall - the application gateway - is more secure. Without doubt, SMLI with its simpler checking can handle more simultaneous connections and has a higher bandwidth than application gateways. It is a simple trade-off between security and speed - some companies will only opt for the highest levels of security even though for most, SMLI is probably the most appropriate balance.

Strengths

Weaknesses

Conclusions

When considering which type of firewall to purchase, speed and security are two primary concerns. Normally, SMLI firewalls are around 5 times faster than second generation firewalls but with the speed of processors increasing continually and the main bottle neck being the network itself, this ratio is decreasing. Other considerations should include the compatibility of any new system with legacy equipment and here, FireWall-1 scores highly by having forced the manufacturers to supply OPSEC compliant products.

The intelligent use of GUIs and hierarchical object structures makes this firewall flexible and easy to administer which is essential if it a company is to take advantage of tele-working using VPNs for communication.

Check Point itself, has increased in size fairly consistently in the last few years and looks as though it will continue to do so in the near future at least. The company supplies an integrated firewall that is a market leader and functions and connects well with other products. For those companies that are looking for a suitable firewall, FireWall-1 looks set to be a favoured choice for the foreseeable future.

Company Profile

Founded in Israel in 1993, Check Point Software Technologies has established itself and maintained its position as the market leader, with just under half the firewall market world-wide. With its international headquarters in Ramat-Gan, Israel, its US headquarters in Redwood City California with other US offices in Texas and Washington state and other offices in the UK, France, Italy, Germany, Switzerland, Singapore, Japan and Australia the company now employs over 750 people world-wide.

The company's product portfolio is centred around FireWall-1, the Stateful, MultiLayer Inspection (SMLI) firewall - the technology being invented and patented by Check Point. FireWall-1 - which supports hundreds of services, applications and protocols and is available on many platforms - is used by the majority of Fortune 100 companies and, as of January 2000, Check Point Software had more than 110,000 installations in companies and government agencies world-wide.

Other products in Check Point's portfolio include: FloodGate-1 - a policy cased bandwidth management solution to reduce traffic congestion on overused Internet and Intranet links; ConnectControl - a server load-balancing product; VPN-1 - a family of Virtual Private Network products with versions based on software and on hardware with policies managed from a central location; Provider-1 - giving the administrator the ability to manage many security policies from one point; Meta IP - providing centralised management and distributed administration of IP addresses; and, Intelligent Queuing (IQ) Engine which allocates bandwidth resources on a more granular level - allowing certain types of traffic to be classified and resources allocated as appropriate.

Check Point's products are distributed world-wide through a global network of OEMs, Distributors, VARs, over 1,000 Channel partners and ISPs. Check Point has strategic alliances and partnerships with over 200 industry-leading companies through the OPSEC (Open Platform for Secure Enterprise Connectivity) Alliance which includes 3Com, Axent, Bay Networks, Intel, IBM, McAfee Associates, Microsoft, Sun, US Robotics, Xylan and so on.

The company trades its stock on NASDAQ under the symbol CHKP (formerly CHKPF) and has seen its revenues increase steadily from $9.5 million in the financial year 1995, through $82.9 million in 1997 to $219.6 million for the financial year 1999 representing an increase of 55% over 1998's revenue.

Check Point has picked up numerous awards - 1999's include: Blue Ribbon Award - Network World; Editor's Choice - PC Magazine; Best VPN Product - Network Computing (Germany); Best Usability of Firewall Products - Network Computing (Germany); Market Engineering Product Focus Award - Frost and Sullivan; Product of the Year - Internet Telephony; and so on.

In the US:
Check Point Software Technologies Inc.
Three Lagoon Drive
Suite 400
Redwood City
CA 94065
USA
Tel: +1 650 628 2000
Toll free 800 429 4391
Fax: +1 650 654 4233
Email:
info@checkpoint.com
WWW:
http://www.checkpoint.com/

In the UK:
Check Point Software Technologies UK Ltd
Suite 5b
Enterprise House
Vision Park
Chivers Way
Histon
Cambridge CB4 9ZR
United Kingdom
Tel: +44 (0)1223 713600
Fax: +44 (0)1223 236847
Email:
ukinfo@checkpoint.com
WWW:
http://www.checkpoint.com/

Copyright (c) 2000 P. A. Grosse. All Rights Reserved.


Back to the Internet Security Index

Back to the Index