Check Point Goes The Extra Mile To Secure Networks

The Check Point package is so inclusive that even its name needs explaining. VPN-1/FireWall-1 is the product name, and NG with Application Intelligence refers to the version. SmartDefense technology is part of VPN-1/FireWall-1, and the VPN and the firewall are built from the same code, but solution providers can license just VPN-1 or just FireWall-1. VPN-1 Pro secures business communications over the Internet, using single-click VPN deployment and certificate-based authentication to keep unauthorized users out.

MARC SPIWAK
Technical Editor

Typical firewalls rely on one of three techniques to enforce security: packet filters, application-layer gateways and stateful inspection. Packet filters decide on packet headers alone (addresses, ports, flags); they have no notion of the connection a packet belongs to, so any rule broad enough to admit legitimate replies also admits traffic that merely looks like a reply. An application-layer gateway (proxy) examines the application protocol itself and so brings context to the filtering process, but it breaks the client/server model: the client connects to the firewall, and the firewall opens a second connection to the server. Stateful inspection, on which FireWall-1 is based, avoids both limitations. It inspects traffic up to the application layer without splitting the connection, and it records state derived from the network, transport and application layers in dynamic state tables, against which subsequent packets and connection attempts are checked.
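The difference between a header-only packet filter and stateful inspection is easiest to see on the classic "return traffic" problem. The following is an added toy model, not Check Point code: packets are plain Python objects, the traffic is hand-written, the addresses (10.0.0.0/24 as the inside network, 198.51.100.7 as a web server, 203.0.113.9 as an attacker) are assumed, and the state machine is deliberately minimal. The stateless filter has to admit any inbound TCP packet with source port 80 to let web replies in; the stateful inspector admits inbound packets only if its state table shows the inside initiated that connection.

```python
"""Stateless packet filter vs. stateful inspection, as a constructed toy model.

Not Check Point code. Addresses, rules and the traffic below are assumed for
illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (client IP, client port, server IP, server port)
FlowKey = Tuple[str, int, str, int]

INTERNAL_PREFIX = "10.0.0."   # assumed inside network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""          # TCP flags as a string: "S", "SA", "A", ...
    inbound: bool = True     # True if the packet arrives from the untrusted side


def stateless_filter(pkt: Packet) -> bool:
    """Header-only filter. To let web replies back in it must permit every
    inbound packet whose source port is 80; it cannot distinguish a genuine
    reply from an attacker who simply forges sport=80."""
    if not pkt.inbound:
        return True                      # outbound traffic is trusted
    return pkt.sport == 80               # "replies" from web servers


class StatefulInspector:
    """Tracks connections in a dynamic state table keyed by the 4-tuple.
    Inbound packets are admitted only when they match a flow the inside
    opened; everything else has no context and is dropped."""

    def __init__(self) -> None:
        self.state: Dict[FlowKey, str] = {}

    def filter(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "S" in pkt.flags and "A" not in pkt.flags:
                self.state[key] = "SYN_SENT"     # inside opens a new connection
            elif key in self.state:
                self.state[key] = "ESTABLISHED"  # client completing the handshake
            return True
        # inbound: look the packet up as the reverse of a known flow
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.state:
            return False                         # unsolicited, no matching state
        if self.state[key] == "SYN_SENT" and pkt.flags == "SA":
            self.state[key] = "ESTABLISHED"
        return True


def run_scenario() -> Dict[str, List[bool]]:
    """Three constructed packets: an inside client's SYN to a web server, the
    server's SYN/ACK, and an attacker's probe of an inside SMB port with a
    forged source port of 80."""
    client_syn = Packet("10.0.0.5", 40000, "198.51.100.7", 80, "S", inbound=False)
    server_synack = Packet("198.51.100.7", 80, "10.0.0.5", 40000, "SA")
    forged_probe = Packet("203.0.113.9", 80, "10.0.0.5", 445, "S")
    traffic = (client_syn, server_synack, forged_probe)

    stateless = [stateless_filter(p) for p in traffic]
    inspector = StatefulInspector()
    stateful = [inspector.filter(p) for p in traffic]
    return {"stateless": stateless, "stateful": stateful}


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:9s} accept={verdicts}")
```

The third verdict is the point: the stateless filter accepts the forged probe because its header satisfies the reply rule, while the stateful inspector rejects it because no inside host ever opened a connection to 203.0.113.9. A real state table also ages entries out and tracks sequence numbers; this model omits that.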

IP is the most common vehicle for attacks against the network layer, including IP fragmentation abuse and denial of service (DoS), and FireWall-1's SmartDefense covers that layer. The product also applies a range of content-level controls, among them blocking Java code; stripping script, applet and ActiveX tags; hiding default server banners, which would otherwise advertise software versions to an attacker; and filtering URLs.

Typical firewalls can defeat most network-layer attacks but cannot do so at the application level. FireWall-1 works at both levels. Attackers like to go after applications over the ports that most networks must leave open, such as HTTP (TCP port 80) and HTTPS (TCP port 443). By targeting applications directly, they can deny service to legitimate users, gain access to administrative interfaces and back-end databases, and install Trojan horse software or sniffers that capture user IDs and passwords. The application layer is the target of choice because that is where the actual user data lives and where most protocols' logic is implemented.

The Application Intelligence feature detects and prevents application-level attacks using four defense strategies. First, it validates compliance with protocol standards. Second, it validates that protocols are used as expected. Third, it limits an application's ability to carry malicious data. Fourth, it controls application-layer operations. Perfectly valid protocol operations can be put to unauthorized use, so Application Intelligence blocks file-sharing operations originating from unauthorized users or systems, restricts connections to particular file names and monitors FTP commands such as PUT, GET, SITE, REST and MACB.

FireWall-1 supports more than 150 predefined applications and protocols out of the box. Examples include Microsoft CIFS; SMTP, FTP, HTTP, DNS and Telnet traffic; SOAP/XML; instant-messaging and peer-to-peer applications; Windows Media, RealVideo and Session Initiation Protocol (SIP); H.323-based services, including VoIP and NetMeeting; and Oracle SQL and ERP. By restricting mail to user-defined recipients and to unknown domains, enforcing a limit on the number of RCPT commands allowed per transaction and restricting mail-relay usage, among other things, Application Intelligence blocks attacks such as FTP bounce, directory traversal, malformed DNS queries, firewall traversal, FTP PORT injection, passive-FTP abuse and TCP segmentation evasion.

Check Point's VPN-1/FireWall-1 NG with Application Intelligence comes on a single CD-ROM. Solution providers install only the components they need; the license key unlocks the applications that were purchased. A typical deployment runs the VPN-1/FireWall-1 software on one or more open-platform gateway servers alongside a SmartCenter management server, with one or more Windows systems set up to run the SmartConsole management client.

Once the SmartConsole client is installed, SmartDashboard, the user interface for creating and deploying security policies across multiple Check Point products, can be launched. FireWall-1 and NAT policies are then managed as part of one comprehensive security policy that also covers VPNs, client security and quality of service (QoS). SmartDashboard has tabs along the top for the available network- and application-layer defenses: the Security tab lists the access-control rules, and the SmartDefense tab shows the available types of attack defenses.

A policy for firewall, NAT, SmartDefense, VPN, QoS and desktop security can be enforced by a single security gateway.

CHANNEL PROGRAM SNAPSHOTS

>CHECK POINT VPN-1/FIREWALL-1 NG WITH APPLICATION INTELLIGENCE
PRICE: $3,000 to $25,000
AUTHORIZATION REQUIREMENTS: Certification and exam
DISTRIBUTORS: GE Access, Ingram Micro, Tech Data, Westcon
TECH RATING:
CHANNEL RATING:

CHANNEL OVERVIEW: Check Point, based in Redwood City, Calif., runs a four-level channel program in which solution providers receive varying amounts of technical support, sales and marketing assistance, and licensing support. Field-based integration assistance is available, and sales and technical resources, monthly Webcasts and business tools are available online.

Note: Vendors can earn up to five stars for technical merit and five for their channel program. If the average of these two scores is four stars or greater, the product earns CRN Test Center Recommended status.