Checkpoint Next Generation Security Administration - Syngress

Checkpoint Next Generation Security Administration (eBook)

(Author)

eBook Download: PDF | EPUB
2002 | 1st edition
800 pages
Elsevier Science (Publisher)
978-0-08-047645-2 (ISBN)
45.95 incl. VAT
"Check Point NGX R65 is the next major release of Check Point's flagship firewall software product. Check Point's NGX is the underlying security software platform for all of the company's enterprise firewall, VPN, and management solutions. It enables enterprises of all sizes to reduce the cost and complexity of security management and ensure that their security systems can be easily extended to adapt to new and emerging threats. This title is a continuation of Syngress's best-selling references on Check Point's market leading firewall and VPN products.

  • Understand NGX R65 Operational Changes: SVN Architecture, New VPN-1 Features, Additional Features, VPN-1 Power VSX
  • Deploy SmartClients and SmartManagement: SmartDashboard, SmartMap, SmartView Tracker, SmartView Monitor, SmartUpdate, SmartLSM, Secure Client Packaging Tool, Management Plug-Ins, Check Point Configuration/cpconfig
  • Drive the Management Portal: A Tour of the Dashboard, What's New in SmartDashboard NGX, Your First Security Policy, Other Useful Controls on the Dashboard, Managing Connectra and Interspect Gateways, Smart Portal
  • Master Advanced Authentication: Authentication Overview, Users and Administrators, SmartDirectory, User Authentication, Session Authentication, Client Authentication
  • Use Advanced VPN Concepts for Tunnel Monitoring: Encryption Overview, VPN Communities, Policy-Based VPN, Route-Based VPN
  • Configure Advanced VPN Client Installations: SecuRemote, Secure Client, Office Mode, Visitor Mode, Windows L2TP Integration, SSL Network Extender, Backup Gateways, Multiple Entry Point VPNs
  • Deploy and Configure SmartDefense: Network Security, Application Intelligence, Web Intelligence
  • Get Inside Secure Platform: Installation, Configuration, Secure Platform Shell, Secure Shell
  • Learn Advanced Troubleshooting Techniques: NGX Debugging, Packet Analysis, Log Troubleshooting, VPN Analysis, VPN Client Analysis, ClusterXL Troubleshooting"
Unparalleled security management that IT professionals have been waiting for.

Check Point Software Technologies is the worldwide leader in securing the Internet. The company's Secure Virtual Network (SVN) architecture provides the infrastructure that enables secure and reliable Internet communications. CheckPoint recently announced a ground-breaking user interface that meets the computer industry's Internet security requirements. The Next Generation User Interface is easy to use and offers unparalleled security management capabilities by creating a visual picture of security operations.

CheckPoint Next Generation Security Administration will be a comprehensive reference to CheckPoint's newest suite of products and will contain coverage of: Next Generation User Interface, Next Generation Management, Next Generation Performance, Next Generation VPN Clients, and Next Generation Systems.

  • CheckPoint are a company to watch; they have captured over 50% of the VPN market and over 40% of the firewall market according to IDC Research
  • Over 29,000 IT professionals are CheckPoint Certified
  • This is the first book to cover all components of CheckPoint's new suite of market-leading security products - it will be in demand!

Cover
Contents
Foreword
Chapter 1 Introduction to Check Point Next Generation
Chapter 2 Installing and Configuring VPN-1/FireWall-1 Next Generation
Chapter 3 Using the Graphical Interface
Chapter 4 Creating a Security Policy
Chapter 5 Applying Network Address Translation
Chapter 6 Authenticating Users
Chapter 7 Open Security (OPSEC) and Content Filtering
Chapter 8 Managing Policies and Logs
Chapter 9 Tracking and Alerts
Chapter 10 Configuring Virtual Private Networks
Chapter 11 Securing Remote Clients
Chapter 12 Advanced Configurations
Appendix A Class C Subnet Mask Cheat Sheet
Appendix B Spoofing: Attacks on Trusted Identity
Index

Chapter 1

Introduction to Check Point Next Generation


Solutions in this chapter:

Introduction


The Check Point Next Generation suite of products provides the tools necessary for easy development and deployment of enterprise security solutions. Check Point VPN-1/FireWall-1 has been beating out its competitors for years, and the Next Generation software continues to improve the look, feel, and ease of use of this software. Most notably, there is a new security dashboard that gives security administrators a more detailed view of the Security Policy and management objects in one window. The user interface is easy to comprehend and provides optimal functionality all in one place.

With the Next Generation software, you can manage multiple firewalls from a central management server, and can now centrally manage licenses and software upgrades with the SecureUpdate application. Other useful tools in the Next Generation suite include LDAP account management, SecuRemote VPNs, bandwidth usage services, DNS/DHCP services, reporting, logging, and high availability configurations.

In this chapter we will introduce you to each of these tools, and discuss the various components of VPN-1/FireWall-1 in a little more detail. You will learn the difference between proxy firewalls, packet filtering firewalls, and the technology that Check Point Next Generation uses, called Stateful Inspection. You will become familiar with the inspection engine, which is the nuts and bolts of the software, and learn how it analyzes traffic going through the firewall.

Introducing the Check Point Next Generation Suite of Products


It seems that the Internet moves a little further into the network every day, and along with it come new network security and management challenges. A few years ago, when I first started working with firewalls, it was easy to define and visualize a network into simple security zones: “trusted” for anything behind the firewall and “un-trusted” for anything in front of it. Security at that time seemed easy: stick a firewall where the internal network met the Internet, maybe add a De-Militarized Zone (DMZ) for the Web and e-mail servers, and call it a day. Now, however, with new Internet applications, Extranets, and VPNs becoming common, I find the un-trusted network creeping through into the DMZ and even right into what I used to call the trusted network. To address the security needs of this new network, we need not only secure, scalable firewall technology but also the tools to provide Quality of Service (QoS), network management, and to log and report on the usage and health of the network infrastructure.

The Check Point Next Generation (NG) Suite is composed of several different products bundled to create a complete enterprise security solution. The combination of these specialized tools allows the NG suite to address the major security and network management challenges facing today’s security managers. Rather than look at network security solely from the firewall or Virtual Private Network (VPN) solution, Check Point set out, with its Secure Virtual Network (SVN) architecture, to encompass all areas of enterprise security into a single, easy-to-use product offering. Until recently, many enterprise security managers believed that simply firewalling their network at the Internet connection provided all the security they needed. In today’s network world we have Intra- and Extranet connections to secure, not to mention remote dial and VPN access to worry about. The SVN architecture looks at the entire enterprise network, encompassing not only Local Area Network (LAN) and Wide Area Network (WAN) connections, but extending right down to the individual VPN connected user. This new enterprise level view of security defines a complete, scalable, and secure architecture that requires the integration of several products to achieve.

The Next Generation (NG) product suite is designed to fill the security and management needs of the SVN architecture. Using VPN-1/FireWall-1 to firewall between networks and provide a robust endpoint for VPN traffic addressed most companies’ primary security needs. Having secured the front door, SecuRemote was added to the NG suite as a desktop application to enable easy VPN setup. Secure Client was designed to build on to the functionality of SecuRemote by enabling Security Managers to set and enforce a desktop Security Policy for desktop machines connecting to the VPN service. Having addressed the firewall and user VPN capabilities most companies are looking for, NG turned to address the user management problems identified by the SVN. Two products were added to the suite to enable security managers to easily manage users and accounts. The Account Management component was added to manage user accounts stored on LDAP servers, and the UserAuthority (UA) was introduced to make authentication information acquired by VPN-1/FireWall-1 available to other applications. To help manage the IP network, two more tools were added to the NG suite. Meta IP allows easy management of DNS and DHCP servers, while FloodGate-1 provides the Quality of Service (QoS) management needed for VPN and Internet networks. Finally, to provide detailed security and usage reports from not only the NG suite of products, but also from supported third-party applications, Check Point added the Reporting Module tool. By combining all eight of these tools into a single suite, NG provides network and security managers with the security and management tools needed in today’s enterprise networks in one integrated, scalable package.

To tie all these products together into an easy-to-manage solution, NG includes a new Security Dashboard that incorporates the best features of the Policy Editor with additional object display windows and the optional Visual Policy Editor. The Security Dashboard, shown in Figure 1.1, not only provides a single point of access for managing the entire NG suite, but also shows how the different products integrate together allowing configuration information to be moved and shared between applications quickly and easily.

Figure 1.1 NG Security Dashboard

VPN-1/FireWall-1


At the cornerstone of the NG Suite, and what most of us think about when someone mentions the Check Point name, is VPN-1/FireWall-1. The VPN-1 and FireWall-1 products are designed to prevent unauthorized access to or from the networks connected to the firewall, based on the rules defined by the security manager. VPN-1/FireWall-1 uses a set of rules to create a Security Policy. This policy is loaded into the inspection engine component of the firewall and is applied to all traffic that crosses the firewall’s network interfaces.

Although it’s common to think of VPN-1 and FireWall-1 as a single product, and although many people use the term FireWall-1 (FW-1) to refer to both products, they have very different functions. FireWall-1 provides the data filtering, logging, and access control as expected of any firewall gateway. VPN-1 integrates tightly into FireWall-1 to add virtual private networking tools alongside the firewall. Combining VPN-1 with FireWall-1 has allowed Check Point to provide firewall and VPN products that not only leverage each other’s strengths, but that also function together seamlessly and are managed through a single management application. Tying VPN-1 and FireWall-1 together enables you to build VPN gateways into your firewall rather than having to maintain two separate machines to provide firewall and VPN services. This can simplify the network complexity and Security Policy required, allowing for easier management and reducing the possibility of configuration errors.

Although VPN-1 provides all the tools you need to support site-to-site VPNs, and has even improved support for easy set-up with third-party firewall products, there is still the issue of individual user-to-site VPN connections. To ensure that VPN-1 could provide the level of encryption, security, and control required when used with user-to-site VPNs, Check Point has updated the SecuRemote and Secure Client software packages. By integrating SecuRemote and Secure Client so tightly with VPN-1, Check Point has not only provided you with the tools you need to secure your user-to-site VPN, but has also ensured their continued dominance in the VPN market space.

Check Point provides, in the NG suite, the tools required to manage VPN-1/FireWall-1 in a distributed environment, allowing security managers to define and enforce a single Security Policy across the entire enterprise. By building FireWall-1 on a distributed model, Check Point has designed a product that functions equally well as a stand-alone single gateway product, as it does in large multiple firewall gateway networks. This distributed nature allows multiple VPN-1 and FireWall-1 gateways to be managed from a single management station, simplifying not only Security Policy definition, but also logging functions since the logs from all gateways are available from a centralized...

Publication date (per publisher): 11.4.2002
Language: English
Subject area: Non-fiction / Guides
Computer Science › Networks › Security / Firewall
Computer Science › Theory / Studies › Cryptology
Economics › Business Administration / Management
ISBN-10 0-08-047645-7 / 0080476457
ISBN-13 978-0-08-047645-2 / 9780080476452
PDF (Adobe DRM)
Size: 7.2 MB
EPUB (Adobe DRM)
Size: 14.1 MB