CP Firewall

Apr 08, 2018

Alika Jain
  • 8/6/2019 CP Firewall

    1/24

    2001 Check Point Software Technologies Ltd. - Proprietary & Confidential

    Check Point Facts: History

    Founded June 1993
    IPO June 1996
    Strong growth in revenues and profits
    Global market leadership: 62% VPN market share (Datamonitor, 2001); 42% firewall market share (#1 position - IDC, 2000)
    De-facto standard for Internet security
    Strong business model
    Technology innovation and leadership
    Technology partnerships
    Strong and diversified channel partnerships

  • 2/24

    What is a Firewall?

    A firewall:
    Acts as a security gateway between two networks
    Usually sits between trusted and untrusted networks (such as between a corporate network and the Internet)

    [Diagram: Corporate Site / Corporate Network - Gateway - Internet]

  • 3/24

    Why Firewalls are Needed

    Prevent attacks from untrusted networks
    Protect data integrity of critical information
    Preserve customer and partner confidence

  • 4/24

    Evolution of Firewalls

    [Diagram, stage of evolution: Packet Filter -> Stateful Inspection -> Application Proxy]

  • 5/24

    Packet Filter

    Packets examined at the network layer
    Useful first line of defense - commonly deployed on routers
    Simple accept or reject decision model
    No awareness of higher protocol layers

    [Diagram: two OSI stacks (Applications, Presentations, Sessions, Transport, Network, Data Link, Physical) with the packet filter operating at the Network layer between them]

  • 6/24

  • 7/24

    Stateful Inspection

    [Diagram: two OSI stacks with the INSPECT Engine and its Dynamic State Tables inserted between the Data Link and Network layers]

    Packets inspected between the data link layer and the network layer in the OS kernel
    State tables are created to maintain connection context
    Invented by Check Point
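The packet-filter and stateful-inspection slides above state the difference in words. The Python simulation below is an added example, not Check Point code and not the INSPECT engine: it contrasts a stateless first-match rule lookup with an engine that records accepted connections in a state table and admits replies from that table. The packet fields, rule syntax, addresses and the state-table layout are all assumptions made for illustration.

```python
"""Stateless packet filter vs. stateful inspection (added illustration;
not Check Point code). Addresses, rule syntax and state-table layout
are assumptions made for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INSIDE = "10.0.0.0/8"   # assumed corporate address range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN set: a connection initiation
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """Matches on network/transport header fields only."""
    action: str                 # "accept" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


def first_match(rules: List[Rule], p: Packet, default: str = "drop") -> str:
    """First matching rule wins; anything unmatched is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class PacketFilter:
    """Stateless: every packet is judged on its own header fields."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def handle(self, p: Packet) -> str:
        return first_match(self.rules, p)


class StatefulInspector:
    """Consults the rule base only for new connections; replies are
    accepted because the state table already knows the connection."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state = set()   # (src, sport, dst, dport) of accepted connections

    def handle(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.state or reverse in self.state:
            return "accept"          # belongs to a tracked connection
        if not p.syn or p.ack:
            return "drop"            # no state and not a connection start
        verdict = first_match(self.rules, p)
        if verdict == "accept":
            self.state.add(key)      # remember the connection context
        return verdict


def scenario() -> dict:
    """Three constructed packets: an outbound web request, the server's
    reply, and an unrelated inbound packet that merely uses source port 80."""
    client_syn = Packet("10.0.0.5", 40000, "198.51.100.7", 80, syn=True)
    server_reply = Packet("198.51.100.7", 80, "10.0.0.5", 40000, syn=True, ack=True)
    unrelated = Packet("203.0.113.9", 80, "10.0.0.5", 40000, syn=True)
    traffic = (client_syn, server_reply, unrelated)

    # The stateless filter needs a second rule so replies can come back,
    # and that rule admits any packet arriving from source port 80.
    stateless = PacketFilter([
        Rule("accept", src=INSIDE, dport=80),
        Rule("accept", dst=INSIDE, sport=80),
    ])
    # The stateful engine needs only the outbound rule.
    stateful = StatefulInspector([Rule("accept", src=INSIDE, dport=80)])

    return {
        "stateless": [stateless.handle(p) for p in traffic],
        "stateful": [stateful.handle(p) for p in traffic],
    }


if __name__ == "__main__":
    for name, verdicts in scenario().items():
        print(name, verdicts)
```

The point the slides make shows up in the third packet: the stateless filter has to carry a permanent inbound rule for return traffic and therefore accepts it, while the stateful engine drops it because no outbound connection ever created matching state.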

  • 8/24

    Block All Network Attacks

    We block all known network attacks
    (Note: Historically not highlighted by Check Point)
    2002: Greater visibility and enhancements are coming

    Including: LANd, ICMP Flood, Teardrop, Ping of Death, Bonk, UDP Flood, Spoofing Attack, DoS Protection, DDoS Protection options, Network Address Translation (NAT), SYN Attack, Smurf, Port Address Translation (PAT), Nestea, IGMP Fragments, WinNuke, IP Options-based attacks, and more

  • 9/24

    Here is the proof!!

  • 10/24

    Not Every Stateful Is Stateful Inspection

    INSPECT sets Check Point apart

  • 11/24

  • 12/24

    Different Types of VPN/Firewall Topologies

    [Diagrams of three VPN/firewall placements relative to the Internet]

    Drawbacks noted on the diagrams:
    VPN device is vulnerable to attack, e.g. denial of service
    Requires opening multiple holes in the firewall for VPN traffic
    Bypasses security policy
    Denial of service

  • 13/24

    Security Management Architectures: Two-Tier

    Does not scale
    Repetitive policy changes
    Error prone / inconsistent policy

    [Diagram: GUI Client with Remote Policy Editing connected directly to Enforcement Points (London, New York, Paris), each with Local Policy Storage and Enforcement]

  • 14/24

    Security Management Architectures: Three-Tier

    Scales very well
    Make changes once
    Better security

    [Diagram: GUI Client with Remote Policy Editing -> Management Server with Centralized Policy Storage and Deployment -> Enforcement Points (London, New York, Paris) with Local Policy Enforcement]

  • 15/24

    Security Management Architectures: Managed Service Provider

    Reduces organizational costs
    Security depends on experience and implementation choices of the MSP

    [Diagram: Security Management and GUI hosted at the Managed Service Provider, reaching Acme Corp Enforcement Points (New York, Paris) with Local Policy Enforcement across the Internet]

  • 16/24

  • 17/24

    Secure Management: Administrator Security

    Security management cannot be the weakest link
    Multiple administrators
    Highly granular permissions, e.g., by job function
    Access control and authentication, e.g., by location, e.g., digital certs

  • 18/24

    SecureUpdate

  • 19/24

    Auditing

    Check Point NG: Full Change Audit - administrator login/logout, object changes, rule changes, etc.
    Critical feature for many companies and industries, e.g., financial institutions

  • 20/24

    Administrator Auditing

    Creates a record for troubleshooting & debugging
    Tracks information in detail and enables sorting, searching, reporting, etc.

    Who modified the server named tempest?
    What has the administrator Gretchen been doing?
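The two auditing slides above give the questions a change audit must answer. The following Python script is an added example, not Check Point's audit log format or tooling: it parses a constructed key=value audit log, tolerates a corrupt line without losing the rest of the trail, and answers both questions (who modified the object named tempest, what administrator Gretchen did) plus a per-administrator summary for reporting. The line format, the administrator "raj", the gateway name "london_gw" and every log entry are constructed for this example.

```python
"""Answering administrator-audit questions from a change-audit log
(added illustration, not Check Point's log format). The line format and
the log entries below are constructed for this example."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: timestamp followed by key=value fields.
AUDIT_LOG = """\
2001-11-05 09:14:02 admin=gretchen action=login source=10.1.2.3
2001-11-05 09:16:40 admin=gretchen action=modify object=tempest field=ip_address
2001-11-05 09:20:11 admin=gretchen action=modify rule=12 field=action
2001-11-05 09:25:00 admin=gretchen action=install_policy target=london_gw
2001-11-05 10:02:33 admin=raj action=login source=10.1.7.9
2001-11-05 10:05:19 admin=raj action=modify object=tempest field=comment
2001-11-05 10:30:00 admin=gretchen action=logout source=10.1.2.3
2001-11-05 11:00:00 this line is corrupt and must not crash the parser
"""

_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+)$")


def parse_audit_log(text: str) -> Tuple[List[Dict[str, str]], int]:
    """Return (events, skipped). Malformed lines are counted, not raised,
    so one bad record cannot hide the rest of the audit trail."""
    events, skipped = [], 0
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            skipped += 1
            continue
        tokens = m.group(2).split()
        if not all("=" in tok for tok in tokens):
            skipped += 1
            continue
        fields = {"ts": m.group(1)}
        for tok in tokens:
            key, value = tok.split("=", 1)
            fields[key] = value
        if "admin" not in fields or "action" not in fields:
            skipped += 1
            continue
        events.append(fields)
    return events, skipped


def who_modified(events: List[Dict[str, str]], obj: str) -> List[Tuple[str, str, str]]:
    """'Who modified the server named tempest?' -> (ts, admin, field) tuples."""
    return [(e["ts"], e["admin"], e.get("field", ""))
            for e in events
            if e["action"] == "modify" and e.get("object") == obj]


def activity_of(events: List[Dict[str, str]], admin: str) -> List[str]:
    """'What has administrator Gretchen been doing?' -> actions in order."""
    return [e["action"] for e in events if e["admin"] == admin]


def summarize(events: List[Dict[str, str]]) -> Counter:
    """Counts of (admin, action) pairs: the basis for sorting and reporting."""
    return Counter((e["admin"], e["action"]) for e in events)


if __name__ == "__main__":
    evs, bad = parse_audit_log(AUDIT_LOG)
    print(f"{len(evs)} events parsed, {bad} skipped")
    print("tempest modified by:", who_modified(evs, "tempest"))
    print("gretchen's actions:", activity_of(evs, "gretchen"))
    print("summary:", summarize(evs))
```

Counting skipped lines rather than silently dropping them matters for an audit trail: a parser that ignores what it cannot read gives a reviewer false confidence that the record is complete.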

  • 21/24

    End-to-End Security: SecureClient

    Must protect all network accessible devices, especially VPN/mobile computers
    SecureClient: corporate policy at the desktop
    Desktop firewall
    SCV: Secure Configuration Verification
    Automatic updates
    Highly scalable - tens-of-thousands of clients

  • 22/24

    The Security Puzzle

    [Puzzle diagram; piece labels, partly garbled in extraction: Firewall, PKI, IDS, Content Filtering, Antivirus]

  • 23/24

    Check Point Architecture: Winning Security

    SVN: Connect & Protect
    Stateful Inspection & SecureXL
    SMART
    OPSEC & SecureChoice

    OPSEC - Open & Extensible Security: integrated & certified solutions
    300 security partners
    120 certified applications
    Open SDK
    Thousands of OPSEC developers

  • 24/24

    Reporting GUI