Check Point Firewall-1 Access Control
Internet technology provides a cost-effective, global communications infrastructure that enables worldwide access for employees, customers, vendors, suppliers and key business partners. While this is a critical requirement for collaborative information sharing, it also exposes an organization's network to new risks and threats. How can an organization keep its resources and information protected from unauthorized network access, from both inside and outside the organization? Access control, a fundamental building block in any security policy, addresses this issue.
What Goes Into and Out of The Network
Access control protects an organization from security threats by specifying and enforcing what can go into and out of an organization's network. A key element of access control is an awareness of all underlying services and applications. First-generation packet filters have no awareness of applications, nor can they support UDP or dynamic protocols. Second-generation application proxies (also referred to as proxy firewalls) require a tremendous amount of CPU overhead and are unable to provide timely support for new services introduced on the Internet, such as multimedia services.
Check Point's patented Stateful Inspection Technology, combined with powerful object-oriented management, provides full application-layer awareness as well as quick and easy support of new Internet services. FireWall-1 and VPN-1 Gateways provide comprehensive access control for more than 150 pre-defined applications, services and protocols, as well as the flexibility to specify and define custom services.
In addition to understanding the full state and context of all communications, FireWall-1 and VPN-1 Gateways include the ability to define security rules using a time parameter. This provides exceptionally granular access control, allowing users to access the network only at very specific times and/or days. For example, an organization may decide to limit Web traffic (HTTP) to the Internet during working hours, permitting access only during lunch time, after normal working hours and on weekends. Another example is to deny access to critical servers while system backups are being performed.
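The following is an added example, not Check Point's code or anything taken from the FireWall-1 product: a minimal first-match rule base in Python whose rules carry a time parameter, modelling the two policies just described (HTTP only at lunch time, after hours and on weekends; no access to the backup server while backups run). The rule fields, the addresses, the service names and the hours are constructed assumptions chosen for the illustration.

```python
# Added example (not Check Point's code): a minimal first-match rule base with a
# time parameter, modelling the lunch-time/after-hours HTTP policy and the
# "no access during backups" rule described above. The rule fields, the networks
# and the hours are constructed assumptions, not taken from any real policy.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class TimeWindow:
    """Days of the week and clock ranges during which a rule is active."""
    days: FrozenSet[int]                    # Monday=0 .. Sunday=6
    ranges: Tuple[Tuple[time, time], ...]   # (start, end) pairs, end exclusive

    def contains(self, when: datetime) -> bool:
        if when.weekday() not in self.days:
            return False
        t = when.time()
        return any(start <= t < end for start, end in self.ranges)


@dataclass(frozen=True)
class Rule:
    name: str
    source: str          # CIDR; "0.0.0.0/0" means any address
    destination: str
    service: str         # service name, or "any"
    action: str          # "accept" or "drop"
    window: Optional[TimeWindow] = None   # None: the rule applies at all times

    def matches(self, pkt: dict, when: datetime) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.source)
                and ip_address(pkt["dst"]) in ip_network(self.destination)
                and self.service in ("any", pkt["service"])
                and (self.window is None or self.window.contains(when)))


def evaluate(rulebase, pkt: dict, when: datetime) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule; anything not
    explicitly matched is dropped, as a final cleanup rule would do."""
    for rule in rulebase:
        if rule.matches(pkt, when):
            return rule.action, rule.name
    return "drop", "cleanup"


WEEKDAYS = frozenset(range(5))
WEEKEND = frozenset({5, 6})
END_OF_DAY = time(23, 59, 59, 999999)

# Constructed rule base. Order matters: the backup-window deny precedes the
# general accept for internal hosts so that it wins while the nightly backup runs.
RULEBASE = (
    Rule("deny-backup-server-during-backup", "10.0.0.0/8", "10.1.1.5/32", "any", "drop",
         TimeWindow(frozenset(range(7)), ((time(1, 0), time(4, 0)),))),
    Rule("allow-web-lunch-and-after-hours", "10.0.0.0/8", "0.0.0.0/0", "http", "accept",
         TimeWindow(WEEKDAYS, ((time(12, 0), time(13, 0)),
                               (time(18, 0), END_OF_DAY),
                               (time(0, 0), time(8, 0))))),
    Rule("allow-web-weekend", "10.0.0.0/8", "0.0.0.0/0", "http", "accept",
         TimeWindow(WEEKEND, ((time(0, 0), END_OF_DAY),))),
    Rule("allow-internal-to-servers", "10.0.0.0/8", "10.1.1.0/24", "any", "accept"),
)


if __name__ == "__main__":
    web = {"src": "10.0.5.7", "dst": "198.51.100.10", "service": "http"}
    ssh_backup = {"src": "10.0.5.7", "dst": "10.1.1.5", "service": "ssh"}
    # A Tuesday morning, a Tuesday lunch break and a Saturday afternoon.
    for when in (datetime(2024, 3, 5, 10, 30), datetime(2024, 3, 5, 12, 30),
                 datetime(2024, 3, 9, 15, 0)):
        print(when, web["service"], evaluate(RULEBASE, web, when))
    # The same SSH session to the backup server during and outside the backup window.
    for when in (datetime(2024, 3, 5, 2, 30), datetime(2024, 3, 5, 10, 0)):
        print(when, ssh_backup["service"], evaluate(RULEBASE, ssh_backup, when))
```

Because evaluation stops at the first match, a time-limited deny must sit above the broader accept it is meant to override; placing it below would leave the accept in effect during the backup window.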
Defining a Security Policy
Implementing access control parameters is simple and straightforward with a well-defined graphical user interface, such as that provided by Check Point's FireWall-1 and VPN-1 Gateway products. In fact, all aspects of an organization's security policy can be specified using the award-winning user interface in Check Point's enterprise security solutions.
All elements are specified using an object-oriented approach. Once defined, these objects are used to define the security policy within the Rule Base Editor. Each rule is comprised of a combination of network objects, services, actions, and logging mechanisms. With the Policy Editor, rules can be hidden, disabled, or searched based on column values. Implied rules defined in the "Properties Set-up" window can be displayed in the rule base as well.
Once a rule is defined, FireWall-1 and VPN-1 Gateways provide the ability to determine which enforcement points it should be distributed to across the network.

Supported platforms include UNIX (Solaris, HP-UX, AIX) and Windows NT servers, and internetworking equipment (integrated Internet access devices, routers, switches) from Check Point's many OPSEC Alliance partners. A distinct feature of Check Point's security products is the ability to define an enterprise policy once, distribute it to multiple access points throughout the network, and manage locally or remotely from a single management console.
Distributed Access
Check Point's architecture is fully scalable so that it can grow as an organization's security requirements grow. FireWall-1 and VPN-1 Gateways are capable of providing multiple levels of user access. This allows the assignment of different access rights to security administrators. Upon authentication, each administrator inherits the access rights assigned by the organization's security manager and indicated within the security policy.
Supported access levels are defined as follows:
- Read/Write: access to all functionality of FireWall-1/VPN-1 management tools
- User Edit: the ability to modify user information only; access to all other functionality is read-only
- Read Only: read-only access to the Policy Editor
- Monitor Only: read-only access limited to the Log Viewer and the System Status tools
Protection Against Common Attacks
There are several common types of attacks that hackers employ to gain access to or damage a company's network. These attacks are easily defeated by FireWall-1 and VPN-1 Gateways.
- IP Spoofing - A technique where an attacker attempts to gain unauthorized access through a false source address, to make it appear as though communications have originated in a part of the network with higher access privileges. For example, a packet originating on the Internet may be masquerading as a local packet with the source IP address of an internal host. FireWall-1 and VPN-1 Gateways protect against IP spoofing attacks by limiting network access based on the gateway interface from which data is being received.
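The interface-based anti-spoofing check described above, as an added example in Python that is not Check Point's code: each internal-facing interface is tied to the networks expected behind it, the external interface accepts only addresses that do not belong to any internal network, and a packet whose source address is not valid for the interface it arrived on is dropped before the rule base is consulted. The interface names, networks and sample packets are constructed assumptions.

```python
# Added example (not Check Point's code): interface-based anti-spoofing as
# described above. A packet whose source address does not belong on the
# interface it arrived on is dropped before any rule is evaluated.
# The interface names, networks and sample traffic are constructed.
from ipaddress import ip_address, ip_network

# Constructed topology: the networks that live behind each internal-facing interface.
TOPOLOGY = {
    "eth1": [ip_network("10.0.0.0/8")],          # internal LAN
    "eth2": [ip_network("192.168.10.0/24")],     # DMZ
}
# The external (Internet-facing) interface: valid sources are everything that is
# NOT behind one of the internal interfaces.
EXTERNAL = "eth0"


def anti_spoofing_verdict(iface: str, src: str) -> str:
    """Return "pass" or "drop" for a packet with source `src` arriving on `iface`."""
    addr = ip_address(src)
    internal_nets = [net for nets in TOPOLOGY.values() for net in nets]
    if iface == EXTERNAL:
        # An internal address showing up on the external interface is the
        # classic spoof: a packet from the Internet posing as a local host.
        return "drop" if any(addr in net for net in internal_nets) else "pass"
    if iface not in TOPOLOGY:
        return "drop"   # unknown interface: fail closed
    return "pass" if any(addr in net for net in TOPOLOGY[iface]) else "drop"


def filter_packets(packets):
    """Apply the check to (iface, src, dst) tuples and return one log line each."""
    log = []
    for iface, src, dst in packets:
        verdict = anti_spoofing_verdict(iface, src)
        reason = "" if verdict == "pass" else " (source not valid for interface)"
        log.append(f"{iface} {src} -> {dst}: {verdict}{reason}")
    return log


# Constructed sample traffic.
SAMPLE = [
    ("eth0", "203.0.113.5", "10.1.1.20"),   # genuine Internet client
    ("eth0", "10.1.2.3", "10.1.1.20"),      # spoofed: internal address arriving from outside
    ("eth1", "10.1.2.3", "203.0.113.5"),    # internal host going out
    ("eth1", "192.168.10.4", "10.1.1.20"),  # DMZ address seen on the LAN interface
]

if __name__ == "__main__":
    print("\n".join(filter_packets(SAMPLE)))
```

The check depends entirely on the topology being complete: a network that is reachable behind an internal interface but missing from the table would be treated as external, and its addresses would then be accepted from the outside.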
- Denial of Service Attack - There are many types of denial of service (DoS) attacks. One type of DoS attack is a SYN Flood attack. A TCP connection is initiated by a client issuing a request to a server with the SYN flag set in the TCP header. Normally the server will issue a SYN/ACK packet back to the client. The client will then send an ACK packet to the server and data transfer can commence. When the client IP address is unreachable (due to a false source address for the client), however, the server cannot complete the connection, but it still reserves system resources in anticipation of the connection. When the server receives hundreds or thousands of connection requests that cannot be completed because the client is unreachable, the server will be unable to service legitimate clients and will deny all service. FireWall-1 and VPN-1 Gateways include Check Point's SYNDefender application, which provides three different methods to defeat SYN Flood attacks.
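The half-open connection state that a SYN flood exploits, as an added detection example in Python that is not Check Point's code: a SYN opens a pending entry for the client/server pair, the client's ACK completes it, and entries still pending after a handshake timeout are counted per server so that a server accumulating many of them can be flagged. The page does not describe SYNDefender's three methods, so this is a generic half-open counter and not a reconstruction of them; the threshold, timeout and sample events are constructed.

```python
# Added example (not Check Point's code): a half-open connection table that makes
# a SYN flood visible. SYNDefender's own methods are not described on the page;
# this is a generic detector with constructed threshold, timeout and events.
from collections import defaultdict

HANDSHAKE_TIMEOUT = 3.0   # seconds a SYN may go unanswered before it counts as stale
HALF_OPEN_THRESHOLD = 5   # stale entries per server that raise an alert (small for the demo)


def half_open_report(events, now):
    """events: (t, kind, client, server) with kind "SYN" (client's request) or
    "ACK" (client's final handshake packet). Returns {server: stale half-open count}
    for servers that have at least one stale entry at time `now`."""
    pending = {}                     # (client, server) -> time of the first SYN
    for t, kind, client, server in sorted(events, key=lambda e: e[0]):
        key = (client, server)
        if kind == "SYN":
            pending.setdefault(key, t)   # a retransmitted SYN keeps the original time
        elif kind == "ACK":
            pending.pop(key, None)       # handshake completed: no longer half-open
    stale = defaultdict(int)
    for (_client, server), t in pending.items():
        if now - t >= HANDSHAKE_TIMEOUT:
            stale[server] += 1
    return dict(stale)


def flooded_servers(events, now):
    """Servers whose stale half-open count has reached the alert threshold."""
    return sorted(server for server, count in half_open_report(events, now).items()
                  if count >= HALF_OPEN_THRESHOLD)


# Constructed events: one real client that finishes its handshake, then six SYNs
# from sources that never answer the SYN/ACK (as if their addresses were unreachable).
SAMPLE_EVENTS = [
    (0.0, "SYN", "10.0.0.5", "10.1.1.20"),
    (0.1, "ACK", "10.0.0.5", "10.1.1.20"),
] + [(1.0 + i / 10, "SYN", f"198.51.100.{i}", "10.1.1.20") for i in range(1, 7)]

if __name__ == "__main__":
    # Shortly after the SYNs nothing is stale yet; a few seconds later all six are.
    for now in (2.0, 10.0):
        print(now, half_open_report(SAMPLE_EVENTS, now), flooded_servers(SAMPLE_EVENTS, now))
```

Counting by server rather than by client is deliberate: the flood's sources are false addresses that never repeat, so a per-client view would show nothing unusual, while the server's stale entries grow with every unanswered SYN/ACK.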