
Intro to OPSEC

SDK Overview


The Security Challenge of eBusiness
Today's eBusiness world demands greater access to information and avenues of communication among customers, business partners, suppliers and employees. Any business that uses the Internet to achieve this must implement significant safeguards to protect its network, or else risk the vulnerability of all its private stores of digital information.

The key to addressing this information security risk is a comprehensive Internet security architecture. The solution requires multiple layers of security using best-of-breed products from a variety of vendors. The integration and manageability of these multiple products is an essential factor in the achievement of a secure architecture. Security administrators must be confident that applications can properly authenticate users and that Internet gateways will always enforce the appropriate security policy. They must also be able to define and apply security policies across multiple technologies including firewalls, VPNs and QoS devices, manage reports on network activity, and maintain the proper system configurations. These tasks can pose significant challenges to the security implementation team securing an enterprise's eBusiness infrastructure. Check Point Software Technologies' Secure Virtual Network (SVN) architecture and the Open Platform for Security (OPSEC) offer industry-leading integrated Internet security solutions to substantially reduce these challenges.

Check Point SVN secures the Internet environment by providing security that extends across networks, systems (individual clients and systems), applications and users, and across intranets, extranets and the Internet. SVN goes beyond the basics of VPNs (the use of the Internet as the transport backbone for secure links with partners and regional offices) to deliver Internet security that offers scalability, manageability, comprehensiveness, high performance and ease of use. SVN Phase II is the next evolution in eBusiness application security in which the comprehensive security infrastructure of SVN can be unified with applications. This is accomplished via new technology called UserAuthority™ that enables seamless network authentication sharing directly with eBusiness applications for intelligent user authorization. SVN protects all systems throughout the IP-based enterprise network by securing all Internet gateways, allowing single sign-on capabilities at the application server level, and enabling granular access control for all users regardless of location.

OPSEC: Integrated Internet Security
OPSEC extends the Secure Virtual Network architecture by providing a unique, open platform for integration and interoperability. For OPSEC partners, integration with the SVN architecture results in the most robust solutions on the market today. For customers, OPSEC integration means the ability to match the best product or service to their specific needs from a wide choice of best-of-breed products and services, without the burden of questionable interoperability! OPSEC allows users to take full advantage of the SVN architecture across the leading server, internetworking and appliance platforms and also provides the option of outsourced managed security services. OPSEC certification, earned only after rigorous lab testing, further assures the integration of products and services bearing the OPSEC Certified logos.

OPSEC answers the greatest challenges of multivendor solutions (interoperability and management complexity) and avoids the biggest problems of single-vendor suites (lack of integration and limited flexibility). A strategy based on best-of-breed solutions allows the use of the best products and services on the market, and takes advantage of the innovations and expertise of the vendors that specialize in the functionality customers need. The combination of Check Point and OPSEC solutions gives customers the flexibility to design a secure eBusiness solution that matches the challenges unique to their own network and business needs.

OPSEC Integration Points
OPSEC integration is achieved through a combination of published application programming interfaces (APIs), industry-standard protocols and a high-level scripting language. OPSEC provides a single framework for third-party products to integrate into all aspects of the secure virtual network. Clearly defined interfaces enable integration with VPN-1™/FireWall-1, FloodGate-1™ and Meta IP™ without delving into the complexity of the underlying infrastructure. OPSEC's powerful client/server communications infrastructure allows products residing on remote platforms and servers to communicate securely with SVN products. Leading security vendors have taken advantage of the OPSEC SDK for over two years to build complementary security applications that seamlessly integrate with the Check Point Secure Virtual Network architecture.

Third-party vendors may achieve OPSEC compliance and certification through one of the following integration points:

  • OPSEC Software Development Kit (SDK): Allows integration with Check Point's industry-leading Secure Virtual Network architecture. The SDK leverages the Check Point-defined OPSEC protocols and APIs for integration with VPN-1/FireWall-1, FloodGate-1 and Meta IP.
  • Industry standard interfaces and protocols (when available and applicable): Provide specifications to ensure multi-vendor product interoperability and certification criteria.
  • Check Point's INSPECT language: Adds application support to intercept, analyze and act on all communications to applications utilizing VPN-1/FireWall-1 and FloodGate-1.
  • Embedded version of Check Point's INSPECT Virtual Machine or full VPN-1/FireWall-1 code set: Allows third-party vendors to embed Check Point technologies into systems and appliances for a robust security feature set.

The OPSEC Software Development Kit: Open Protocols and Applications Programming Interfaces
Check Point Software realized early on that the key to the broad availability of innovative and tightly integrated products was the commitment to a software development kit with well-documented application programming interfaces (APIs). First delivered in 1997, the OPSEC Software Development Kit (SDK) enables third-party vendors and end-users to easily integrate their products with VPN-1/FireWall-1, FloodGate-1 and Meta IP. Its APIs hide the intricacies of the underlying protocols and networking from the application developers. To provide additional security, applications built with the OPSEC SDK can utilize strong Secure Sockets Layer (SSL) encryption for all OPSEC communications between the client and server. Today, Check Point is still the only significant Internet security provider that offers a freely available software development kit for policy management and enforcement integration.

Content Security using CVP (Content Vectoring Protocol)
Content security allows the customer to scan the content of all traffic going across the network. Scanning the files for viruses and/or malicious Java or ActiveX applets as they pass through the firewall significantly enhances security by controlling eBusiness access points with a consistent policy that would otherwise be difficult to enforce across all desktops, servers and business units.

Check Point provides this capability using the Content Vectoring Protocol (CVP) API, now in its third generation of functionality. The CVP API defines an asynchronous interface to server applications that perform content validation. It allows content validation to be based on a variety of content criteria, including any string match in the file. It also enables the application to make modifications to the original file. Figure 1 shows how the rule base is enforced using CVP and a validation server.

An advanced component of the latest generation of CVP is CVP Manager, included with VPN-1 and FireWall-1. CVP Manager can be configured to chain a number of content validation servers to allow multiple scans of the same file. It can also provide basic load sharing of content to multiple validation servers, enabling scalability as well as failover capability for validation servers. CVP Manager is extremely important if the customer has multiple validation servers, each performing a different validation such as anti-virus, URL filtering or email-scanning.
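The chaining, load sharing and failover behaviour of CVP Manager described above, modelled in Python as an added example (not code from this page or from Check Point's OPSEC SDK). The server names, the marker string standing in for a virus signature and the applet-stripping validator are constructed, and the manager is assumed to fail closed when no validation server in a stage can be reached.

```python
# Model of the CVP Manager behaviour described above: a chain of validation
# stages, each a pool of equivalent servers with round-robin load sharing and
# failover. Constructed illustration, not Check Point's OPSEC SDK code.
import itertools
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

class ServerDown(Exception):
    """Raised when a validation server cannot be reached."""

@dataclass
class ValidationServer:
    name: str
    check: Callable[[bytes], Tuple[str, bytes]]  # returns (verdict, content)
    up: bool = True

    def validate(self, data: bytes) -> Tuple[str, bytes]:
        if not self.up:
            raise ServerDown(self.name)
        return self.check(data)

class Stage:
    """One link in the chain: equivalent servers share load round-robin, and an
    unreachable server is skipped in favour of the next one (failover)."""

    def __init__(self, servers: List[ValidationServer]):
        self.servers = servers
        self._next = itertools.cycle(range(len(servers)))

    def validate(self, data: bytes) -> Tuple[str, str, bytes]:
        start = next(self._next)
        for i in range(len(self.servers)):
            srv = self.servers[(start + i) % len(self.servers)]
            try:
                verdict, out = srv.validate(data)
                return srv.name, verdict, out
            except ServerDown:
                continue
        raise ServerDown("no server reachable in stage")

class CvpManager:
    """Passes the (possibly modified) content through each stage in turn. A reject
    at any stage ends the chain; if a whole stage is unreachable the manager fails
    closed and rejects rather than letting unscanned content through (assumption)."""

    def __init__(self, stages: List[Stage]):
        self.stages = stages

    def scan(self, data: bytes) -> Tuple[str, bytes, List[str]]:
        trail: List[str] = []  # which server answered at each stage, and how
        for stage in self.stages:
            try:
                name, verdict, data = stage.validate(data)
            except ServerDown:
                trail.append("stage-unavailable")
                return "reject", data, trail
            trail.append(f"{name}:{verdict}")
            if verdict == "reject":
                return "reject", data, trail
        return "accept", data, trail

# Constructed validators: the marker stands in for a virus signature, and the
# applet stripper modifies the original file, as the CVP API allows.
MARKER = b"CONSTRUCTED-MALWARE-MARKER"

def signature_scan(data: bytes) -> Tuple[str, bytes]:
    return ("reject" if MARKER in data else "accept"), data

def strip_applets(data: bytes) -> Tuple[str, bytes]:
    return "accept", re.sub(rb"<applet\b.*?</applet>", b"", data, flags=re.I | re.S)

def build_manager() -> CvpManager:
    # av-1 is marked down so the first request must fail over to av-2.
    av = Stage([ValidationServer("av-1", signature_scan, up=False),
                ValidationServer("av-2", signature_scan)])
    return CvpManager([av, Stage([ValidationServer("strip-1", strip_applets)])])
```

Calling build_manager().scan(...) on a file containing an applet returns the accepted file with the applet removed and a trail showing which replica answered at each stage.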

Web Resource Management using UFP (URL Filtering Protocol)
With the broad access to web content now required by eBusiness comes the possibility that employees are using the web for casual and inappropriate browsing. Besides possible liability issues for the company, the increased HTTP traffic can put a burden on the Internet gateway which can result in slower response time and transmittal of mission-critical information. UFP allows security administrators to track and monitor employee web usage in order to maintain network connectivity and employee efficiency.

Check Point's implementation of URL filtering represents the most highly integrated in the industry, with filtering rules defined directly within the context of the Check Point Management Console rule-base. UFP defines a client/server asynchronous interface to categorize and control communication based on specific URL addresses. The UFP client on the firewall passes the URL to the UFP server, which uses dynamic categorization technology to return a classification category for the URL. The firewall then uses this category to determine the action required in accordance with the security policy as defined in the rule-base. With this extensive integration, customers can use a single security policy to facilitate effective web resource management.

Intrusion Detection using SAM (Suspicious Activity Monitoring)
Check Point introduced the concept of active-feedback loop integration between intrusion detection systems and firewall/VPN gateways in 1997. The Suspicious Activity Monitoring (SAM) API enables VPN-1/FireWall-1 to block the connection when an intrusion detection application identifies suspicious activity on the network or a specific host. Examples of suspicious activity include: a specific client making repeated connection attempts to privileged services on a specific host (e.g. scanning); a client attempting to issue illegal commands, or repeatedly failing to complete a login, to a server system for which access by the client would generally be considered illegitimate (e.g. sending illegal CGI commands through a form); or any other set of criteria which, if met, qualifies the activity as an inferred security threat.

The SAM API defines an interface through which an intrusion detection application can communicate with a VPN-1/FireWall-1 management server. The intrusion detection engine uses SAM to identify specific hosts generating suspicious activity on the network or server system, and the management server in turn directs the VPN-1/FireWall-1 modules to terminate sessions or deny access to those specific hosts. The specific actions taken by the firewall might include terminating a current session in progress or blocking new session attempts that match the criteria over a specified time period in the future.

SAM applications generate dynamic and time-dependent action rules, unlike the permanent rules defined in the context of the Security Management Server. SAM does not allow connections to pass through the firewall unless they are already allowed by the explicitly defined management policies. Only the additional blocking of specific connections for a limited time period is possible via SAM. SAM applications can use other OPSEC interfaces and APIs to send logs, alerts, and status messages to the VPN-1/FireWall-1 management server for centralized security monitoring.
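How the SAM semantics described above (time-limited, deny-only dynamic rules layered over the static policy) fit together with a detection engine, as an added Python example that is not code from this page or from Check Point's OPSEC SDK. The toy scan detector, its thresholds, the service names and the documentation-range addresses are constructed assumptions.

```python
# Model of the SAM semantics described above: an intrusion-detection engine
# emits time-limited block requests that the gateway layers on top of its
# static rule base. Constructed illustration, not Check Point's OPSEC SDK code.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    service: str

def _covers(src: str, dst: str, service: str, c: Conn) -> bool:
    """'any' is a wildcard in both static rules and SAM entries."""
    return all(p in ("any", v) for p, v in ((src, c.src), (dst, c.dst), (service, c.service)))

@dataclass
class StaticRule:  # permanent rule from the security policy
    src: str
    dst: str
    service: str
    action: str  # "accept" or "drop"

@dataclass
class SamBlock:  # dynamic SAM action: block matching connections until expires_at
    src: str
    dst: str
    service: str
    expires_at: float

class Gateway:
    def __init__(self, rules: List[StaticRule]):
        self.rules = rules
        self.sam_blocks: List[SamBlock] = []

    def add_sam_block(self, block: SamBlock) -> None:
        self.sam_blocks.append(block)

    def decide(self, c: Conn, now: float) -> str:
        # Expired SAM entries are purged. SAM can only add denials, so it is
        # consulted first; the static policy (with an implicit cleanup drop)
        # decides everything SAM does not block.
        self.sam_blocks = [b for b in self.sam_blocks if now < b.expires_at]
        if any(_covers(b.src, b.dst, b.service, c) for b in self.sam_blocks):
            return "drop:sam"
        for r in self.rules:
            if _covers(r.src, r.dst, r.service, c):
                return r.action
        return "drop"

class ScanDetector:
    """Toy IDS (constructed): one source touching `threshold` distinct services
    on one host inside `window` seconds is treated as a scan and earns a SAM block."""

    def __init__(self, threshold: int, window: float, block_for: float):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.seen: Dict[tuple, List[tuple]] = defaultdict(list)

    def observe(self, c: Conn, now: float) -> Optional[SamBlock]:
        hist = self.seen[(c.src, c.dst)]
        hist.append((now, c.service))
        hist[:] = [(t, s) for t, s in hist if now - t <= self.window]
        if len({s for _, s in hist}) >= self.threshold:
            hist.clear()
            return SamBlock(c.src, "any", "any", now + self.block_for)
        return None

def run_scenario() -> Dict[str, object]:
    """Constructed scenario: 192.0.2.7 probes five services on 10.1.1.10."""
    gw = Gateway([StaticRule("any", "10.1.1.10", "http", "accept")])
    ids = ScanDetector(threshold=5, window=10.0, block_for=600.0)

    def probe(svc: str) -> Conn:
        return Conn("192.0.2.7", "10.1.1.10", svc)

    res: Dict[str, object] = {"before_block": gw.decide(probe("http"), 0.0)}
    for t, svc in enumerate(["ftp", "telnet", "smtp", "ssh", "http"]):
        block = ids.observe(probe(svc), float(t))
        if block:
            gw.add_sam_block(block)
    res["sam_blocks"] = len(gw.sam_blocks)
    res["probe_blocked"] = gw.decide(probe("http"), 5.0)
    res["other_client_ok"] = gw.decide(Conn("198.51.100.9", "10.1.1.10", "http"), 5.0)
    res["policy_still_denies"] = gw.decide(Conn("198.51.100.9", "10.1.1.10", "telnet"), 5.0)
    res["after_expiry"] = gw.decide(probe("http"), 605.0)
    return res
```

run_scenario() shows the probing host losing its otherwise permitted HTTP access only for the block's lifetime, while a connection the static policy never allowed stays dropped regardless of SAM.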

Event Integration
Event integration is an essential integration point for any enterprise security management system. Check Point has two APIs, LEA (Log Export API) and ELA (Event Logging API), that allow third parties to access log data. This ability to access a granular level of connection detail enables robust reporting capabilities by specialized security products, network reporting products, help desk and event management systems, security audits, accounting and billing, and network management systems. This integration is accomplished through two client-server APIs which enable events to be passed between the Check Point Management Console and other products through secure channels.

Reporting and Event Analysis using LEA (Log Export API)
The Log Export API enables applications to read the VPN-1/FireWall-1 log database. The LEA client, written by an OPSEC partner, can retrieve both real-time and historical log data from the Management Console through the LEA server. A reporting application can use the LEA client in an on-line mode or off-line mode to process the logged events that are generated by the VPN-1/FireWall-1 security policy. OPSEC partners rely on LEA as a mission-critical source for granular traffic connection information driven by the VPN-1/FireWall-1 kernel engine. The SSL-enabled version of LEA provides additional security to applications, ensuring that all data traversing the network between the LEA application and the firewall management system is encrypted.

Security and Event Consolidation using ELA (Event Logging API)
Applications use the Event Logging API to write to the VPN-1/FireWall-1 log database. ELA enables third-party applications to trigger the VPN-1/FireWall-1 alert mechanism for specific events such as virus detection, or failover from one firewall to another under a high availability mechanism. As the corporate gateway becomes the focal point for security policy management, ELA enables the Check Point Management Console to become the central repository for all traffic event accounting and analysis. OPSEC partners can utilize ELA in conjunction with SAM to ensure suspicious activity is tracked and corrective action is taken by VPN-1/FireWall-1 to terminate a malicious connection.

Management using CPMI and AMON
CPMI (Check Point Management Interface) is the interface to Check Point's central policy and objects database; it enables third-party applications to securely access the security policy stored in the management server. CPMI, available in the NG OPSEC SDK, replaces OMI with read/write access to the policy and objects database. With this interface vendors can build sophisticated applications that share common objects defined in the firewall. By sharing objects, the user only needs to define them once, simplifying the overall manageability of the solution. Additionally, by using SSL, CPMI can be used remotely to enable applications to access the policy from a remote client.

AMON (Application Monitoring) is a new API introduced in NG OPSEC SDK. With this interface vendors can export status of their application to the Check Point System Status Viewer. This provides a unified, up-to-date status of the security infrastructure to the security administrator.

Authentication using OPSEC PKI Integration
Public Key Infrastructure (PKI) is an emerging technology that provides scalable trusted authentication for applications such as VPNs. X.509 digital certificates are used by IPSEC/IKE to validate the public keys required to establish an encrypted connection and verify the authenticity of the parties in the exchange. The certificate authority (CA), considered to be a trusted third party entity that vouches for (or authenticates) the identity of the digital certificate owner, issues certificate revocation lists (CRLs) that are used to validate a user's certificate. Depending on the CA, a CRL may be stored in an HTTP server or an LDAP directory.

Check Point's goal is to provide an open integration environment whereby any vendor's PKI solution can be tightly integrated with Check Point's products. It is common for suppliers, partners and customers sharing an eBusiness extranet to each operate their own different CA; for example, your partner may have a VeriSign™ CA, and your supplier may have an Entrust CA. VPN-1 Gateway's ability to simultaneously support certificates from multiple different CAs allows customers to set up and support multi-CA extranets that can be used with business partners, suppliers and customers. Open PKI makes it possible for administrators to select the PKI solution which best fits their needs and fully leverage this solution with Check Point's VPN-1 product. Through the use of industry standard public key cryptography standards (PKCS), Check Point created OPSEC PKI integration points for VPN-1 Gateway, VPN-1 SecureClient, and VPN-1 SecuRemote.

Authentication using Secure Authentication API (SAA)
The Secure Authentication API (SAA) allows VPN-1 SecuRemote and VPN-1 SecureClient to support a wide variety of authentication mechanisms such as biometric devices, challenge response tokens, and passwords. SAA takes advantage of Check Point's innovative Hybrid Mode technology to integrate these different authentication types with IPSEC/IKE, and allows customers to migrate their authentication technology from challenge response tokens to PKI. Until now, IPSEC connections have required the use of either a shared secret with manual key exchange (cumbersome) or a digital certificate (complex) for authentication. Hybrid Mode allows a wide variety of two-factor authentication tokens, with and without SAA integration, to establish an IPSEC/IKE VPN-1 connection. Support for existing authentication tokens with IPSEC/IKE is especially important to end-users that want to migrate from existing authentication solutions which employ these tokens to PKI-based trust models. Check Point has submitted the Hybrid Mode technology to the IETF as an enhancement to IPSEC.

SAA works by passing authentication information from VPN-1 SecureClient or the VPN-1 SecuRemote client to an authentication server (e.g. RADIUS, ACE, TACACS+) located behind the VPN-1 Gateway. Once the server authenticates the user to the Gateway, an IPSEC/IKE connection is established between SecureClient or the SecuRemote client and the VPN-1 Gateway.

SAA allows SecuRemote and SecureClient to operate transparently to the end user. It also provides the authentication vendor with the option of replacing the SecuRemote and SecureClient login dialog box with that of the authentication vendor's product.

High Availability with Load Balancing (HA/LB) and Hot Standby (HA/HS)
With the growth of eBusiness over the Internet, the VPN-1/FireWall-1 gateway to the Internet has become a mission-critical link companies cannot afford to lose, even temporarily. Check Point leads the industry with an advanced framework for high availability that allows gateways to share information on active connections. Should one gateway or network connection fail, the other gateway(s) can seamlessly take over existing connections without impacting users. Even IPSEC/IKE connections can be maintained.

As the mission-critical Internet link in an enterprise grows, balancing the traffic between multiple gateways becomes imperative. Check Point's OPSEC HA/LB Partners provide cluster support for balancing the traffic load between multiple gateways, with failover capabilities should one of the gateways go down. This cluster of gateways allows the enterprise to expand with its growing Internet traffic demands while maintaining the reliability of an HA solution.

Check Point's OPSEC HA/LB allows third-party vendors to take advantage of the VPN-1/FireWall-1 state table synchronization feature. State table synchronization allows each VPN-1/FireWall-1 in a high availability cluster to record connection data and synchronize its connection data with the others. It also allows an OPSEC certified HA/LB product to seamlessly fail over a VPN-1/FireWall-1 connection from a failed Gateway to an available Gateway in an HA cluster.

User Address Mapping using UAM
The User-to-Address Mapping (UAM) API, a technology found in Check Point Meta IP, provides the association between user and IP address, transparently enhancing user accountability and network security through user-based management. Unlike other products, User-to-Address Mapping technology enables vendors and administrators to gain this information without requiring onerous secondary authentication challenges, such as multiple passwords. By incorporating UAM into third-party products, vendors can supply transparent user authentication to the network based on the operating system login, providing a foundation for user-based security management and reporting.

UAM's modular design makes it the only solution that provides user/address information across multiple network operating systems. UAM traps key information from the DHCP and DNS services, as well as from Windows NT and Novell NetWare 5.0 network authentications, including login name, login time, Media Access Control (MAC) address, IP address and host name. The UAM API is tightly integrated with Check Point VPN-1/FireWall-1.

Securing eBusiness Applications with the UserAuthority™ API (UAA)
As the fundamental requirement for eBusiness, security needs to be the common layer across multiple applications to ensure all communications are secure, reliable and manageable. UserAuthority is the software hook that delivers the critical security backbone of SVN: LDAP directory support, open PKI, intrusion detection, high availability, reporting/logging, multiple authentication schemes and policy access management. The UAA is the connecting point through which network user authorizations and connection information are shared directly with applications or eBusiness tools such as authorization portals, web servers or middleware.

The UAA is a client/server asynchronous interface that shares network authorization information with applications, together with information from various Check Point products, including all contextual connection information and additional VPN-1/FireWall-1 management information. When an eBusiness application receives an authorization request from a VPN-1 user, it requests the user's authentication credentials from the gateway in order to make an intelligent authorization decision.

UserAuthority enables seamless and secure user access to applications by leveraging the SVN authentication environment and reducing user authentication prompts. User navigation can be enhanced when multiple resources behind the gateway are integrated via the UAA. For legacy applications, UserAuthority, in conjunction with SecureServer, can Internet-enable a LAN-based system as well as provide scalable and advanced security technology such as PKI.

Industry Standards and Standard Protocols
The list of standards supported by OPSEC continues to grow as new industry standard proposals gain acceptance in the market or are ratified. In order to keep up with the many industry standards or standard protocols that exist today to ensure multi-vendor product interoperability, Check Point Software is a standards bearer and an active participant in standards bodies. The following industry-specific standards are integral parts of the OPSEC framework.

RADIUS/TACACS+
Remote Authentication Dial-In User Service (RADIUS) is the IETF (Internet Engineering Task Force) standard that has gained broad acceptance for the authentication of dial-up users. TACACS+ is a similar protocol which has gained some level of multivendor acceptance. Token-based authentication schemes can be implemented using the RADIUS protocol or alternatively, TACACS+.

With RADIUS support, VPN-1 and FireWall-1 can enforce authentication by checking with a RADIUS server before allowing, for example, an external engineering development partner access to the company CAD/CAM system. Other access control devices such as routers or modem servers can use the same RADIUS authentication server. The RADIUS standard unifies this authentication function. Different vendor security products can be used to authenticate a connection between two business partners provided that the equipment at each end of the communication is compliant with the RADIUS standard.

SNMP
SNMP, the Simple Network Management Protocol, is the industry standard protocol for the management of hardware and software resources from a central location. The SNMP management model employs two basic entities: a management station loaded with a resource MIB (Management Information Base) file, and an agent. The MIB describes the information, and the agent, a program running on the resource to be managed, provides it to the management station when queried. The MIB also describes "traps", which are unsolicited event notifications that the agent sends to the management station when a preset condition is met. This allows the agent to continually monitor the resource and report exceptions to the management station.

VPN-1/FireWall-1 provides a MIB and SNMP agent for management of the VPN-1/FireWall-1 gateway. Using any network management station, the VPN-1/FireWall-1 gateway can be queried for current status. In addition, the VPN-1/FireWall-1 agent can alert the management station of network events which might affect the operation of the gateway, or violations of the network security policy.

LDAP
LDAP, the Lightweight Directory Access Protocol, is an industry standard for exchanging information with LDAP-compliant directory servers. LDAP specifies a method for retrieving, storing, and representing data in a directory server, which typically is a repository for user information as well as network resources. Some examples of information stored in a Directory Server include user identification data, X.509 certificates for use with Public Key Infrastructure (PKI) solutions, IP-to-hostname mappings, etc. Various third-party directory servers offer sophisticated features such as replication (master/slave, multi-master), directory referrals, and backup services that make directory servers an ideal repository for mission-critical enterprise data.

When used in conjunction with the Check Point SmartDirectory, VPN-1/FireWall-1 uses LDAP to access information from Directory Servers to identify and authenticate users via user passwords, pre-shared secrets, digital certificates, or third-party authentication servers. In addition, VPN-1/FireWall-1 optionally uses the directory server to store some access control attributes. The communication between VPN-1/FireWall-1 and the directory server is encrypted using SSL to maintain data privacy.

Application Integration for Secure eBusiness
For customers or OPSEC partners seeking to secure their applications from client to server across the Internet, intranets or extranets, OPSEC delivers the flexibility to incorporate the protocols and services necessary for Secure Virtual Networking (SVN). OPSEC extends the power of SVN for eBusiness applications by delivering integrated access enforcement, robust intrusion detection and Quality of Service (QoS), all within a centralized policy management framework. Through OPSEC, Check Point has partnered with leading application vendors and customers to deliver a scalable and highly available security architecture that delivers end-to-end security across heterogeneous computing environments.

Check Point achieves this adaptability by leveraging its patented Stateful Inspection technology. Stateful Inspection's extensibility allows it to support new applications by using INSPECT, a high-level programming language that can be compiled and downloaded to enforcement points and executed in accordance with the security policy. The INSPECT engine resides dynamically at the operating system kernel for very high performance and also includes awareness of all communication layers of the IP protocol family and the applications built on top of them. The result: integrating applications with Check Point enables users to create a security layer across their network with all the elements necessary for secure eBusiness.

Check Point has delivered the broadest support for applications and network services of any security vendor in the world.

Applications currently supported can be viewed on Check Point's VPN-1/FireWall-1 Application Support page.