Intro to OPSEC
The Security Challenge of eBusiness
Today's eBusiness world demands greater access to information
and avenues of communication among customers, business partners,
suppliers and employees. Any business that uses the Internet
to achieve this must implement significant safeguards to protect
its network, or else risk the vulnerability of all its private
stores of digital information.
The key to addressing this information security risk is a comprehensive Internet security architecture. The solution requires multiple layers of security using best-of-breed products from a variety of vendors. The integration and manageability of these multiple products is an essential factor in the achievement of a secure architecture. Security administrators must be confident that applications can properly authenticate users and that Internet gateways will always enforce the appropriate security policy. They must also be able to define and apply security policies across multiple technologies including firewalls, VPNs and QoS devices, manage reports on network activity, and maintain the proper system configurations. These tasks can pose significant challenges to the security implementation team securing an enterprise's eBusiness infrastructure. Check Point Software Technologies' Secure Virtual Network (SVN) architecture and the Open Platform for Security (OPSEC) offer industry-leading integrated Internet security solutions to substantially reduce these challenges.
Check Point SVN secures the Internet environment by providing security that extends across networks, systems (individual clients and systems), applications and users, and across intranets, extranets and the Internet. SVN goes beyond the basics of VPNs (the use of the Internet as the transport backbone for secure links with partners and regional offices) to deliver Internet security that offers scalability, manageability, comprehensiveness, high performance and ease of use. SVN Phase II is the next evolution in eBusiness application security in which the comprehensive security infrastructure of SVN can be unified with applications. This is accomplished via new technology called UserAuthority™ that enables seamless network authentication sharing directly with eBusiness applications for intelligent user authorization. SVN protects all systems throughout the IP-based enterprise network by securing all Internet gateways, allowing single sign-on capabilities at the application server level, and enabling granular access control for all users regardless of location.
OPSEC: Integrated Internet Security
OPSEC extends the Secure Virtual Network architecture by providing
a unique, open platform for integration and interoperability.
For OPSEC partners, integration with the SVN architecture
results in the most robust solutions on the market today.
For customers, OPSEC integration means the ability to match
the best product or service to their specific needs from a
wide choice of best-of-breed products and services, without
the burden of questionable interoperability! OPSEC allows
users to take full advantage of the SVN architecture across
the leading server, internetworking and appliance platforms
and also provides the option of outsourced managed security
services. OPSEC certification, earned only after rigorous
lab testing, further assures the integration of products and
services bearing the OPSEC Certified logos.
OPSEC answers the greatest challenges of multivendor solutions (interoperability and management complexity) and avoids the biggest problems of single vendor suites (lack of integration and limited flexibility). A strategy based on best-of-breed solutions allows the use of the best products and services on the market, and takes advantage of the innovations and expertise of the vendors that specialize in the functionality customers need. The combination of Check Point and OPSEC solutions gives customers the flexibility to design a secure eBusiness solution that matches the challenges unique to their own network and business needs.
OPSEC Integration Points
OPSEC integration is achieved through a combination of published
application programming interfaces (APIs), industry-standard
protocols and a high-level scripting language. OPSEC provides
a single framework for third-party products to integrate into
all aspects of the secure virtual network. Clearly defined
interfaces enable integration with VPN-1™/FireWall-1, FloodGate-1™
and Meta IP™ without delving into the complexity of the underlying
infrastructure. OPSEC's powerful client/server communications
infrastructure allows products residing on remote platforms
and servers to communicate securely with SVN products. Leading
security vendors have taken advantage of the OPSEC SDK for
over two years to build complementary security applications
that seamlessly integrate with the Check Point Secure Virtual
Network architecture.
Third-party vendors may achieve OPSEC compliance and certification through one of the following integration points:
- OPSEC Software Development Kit (SDK): Allows integration with Check Point's industry-leading Secure Virtual Network architecture. The SDK leverages the Check Point-defined OPSEC protocols and APIs for integration with VPN-1/FireWall-1, FloodGate-1 and Meta IP.
- Industry standard interfaces and protocols, when available and applicable: Provide specifications to ensure multi-vendor product interoperability and certification criteria.
- Check Point's INSPECT language: Adds application support to intercept, analyze and act on all communications to applications utilizing VPN-1/FireWall-1 and FloodGate-1.
- Embedded version of Check Point's INSPECT Virtual Machine or full VPN-1/FireWall-1 code set: Allows third-party vendors to embed Check Point technologies into systems and appliances for a robust security feature set.
The OPSEC Software Development Kit: Open Protocols and Application Programming Interfaces
Check Point Software realized early on that the key to the
broad availability of innovative and tightly integrated products
was the commitment to a software development kit with well-documented
application programming interfaces (APIs). First delivered
in 1997, the OPSEC Software Development Kit (SDK) enables
third-party vendors and end-users to easily integrate their
products with VPN-1/FireWall-1, FloodGate-1 and Meta IP. Its
APIs hide the intricacies of the underlying protocols and
networking from the application developers. To provide additional
security, applications built with the OPSEC SDK can utilize
strong Secure Socket Layer (SSL) encryption for all OPSEC
communications between the client and server. Today, Check
Point is still the only significant Internet security provider
that offers a freely available software development kit for
policy management and enforcement integration.
Content Security using CVP (Content Vectoring Protocol)
Content security allows the customer to scan the content of
all traffic going across the network. Scanning the files for
viruses and/or malicious Java or ActiveX applets as they pass
through the firewall significantly enhances security by controlling
eBusiness access points with a consistent policy that would
otherwise be difficult to enforce across all desktops, servers
and business units.
Check Point provides this capability using the Content Vectoring Protocol (CVP) API, now in its third generation of functionality. The CVP API defines an asynchronous interface to server applications that perform content validation. It allows content validation to be based on a variety of content criteria, including any string match in the file. It also enables the application to make modifications to the original file. Figure 1 shows how the rule base is enforced using CVP and a validation server.
An advanced component of the latest generation of CVP is CVP Manager, included with VPN-1 and FireWall-1. CVP Manager can be configured to chain a number of content validation servers to allow multiple scans of the same file. It can also provide basic load sharing of content to multiple validation servers, enabling scalability as well as failover capability for validation servers. CVP Manager is extremely important if the customer has multiple validation servers, each performing a different validation such as anti-virus, URL filtering or email-scanning.
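The chaining, load-sharing and failover behaviour described above, modelled as an added example that is not Check Point's code: the stage names, server names, the toy validators, the constructed signature string and the fail-closed choice when every server of a stage is down are all assumptions of this example.

```python
import itertools
import re

# Constructed model (not Check Point code) of the CVP Manager behaviour described
# on the page: an ordered chain of validation stages, each backed by one or more
# servers that share the load round-robin and fail over to each other.

class Verdict:
    def __init__(self, safe, content, reason="clean"):
        self.safe, self.content, self.reason = safe, content, reason

class ValidationServer:
    def __init__(self, name, check, up=True):
        self.name, self.check, self.up = name, check, up

    def validate(self, content):
        if not self.up:
            raise ConnectionError(self.name)
        return self.check(content)

class CvpManager:
    def __init__(self, chain):
        # chain: list of (stage_name, [servers]); one cycle per stage gives round-robin
        self.chain = [(name, servers, itertools.cycle(range(len(servers))))
                      for name, servers in chain]
        self.trace = []

    def _dispatch(self, servers, rr, content):
        for _ in range(len(servers)):          # try each server of the stage at most once
            server = servers[next(rr)]
            try:
                verdict = server.validate(content)
            except ConnectionError:
                self.trace.append(f"{server.name}: down, failing over")
                continue
            self.trace.append(f"{server.name}: {verdict.reason}")
            return verdict
        return None

    def scan(self, content):
        for stage, servers, rr in self.chain:
            verdict = self._dispatch(servers, rr, content)
            if verdict is None:                # assumption: fail closed, not open
                return Verdict(False, content, f"{stage}: no validation server available")
            if not verdict.safe:
                return verdict
            content = verdict.content          # a modified file is what the next stage sees
        return Verdict(True, content)

# Constructed validators standing in for partner products.
MALWARE_SIGNATURE = b"X-CONSTRUCTED-MALWARE-SIG"   # constructed, not a real signature

def antivirus(content):
    if MALWARE_SIGNATURE in content:
        return Verdict(False, content, "virus signature matched")
    return Verdict(True, content, "no virus")

def strip_applets(content):
    cleaned = re.sub(rb"<applet\b.*?</applet>", b"", content, flags=re.S | re.I)
    return Verdict(True, cleaned, "applet removed" if cleaned != content else "no applets")

def string_block(content):
    if b"CONFIDENTIAL" in content:
        return Verdict(False, content, "blocked string found")
    return Verdict(True, content, "no blocked strings")

def build_manager(av_primary_up=True):
    return CvpManager([
        ("antivirus", [ValidationServer("av-1", antivirus, up=av_primary_up),
                       ValidationServer("av-2", antivirus)]),
        ("java-filter", [ValidationServer("applet-1", strip_applets)]),
        ("string-match", [ValidationServer("dlp-1", string_block)]),
    ])

def cvp_demo():
    page = b"<html><applet code='x.class'></applet>hello</html>"
    mgr = build_manager(av_primary_up=False)       # primary AV server is down
    clean = mgr.scan(page)
    infected = mgr.scan(b"data" + MALWARE_SIGNATURE)
    return {"clean": (clean.safe, clean.content), "infected": infected.reason,
            "trace": mgr.trace}

if __name__ == "__main__":
    for k, v in cvp_demo().items():
        print(k, v)
```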
Web Resource Management using UFP (URL Filtering Protocol)
With the broad access to web content now required by eBusiness
comes the possibility that employees are using the web for
casual and inappropriate browsing. Besides possible liability
issues for the company, the increased HTTP traffic can put
a burden on the Internet gateway which can result in slower
response time and transmittal of mission-critical information.
UFP allows security administrators to track and monitor employee
web usage in order to maintain network connectivity and employee
efficiency.
Check Point's implementation of URL filtering represents the most highly integrated in the industry, with filtering rules defined directly within the context of the Check Point Management Console rule-base. UFP defines a client/server asynchronous interface to categorize and control communication based on specific URL addresses. The UFP client on the firewall passes the URL to the UFP server, which uses dynamic categorization technology to return a classification category for the URL. The firewall then uses this category to determine the action required in accordance with the security policy as defined in the rule-base. With this extensive integration, customers can use a single security policy to facilitate effective web resource management.
Intrusion Detection using SAM (Suspicious Activity Monitoring)
Check Point introduced the concept of active-feedback loop
integration between intrusion detection systems and firewall/VPN
gateways in 1997. The Suspicious Activity Monitoring (SAM)
API enables VPN-1/FireWall-1 to block the connection when
an intrusion detection application identifies suspicious activity
on the network or specific host. Examples of suspicious activity
include: a specific client making repeated connection attempts
to privileged services on a specific host (e.g. scanning);
a client attempting to issue illegal commands or repeatedly
failing to complete a login to a server system for which access
by the client would generally be considered send illegal CGI
commands through a form); or any other criteria set which,
if met, qualifies the activity as an inferred security threat.
The SAM API defines an interface through which an intrusion detection application can communicate with a VPN-1/FireWall-1 management server. The intrusion detection engine uses SAM to identify specific hosts generating suspicious activity on the network or server system, and the management server in turn directs the VPN-1/FireWall-1 modules to terminate sessions or deny access to those specific hosts. The specific actions taken by the firewall might include terminating a current session in progress or blocking new session attempts that match the criteria over a specified time period in the future.
SAM applications generate dynamic and time-dependent action rules, unlike the permanent rules defined in the context of the Security Management Server. SAM does not allow connections to pass through the firewall unless they are already allowed by the explicitly defined management policies. Only the additional blocking of specific connections for a limited time period is possible via SAM. SAM applications can use other OPSEC interfaces and APIs to send logs, alerts, and status messages to the VPN-1/FireWall-1 management server for centralized security monitoring.
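An added example (not Check Point code) modelling the SAM semantics described in this section: a toy intrusion-detection rule over constructed log lines triggers a time-limited block, and the block can only narrow what the static rule base already permits. The rule fields, log format and host addresses are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model (not Check Point code) of the SAM semantics described on the
# page: the static rule base decides first; SAM can only add time-limited blocks.

@dataclass(frozen=True)
class Rule:
    src: str        # source host, or "any"
    dst: str        # destination host, or "any"
    service: str    # service name, or "any"
    action: str     # "accept" or "drop"

@dataclass
class SamBlock:
    src: str
    dst: str        # "any" blocks every destination for this source
    expires: datetime

class Gateway:
    def __init__(self, rules):
        self.rules = list(rules)
        self.sam_blocks = []

    def static_decision(self, src, dst, service):
        """First matching rule wins; anything unmatched is dropped (cleanup rule)."""
        for r in self.rules:
            if (r.src in (src, "any") and r.dst in (dst, "any")
                    and r.service in (service, "any")):
                return r.action
        return "drop"

    def sam_block(self, src, dst="any", seconds=300, now=None):
        """A SAM request: block src (optionally only towards dst) for a limited time."""
        block = SamBlock(src, dst, now + timedelta(seconds=seconds))
        self.sam_blocks.append(block)
        return block

    def decide(self, src, dst, service, now):
        # Time-dependent blocks expire on their own; nothing is cleaned up by hand.
        self.sam_blocks = [b for b in self.sam_blocks if b.expires > now]
        action = self.static_decision(src, dst, service)
        if action != "accept":
            return action          # SAM never turns a policy drop into an accept
        for b in self.sam_blocks:
            if b.src == src and b.dst in (dst, "any"):
                return "drop (SAM)"
        return "accept"

def detect_failed_logins(log_lines, threshold=3):
    """Toy intrusion-detection rule: sources with >= threshold failed logins to one host."""
    counts = {}
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split())
        if fields.get("event") == "login_failed":
            key = (fields["src"], fields["dst"])
            counts[key] = counts.get(key, 0) + 1
    return [key for key, n in counts.items() if n >= threshold]

# Constructed sample log lines (not real Check Point log output).
SAMPLE_LOG = [
    "event=login_failed src=10.1.1.5 dst=192.0.2.10 svc=ssh",
    "event=login_failed src=10.1.1.5 dst=192.0.2.10 svc=ssh",
    "event=login_ok     src=10.1.1.7 dst=192.0.2.10 svc=ssh",
    "event=login_failed src=10.1.1.5 dst=192.0.2.10 svc=ssh",
]
T0 = datetime(2001, 1, 1, 12, 0, 0)

def sam_demo():
    gw = Gateway([
        Rule("any", "192.0.2.10", "http", "accept"),
        Rule("10.1.1.5", "192.0.2.10", "ssh", "accept"),
    ])
    out = {"before": gw.decide("10.1.1.5", "192.0.2.10", "http", T0)}
    for src, dst in detect_failed_logins(SAMPLE_LOG):
        gw.sam_block(src, dst, seconds=60, now=T0)   # IDS -> management server -> module
    out["during"] = gw.decide("10.1.1.5", "192.0.2.10", "http", T0 + timedelta(seconds=10))
    out["other_host"] = gw.decide("10.1.1.7", "192.0.2.10", "http", T0 + timedelta(seconds=10))
    out["after"] = gw.decide("10.1.1.5", "192.0.2.10", "http", T0 + timedelta(seconds=61))
    # Policy never allowed telnet, so no SAM state can let it through.
    out["never_allowed"] = gw.decide("10.1.1.5", "192.0.2.10", "telnet", T0)
    return out

if __name__ == "__main__":
    for k, v in sam_demo().items():
        print(f"{k:>13}: {v}")
```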
Event Integration
Event integration is an essential integration point for any
enterprise security management system. Check Point has two
APIs, LEA (Log Export API) and ELA (Event Logging API), that
allow third parties to access log data. This ability to access
a granular level of connection detail enables robust reporting
capabilities by specialized security products, network reporting
products, help desk and event management systems, security
audits, accounting and billing, and network management systems.
This integration is accomplished through two client-server
APIs which enable events to be passed between the Check Point
Management Console and other products through secure channels.
Reporting and Event Analysis using LEA (Log Export API)
The Log Export API enables applications to read the VPN-1/FireWall-1
log database. The LEA client, written by an OPSEC partner,
can retrieve both real-time and historical log data from the
Management Console with the LEA server. A reporting application
can use the LEA client in an on-line mode or off-line mode
to process the logged events that are generated by the VPN-1/FireWall-1
security policy. OPSEC partners rely on LEA as a mission-critical
source for granular traffic connection information driven
by the VPN-1/FireWall-1 kernel engine. The SSL-enabled version
of LEA provides additional security to applications, ensuring
that all data traversing the network between the LEA application
and the firewall management system is encrypted.
Security and Event Consolidation using ELA (Event Logging API)
Applications use the Event Logging API to write to the VPN-1/FireWall-1
log database. ELA enables third party applications to trigger
the VPN-1/FireWall-1 alert mechanism for specific events such
as virus detection, or failover from one firewall to another
under a high availability mechanism. As the corporate gateway
becomes the focal point for security policy management, ELA
enables the Check Point Management Console to become the central
repository for all traffic events accounting and analysis.
OPSEC partners can utilize ELA in conjunction with SAM to
ensure suspicious activity is tracked and corrective action
taken by VPN-1/FireWall-1 to terminate a malicious connection.
Management using CPMI and AMON
CPMI (Check Point Management Interface) is the interface to
Check Point's central policy and objects database that enables
third party applications to securely access the security policy
stored in the management server. CPMI, available in the NG
OPSEC SDK, replaces OMI with read/write access to the policy
and objects database. With this interface vendors can build
sophisticated applications that can share common objects defined
in the firewall. By sharing objects, the user will only need
to define them once, simplifying the overall manageability
of the solution. Additionally, by using SSL, CPMI can be used
remotely to enable applications to access the policy from
a remote client.
AMON (Application Monitoring) is a new API introduced in the NG OPSEC SDK. With this interface vendors can export the status of their application to the Check Point System Status Viewer. This provides a unified, up-to-date status of the security infrastructure to the security administrator.
Authentication using OPSEC PKI Integration
Public Key Infrastructure (PKI) is an emerging technology
that provides scalable trusted authentication for applications
such as VPNs. X.509 digital certificates are used by IPSEC/IKE
to validate the public keys required to establish an encrypted
connection and verify the authenticity of the parties in the
exchange. The certificate authority (CA), considered to be
a trusted third party entity that vouches for (or authenticates)
the identity of the digital certificate owner, issues certificate
revocation lists (CRLs) that are used to validate a user's
certificate. Depending on the CA, a CRL may be stored in an
HTTP server or an LDAP directory.
Check Point's goal is to provide an open integration environment whereby any vendor's PKI solution can be tightly integrated with Check Point's products. It is common for suppliers, partners and customers sharing an eBusiness extranet to each operate their own different CA; for example, your partner may have a VeriSign™ CA, and your supplier may have an Entrust CA. VPN-1 Gateway's ability to simultaneously support certificates from multiple different CAs allows customers to set up and support multi-CA extranets that can be used with business partners, suppliers and customers. Open PKI makes it possible for administrators to select the PKI solution which best fits their needs and fully leverage this solution with Check Point's VPN-1 product. Through the use of industry standard public key cryptography standards (PKCS), Check Point created OPSEC PKI integration points for VPN-1 Gateway, VPN-1 SecureClient, and VPN-1 SecuRemote.
Authentication using Secure Authentication API (SAA)
The Secure Authentication API (SAA) allows VPN-1 SecuRemote
and VPN-1 SecureClient to support a wide variety of authentication
mechanisms such as biometric devices, challenge response tokens,
and passwords. SAA takes advantage of Check Point's innovative
Hybrid Mode technology to integrate these different authentication
types with IPSEC/IKE, and allows customers to migrate their
authentication technology from challenge response tokens to
PKI. Until now, IPSEC connections have required the use of
either a shared secret with manual key exchange (cumbersome)
or a digital certificate (complex) for authentication. Hybrid
Mode allows a wide variety of two-factor authentication tokens,
with and without SAA integration, to establish an IPSEC/IKE
VPN-1 connection. Support for existing authentication tokens
with IPSEC/IKE is especially important to end-users that want
to migrate from existing authentication solutions which employ
these tokens to PKI-based trust models. Check Point has submitted
the Hybrid Mode technology to the IETF as an enhancement to
IPSEC.
SAA works by passing authentication information from VPN-1 SecureClient or the VPN-1 SecuRemote client to an authentication server (e.g. RADIUS, ACE, TACACS+) located behind the VPN-1 Gateway. Once the server authenticates the user to the Gateway, an IPSEC/IKE connection is established between SecureClient or the SecuRemote client and the VPN-1 Gateway.
SAA allows SecuRemote and SecureClient to operate transparently to the end user. It also provides the authentication vendor with the option of replacing the SecuRemote and SecureClient login dialog box with that of the authentication vendor's product.
High Availability with Load Balancing (HA/LB) and Hot Standby (HA-HS)
With the growth of eBusiness over the Internet, the VPN-1/FireWall-1
gateway to the Internet has become a mission-critical link
companies cannot afford to lose, even temporarily. Check Point
leads the industry with an advanced framework for high availability
that allows gateways to share information on active connections.
Should one gateway or network connection fail, the other gateway(s)
can seamlessly take over existing connections without impacting
users. Even IPSEC/IKE connections can be maintained.
As the mission-critical Internet link in an enterprise grows, balancing the traffic between multiple gateways becomes imperative. Check Point's OPSEC HA/LB Partners provide cluster support for balancing the traffic load between multiple gateways with failover capabilities should one of the gateways go down. This cluster of gateways allows the enterprise to expand with its growing Internet traffic demands while maintaining the reliability of an HA solution.
Check Point's OPSEC HA/LB allows third party vendors to take advantage of the VPN-1/FireWall-1 state table synchronization feature. State table synchronization allows each VPN-1/FireWall-1 in a high availability cluster to record connection data and synchronize its connection data with the others. It also allows an OPSEC certified HA/LB product to seamlessly fail over a VPN-1/FireWall-1 connection from a failed Gateway to an available Gateway in an HA cluster.
User Address Mapping using UAM
The User-to-Address Mapping (UAM) API, a technology found
in Check Point Meta IP, provides the association between user
and IP address, transparently enhancing user accountability
and network security through user-based management. Unlike
other products, User-to-Address Mapping technology enables
vendors and administrators to gain this information without
requiring onerous secondary authentication challenges, such
as multiple passwords. By incorporating UAM into third-party
products, vendors can supply transparent user authentication
to the network based on operating system login, providing a
foundation for user-based security management and reporting.
The modular design of UAM is the only solution to provide user/address information across multiple network operating systems. UAM traps key information from the DHCP and DNS services, as well as Windows NT and Novell NetWare 5.0 network authentications, including login name, login time, Media Access Control (MAC) address, IP address, and host name. The UAM API is tightly integrated with Check Point VPN-1/FireWall-1.
Securing eBusiness Applications with the UserAuthority™ API (UAA)
As the fundamental requirement for eBusiness, security needs
to be the common layer across multiple applications to ensure
all communications are secure, reliable and manageable. UserAuthority
is the software hook that delivers the critical security backbone
of SVN: LDAP directory support, open PKI, intrusion detection,
high availability, reporting/logging, multiple authentication
schemes and policy access management. UAA is the connecting
point for network user authorizations and connection information
to be shared directly with applications or eBusiness tools
such as authorization portals, web servers or middleware.
The UAA is a client-server asynchronous interface that shares network authorization information with applications, drawing on information from various Check Point products, including all contextual connection information and additional VPN-1/FireWall-1 management information. When an eBusiness application receives an authorization request from a VPN-1 user, the application requests the user's authentication credentials from the gateway to make an intelligent authorization decision.
UserAuthority enables seamless and secure user access to applications by leveraging the SVN authentication environment and reducing user authentication prompts. User navigation can be enhanced when multiple resources behind the gateway are integrated via the UAA. For legacy applications, UserAuthority, in conjunction with SecureServer, can Internet-enable a LAN based system as well as provide scalable and advanced security technology such as PKI.
Industry Standards and Standard Protocols
The list of standards supported by OPSEC continues to grow
as new industry standard proposals gain acceptance in the
market or are ratified. In order to keep up with the many
industry standards or standard protocols that exist today
to ensure multi-vendor product interoperability, Check Point
Software is a standards bearer and an active participant in
standards bodies. The following industry-specific standards
are integral parts of the OPSEC framework.
RADIUS/TACACS+
Remote Authentication Dial-In User Service (RADIUS) is the
IETF (Internet Engineering Task Force) standard that has gained
broad acceptance for the authentication of dial-up users.
TACACS+ is a similar protocol which has gained some level
of multivendor acceptance. Token-based authentication schemes
can be implemented using the RADIUS protocol or alternatively,
TACACS+.
With RADIUS support, VPN-1 and FireWall-1 can enforce authentication by checking with a RADIUS server before allowing, for example, an external engineering development partner access to the company CAD/CAM system. Other access control devices such as routers or modem servers can use the same RADIUS authentication server. The RADIUS standard unifies this authentication function. Different vendor security products can be used to authenticate a connection between two business partners provided that the equipment at each end of the communication is compliant with the RADIUS standard.
SNMP
SNMP, the Simple Network Management Protocol, is the industry
standard protocol for the management of hardware and software
resources from a central location. The SNMP management model
employs two basic entities: a management station loaded with
a resource MIB (Management Information Base) file and an agent.
The MIB describes the information, and the agent, a program
running on the resource to be managed, provides it to the
management station when queried. The MIB also describes "traps",
which are unsolicited event notifications that the agent sends
to the management station when a preset condition is met.
This allows the agent to continually monitor the resource
and report exceptions to the management station.
VPN-1/FireWall-1 provides a MIB and SNMP agent for management of the VPN-1/FireWall-1 gateway. Using any network management station, the VPN-1/FireWall-1 gateway can be queried for current status. In addition, the VPN-1/FireWall-1 agent can alert the management station of network events which might affect the operation of the gateway, or violations of the network security policy.
LDAP
LDAP, the Light-weight Directory Access Protocol, is an industry
standard for exchanging information with LDAP-compliant directory
servers. LDAP specifies a method for retrieving, storing,
and representing data in a directory server, which typically
is a repository for user information as well as network resources.
Some examples of information stored in a Directory Server
include user identification data, X.509 certificates for use
with Public Key Infrastructure (PKI) solutions, IP-to-hostname
mappings, etc. Various third-party directory servers offer
sophisticated features such as replication (master/slave,
multi-master), directory referrals, and backup services that
make directory servers an ideal repository for mission-critical
enterprise data.
When used in conjunction with the Check Point SmartDirectory, VPN-1/FireWall-1 uses LDAP to access information from Directory Servers to identify and authenticate users via user passwords, pre-shared secrets, digital certificates, or third-party authentication servers. In addition, VPN-1/FireWall-1 optionally uses the directory server to store some access control attributes. The communication between VPN-1/FireWall-1 and directory server is encrypted using SSL to maintain data privacy.
Application Integration for Secure eBusiness
For customers or OPSEC partners seeking to secure their applications
from client to server across the Internet, intranet or extranets,
OPSEC delivers the flexibility to incorporate the protocols
and services necessary for Secure Virtual Networking (SVN).
OPSEC extends the power of SVN for eBusiness applications
by delivering integrated access enforcement, robust intrusion
detection and Quality of Service (QoS) all within a centralized
policy management framework. Through OPSEC, Check Point has
partnered with leading application vendors and customers to
deliver a scalable and highly available security architecture
that delivers end to end security across heterogeneous computing
environments.
Check Point achieves this adaptability by leveraging its patented Stateful Inspection technology. Stateful Inspection's extensibility allows it to support new applications by using INSPECT, a high-level programming language that can be compiled and downloaded to enforcement points and executed in accordance with the security policy. The INSPECT engine resides dynamically at the operating system kernel for very high performance and also includes awareness of all communication layers of the IP protocol family and the applications built on top of them. The result: integrating applications with Check Point enables users to create a security layer across their network with all the elements necessary for secure eBusiness.
Check Point has delivered the broadest support for applications and network services of any security vendor in the world.
Applications currently supported can be viewed on Check Point's VPN-1/FireWall-1 Application Support page.