Check Point halts application threats

Application-layer (or layer 7) firewalls generally work by using multiple application proxies that reside between servers and end points. Each proxy is typically dedicated to certain protocols, specific applications, or specific attacks, allowing layer 7 firewalls to inspect packets using complex protocols such as SIP (Session Initiation Protocol), H.323, and SOAP. Proxies decide whether traffic looks suspicious, and whatever doesn’t smell right gets dropped.

Because layer 7 firewalls differ significantly from traditional stateful inspection boxes, most are designed to layer on top of existing firewall installations. However, Check Point’s solution allows you to implement layer 7 protection in the same box that handles layer 2 and layer 3 security.

Check Point has incorporated application-aware proxies in its firewall software since Version 4.0. In its newest NG (Next Generation) version, Check Point has combined Firewall-1/VPN-1 with a host of application proxies under the banner of SmartDefense. The result is a highly effective defence against most application layer attacks. However, companies using the Web for critical applications should consider additional safeguards, such as full application proxies available from vendors such as KaVado and Sanctum.

Check Point shipped pre-loaded hardware to our Advanced Network Computing Laboratory at the University of Hawaii for tests at Computerworld’s sister publicaton, InfoWorld. The box was based on a SuperMicro rack-mount server chassis running Firewall-1 /VPN-1 on top of a hardened Linux platform.

To test SmartDefense’s layer 7 capabilities, we used a Spirent WebAvalanche 220 to run a variety of DoS attack configurations, including ARP Flood, PingSweep, ResetFlood, Smurf, Syn Flood, TCP PortScan, UDP Flood, UDP PortScan, and XMASTree. Not only did SmartDefense thwart known and unknown attacks, but it maintained high performance levels even while under attack, indicating that Check Point has managed to work out performance bottlenecks that have plagued application proxies since they were invented.

Building the wall

Basic setup was as simple as booting the machine from the bundled CD and stepping through a series of configuration questions. We especially liked the way Firewall-1 will generate an internal CA (certificate authority), which means you can configure SSL connections without the expense of buying a CA from a third-party such as VeriSign.

Once basic setup is accomplished, we have only one recommendation: read the manual. Attempting to configure Firewall-1 the way you may have configured previous firewalls is a mistake. We know because we went that route and temporarily turned our firewall into a paper weight.

Beneath the installation routine, you’ll find that Check Point has included advanced features such as multiple log-in shells for daily firewall administrators as well as an “expert” mode that allows more access to the Linux base, but simultaneously gives you more ways to get into trouble. It was from expert mode that we initiated troubleshooting processes that allowed us to revive our Firewall-1 and make it productive again.

Another big difference between Firewall-1 and the rest of the pack: the concept of a DMZ is not terribly useful in Check Point’s view of the world, either; every host is either external or internal. Check Point allows you to manually define hosts behind any interface and either provide NAT for them or not with the additional ability to use different NAT subnets per interface.

Once you’ve climbed the Check Point learning curve, you’ll be pleasantly surprised by the unit’s management capabilities. The SmartView Tracker, for example, provides a level of reporting that may seem overwhelming until you start focusing on how the data is organized. The first level of the report tree shows a list of all packets that have touched the system; progressively more detailed tabs allow you to look at only VPN traffic, VoIP (voice over IP) Traffic, Web traffic, or any traffic stopped by the layer 7 filter.

Overall, our testing was uneventful, which struck us as extraordinary. As expected, when our DoS test attacks started, some traffic got through. But as SmartDefense recognized the sequence of packets as a denial of service attack, it began blocking. Although our rules were configured for Any — anything was allowed in or out — the Check Point software recognized our attacks and blocked them.

• Bookmark this page
• Share this article
  •  
  • facebook
  • slashdot
  • digg
  • Reddit
  • stumbleupon
  • linkedin
  • twitter
• Got more on this story? Email Computerworld
• Follow Computerworld on twitter

• Share
  Share this article

  •  google+
  • facebookfacebook
  • slashdotslashdot
  • diggdigg
  • RedditReddit
  • stumbleuponstumbleupon
  • linkedinlinkedin
  • twittertwitter
• print
• email
• Bookmark