Check Point NG Enterprise with SmartDefense provides swift layer 7 protection

Application-layer (or layer 7) firewalls generally work by using multiple application proxies that reside between servers and end points. Each proxy is typically dedicated to certain protocols, specific applications, or specific attacks, allowing layer 7 firewalls to inspect packets utilizing complex protocols such as SIP (Session Initiation Protocol), H.323, and SOAP. Proxies decide whether traffic looks suspicious, and whatever doesn’t smell right gets dropped.

Because layer 7 firewalls differ significantly from traditional stateful inspection boxes, most are designed to layer on top of existing firewall installations. However, Check Point’s solution allows you to implement layer 7 protection in the same box that handles layer 2 and layer 3 security.

Check Point has incorporated application-aware proxies in its firewall software since Version 4.0. In its newest NG (Next Generation) version, Check Point has combined Firewall-1/VPN-1 with a host of application proxies under the banner of SmartDefense. The result is a highly effective defense against most application-layer attacks. However, companies using the Web for critical applications should consider additional safeguards, such as full application proxies from vendors including KaVado and Sanctum.

Check Point shipped pre-loaded hardware to our Advanced Network Computing Laboratory at the University of Hawaii. The box was based on a SuperMicro rack-mount server chassis running Firewall-1/VPN-1 on top of a hardened Linux platform. To test SmartDefense’s layer 7 capabilities, we used a Spirent WebAvalanche 220 to run a variety of DoS attack configurations, including ARP Flood, PingSweep, ResetFlood, Smurf, Syn Flood, TCP PortScan, UDP Flood, UDP PortScan, and XMASTree.
Not only did SmartDefense thwart known and unknown attacks, but it maintained high performance levels even while under attack, indicating that Check Point has managed to work out performance bottlenecks that have plagued application proxies since they were invented.

Building the Wall

Basic setup was as simple as booting the machine from the bundled CD and stepping through a series of configuration questions. We especially liked the way Firewall-1 will generate an internal CA (certificate authority), which means you can configure SSL connections without the expense of buying certificates from a third-party CA such as VeriSign.

Once basic setup is accomplished, we have only one recommendation: Read the manual. Attempting to configure Firewall-1 the way you may have configured previous firewalls is a mistake. We know because we went that route and temporarily turned our firewall into a paperweight.

Beneath the installation routine, you’ll find that Check Point has included advanced features such as multiple log-in shells for daily firewall administrators as well as an “expert” mode that allows more access to the Linux base, but simultaneously gives you more ways to get in trouble. It was from expert mode that we initiated troubleshooting processes that allowed us to revive our Firewall-1 and make it productive again.

Another big difference between Firewall-1 and the rest of the pack: The concept of a DMZ is not terribly useful in Check Point’s view of the world; every host is either external or internal. Check Point allows you to manually define hosts behind any interface and either provide NAT for them or not, with the additional ability to use different NAT subnets per interface.
And although you can configure Firewall-1 to examine traffic on different VLANs, Check Point suggests you stick to examining trunk traffic and use a switch behind the firewall to break out the VLAN traffic.

Manageable Security

Once you’ve climbed the Check Point learning curve, you’ll be pleasantly surprised by the unit’s management capabilities. The SmartView Tracker, for example, provides a level of reporting that may seem overwhelming until you start focusing on how the data is organized. The first level of the report tree shows a list of all packets that have touched the system; progressively more detailed tabs allow you to look at only VPN traffic, VoIP (voice over IP) traffic, Web traffic, or any traffic stopped by the layer 7 filter.

Overall, our testing was uneventful, which struck us as extraordinary. As expected, when our DoS test attacks started, some traffic got through. But as SmartDefense recognized the sequence of packets as a denial-of-service attack, it began blocking. Although our rules were configured for Any — anything was allowed in or out — the Check Point software recognized our attacks and blocked them.

Furthermore, performance remained blazing regardless of whether the machine was under attack. The WebAvalanche 220 device we were using could generate only enough traffic to saturate a Fast Ethernet link. Because this is far and away more bandwidth than most organizations have to the outside world, it seemed enough. However, even on our most complex DoS attack sequences, Firewall-1 never missed a beat.

We were impressed with Check Point’s Firewall-1/VPN-1 and SmartDefense. Not only is this combination deep, it’s more than fast enough to handle standard enterprise traffic levels. And while we’ve criticized the complexity of Check Point’s software in the past, we have to admit it’s taken a quantum leap forward from previous iterations.
If you’re willing to put in some work, there’s no reason you should need a dedicated Check Point technician to help configure and manage the device.

InfoWorld Scorecard: Check Point NG Enterprise

Scalability (15.0%): 9.0
Security (25.0%): 9.0
Management (25.0%): 8.0
Performance (15.0%): 9.0
Setup (10.0%): 7.0
Value (10.0%): 8.0
Overall Score (100%): 8.5