When installed on a gateway, the FireWall-1 INSPECT Engine controls traffic passing between networks. The INSPECT Engine is dynamically loaded into the operating system kernel, between the Data Link and the Network layers (layers 2 and 3). Since the data link is the actual network interface card (NIC) and the network link is the first layer of the protocol stack (for example, IP), FireWall-1 is positioned at the lowest software layer. By inspecting at this layer, FireWall-1 ensures that the INSPECT Engine intercepts and inspects all inbound and outbound packets on all interfaces. No packet is processed by any of the higher protocol stack layers, no matter what protocol or application the packet uses, unless the INSPECT Engine first verifies that the packet complies with the security policy.
Ref - www.checkpoint.com
This site is helpful for people who are working in the area of network and information security, and also for those who want to start their career in this field. Mostly I am posting about firewall technology, and the product knowledge I am giving here is on Check Point firewalls.
Tuesday, September 7, 2010
CHECK POINT FIREWALL-1: EXTENSIBLE STATEFUL INSPECTION
Check Point FireWall-1’s Stateful Inspection architecture utilizes a unique, patented INSPECT™ Engine which enforces the security policy on the gateway on which it resides. The INSPECT Engine looks at all communication layers and extracts only the relevant data, enabling highly efficient operation, support for a large number of protocols and applications, and easy extensibility to new applications and services.
The INSPECT Engine is programmable using Check Point’s powerful INSPECT Language. This provides important system extensibility, allowing Check Point, as well as its technology partners and end users, to incorporate new applications, services, and protocols, without requiring new software to be loaded. For most new applications, including most custom applications developed by end users, the communication-related behavior of the new application can be incorporated simply by modifying one of FireWall-1’s built-in script templates via the graphical user interface. Even the most complex applications can be added quickly and easily via the INSPECT Language. Check Point provides an open application programming interface (API) for third-party developers.
Ref - www.checkpoint.com
STATEFUL INSPECTION TECHNOLOGY
Stateful Inspection, invented by Check Point Software Technologies, has emerged as the industry standard for enterprise-class network security solutions. Stateful Inspection is able to meet all the security requirements defined above, while traditional firewall technologies, such as packet filters and application-layer gateways, each fall short in some areas. With Stateful Inspection, packets are intercepted at the network layer for best performance (as in packet filters), but then data derived from all communication layers is accessed and analyzed for improved security (compared to layers 4–7 in application-layer gateways). Stateful Inspection then introduces a higher level of security by incorporating communication- and application-derived state and context information which is stored and updated dynamically. This provides cumulative data against which subsequent communication attempts can be evaluated. It also delivers the ability to create virtual session information for tracking connectionless protocols (for example, RPC and UDP-based applications), something no other firewall technology can accomplish.
Ref - www.checkpoint.com
Stateful Inspection Firewall Capabilities
For ensuring the highest level of security, a firewall must be capable of accessing, analyzing, and utilizing the following:
• Communication information
Information from all seven layers in the packet
• Communication-derived state
The state derived from previous communications. For example, the outgoing PORT command of an FTP session could be saved so that an incoming FTP data connection can be verified against it.
• Application-derived state
The state information derived from other applications. For example, a previously authenticated user would be allowed access through the firewall for authorized services only.
• Information manipulation
The ability to perform logical or arithmetic functions on data in any part of the packet
Ref - www.checkpoint.com
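To make the state types listed above concrete, here is a small Python model of a stateful inspection engine. It is an added illustration written for this page, not Check Point's INSPECT Engine or any Check Point code; the inside address prefix, the rule base, the 40-second UDP timeout and all addresses are constructed for the example. It shows the three ideas from the sections above: a rule base decides which connections may start, state derived from earlier traffic (open TCP connections, UDP virtual sessions, and the data connection announced by an FTP PORT command) is kept in tables, and later packets are checked against that state first. The PORT handler also applies the check a practitioner would want: it only opens the data connection towards the client that issued the command.

```python
"""Toy stateful inspection engine, added as an illustration (not Check Point code).
A rule base says which inside-initiated connections may start; state learned from
earlier packets decides everything else, including the FTP data connection."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # True on the first packet of a TCP connection
    payload: bytes = b""  # application data; used here only to read FTP PORT


class StatefulEngine:
    UDP_TIMEOUT = 40      # seconds a UDP virtual session survives without traffic
    PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n")

    def __init__(self, inside_prefix, rules):
        self.inside = inside_prefix   # constructed: inside hosts share this address prefix
        self.rules = set(rules)       # {(proto, dport)} services inside hosts may open outward
        self.tcp_conns = set()        # communication-derived state: accepted TCP connections
        self.udp_sessions = {}        # virtual sessions for connectionless UDP: key -> last seen
        self.expected = set()         # data connections announced by PORT, awaiting their SYN

    @staticmethod
    def _keys(p):
        """Flow key in the packet's direction and in the reverse direction."""
        return (p.proto, p.src, p.sport, p.dst, p.dport), (p.proto, p.dst, p.dport, p.src, p.sport)

    def _rule_allows(self, p):
        # Rule base: only connections initiated from the inside to the outside.
        if not p.src.startswith(self.inside) or p.dst.startswith(self.inside):
            return False
        return (p.proto, p.dport) in self.rules

    def _learn_ftp_port(self, p):
        """Information manipulation: read PORT h1,h2,h3,h4,p1,p2 from the control channel."""
        m = self.PORT_RE.match(p.payload)
        if p.dport != 21 or not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        host, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        # Only honour a PORT naming the client itself on an unprivileged port; a PORT that
        # pointed at a third host would otherwise open a hole towards that host.
        if host == p.src and port >= 1024:
            self.expected.add((p.dst, 20, host, port))   # server data port 20 -> client

    def _expire_udp(self, now):
        for k in [k for k, seen in self.udp_sessions.items() if now - seen > self.UDP_TIMEOUT]:
            del self.udp_sessions[k]

    def inspect(self, p, now=0.0):
        """Return 'accept' or 'drop'; the state tables are updated as a side effect."""
        k, rk = self._keys(p)
        if p.proto == "tcp":
            if k in self.tcp_conns or rk in self.tcp_conns:   # established, either direction
                if k in self.tcp_conns and p.payload:
                    self._learn_ftp_port(p)
                return "accept"
            if p.syn and k[1:] in self.expected:               # the announced data connection
                self.expected.discard(k[1:])
                self.tcp_conns.add(k)
                return "accept"
            if p.syn and self._rule_allows(p):                 # brand-new connection
                self.tcp_conns.add(k)
                return "accept"
            return "drop"
        if p.proto == "udp":
            self._expire_udp(now)
            if k in self.udp_sessions or rk in self.udp_sessions:
                self.udp_sessions[k if k in self.udp_sessions else rk] = now
                return "accept"
            if self._rule_allows(p):
                self.udp_sessions[k] = now                     # open a virtual session
                return "accept"
        return "drop"


def demo():
    """Walk the FTP and UDP scenarios from the text; returns the list of verdicts."""
    fw = StatefulEngine("10.0.0.", [("tcp", 21), ("udp", 53)])
    client, server, dns = "10.0.0.5", "203.0.113.10", "198.51.100.1"   # constructed addresses
    steps = [
        (Packet("tcp", client, 40000, server, 21, syn=True), 0),   # control connection opens
        (Packet("tcp", server, 21, client, 40000), 1),             # server reply on it
        (Packet("tcp", server, 20, client, 40001, syn=True), 2),   # data SYN before any PORT
        (Packet("tcp", client, 40000, server, 21, payload=b"PORT 10,0,0,5,156,65\r\n"), 3),
        (Packet("tcp", server, 20, client, 40001, syn=True), 4),   # 156*256+65 = 40001, expected
        (Packet("tcp", server, 20, client, 40002, syn=True), 5),   # wrong port, not expected
        (Packet("udp", client, 5353, dns, 53), 10),                # outbound DNS query
        (Packet("udp", dns, 53, client, 5353), 20),                # reply within the timeout
        (Packet("udp", dns, 53, client, 5353), 100),               # late reply, session expired
    ]
    return [fw.inspect(p, now) for p, now in steps]


if __name__ == "__main__":
    print(demo())
```

Running demo() gives accept, accept, drop, accept, accept, drop, accept, accept, drop: the data connection on port 40001 is refused until the PORT command has been seen, the same connection is accepted afterwards, a connection to an unannounced port is still refused, and the UDP reply is accepted only while the virtual session is alive. A real engine would also track TCP teardown and sequence numbers and age out idle TCP state; this model leaves those out to keep the state logic visible.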
Wednesday, September 1, 2010
Check Point important protocols
Protocol No. | Name in Service Manager | Short description |
Internet Protocol 17 | tunnel_test_mapped | tunnel testing for a module performing the tunnel test |
Internet Protocol 50 | ESP | IPSEC Encapsulating Security Payload Protocol |
Internet Protocol 51 | AH | IPSEC Authentication Header Protocol |
Internet Protocol 94 | FW1_Encapsulation | Check Point VPN-1 SecuRemote FWZ Encapsulation Protocol |
Internet Protocol 112 | VRRP | Virtual Router Redundancy Protocol, HA for Nokia's IPSO |
Check Point Shortcuts for Module Names
FWM | Enforcement Point, also SecuRemote Server |
GUI | SmartConsole |
ICA | Internal CA, mostly primary SmartCenter |
SCt | SmartCenter |
PS | Policy Server |
SAA | Session Authentication Agent |
SIC | Secure Internal Communication |
SR | SecuRemote Client |
SCl | SecureClient |
MDG | Multi Domain GUI (Provider-1) |
MDS | Multi Domain Server, Manager or Container (Provider-1) |
CMA | Customer Management Add-on (Provider-1) |
MLM | Multi Customer Log Module (Provider-1) |
CLM | Customer Log Module (Provider-1) |
Check Point NGX communication port
Port No. | Name in Service Manager | Short description |
256 /tcp | FW1 | Check Point VPN-1 & FireWall-1 Service - Get topology information from SCt or CMA to FWM - Full synchronisation for HA configuration |
257 /tcp | FW1_log | Check Point VPN-1 & FireWall-1 Logs - Protocol used for delivering logs from FWM to SCt - Protocol used for delivering logs from FWM to CMA or CLM |
259 /tcp | FW1_clntauth_telnet | Check Point VPN-1 & FireWall-1 Client Authentication (Telnet) - Protocol for performing Client-Authentication at FWM using telnet |
259 /udp | RDP | Check Point Reliable Datagram Protocol - Protocol used by SR/SCl for checking the availability of the FWM/PS |
260 /udp | FW1_snmp | Check Point VPN-1 & FireWall-1 SNMP Agent - Check Point's SNMP, used additionally to 161/udp (snmp) |
261 /tcp | FW1_snauth | Check Point VPN-1 & FireWall-1 Session Authentication - Protocol for Session Authentication between FWM and SAA |
262 /tcp | - not predefined - | only internally used by Mail Dequeuer (process: mdq) |
264 /tcp | FW1_topo | Check Point VPN-1 SecuRemote Topology Requests - Topology Download for SR (build 4100 and higher) and SCl |
265 /tcp | FW1_key | Check Point VPN-1 Public Key Transfer Protocol - Public Key download for SR/SCl |
900 /tcp | FW1_clntauth_http | Check Point VPN-1 & FireWall-1 Client Authentication (HTTP) - Protocol for performing Client-Authentication at FWM using HTTP |
981 /tcp | - not predefined - | Check Point VPN-1 Edge remote administration from external IPs using HTTPS |
2746 /udp | VPN1_IPSEC_encapsulation | Check Point VPN-1 SecuRemote IPSEC Transport Encapsulation Protocol - Default-Protocol used for UDP encapsulation, Check Point proprietary |
4433 /tcp | - not predefined - | Default Port used for SmartPortal to have read-access to rulebase, objects, users, etc. Access with HTTPS using a Web Browser |
4532 /tcp | - not predefined - | only internally used by Session Authentication (in.asessiond) |
5004 /udp | MetaIP-UAT | Check Point Meta IP UAM Client-Server Communication |
8116 /udp | - not predefined - | Check Point Cluster Control Protocol - Protocol for internal communication between High Availability Cluster Members. Used for e.g. report/query state, probing, load balancing |
8989 /tcp | - not predefined - | only internally used by CMA for Messaging (process: cpd) |
9281 /udp | SWTP_Gateway | VPN-1 Embedded / SofaWare commands - Encrypted Protocol for communication between MM and Check Point Appliance (e.g. VPN-1 Edge) |
9282 /udp | SWTP_SMS | VPN-1 Embedded / SofaWare Management Server (SMS) - Encrypted Protocol for communication between MM and Check Point Appliance (e.g. VPN-1 Edge) |
9283 /tcp | SMS | VPN-1 Embedded / SofaWare Management Server (SMS) |
18181 /tcp | FW1_cvp | Check Point OPSEC Content Vectoring Protocol - Protocol used for communication between FWM and AntiVirus Server |
18182 /tcp | FW1_ufp | Check Point OPSEC URL Filtering Protocol - Protocol used for communication between FWM and Server for Content Control (e.g. Web Content) |
18183 /tcp | FW1_sam | Check Point OPSEC Suspicious Activity Monitor API - Protocol e.g. for Block Intruder between SCt (or CMA) and FWM |
18184 /tcp | FW1_lea | Check Point OPSEC Log Export API - Protocol for exporting logs from SCt |
18185 /tcp | FW1_omi | Check Point OPSEC Objects Management Interface - Protocol used by applications having access to the ruleset saved at SCt |
18186 /tcp | FW1_omi-sic | Check Point OPSEC Objects Management Interface with SIC - Protocol used by applications having access to the ruleset saved at SCt |
18187 /tcp | FW1_ela | Check Point OPSEC Event Logging API - Protocol for applications logging to the Firewall log at SCt |
18190 /tcp | CPMI | Check Point Management Interface - Protocol for communication between GUI and SCt - Protocol for connections from MDG to MDS and CMA |
18191 /tcp | CPD | Check Point Daemon Protocol - Download of rulebase from SCt to FWM - Fetching rulebase, from FWM to SCt or CMA when starting FWM - Download of rulebase from MDS/CMA to FWM |
18192 /tcp | CPD_amon | Check Point Internal Application Monitoring - Protocol for getting System Status, from SCt or MDS/CMA to FWM |
18193 /tcp | FW1_amon | Check Point OPSEC Application Monitoring - Protocol for monitoring apps, e.g. from SCt to CVP server |
18202 /tcp | CP_rtm | Check Point Real Time Monitoring - Protocol used by SmartView Monitor |
18205 /tcp | CP_reporting | Check Point Reporting Client Protocol - Protocol used by Reporting client when connecting to Reporting Server (SCt) |
18207 /tcp | FW1_pslogon | Check Point Policy Server Logon protocol - Protocol used for download of Desktop Security from PS to SCl (4.x clients only) |
18208 /tcp | FW1_CPRID | Check Point Remote Installation Protocol - Protocol used from MM to FWM when installing Secure Updates. |
18209 /tcp | - not predefined - | Protocol used in SIC for communication between FWM and ICA (status, issue, revoke) |
18210 /tcp | FW1_ica_pull | Check Point Internal CA Pull Certificate Service - Protocol used by SIC for e.g. FWM pulling CA's from SCt |
18211 /tcp | FW1_ica_push | Check Point Internal CA Push Certificate Service - Protocol used by SIC for pushing CA's from SCt or CMA/MDS to FWM |
18212 /udp | FW1_load_agent | Check Point ConnectControl Load Agent - Default-Port for Load Agent running on load-balanced Servers (e.g. WWW, FTP) |
18221 /tcp | CP_redundant | Check Point Redundant Management Protocol - Protocol used for synchronizing primary and secondary SCt or CMA - Protocol used for synchronizing primary and secondary MDS |
18231 /tcp | FW1_pslogon_NG | Check Point NG Policy Server Logon protocol (NG) - Protocol used for download of Desktop Security from PS to SCl |
18232 /tcp | FW1_sds_logon | Check Point SecuRemote Distribution Server Protocol - Protocol for software distribution of Check Point components |
18233 /udp | FW1_scv_keep_alive | Check Point SecureClient Verification KeepAlive Protocol - Protocol for Secure Configuration Verification on SecureClient |
18234 /udp | tunnel_test | Check Point tunnel testing application - Protocol for testing applications through a VPN, used by SR/SCl |
18241 /udp | E2ECP | Check Point End to End Control Protocol - Protocol to check SLA's defined in Virtual Links by SmartView Monitor |
18264 /tcp | FW1_ica_services | Check Point Internal CA Fetch CRL and User Registration Services - Protocol for Certificate Revocation Lists and registering users when using the Policy Server - needed when e.g. FWM is starting |
18265 /tcp | FW1_ica_mgmt_tools | Check Point Internal CA Management Tools - Protocol for managing the ICA, also used for central administration of certificates on SCt. - needs to be started separately with the command cpca_client. |
18266 /tcp | CP_seam | Check Point SEAM Server Protocol |
19190 /tcp | FW1_netso | Check Point User Authority simple protocol - Protocol used in UA for connecting from UA Server to Web Plugin when authenticating users here |
19191 /tcp | FW1_uaa | Check Point OPSEC User Authority API - Protocol for connections to the UA Server |
19194 /udp | CP_SecureAgent-udp | SecureAgent Authentication service |
19195 /udp | CP_SecureAgent-udp | SecureAgent Authentication service |
60709 /tcp | - not predefined - | Internally used by SecurePlatform for web based system administration (process: cpwmd). It's bound to localhost, so no remote connect is possible. |
65524 /tcp | FW1_sds_logon_NG | Check Point SecuRemote Distribution Server Protocol - Protocol for software distribution of Check Point components in Next Generation |
Check Point module shortcut names
Shortcut | Meaning | New name since FP3 |
FWM | Firewall Module, Inspection Module, Enforcement Point, also SecuRemote Server | |
GUI | Rulebase Editor, Graphical User Interface, Management Client, Policy Editor | SmartDashboard, SmartConsole |
ICA | Internal CA, mostly primary MM | |
MM | Management Module, Management Server | SmartCenter / SmartCenter Pro |
PS | Policy Server | |
SAA | Session Authentication Agent | |
SIC | Secure Internal Communication | |
SR | SecuRemote Client | |
SCl | SecureClient | |
MDG | Multi Domain GUI (Provider-1) | |
MDS | Multi Domain Server, Manager or Container (Provider-1) | |
CMA | Customer Management Add-on (Provider-1) | |
MLM | Multi Customer Log Module (Provider-1) | |
CLM | Customer Log Module (Provider-1) | |
Check Point Communication Port
Port No. | Name in Service Manager | Short description |
256 /tcp | FW1 | Check Point VPN-1 & FireWall-1 Service - Download of rulebase from MM to FWM (4.x) - Fetching rulebase from FWM to MM when starting (4.x) - Get topology information from MM or CMA to FWM (also for NG) - Full synchronisation for HA configuration (also for NG) |
257 /tcp | FW1_log | Check Point VPN-1 & FireWall-1 Logs - Protocol used for delivering logs from FWM to MM - Protocol used for delivering logs from FWM to CMA or CLM |
258 /tcp | FW1_mgmt | Check Point VPN-1 & FireWall-1 Management (Version 4.x, obsolete) - Protocol for communication between GUI and MM 4.x |
259 /tcp | FW1_clntauth / FW1_clntauth_telnet | Check Point VPN-1 & FireWall-1 Client Authentication (Telnet) - Protocol for performing Client-Authentication at FWM using telnet |
259 /udp | RDP | Check Point VPN-1 FWZ Key Negotiations - Reliable Datagram Protocol - Protocol used for FWZ VPN (supported up to NG FP1 only) - Protocol used by SR/SCl for checking the availability of the FWM/PS |
260 /udp | FW1_snmp | Check Point VPN-1 & FireWall-1 SNMP Agent - Check Point's SNMP, used additionally to 161/udp (snmp) |
261 /tcp | FW1_snauth | Check Point VPN-1 & FireWall-1 Session Authentication - Protocol for Session Authentication between FWM and SAA |
262 /tcp | - not predefined - | only internally used by Mail Dequeuer (process: mdq) |
264 /tcp | FW1_topo | Check Point VPN-1 SecuRemote Topology Requests - Topology Download for SR (build 4100 and higher) and SCl |
265 /tcp | FW1_key | Check Point VPN-1 Public Key Transfer Protocol - Protocol for exchanging CA- and DH-keys between MM's (SKIP, FWZ (4.x)) - Public Key download for SR/SCl |
900 /tcp | FW1_clntauth / FW1_clntauth_http | Check Point VPN-1 & FireWall-1 Client Authentication (HTTP) - Protocol for performing Client-Authentication at FWM using HTTP |
981 /tcp | - not predefined - | Check Point VPN-1 Edge remote administration from external IPs using HTTPS |
2746 /udp | VPN1_IPSEC_encapsulation | Check Point VPN-1 SecuRemote IPSEC Transport Encapsulation Protocol - Default-Protocol used for UDP encapsulation |
4532 /tcp | - not predefined - | only internally used by Session Authentication (in.asessiond) |
5004 /udp | MetaIP-UAT | Check Point Meta IP UAM Client-Server Communication |
8116 /udp | - not predefined - | Check Point Cluster Control Protocol - Protocol for internal communication between High Availability Cluster Members. Used for e.g. report/query state, probing, load balancing |
8989 /tcp | - not predefined - | only internally used by CMA for Messaging (process: cpd) |
9281 /udp | SWTP_Gateway | VPN-1 Embedded / SofaWare commands - Encrypted Protocol for communication between MM and Check Point Appliance (e.g. VPN-1 Edge) |
9282 /udp | SWTP_SMS | VPN-1 Embedded / SofaWare Management Server (SMS) - Encrypted Protocol for communication between MM and Check Point Appliance (e.g. VPN-1 Edge) |
18181 /tcp | FW1_cvp | Check Point OPSEC Content Vectoring Protocol - Protocol used for communication between FWM and AntiVirus Server |
18182 /tcp | FW1_ufp | Check Point OPSEC URL Filtering Protocol - Protocol used for communication between FWM and Server for Content Control (e.g. Web Content) |
18183 /tcp | FW1_sam | Check Point OPSEC Suspicious Activity Monitor API - Protocol e.g. for Block Intruder between MM (or CMA) and FWM |
18184 /tcp | FW1_lea | Check Point OPSEC Log Export API - Protocol for exporting logs from MM |
18185 /tcp | FW1_omi | Check Point OPSEC Objects Management Interface - Protocol used by applications having access to the ruleset saved at MM |
18186 /tcp | FW1_omi-sic | Check Point OPSEC Objects Management Interface with SIC - Protocol used by applications having access to the ruleset saved at MM |
18187 /tcp | FW1_ela | Check Point OPSEC Event Logging API - Protocol for applications logging to the Firewall log at MM |
18190 /tcp | CPMI | Check Point Management Interface - Protocol for communication between GUI and MM - Protocol for connections from MDG to MDS and CMA |
18191 /tcp | CPD | Check Point Daemon Protocol - Download of rulebase from MM to FWM - Fetching rulebase, from FWM to MM when starting FWM - Download of rulebase from MDS/CMA to FWM - Fetching rulebase, from FWM to CMA when starting FWM |
18192 /tcp | CPD_amon | Check Point Internal Application Monitoring - Protocol for getting System Status, from MM or MDS/CMA to FWM |
18193 /tcp | FW1_amon | Check Point OPSEC Application Monitoring - Protocol for monitoring apps, e.g. from MM to CVP server |
18202 /tcp | CP_rtm | Check Point RTM Log - Protocol used by Real Time Monitor (SmartView Monitor) |
18205 /tcp | CP_reporting | Check Point Reporting client - Protocol used by Reporting client when connecting to Reporting Server (MM) |
18207 /tcp | FW1_pslogon | Check Point Policy Server Logon protocol - Protocol used for download of Desktop Security from PS to SCl (4.x) |
18208 /tcp | FW1_CPRID | Check Point Remote Installation Protocol - Protocol used from MM to FWM when installing Secure Updates. |
18209 /tcp | - not predefined - | Protocol used in SIC for communication between FWM and ICA (status, issue, revoke) |
18210 /tcp | FW1_ica_pull | Check Point Internal CA Pull Certificate Service - Protocol used by SIC for e.g. FWM pulling CA's from MM |
18211 /tcp | FW1_ica_push | Check Point Internal CA Push Certificate Service - Protocol used by SIC for pushing CA's from MM or CMA/MDS to FWM |
18212 /udp | FW1_load_agent | Check Point ConnectControl Load Agent - Default-Port for Load Agent running on load-balanced Servers (e.g. WWW, FTP) |
18221 /tcp | CP_redundant | Check Point Redundant Management Protocol - Protocol used for synchronizing primary and secondary MM - Protocol used for synchronizing CMA between primary and secondary MDS |
18231 /tcp | FW1_pslogon_NG | Check Point NG Policy Server Logon protocol (NG) - Protocol used for download of Desktop Security from PS to SCl |
18232 /tcp | FW1_sds_logon | Check Point SecuRemote Distribution Server Protocol - Protocol for software distribution of Check Point components |
18233 /udp | FW1_scv_keep_alive | Check Point SecureClient Verification KeepAlive Protocol - Protocol for Secure Configuration Verification on SecureClient |
18234 /udp | tunnel_test | Check Point tunnel testing application - Protocol for testing applications through a VPN, used by SR/SCl |
18241 /udp | E2ECP | Check Point End to End Control Protocol - Protocol to check SLA's defined in Virtual Links by SmartView Monitor |
18262 /tcp | CP_Exnet_PK | Check Point Extranet public key advertisement - Protocol for exchange of public keys when configuring Extranet - no longer supported since NG AI R55 |
18263 /tcp | CP_Exnet_resolve | Check Point Extranet remote objects resolution - Protocol for importing exported objects from a partner in Extranet - no longer supported since NG AI R55 |
18264 /tcp | FW1_ica_services | Check Point Internal CA Fetch CRL and User Registration Services - Protocol for Certificate Revocation Lists and registering users when using the Policy Server - needed when e.g. FWM is starting |
18265 /tcp | FW1_ica_mgmt_tools | Check Point Internal CA Management Tools - Protocol for managing the ICA, established with NG AI, also used for central administration of certificates on MM. - needs to be started separately with the command cpca_client |
19190 /tcp | FW1_netso | Check Point User Authority simple protocol - Protocol used in UA for connecting from UA Server to Web Plugin when authenticating users here |
19191 /tcp | FW1_uaa | Check Point OPSEC User Authority API - Protocol for connections to the UA Server |
19194 /udp | CP_SecureAgent-udp | SecureAgent Authentication service |
19195 /udp | CP_SecureAgent-udp | SecureAgent Authentication service |
60709 /tcp | - not predefined - | Internally used by SecurePlatform for web based system administration (process: cpwmd). It's bound to localhost, so no remote connect is possible. |
65524 /tcp | FW1_sds_logon_NG | Check Point SecuRemote Distribution Server Protocol - Protocol for software distribution of Check Point components in Next Generation |