Check Point: Response to firewall RFP

Introduction

Happy Pharmaceuticals' firewall requirements are typical of most organizations seeking to secure their enterprise network while giving users access to key resources on extranets and the Internet that is as transparent as possible. Happy Pharmaceuticals' requirements can be summarized as follows:

  • Availability
  • Performance
  • Network Address Translation
  • Centralized Management
  • Logging/Report Generation
Check Point Software Technologies Ltd. meets these requirements with Check Point(tm) FireWall-1(r), the industry's leading network security solution, with over 80,000 FireWall-1 installations at more than 20,000 customer sites worldwide. FireWall-1 enables enterprises to define and enforce a single, comprehensive Security Policy while providing fully transparent connectivity. Utilizing the Check Point patented Stateful Inspection Technology and the Check Point Open Platform for Secure Enterprise Connectivity (OPSEC(tm)) architecture, FireWall-1 integrates and centrally manages all aspects of an organization's network security policy. An integrated product suite extends FireWall-1's capabilities to all levels of security management. For additional information on the full Check Point Secure Enterprise Networking suite, please see the Check Point web site at http://www.checkpoint.com.

Availability

Check Point FireWall-1 is based on advanced Stateful Inspection technology that extracts connection information from all communication layers. This information is maintained in dynamic state tables and is updated continuously. All network traffic is evaluated based on examination of this information. The key component of a high availability security solution is the synchronization of the information held within the Stateful Inspection tables between different security gateways. When one gateway fails, another FireWall-1 can transparently assume security responsibility without any loss of connectivity.

State synchronization affords customers the flexibility to deploy a high availability security solution specific to their network needs. Whether the deployment requires dynamic or static routing, a high availability security solution can be constructed using FireWall-1 and components from one of several Check Point OPSEC partners.

Utilizing multiple FireWall-1 firewalls with state synchronization has the additional benefit of providing asymmetric routing support. Synchronization of state information is necessary when packets that are part of the same session travel different routes and pass through different gateways. Without accurate state information on all communications into the enterprise network, a firewall may not recognize a packet that is part of an authorized session and will drop or reject that packet, resulting in a loss of connectivity and dropped connections. By synchronizing state information, all FireWall-1 firewalls have full knowledge of all authorized connections. This permits each gateway to support all communications, even if the particular connection was not initiated through the gateway in question. This level of communication awareness on an enterprise scale is enabled by Stateful Inspection.
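The asymmetric-routing case described above, as an added illustration that is not Check Point's code or FireWall-1's state-table format: a toy model of two stateful gateways, with and without state synchronization, showing why a reply that returns through the second gateway is dropped unless the first gateway's state entry has been synchronized. Addresses, ports and the `Gateway`/`Packet` names are constructed for the illustration.

```python
"""Added example, not Check Point's code: a toy model of two stateful
gateways that do or do not synchronize their state tables, showing why
an asymmetrically routed reply is dropped without synchronization.
Addresses, ports and packets are constructed for the illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new session


class Gateway:
    """Stateful inspection gateway: a rule base decides new sessions,
    a dynamic state table admits packets of established ones."""

    def __init__(self, internal_prefix):
        self.internal_prefix = internal_prefix  # hosts allowed outbound
        self.state = set()   # established (src, sport, dst, dport) tuples
        self.peers = []      # gateways that receive our state updates

    def sync_from(self, key):
        """Install a state-table entry pushed by a synchronized peer."""
        self.state.add(key)

    def inspect(self, p):
        """Return 'accept' or 'drop' for packet p, updating state."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.state:
            return "accept"  # belongs to an authorized session
        if p.syn and p.src.startswith(self.internal_prefix):
            # New outbound session allowed by the rule base: record both
            # directions locally and push them to synchronized peers.
            for k in (key, (p.dst, p.dport, p.src, p.sport)):
                self.state.add(k)
                for peer in self.peers:
                    peer.sync_from(k)
            return "accept"
        return "drop"  # unknown session: no state, no rule, rejected


def asymmetric_session(synchronized):
    """The SYN leaves through gateway A but the reply returns through B.
    Returns B's verdict on the reply packet."""
    a, b = Gateway("10.1."), Gateway("10.1.")
    if synchronized:
        a.peers.append(b)
        b.peers.append(a)
    syn = Packet("10.1.0.5", 40000, "203.0.113.9", 80, syn=True)
    reply = Packet("203.0.113.9", 80, "10.1.0.5", 40000)
    assert a.inspect(syn) == "accept"
    return b.inspect(reply)
```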

Performance

Not all firewall architectures provide the same level of performance. The FireWall-1 Stateful Inspection technology is designed to deliver superior performance with the highest level of network security. Stateful Inspection offers multiple performance advantages, such as enhanced throughput from eliminating the burdensome context switching required by older-generation, application-layer firewalls: there is no need to copy packets between the firewall application and the operating system. Another performance advantage comes from intercepting all communications below the network layer (layer three of the seven-layer OSI network model), which reduces latency. Additionally, a reduction in CPU overhead is achieved by running the Stateful Inspection engine inside the operating system kernel. As a result, FireWall-1 achieves demonstrated network throughput performance of over 100 Megabits per second and 50,000+ concurrent connections, more than sufficient to meet Happy Pharmaceuticals' requirements, now and in the future.

Network Address Translation

The advanced network address translation (NAT) capability of FireWall-1 supports all applications and services, including H.323 applications. In addition, NAT works seamlessly with the virtual private networking (VPN) capability of Check Point VPN solutions. For example, a VPN tunnel can be established between two gateways that allows internal hosts on each network to communicate securely, even if each host uses an illegal IP address. Additionally, throughput performance is not significantly degraded when deploying NAT.

There are two modes of operation for NAT: dynamic mode and static mode. Dynamic NAT provides users access to the Internet while conserving registered IP addresses and hiding the actual IP addresses of network resources. Dynamic mode uses a single IP address to hide all internal network resources. An unlimited number of internal IP addresses can be mapped to a single public IP address. Since the IP address used in dynamic mode is used only for outbound communication and not used by any internal server or user, there is nothing to hack or spoof.

As an organization's communication infrastructure requirements grow, the need may arise to publish IP addresses for public servers, such as FTP and Web. Static mode supports this requirement and provides a one-to-one assignment between the published IP address and the internal IP address. Static mode would typically be implemented when administrators do not wish to expose the real IP addresses of the network servers. With FireWall-1, static and dynamic address translation together provide an unlimited amount of control and flexibility in setting up an organization's network.
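The two NAT modes described above, as an added illustration that is not Check Point's code or FireWall-1's NAT implementation: a toy translator where dynamic (hide) mode places many internal hosts behind one public address by rewriting the source port, and static mode is a fixed one-to-one mapping for a published server. Addresses come from the documentation ranges, and the `NAT` class and `demo` function are constructed for the illustration.

```python
"""Added example, not Check Point's code: a toy translator modelling the
two NAT modes described above. Dynamic (hide) mode puts many internal
hosts behind one public address by rewriting the source port; static
mode is a fixed one-to-one mapping so a published server can accept
inbound connections. Addresses are constructed (RFC 5737 ranges)."""


class NAT:
    def __init__(self, hide_addr, static_map):
        self.hide_addr = hide_addr      # the single public hide address
        self.static = dict(static_map)  # internal ip -> published ip
        self.static_rev = {pub: intl for intl, pub in self.static.items()}
        self.hide_table = {}            # (internal ip, sport) -> public port
        self.hide_rev = {}              # public port -> (internal ip, sport)
        self.next_port = 10000          # next free port on the hide address

    def outbound(self, src, sport):
        """Translate the source of an internal -> Internet packet.
        Returns the (ip, port) the outside world sees."""
        if src in self.static:
            return self.static[src], sport   # static: address only
        key = (src, sport)
        if key not in self.hide_table:       # hide: allocate a port
            self.hide_table[key] = self.next_port
            self.hide_rev[self.next_port] = key
            self.next_port += 1
        return self.hide_addr, self.hide_table[key]

    def inbound(self, dst, dport):
        """Translate the destination of an Internet -> internal packet.
        Returns (ip, port) or None when no mapping exists, i.e. an
        unsolicited packet to the hide address has nowhere to go."""
        if dst in self.static_rev:
            return self.static_rev[dst], dport
        if dst == self.hide_addr and dport in self.hide_rev:
            return self.hide_rev[dport]
        return None


def demo():
    """Two workstations sharing a source port behind the hide address,
    plus one published FTP/Web server in static mode."""
    nat = NAT("198.51.100.1", {"10.1.0.20": "198.51.100.20"})
    seen = [nat.outbound("10.1.0.5", 40000), nat.outbound("10.1.0.6", 40000)]
    replies = [nat.inbound(ip, port) for ip, port in seen]
    return {
        "hidden": seen,                                     # same ip, distinct ports
        "replies": replies,                                 # routed back correctly
        "unsolicited": nat.inbound("198.51.100.1", 20000),  # no mapping: None
        "server_in": nat.inbound("198.51.100.20", 80),      # static 1:1
    }
```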

Centralized Management

FireWall-1 manages the enterprise Security Policy through a distributed Client/Server architecture that ensures high performance, scalability and centralized control. FireWall-1 components can be deployed on the same machine or in flexible Client/Server configurations across a broad range of platforms (see the Proposed Configuration section of this document). Diagram 2 shows a distributed Client/Server configuration.

In this configuration the Security Administrator configures and monitors network activity for several sites from a single desktop machine. The Security Policy is defined on the GUI Client, while the FireWall-1 database is maintained on the Management Server. The Security Policy is downloaded to three Firewall Modules (each on a different platform), which in turn protect three networks. The security policy download is accomplished using a single command, instead of having to issue three separate command instructions, one for each firewall. The connections between the client, server and multiple enforcement points are secured, enabling true remote management.

Although FireWall-1 is deployed in a distributed configuration, security policy enforcement is completely integrated. Any number of Firewall Modules can be set up, monitored and controlled from a single workstation, but there is still only one enterprise-wide security policy that is defined and updated from a centralized management interface.

Logging/Report Generation

A wide variety of event analysis and reporting tools have been integrated with FireWall-1 using the OPSEC API set. These tools allow you to fully integrate FireWall-1 into your enterprise management, reporting and accounting infrastructures, as well as extract specific and concise information from the FireWall-1 log files. Additional information regarding vendors and products can be found on the OPSEC Alliance web site at http://www.opsec.com.

The FireWall-1 log viewer provides the ability to review FireWall-1 log files for unauthorized attempts to access protected networks. Additionally, FireWall-1 can be configured to alert administrators via a screen based alert, e-mail, pager, or any other type of user defined action, when an unauthorized access attempt occurs.

An extension to FireWall-1, in the Q3 1999 timeframe, will be the Reporting Module. As an optional component of FireWall-1, the Reporting Module will allow creation of easy-to-read and easy-to-comprehend reports on user/group activity, network traffic activity, and suspicious activity, as well as cost estimation for various services. The Reporting Module allows reporting on all attributes included in the FireWall-1 log files. Reports can be displayed as List Reports (textual) or Graphs (single and multi-graphs).

Proposed Configuration

The configuration Check Point is proposing consists of the following quantities and FireWall-1 components:

  • (4) FireWall-1 Firewall Modules in total, deployed as follows:
    • (2) FireWall-1 Firewall Modules for the central site Internet connections
    • (2) FireWall-1 Firewall Modules for each of the remote site Internet connections
  • (1) Centralized FireWall-1 GUI Client
  • (1) Centralized FireWall-1 Management Server
Each FireWall-1 Firewall Module is located as shown on Diagram 1, in Happy Pharmaceuticals' Firewall RFP. The centralized GUI Client and Management Server are located within the protected network at the central site.

FireWall-1 system requirements are as follows:

Platforms

  • HP-PA 9000/700 and 800
  • IBM RS-6000 and PowerPC
  • Intel x86 or Pentium
  • Sun SPARC-based systems

Operating systems

  • HP-UX 10.10 and 10.20
  • IBM AIX 4.2.1 and 4.3
  • Solaris 2.5 and 2.6
  • Windows NT 4.0

Window systems

  • Windows NT
  • Windows 95
  • X11R5

Disk space

  • 30 MB

Memory

  • 64 MB

Network interface

  • All standard network interfaces for UNIX platforms
  • 3Com or Intel network interface card recommended for NT platforms

Media

  • CD-ROM

Cost

A price breakdown follows (all prices are list price and are in U.S. Dollars):

  Item                                                Unit      Total
  (1) FireWall-1 Enterprise Security Console          $18,990   $18,990
  (1) FireWall-1 Firewall Module - Unlimited          $6,995    $6,995
  (2) FireWall-1 Firewall Module - 100 IP Addresses   $4,995    $9,990

Total list price to secure Happy Pharmaceuticals' network is $35,975.

Note that pricing does not include the cost of the underlying hardware platforms needed to run the software. It also assumes that the remote sites have 100 or fewer IP addresses at each site. If the number of IP addresses is more or fewer, there will be a corresponding price adjustment. Also note that a FireWall-1 Enterprise Security Console includes one unlimited FireWall-1 Firewall Module. An unlimited Firewall Module allows an unlimited number of IP addresses to be protected behind the firewall.

For Happy Pharmaceuticals' Consideration

Happy Pharmaceuticals should consider setting up a VPN between the central and remote sites. The VPN could save money for Happy Pharmaceuticals by replacing the existing frame relay service used to connect the remote sites to the central site. FireWall-1 Encryption Modules could be added to the FireWall-1 firewalls at any point in the future to enable encryption and decryption of traffic at the firewall gateway. Once a FireWall-1 gateway is upgraded with the Encryption Module, it is then called a VPN-1 Gateway(tm). The VPN-1 Gateway encrypts traffic leaving the gateway and decrypts traffic entering the gateway, as long as the FireWall-1 firewall allows that traffic to enter the internal network. This highlights one of the strengths of having the firewall perform encryption and decryption of traffic - traffic can first be inspected before it is encrypted, or decrypted and then inspected, to see if that traffic should be forwarded, or rejected. Performing VPN and firewall services in one software package reduces administration costs.

Another option, for consideration, is to use the Check Point Open Security Extension(tm) to manage the router access control lists, thereby simplifying management and reducing administration costs. This extension to FireWall-1 allows the use of the same FireWall-1 GUI to not only manage the firewall security policies, but also to manage the access control lists of the routers connecting Happy Pharmaceuticals to the Internet.

Summary

Check Point FireWall-1 provides the availability, performance, network address translation, centralized management, and logging that Happy Pharmaceuticals requires to secure its central and remote site networks. In addition, the FireWall-1 product suite offers many advantages Happy Pharmaceuticals can exploit to expand its network security infrastructure.

When it comes to network security, organizations require the ability to define a single enterprise-wide policy that integrates all aspects of network security. This includes:

  • Access Control
  • Authentication
  • Virtual Private Networking (VPN)
  • Third-party Device Management
  • Network Address Translation (NAT)
  • Content Security (anti-virus, URL and Java/ActiveX screening)
  • LDAP User Directory Support
  • Server Load Balancing
  • Auditing
  • Enterprise Security Management
Once an overall security policy is defined, companies require the ability to distribute it to multiple enforcement points (Internet/intranet servers, routers, switches, hardware encryption devices, etc.) throughout the enterprise to cover worldwide offices, remote and mobile users, business partners, and customers. A complete enterprise security solution must be able to deliver all this functionality across multiple platforms, without restricting connectivity in any way. This presents many new challenges, taking enterprise security far beyond the traditional "firewall for Internet access control" approach. Check Point Software Technologies offers a comprehensive solution to meet these new and expanding requirements.

The FireWall-1 product suite is unified by Check Point's OPSEC (Open Platform for Secure Enterprise Connectivity) policy management framework, which provides central integration, configuration and management for Check Point FireWall-1 as well as other third-party security applications.

About Check Point Software Technologies

Check Point Software Technologies Ltd. is the worldwide leader in secure enterprise networking solutions. The company's integrated architecture includes network security (FireWall-1, VPN-1, Provider-1, and Check Point RealSecure), traffic control (FloodGate-1 and ConnectControl), and IP address management (Meta IP). Check Point Software solutions enable customers to implement centralized policy-based management with enterprise-wide distributed deployment. Via the OPSEC Alliance, Check Point Software's products seamlessly integrate with "best-of-breed" products from more than 200 leading industry partners. The company has U.S. headquarters in Redwood City, California and international headquarters in Ramat-Gan, Israel. For more information, please call (800) 429-4391 or (650) 628-2000 or visit http://www.checkpoint.com or http://www.opsec.com.

# # #

(c) 1999 Check Point Software Technologies Ltd. All rights reserved.

Check Point, the Check Point logo, FireWall-1, FloodGate-1, INSPECT, IQ Engine, Meta IP, Open Security Manager, Open Security Extension, OPSEC, Provider-1, User-to-Address Mapping, VPN-1 Accelerator Card, VPN-1 Certificate Manager, VPN-1 Gateway, VPN-1 RemoteLink, VPN-1 SecuRemote, and ConnectControl are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.

    Copyright, 1994-2006 Network World, Inc. All rights reserved.