Access Control


Internet technology provides a cost effective, global communications infrastructure that enables world-wide access for employees, customers, vendors, suppliers and key business partners. This is a critical enhancement to collaborative information sharing, but it also exposes an organization's network to new risks and threats. How can an organization keep its resources and information protected from unauthorized network access, from both inside and outside the organization? Access control, a fundamental building block in any security policy, addresses this issue.

What Goes In and Out of The Network

Access control protects an organization from security threats by specifying and enforcing what can go in and out of an organization's network. A key element of access control is an awareness of all underlying services and applications. First generation packet filters were not aware of applications, nor could they handle UDP or dynamic protocols. Second generation application proxies required a tremendous amount of CPU overhead, and were slow to provide support for new services appearing regularly on the Internet, such as multimedia services. Check Point FireWall-1's stateful inspection technology, combined with a powerful object oriented approach, provides full application-layer awareness as well as quick and easy support of new Internet services. FireWall-1 provides comprehensive access control with over 160 pre-defined applications, services and protocols as well as the flexibility to specify and define custom services.

In addition to understanding the full state and context of a communication, FireWall-1 includes the ability for rules within a security policy to be enforced using a time parameter. This provides extensive granularity in access control allowing rules to be valid for specific hours, days, months or years. For example, an organization may decide to limit HTML or web traffic to the Internet during working hours, allowing access only during lunch time, after normal working hours and on weekends. Another example is to disallow access to critical servers while system backups are being performed.

Defining a Security Policy

Implementing access control parameters is simple and straightforward with a well-defined graphical user interface such as that provided by Check Point FireWall-1. In fact, all aspects of an organization's security policy can be specified using FireWall-1's award winning user interface. All elements are specified using an object oriented approach. Once defined, these objects are used to define the security policy within the Rule-Base Editor. Each rule can be comprised of any combination of network objects, services, actions, and tracking mechanisms. Once a rule is defined, FireWall-1 provides the ability to define which network enforcement points it should be distributed to across the network. Supported platforms include UNIX and NT servers, and internetworking equipment (routers, switches, edge devices) from Check Point's many OPSEC Alliance partners. A distinct advantage of Check Point FireWall-1 is the ability to define an enterprise security policy once, distribute it to multiple access points throughout the network, and manage it locally and remotely from a single centralized console.

Distributed Access

FireWall-1's architecture is fully scalable so that it grows as an organization's security requirements grow. The system is capable of providing multi-level concurrent user access. This allows the assignment of different access privilege levels to FireWall-1 administrators. Upon authentication, each FireWall-1 administrator inherits the access rights assigned by the security manager, which are indicated within the Rule-Base Editor. This feature also provides the ability for a single desktop to connect to multiple management modules concurrently.

Supported access levels are defined as follows:

  • Read/Write: access to all functionality of FireWall-1 management tools
  • User Edit: the ability to modify user information only; access to all other functionality is read-only
  • Read Only: read-only access to the Security Policy Editor
  • Monitor Only: read-only access limited to the Log Viewer and the System Status tools

Secure Access

IP Spoofing - A technique where an intruder attempts to gain unauthorized access by altering a packet's IP address to make it appear as though the packet originated in a part of the network with higher access privileges. For example, a packet originating on the Internet may be disguised as a local packet. FireWall-1 has integrated protection and logging against this type of attack.

Denial of Service Attack - A TCP connection is initiated with a client issuing a request to a server with the SYN flag set in the TCP header. Normally the server will issue a SYN/ACK back to the client identified by the 32-bit source address in the IP header. The client will then send an ACK to the server and data transfer can commence. When the client IP address is spoofed (changed) to be that of an unreachable host, however, the targeted TCP cannot complete the three-way handshake and will keep trying until it times out. This is the basis for the attack.

Application gateway based solutions by themselves are not able to defend against SYN flooding attacks. In fact, the firewall itself may be attacked to create a denial of service condition. Packet filtering based solutions are also not able to guard against SYN flooding attacks since they lack the necessary capability to perform Stateful Inspection of connections. FireWall-1 with Stateful Inspection can protect against this attack using SYNDefender.
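The half-open connection state described above can be tracked from observed TCP flags. The following is an added example, not Check Point code and not how SYNDefender is implemented; the event tuple layout, threshold, timeout and addresses are constructed for illustration.

```python
def detect_syn_flood(events, threshold=5, timeout=30.0):
    """Flag servers holding too many half-open TCP connections.

    events: time-ordered (ts, src, sport, dst, dport, flags) tuples, where
    flags is "S" (SYN), "SA" (SYN/ACK), "A" (ACK) or "R" (RST).
    Returns {(dst, dport): peak half-open count} for servers over threshold.
    """
    half_open = {}   # (src, sport, dst, dport) -> time the SYN was seen
    alerts = {}
    for ts, src, sport, dst, dport, flags in events:
        # Forget handshakes the server would already have timed out.
        for key in [k for k, t in half_open.items() if ts - t > timeout]:
            del half_open[key]
        if flags == "S":
            half_open[(src, sport, dst, dport)] = ts
        elif flags in ("A", "R"):
            # The client's ACK completes the handshake; a RST abandons it.
            half_open.pop((src, sport, dst, dport), None)
        # A SYN/ACK travels server -> client and completes nothing by itself.
        pending = sum(1 for k in half_open if k[2:] == (dst, dport))
        if pending > threshold:
            alerts[(dst, dport)] = max(alerts.get((dst, dport), 0), pending)
    return alerts


def sample_events():
    """Constructed trace: one normal handshake, then 8 SYNs that are never ACKed."""
    server = ("192.0.2.80", 80)
    events = [
        (0.0, "198.51.100.10", 40000, *server, "S"),
        (0.1, *server, "198.51.100.10", 40000, "SA"),
        (0.2, "198.51.100.10", 40000, *server, "A"),
    ]
    events += [(1.0 + i * 0.1, f"203.0.113.{i + 1}", 1024 + i, *server, "S")
               for i in range(8)]
    return events


if __name__ == "__main__":
    print(detect_syn_flood(sample_events()))
```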

Ping of Death - On almost every OS, including some routers, PING (ICMP) packets larger than 65508 become larger than 64K (because of the header additions of 28 bytes) and therefore are not handled well by kernels, making some systems crash or reboot. FireWall-1 with Stateful Inspection can protect against this attack by defining a service object and adding a rule to the security policy that prevents packets larger than 64K from passing.
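An oversized datagram can only arrive as fragments, so a size rule has to look at each fragment's offset and length. The check below is an added example, not FireWall-1's rule logic; it uses the IPv4 limit of 65,535 bytes imposed by the 16-bit Total Length field, and the sample headers and addresses are constructed.

```python
import struct

MAX_IPV4_DATAGRAM = 65535  # largest value the 16-bit Total Length field can hold


def parse_fragment(header: bytes):
    """Return (ihl_bytes, total_length, offset_bytes, more_fragments)."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        raise ValueError("inconsistent header lengths")
    offset = (flags_frag & 0x1FFF) * 8      # offset field counts 8-byte units
    return ihl, total_len, offset, bool(flags_frag & 0x2000)


def reassembled_size(header: bytes) -> int:
    """Datagram size implied by this fragment (a lower bound if more follow)."""
    ihl, total_len, offset, _more = parse_fragment(header)
    return ihl + offset + (total_len - ihl)  # header + preceding data + this payload


def is_oversized(header: bytes) -> bool:
    """True when reassembly would exceed what an IPv4 datagram can legally hold."""
    return reassembled_size(header) > MAX_IPV4_DATAGRAM


def build_header(total_len: int, offset_units: int, more_fragments: bool) -> bytes:
    """Constructed 20-byte ICMP-over-IPv4 header for the samples (checksum left 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, 1, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))


if __name__ == "__main__":
    for name, hdr in [("ordinary last fragment", build_header(1500, 185, False)),
                      ("oversized last fragment", build_header(420, 8189, False))]:
        print(name, reassembled_size(hdr), "DROP" if is_oversized(hdr) else "pass")
```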


Stealth the Firewall - Under normal situations, anyone on the corporate network could potentially access the firewall gateway or security access point. This can be prevented by stealthing the firewall or hiding its access point. Check Point FireWall-1 provides this capability with the addition of one simple rule in the security policy. Protecting the gateway in this manner makes it inaccessible to any user or application, except for management and configuration purposes, effectively making the device invisible.

Network Address Translation can conceal or hide the internal network addresses from the Internet, avoiding their disclosure as public information.

Advanced Logging and Alerting

Connection Accounting - FireWall-1 allows the security manager to monitor accounting data on selected connections. For each connection handled by the rule an accounting log entry is then generated which includes the usual fields as well as the connection's duration, the number of bytes and the number of packets transferred.

The accounting log records are generated when the monitored connection ends, so they can be viewed in the Log Viewer. In addition, when running the Log Viewer to show the live connections (see below), the Active Connections View can be used to monitor ongoing connections.

Active Connections - With FireWall-1, the security manager can use the Log Viewer in active connection mode to view in real time all connections currently active through the Firewall Modules. The live connections are stored and handled in the same way as ordinary log records, but are kept in a special file that is continuously updated as connections start and end. In this way, all the standard Log Viewer features, such as selection, search engine, etc., can be used to monitor current network activity.

When using the accounting option, the connection accounting data (time elapsed, bytes and packets transferred) is continuously updated, so the security manager can monitor not only the fact of the connection but also its activity.

Multiple Alerting Capabilities - FireWall-1 provides integration of multiple alert options including email notification and SNMP traps for integration with SNMP-based network management systems such as HP OpenView, SunNet Manager, or IBM's NetView 6000. A User Defined alerting mechanism is also available to integrate with paging, trouble-ticketing and help desk systems providing a great deal of flexibility in how security alerts are integrated into current management systems.


©1999 Check Point Software Technologies Ltd. All rights reserved. Used with permission