Check Point halts application threats

Application-layer (or layer 7), firewalls generally work by using multiple application proxies that reside between servers and end points. Each proxy is typically dedicated to certain protocols, specific applications, or specific attacks, allowing layer 7 firewalls to inspect packets utilizing complex protocols such as SIP (Session Initiation Protocol), H.323, and SOAP. Proxies decide whether traffic looks suspicious, and whatever doesn’t smell right gets dropped.

Because layer 7 firewalls differ significantly from traditional stateful inspection boxes, most are designed to layer on top of existing firewall installations. However, Check Point’s solution allows you to implement layer 7 protection in the same box that handles layer 2 and layer 3 security.

Check Point has incorporated application-aware proxies in its firewall software since Version 4.0. In its newest NG (Next Generation) version, Check Point has combined Firewall-1/VPN-1 with a host of application proxies under the banner of SmartDefense. The result is a highly effective defense against most application layer attacks. However, companies using the Web for critical applications should consider additional safeguards, such as full application proxies available from vendors such as KaVado and Sanctum.

Check Point shipped us pre-loaded hardware to our Advanced Network Computing Laboratory at the University of Hawaii. The box was based on a SuperMicro rack-mount server chassis running Firewall-1

/VPN-1 on top of a hardened Linux platform. To test SmartDefense’s layer 7 capabilities, we used a Spirent WebAvalanche 220 to run a variety of DoS attack configurations, including ARP Flood, PingSweep, ResetFlood, Smurf, Syn Flood, TCP PortScan, UDP Flood, UDP PortScan, and XMASTree. Not only did SmartDefense thwart known and unknown attacks, but it maintained high performance levels even while under attack, indicating that Check Point has managed to work out performance bottlenecks that have plagued application proxies since they were invented.

Building the Wall

Basic setup was as simple as booting the machine from the bundled CD and stepping through a series of configuration questions. We especially liked the way Firewall-1 will generate an internal CA (certificate authority), which means you can configure SSL connections without the expense of buying a CA from a third party such as VeriSign.

Once basic setup is accomplished, we have only one recommendation: Read the manual. Attempting to configure Firewall-1 the way you may have configured previous firewalls is a mistake. We know because we went that route and temporarily turned our firewall into a paper weight.

Beneath the installation routine, you’ll find that Check Point has included advanced features such as multiple log-in shells for daily firewall administrators as well as an “expert” mode that allows more access to the Linux base, but simultaneously gives you more ways to get in trouble. It was from expert mode that we initiated troubleshooting processes that allowed us to revive our Firewall-1 and make it productive again.