AWARD. PROTECTsTAR. Check Point 500 & VPN-1 Edge

Size: px

Start display at page:

Download "AWARD. PROTECTsTAR. Check Point 500 & VPN-1 Edge"

Ashlynn Watkins
6 years ago
Views:

1 Check Point 500 & VPN-1 Edge

SECURITY The Safe@Office 500 and VPN-1 Edge appliance models from the Check Point manufacturer were checked in the series of tests that were carried out.

2 SECURITY The 500 and VPN-1 Edge appliance models from the Check Point manufacturer were checked in the series of tests that were carried out. The integrated Stateful Packet Inspection Firewall from Check Point is identical in all the 500 and VPN-1 Edge appliances and models.the test series were carried out under both laboratory and real life conditions. The appliances were tested in the current software version in the ProtectStar test laboratory (status: September ). The upcoming Version 7.5 (.23x) was also examined. In all other respects, the screenshots illustrated in the test report already show the upcoming Version 7.5, which will be available for all users in the near future. The core item in all appliance models from Office and VPN-1 Edge the integrated Firewall including the SmartDefense (an integrated IDS/ IPS System) from Check Point - successfully passed various attack and security tests during the test procedure with regard to the external protection against all currently known The security tests thereby included all known Denial of Service (DOS) types of attack, as well as the exploitation of all weak points known at the time of the test procedure in all operating systems (Windows, Linux, Unix, etc.), applications, Brute Force, CGI abuses, Useless Services, backdoors and security checks. In detail, the security tests that were carried out included the various hazard levels (low, medium, high) in the area of DOS attacks (241 DOS attacks), for example, Open SSL denial of service, ping of death, RPC DCOM Interface DOS, MS Checkpoint Firewall-1 UDP denial of service, Trend Micro Office Scan Denial of service and Linux : 0 length fragment bug. The area of CGI-Abuses included, for example, HP < 4.4.7/5.2.3 Multiple Vulnerabilities, Socketmail <= Remote File Include Vulnerability and PHPAdsNew code injection. In addition to this, the appliances were also attacked with 33 known and special attack variations for Firewalls.The Check Point Firewall successfully blocked all the security tests that were carried out. In further test phases, the integrated Firewall from Check Point was operated in the available security profiles. LOW, MEDIUM, HIGH and BLOCK ALL, and scans for any open TCP and UDP ports were carried out using standardized port scans. Scanning was carried out over the complete spectrum from ports. In an additional test procedure, a SYN port scan (halfopen) the so-called Stealth Scan was then carried out. The standard rules of the Stateful Packet Inspection firewall block all connection attempts from the Internet and allow any connection from the internal network into the Internet (security level: LOW). With the four security levels LOW, MEDIUM, HIGH and BLOCK, the rules of the firewall can be limited further by the user himself. The available security levels that can be set manually are defined as follows: At the LOW security level, any connection from the internal network to the Internet

Within the context of the port scans (TCP-connect and syn/halfopen) that were carried out, no open ports and no unnecessary services that could normally lead to security problems were found.

3 Within the context of the port scans (TCP-connect and syn/halfopen) that were carried out, no open ports and no unnecessary services that could normally lead to security problems were found. No vulnerabilities or security risks were observed during both the automatically running test series of the in-house ProtectStar security scanner, which carried out further security tests and attack tactics in addition to 9666 (status: ), and the checks that were carried out manually. is permitted. All connections originating from the Internet are blocked. The only exception to this are ICMP packets so-called Pings. At the MEDIUM security level, all connections from the internal network to the Internet are permitted, with the exception of the Windows file releases (NTB ports 137, 138, 139 and 445). All connections originating from the Internet are blocked. The HIGH security level is the highest and most restrictive level. Apart from a few exceptions, all connections from the internal network with the Internet are stopped. Only the connections for standard Internet applications are permitted. These include access to websites (HTTP, HTTPS), (IMAP, POP3, SMTP), FTP, NNTP, Telnet, DNS, IKE, Port 2746/UDP and Port 256/TCP. At the BLOCK ALL security level, all connections from the outside to the inside and from the inside to the outside are completely stopped. The above-mentioned security levels can be set up using a slide control in the main menu ( my.firewall) under the SECURITY menu item. Even though such slide controls for firewalls are not popular among experts, an exception must be made here, because the various security levels are largely adapted to the requirements of companies and small branch offices. The Check Point Firewall completed the four-hour, longterm penetration test successfully and without limitations without any loss in performance worth mentioning. The integrated SmartDefense from Check Point an intrusion detection and prevention System that is based on the Check Point application intelligence technology showed very good results throughout. It pro-actively protects, for example, against network worms and Denial of Service attacks, and recognizes anomalies in the network traffic. In a further test procedure, it was checked whether the Safe@Office 500 and VPN-1 Edge appliances could be manipulated if an attacker/ hacker was directly connected to the LAN port of the Check Point Firewall. In this manner, it is also possible to analyze in a practical manner what could happen if an attacker has already gained access to a trusted network. An attack scenario of this kind was simulated by the ProtectStar test centre. It was thereby observed that the TCP/IP stack was not completely protected with regard to the TCP sequence prediction. As a result of this, an attacker could predict or guess the sequence number, and would thereby be able to manipulate existing connections. Ports 22, 53, 80, 443 and 981 were detected as (internal) open ports. Furthermore, sections of

4 It was, however, found that the 500 and VPN-1 Edge rules in this security profile are insufficient to prevent leak tests. The HIGH profile offers a better protection. The detection or success rate in the leak tests turns out higher through the manual configuration of the Check Point Firewall rules. In this way, a 100% detection of the known leak tests could also be realized. the VPN certificate could be read out, as well as the current time indication of the Safe@Office 500 or VPN-1 Edge appliance. The information that is obtained can be allocated to the low risk category. As the attack scenario was of a rather theoretical nature, it is therefore not necessary to pay too much attention to this. Both in theory and in practice, it would be possible to hack or guess the access password for the Admin console (http[s]:my.firewall) of a Safe@Office or VPN-1 Edge. For this reason, a secure password should be selected as an access password, consisting of special characters, numbers and upper and lower case characters (for further information: Leak tests For software-based firewalls, such as Personal Firewall, leak tests check whether the various techniques for passing information, such as passwords, personal data, etc., from a computer into the Internet past the firewall, will be detected.with a hardware-based firewall such as the Safe@Office 500 or VPN-1 Edge, appropriate caution must be exercised in order not to distort the results. It was therefore checked whether the leak tests were blocked if the standard MEDIUM profile of the Check Point Firewall was activated. In order to be able to test the protection functions of the antivirus scanner (ClamAV), several extensive virus and malware archives were set up. In total, these archives contained more than two thousand different threats, ranging from brand new and current viruses, worms, Trojans, dialer viruses and spyware, up to the old MS-DOS Boot viruses and self-developed unknown threats. In summary, the malware recognition rate was determined to be %, which indicates that the anti-virus scanner integrated in the Safe@ Office 500 and the VPN-1 Edge provides a very good performance. The Automatic Update function (my.firewall -> SERVICES -> SOFTWARE UPDATE) ensures a comprehensive protection against new threats and rapidly expanding attacks. Every 60 minutes, a Safe@Office 500 or VPN-1 Edge appliance automatically searches for any available updates with regard to firmware updates, antivirus signatures, SmartDefense rules or signatures for the web filter. For optimized protection, it is also possible to immediately download appropriate patches from the managed Service Provider as soon as new threats become known. It must be observed, however, that individual security features such as antivirus scanner, SmartDefense, web filter or even the automatic update functions can only be released and used within the context of a corresponding Service Contract.

5 USER FRIENDLINESS The two Check Point appliances 500 and VPN-1 Edge are available in various models. Both models, for instance, are also available with integrated WLAN hotspot and/or an additionally integrated ADSL modem. Once an organization has decided in favor of a particular model, the number of users must be defined. The appliances are available for 5, 25 and an unlimited number of users for Safe@Office 500, and 8, 16, 32 and an unlimited number of users for VPN-1 Edge. The number of users can, of course, be increased at a later date by means of a service contract. The installation of a Safe@Office or VPN-1 Edge is extremely user-friendly and the installation wizard helps the user to configure the appliance in simple steps. In general, users will be impressed right from the start by the multitude of individual configuration options, leaving hardly anything to be desired. Optically, the design of the web interface is attractive and clear, enabling easy access to all functions and settings. As a rule, there should be no complications whatsoever with regard to the installation and configuration. If difficulties nevertheless arise, the very detailed 605-page (Safe@Office) and 633-page (VPN-1 Edge) manuals, which are available in PDF format, together with the Quick Start Guide included in the delivery, will be of assistance by highlighting and clearly answering all relevant steps and questions. In addition, practical online assistance is always available to the user at any time by clicking the Help button on the left side of the web interface. Some improvements should be made here, however, as some of this support relates to previous software versions, or does not offer any assistance with available and/or new set-up options. An additional DMZ (De-Militarized-Zone) port is also provided on the rear panel of the Safe@ Office 500 and VPN-1 Edge. This enables organizations to connect a public server, such as a Webserver, without an additional switch, and to have it protected by the Stateful Packet Inspection Firewall of the appliance at the same time. In addition, further logical DMZs can be set-up manually. Two USB ports with integrated Printserver are also available, allowing up to two printers to be connected using a USB cable. These can then be used by all network users connected to the Safe@ Office / VPN-1 Edge. The additional functions, such as Gateway High Availability, Backup ISP, VPN Server, Dial Backup VLAN Support, Remote Access VPN Gateway, Bridge Mode and Static NAT, are useful tools for organizations that are integrated into all Safe@ Office and VPN-1 Edge appliances as standard. The graphic representation of the computer systems that are connected to the Safe@Office is specially highlighted optically (including the computer name & MAC address) under the Reports -> Active Computers menu item. In addition, under this menu item, the user can find out the IP-address of the corresponding workstation or server, and whether this IPaddress is static or is allocated to the respective

6 system via DHCP. This also applies to all computers that are connected to a Safe@Office or VPN-1 Edge through a wireless LAN. The Log files are adequate, and can also be made available in the form of a clear and graphically presented reports if a corresponding service contract has been concluded. Under Reports -> Event Log, users can access a colored table, in which entries on a red background indicate a successfully-averted attack and entries with a blue background indicate a modification of the Safe@Office configuration. The report can also be saved as an Excel table. From the entries, the Administrator can establish whether an attack has taken place and at what point in time. From the TCP or UDP protocols, it is possible to determine the computer/server and the ports attacked. By clicking the mouse on the IP address of the attacker, a WHOIS window is opened, in which the Administrator can obtain more information about the attacker or his provider. With an additional Reporting-Service contract, Safe@Office or VPN-1 Edge users receive monthly analysis and evaluation reports in a graphical format through a central Service Management Platform (SMP). The antivirus scanner, which is available be obtained as an option at extra cost, is produced by ClamAV. On request, it searches incoming and/or outgoing (SMTP/POP3/IMAP) s for viruses, worms and Trojans. A particularly practical feature here is that, with the help of a wizard, users are able to individually select which specific protocol and which port should search for malware in incoming and/or outgoing connections. It is also possible to select entire port ranges (e.g. from port ). The integrated virus scanner, which can be enabled through a service contract, performed in an outstanding manner, and recognized all test viruses and Trojans that were sent or received by . If, for example, a user receives an with a virus-infected attachment, the antivirus scanner reliably removes this file and inserts a text file containing an appropriate warning with regard to the virus detection into the original message in place of the infected attachment. The Web filtering also performed in a reliable manner. The URL web filter is manufactured by SurfControl, and can be obtained as an option through a corresponding service contract. It is then possible to either switch the filter on or off, as well as to allow or block access to certain categories, by means of the configuration console of the appliance. The user can select from the categories Violence, Drugs & Alcohol, Adult, Criminal Skill, Gambling, Hate Speech, News, Travel, Sport, Unknown Sites and many others. The Adult category, for example, includes the Playboy website, as well as all other known websites with contents that are not suitable for persons under 18 or that have offensive content. The Unknown Sites category is particularly valuable for larger organizations. Here, access to the Google search engine and to the online auction house ebay, among others, is blocked. This can prevent employees from using these services during normal working hours.

Here, however, we did miss the option to switch the web filtering on or off at certain times, enabling, for example, access to search engines or other portals during the daily lunch break in the

7 Here, however, we did miss the option to switch the web filtering on or off at certain times, enabling, for example, access to search engines or other portals during the daily lunch break in the organization, while blocking these again at any other times. PERFORMANCE The 500 and VPN-1 Edge appliances performed quickly and very reliable during the test series that were carried out. No loss of performance or deficiencies in the performance could be observed in any manner. It was even possible to continue working with the and VPN-1 Edge appliances with minimal loss of performance during the fourhour, long-term penetration test. None of the appliances could be brought to crash. The available 500 and VPN-1 Edge appliance models are equipped with different performance characteristics: the data transfer rate for the Firewall is between Mbps and the data transfer rate for the VPN between Mbps. The Check Point manufacturer quotes the maximum number of simultaneous connections as 8,000. SUPPORT With the purchase of a Safe@Office appliance, users obtain a one year guarantee, including software updates. Under the user of a product manufactured by Check Point has access to an extensive knowledge base, and to the most frequently asked questions (FAQ). Interested persons can purchase the appliances from an authorized reseller the latter is then responsible for the support and the legal guarantees, and, if desired, will renew the support contract or directly from the manufacturer, Check Point / Software under www. sofaware.com. Together with the purchase of a Safe@Office or VPN-1 Edge, various services such as web filtering, Dynamic-DNS, antivirus scanner, and many others can also be purchased as an option, Some retailers also offer individual services or comprehensive overall service packages, which can be specifically tailored to the requirements of the user. The online support (Live-Help) of Check Point / Sofaware proved to be outstanding, as it could almost always be reached and was able to provide adequate solutions. The replacement of a faulty VPN-1 Edge appliance also took place without problems; in an international environment, the appliance could be replace within three days. PRICE and PERFORMANCE Depending on model and number of users, the price range of the Safe@Office and VPN-1 Edge series is from Euro to 2, Euro. A Safe@Office 500 appliance that has been designed or licensed for 5 users is available for as little as Euro. A VPN-1 Edge

ADSL WU with an unlimited number of users and integrated wireless LAN hotspot and ADSL modem can be purchased for 2,300.00 Euro.

If required, the costs for the various services, such as antivirus scanner, web filter, SmartDefense service, software updates, exchange service, etc, can be added to this.

8 ADSL WU with an unlimited number of users and integrated wireless LAN hotspot and ADSL modem can be purchased for 2, Euro. 500 and VPN-1 Edge by Check Point were awarded the ProtectStar on the basis of their excellent test results. If required, the costs for the various services, such as antivirus scanner, web filter, SmartDefense service, software updates, exchange service, etc, can be added to this. The Antivirus Service Contract, for example, costs between Euro depending on the provider, and the automatic firmware update service, including dyndns service, costs between Euro and Euro per year. On the basis of the seamless protective effect, the wide range of security functions and the virtually unlimited application possibilities, the and VPN-1 Edge appliances provide good value for money for organizations, branch offices and small offices, particularly in comparison to other hardware firewalls on the ITsecurity market. SUMMARY The test series that were carried out once again impressively demonstrated that, with Office 500 and VPN-1 Edge, the Check Point organization has developed powerful security and Firewall solutions that are secure, modern, userfriendly and, at the same time, State-of-the-Art. The appliances combine comprehensive security with a reliable Internet gateway within a costeffective solution. In particular, the installation within minutes, the security rules that can easily set-up with the help of Configuration Assistants (One-Click-technology), and the protection at the network (Layer 3) and application level (Layer 7) are especially worthy of mention here. The purchase of such optional services as web filtering, antivirus scanner, Dynamic-DND, etc. are also recommended by the security experts of the ProtectStar test centre in every case. PROTECTSTAR Pr o t e c tsta r Inc th Place Suite L 3604 Bradenton, FL USA testcenter@protectstar.com

Training UNIFIED SECURITY. Signature based packet analysis

Training UNIFIED SECURITY. Signature based packet analysis Training UNIFIED SECURITY Signature based packet analysis At the core of its scanning technology, Kerio Control integrates a packet analyzer based on Snort. Snort is an open source IDS/IPS system that