Information security management in enterprise networks.


Internet technologies have changed not only how organizations do business, but also their attitude to network security. The boundaries of corporate networks are no longer defined by the installed equipment; they are now determined mainly by the security policy that the participants in the information exchange adhere to. For such a security policy to be effective, it must cover a wide range of information security technologies that manage access to information resources and control the integrity and authenticity of information and of the network connections passing both through the Internet and through the internal networks of the organization and its partners.

A comprehensive solution in the field of information security in computer networks must at least provide the following functions:

• authenticate computer network users using reliable and proven methods before they are granted access to network resources;

• provide selective access to network resources for authenticated users;

• ensure the security and integrity of information exchange over open networks such as the Internet;

• check the content of data streams passing through gateway systems in order to detect and block inappropriate information from entering the network, and neutralize computer viruses and malicious Java/ActiveX applets;

• detect and prevent intruder attacks in real time;

• mask the internal address space of the enterprise and economically use the allocated address space of the global network;

• provide the ability to build highly reliable systems for tasks that require uninterrupted operation of the entire computer network;

• collect and process detailed information about every connection attempt and every established network connection.

Check Point Software Technologies Ltd., a leading provider of IP network security solutions based on expressing the security policy as a uniform set of rules, addresses exactly these tasks with its FireWall-1 security tools and the VPN-1 family of VPN solutions, the only solution in the industry integrated with a bandwidth management system.

The wide range of basic and service functions of the FireWall-1/VPN-1 products makes it possible to build an integrated network and information security solution that fully meets the modern requirements of any organization, large or small.

In addition to the basic protection elements, Check Point has developed the concept of the Open Platform for Secure Enterprise Connectivity (OPSEC), which can serve as a basis for combining various information security technologies under a single comprehensive security policy. This approach allows closer integration of other manufacturers' products with FireWall-1/VPN-1. Only Check Point's solution allows an organization to create a single security policy for all these systems. The company's approach makes it possible to extend the security policy to every protection element of the enterprise network and provides remote, centralized control, management and configuration of the systems included in it.

Check Point solutions are based on its proprietary Stateful Inspection technology, which is currently the industry's leading method of traffic control. It enables data inspection down to the application level, without the need for a separate intermediary application or proxy for each protected protocol or network. The result is unique performance, high flexibility, and the ability to quickly and easily adapt the system to new requirements.

Access control is a basic element of protection

Internet technologies make it possible to create a cost-effective global communications infrastructure that will provide access to the network on a global scale to enterprise employees, customers, equipment manufacturers, suppliers and key business partners. This significantly expands the possibilities for exchanging shared information, but increases the risk of exposing your corporate network to new dangers and threats.

How can an organization resist unauthorized access and protect its resources and information? Access control is a fundamental element of any security policy, directly aimed at solving this problem.

What information do enterprise networks exchange?

Access control protects an organization from potential threats by clearly specifying and controlling which information flows and communications can pass through the enterprise network's border gateways. The key feature of devices that provide real access control is their full awareness of all communications, network services, and applications. Early implementations of packet filter-based security tools (usually implemented on routers) have no information about the application state, and as a rule, cannot process UDP traffic, much less dynamic protocols.

Second-generation network protection tools based on proxy applications often require very powerful computers and are quite slow to adapt to the new Internet services that appear regularly. In contrast, the stateful inspection technology implemented in Check Point FireWall-1/VPN-1 gives the gateway complete information about communications. This, together with the object-oriented approach to describing network resources and services, allows the system to be quickly and easily adapted to new Internet services. FireWall-1/VPN-1 provides comprehensive access control for more than 160 predefined Internet services and has convenient means for defining new user services.

In addition to the listed capabilities, FireWall-1/VPN-1 allows access to network resources to be regulated by time. This makes it possible to define the use of network resources in considerable detail, creating rules that grant access to resources only during certain intervals (minutes, hours, days of the month, days of the week, month and year can all be taken into account). For example, an organization may decide to block Web browsing during working hours and allow it outside them. Another example is to prohibit access to critical servers while a full backup of the server data is running.

Creating a security policy

The process of describing access control rules in a well-designed system such as Check Point FireWall-1/VPN-1 is simple and straightforward. All aspects of an organization's information security policy can be specified through the award-winning FireWall-1/VPN-1 graphical interface.

It uses an object-oriented approach to describe network elements. The created objects are then used to define the security policy in the rules editor. Each rule can combine any network objects and services, and also defines the action to be taken and how the triggering of the rule is reported. Additionally, you can specify which security elements the rule applies to; by default, rules apply to all gateways with FireWall-1 or VPN-1 installed. Security elements can be deployed on various platforms, including UNIX (Solaris, HP-UX, AIX) and NT, as well as the OPSEC gateway equipment of Check Point partners.

The unique advantage of Check Point FireWall-1/VPN-1 is the ability to create a single security policy for the entire enterprise. FireWall-1/VPN-1 then checks the policy for consistency, compiles it and distributes it to all traffic control nodes in the network.
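The two sections above describe rules built from network objects and services, time-of-day restrictions, and a consistency check before the policy is installed. The following is an added illustration written for this page, not Check Point's code or its rule syntax: a minimal first-match rule engine with time windows and a shadowed-rule check. All network objects, services and rule names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed network objects and services (hypothetical addresses, not from the page).
OBJECTS = {
    "any": ip_network("0.0.0.0/0"),
    "internal_net": ip_network("10.0.0.0/8"),
    "backup_server": ip_network("10.1.1.10/32"),
}
SERVICES = {"any": None, "http": ("tcp", 80), "ssh": ("tcp", 22)}

@dataclass
class Rule:
    name: str
    src: str                        # key into OBJECTS
    dst: str                        # key into OBJECTS
    service: str                    # key into SERVICES
    action: str                     # "accept" or "drop"
    hours: Optional[range] = None   # hours of day when the rule applies; None = always
    weekdays: Optional[set] = None  # 0 = Monday .. 6 = Sunday; None = every day

def matches(rule, src, dst, proto, port, when):
    """True when a connection (src, dst, proto, port) started at `when` hits `rule`."""
    if ip_address(src) not in OBJECTS[rule.src] or ip_address(dst) not in OBJECTS[rule.dst]:
        return False
    svc = SERVICES[rule.service]
    if svc is not None and svc != (proto, port):
        return False
    if rule.hours is not None and when.hour not in rule.hours:
        return False
    if rule.weekdays is not None and when.weekday() not in rule.weekdays:
        return False
    return True

def evaluate(policy, src, dst, proto, port, when):
    """First matching rule wins; anything unmatched is dropped by an implicit cleanup rule."""
    for rule in policy:
        if matches(rule, src, dst, proto, port, when):
            return rule.action, rule.name
    return "drop", "implicit-cleanup"

def covers(earlier, later):
    """True when every connection that matches `later` also matches `earlier`."""
    hours_ok = earlier.hours is None or (later.hours is not None and set(later.hours) <= set(earlier.hours))
    days_ok = earlier.weekdays is None or (later.weekdays is not None and later.weekdays <= earlier.weekdays)
    return (OBJECTS[later.src].subnet_of(OBJECTS[earlier.src])
            and OBJECTS[later.dst].subnet_of(OBJECTS[earlier.dst])
            and earlier.service in ("any", later.service)
            and hours_ok and days_ok)

def shadowed_rules(policy):
    """Consistency check: rules that can never fire because an earlier rule already covers them."""
    return [(later.name, earlier.name)
            for i, later in enumerate(policy)
            for earlier in policy[:i] if covers(earlier, later)]

# Constructed policy: block the backup server during the 01:00-03:59 backup window,
# block Web browsing during working hours on weekdays, allow it otherwise.
POLICY = [
    Rule("backup-window", "internal_net", "backup_server", "any", "drop", hours=range(1, 4)),
    Rule("web-working-hours", "internal_net", "any", "http", "drop",
         hours=range(9, 18), weekdays={0, 1, 2, 3, 4}),
    Rule("web-offhours", "internal_net", "any", "http", "accept"),
    Rule("backup-web", "backup_server", "any", "http", "accept"),  # never reached: covered by web-offhours
]

if __name__ == "__main__":
    print(evaluate(POLICY, "10.5.5.5", "203.0.113.8", "tcp", 80, datetime(2024, 1, 8, 10, 0)))
    print(shadowed_rules(POLICY))
```

The shadowed-rule check is the kind of consistency test the text refers to: a rule whose source, destination, service and time window are all contained in an earlier rule's can never match, which usually signals an editing mistake in the policy.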

Distributed access

The FireWall-1/VPN-1 architecture allows the system's capabilities to be expanded seamlessly as the organization's need for various information security elements grows. The FireWall-1/VPN-1 administrative functions are likewise oriented toward multi-user access and allow the enterprise to separate the duties of security system administrators. After logging in, a FireWall-1/VPN-1 administrator inherits the rights that the security administrator has set for that specific FireWall-1/VPN-1 in the rule editor. This makes it possible to administer several FireWall-1/VPN-1 systems from one workstation at the same time.

FireWall-1/VPN-1 supports several levels of administrative access:
— Read/Write: full access to all functional capabilities of administrative tools;
— User Edit: the ability to change only user accounts, other capabilities are limited to read rights;
— Read Only: read-only access to security policy and statistics;
— Monitor Only: read access to statistics display tools only.

Protection against unauthorized access:

— IP Spoofing is a method of manipulating network infrastructure elements in order to gain unauthorized access. The attacker forges the source IP addresses of the packets he sends so that they look like packets from a more privileged source; for example, packets coming from the Internet may appear to have originated on the local network. FireWall-1/VPN-1 protects against this, recognizes such attempts easily and immediately notifies the security operator about them.
— Denial of Service attacks exploit weaknesses in the TCP implementation of specific systems. When a TCP connection is initiated, the client sends the server a request packet with the SYN flag set in the TCP header. Normally the server responds with a SYN/ACK acknowledgment addressed to the client, taking the client's address from the IP header of the received request. The client then sends a notification that data transfer is starting: a packet with only the ACK flag set in the TCP header. If the client's address is forged, for example to one that does not exist on the Internet, the connection setup can never complete, and the server keeps retrying until its time limit is exhausted. These conditions form the basis of this type of attack, which usually leaves the operating system of the attacked computer unable to process further connection requests, and sometimes has worse consequences.

Solutions based on proxy programs cannot protect against this type of attack by themselves, so the gateway itself can be attacked to create denial of service conditions. Packet filters cannot protect against it either, since they lack the necessary information about connection state and cannot inspect packets with that state in mind. FireWall-1/VPN-1, having all the means needed to analyze connection state, provides protection against such attacks.

— Ping of Death: almost every operating system, as well as some routers, has limitations tied to its particular implementation of the TCP/IP protocol, and the discovery of such limitations often leads to new types of attacks. Thus, most operating systems are sensitive to a PING (ICMP echo request) whose data field is larger than 65,508 bytes. After the necessary headers are added (the headers are 28 bytes long), such ICMP packets become larger than 64K and, as a rule, cannot be processed by the operating system kernel without errors, which manifests itself as random crashes or reboots of computers.

FireWall-1/VPN-1, with its Stateful Inspection mechanism, provides protection against such attacks.
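The three protections just described (anti-spoofing, tracking half-open TCP connections, and rejecting ICMP fragments that would reassemble into an oversized datagram) all depend on the gateway knowing the interface a packet arrived on and the state of the connection it belongs to. The following is an added illustration for this page, not Check Point's code: a small inspector that applies those checks to constructed packets. The topology, the half-open threshold and the simplified reassembly bound are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: networks that legitimately sit behind the internal interface.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
MAX_HALF_OPEN_PER_DST = 3   # hypothetical threshold of unanswered SYNs per destination
MAX_IP_PAYLOAD = 65535      # simplified bound: no valid datagram reassembles beyond this

@dataclass
class Packet:
    iface: str            # interface the packet arrived on: "external" or "internal"
    src: str
    dst: str
    proto: str            # "tcp" or "icmp"
    flags: str = ""       # TCP flags as letters: "S" (SYN), "SA" (SYN/ACK), "A" (ACK)
    sport: int = 0
    dport: int = 0
    frag_offset: int = 0  # IP fragment offset, in 8-byte units
    length: int = 0       # bytes of IP payload carried by this fragment

class Inspector:
    def __init__(self):
        self.half_open = set()   # (src, sport, dst, dport) with a SYN not yet followed by an ACK
        self.alerts = []         # what would be handed to the operator notification path

    def anti_spoofing(self, p):
        """A source address must be consistent with the interface it arrived on."""
        inside = any(ip_address(p.src) in net for net in INTERNAL_NETS)
        if p.iface == "external" and inside:
            return "spoofed-internal-source"
        if p.iface == "internal" and not inside:
            return "spoofed-external-source"
        return None

    def track_tcp(self, p):
        """Keep per-connection state so half-open (SYN-only) connections can be counted."""
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            self.half_open.add(key)
        elif p.flags == "A":
            self.half_open.discard(key)      # handshake completed
        pending = sum(1 for k in self.half_open if k[2] == p.dst)
        if pending > MAX_HALF_OPEN_PER_DST:
            self.half_open.discard(key)      # do not let the dropped SYN occupy state
            return "syn-flood-suspected"
        return None

    def check_icmp_fragment(self, p):
        """Reject a fragment that would push the reassembled datagram past the IP maximum."""
        if p.frag_offset * 8 + p.length > MAX_IP_PAYLOAD:
            return "oversized-icmp-fragment"
        return None

    def inspect(self, p):
        reason = self.anti_spoofing(p)
        if reason is None:
            if p.proto == "tcp":
                reason = self.track_tcp(p)
            elif p.proto == "icmp":
                reason = self.check_icmp_fragment(p)
        if reason:
            self.alerts.append((p.src, p.dst, reason))
            return "drop", reason
        return "accept", None
```

A packet filter without the connection table could apply the anti-spoofing rule, but not the half-open count, because that requires remembering which SYNs were followed by an ACK; the fragment check likewise needs the offset and length of every fragment, not just the first.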

Examples of protection methods:

1. Gateway Hiding. Under normal circumstances, any user on the corporate network can potentially reach the gateway running FireWall-1. This must be avoided by hiding the gateway device. Check Point FireWall-1/VPN-1 allows you to do this by adding one simple rule to the security policy. Hiding the gateway prevents any user or application from interacting with the security gateway and makes it invisible; the only exception is the security system administrators.

2. Using Network Address Translation mechanisms allows you to completely hide or disguise the internal network structure.

3. Setting up a Demilitarized Zone means placing publicly accessible network resources in special segments whose access is controlled by a firewall. This protects the company's internal network from attack even if an intruder uses a publicly accessible server as a springboard. Unfortunately, this is possible, since it cannot always be guaranteed that the software used on these servers is free of errors or backdoors, or that the server administrator has made no mistake in setting it up or designing it. Installing such public servers in front of the firewall without any protection is also inadvisable, since it significantly increases the risk of intrusion.

Because FireWall-1/VPN-1 elements place almost no restriction on the number of network interfaces they support, a Distributed Demilitarized Zone can be implemented. In this case, distributing public servers across separate network interfaces guarantees that individual servers remain protected from attack even in the event of a configuration error or a backdoor in the software of one of them. If an attack on one server succeeds, access to all the others is still protected by the FireWall-1/VPN-1 module.

Advanced statistics collection and alert generation

The FireWall-1/VPN-1 system collects detailed information about each network session: the user, the network service and destination, the session duration, its start time, and much more. These statistics can be passed on for further intelligent processing, for which Check Point provides a special statistics export interface.

In addition, the security system administrator can use the same statistics viewing and analysis tool to track active connections through the FireWall-1/VPN-1 firewall and VPN modules. These statistics are processed in real time and presented to the operator in the same way as regular records, and the same event selection mechanisms apply to them as to regular statistics. When the option to collect additional connection information is enabled, the integrated statistics are updated continuously, so the security administrator can track not only the existence of a connection but also the intensity of data exchange over it in real time.

The FireWall-1/VPN-1 system offers a variety of operator notification options, from email to SNMP traps for integration with network management platforms such as HP OpenView, SunNet Manager, IBM NetView 6000 and others. It is also possible to define your own handlers for situations that require notification, which allows the security system to be integrated with paging services or special rapid response systems.
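To make the statistics and alerting features above concrete, here is an added example written for this page (not Check Point's export format or its alerting API): a few constructed session records in a simple key=value form are parsed, active connections are tracked with their running byte counts, events are selected by field values, and repeated rejected connections from one source trigger the configured notification handlers. The record format, field names and threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed sample records in a simple key=value export format (not Check Point's own log format).
LOG_LINES = """\
time=10:00:01 action=accept src=10.0.0.5 dst=203.0.113.8 service=http user=alice conn=1 bytes=0
time=10:00:02 action=reject src=198.51.100.7 dst=10.0.0.1 service=telnet user=- conn=2 bytes=0
time=10:00:03 action=reject src=198.51.100.7 dst=10.0.0.1 service=ssh user=- conn=3 bytes=0
time=10:00:04 action=update src=10.0.0.5 dst=203.0.113.8 service=http user=alice conn=1 bytes=48000
time=10:00:05 action=reject src=198.51.100.7 dst=10.0.0.1 service=ftp user=- conn=4 bytes=0
time=10:00:06 action=close src=10.0.0.5 dst=203.0.113.8 service=http user=alice conn=1 bytes=52000
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    rec = dict(FIELD.findall(line))
    rec["bytes"] = int(rec["bytes"])
    return rec

def select(records, **criteria):
    """Event selection: keep records whose fields equal every given criterion."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]

# Notification handlers; each returns the message it would have sent (stand-ins for real transports).
def notify_email(msg):
    return f"email: {msg}"

def notify_snmp(msg):
    return f"snmp-trap: {msg}"

def notify_custom(msg):
    return f"custom-script: {msg}"   # hook for a pager or rapid-response system

class Monitor:
    def __init__(self, reject_threshold=3, notifiers=(notify_email, notify_snmp)):
        self.active = {}             # conn id -> latest record, i.e. the live connection view
        self.rejects = Counter()     # source address -> rejected attempts
        self.threshold = reject_threshold
        self.notifiers = notifiers
        self.notifications = []

    def process(self, rec):
        action = rec["action"]
        if action in ("accept", "update"):
            self.active[rec["conn"]] = rec           # bytes so far is the exchange intensity
        elif action == "close":
            self.active.pop(rec["conn"], None)
        elif action == "reject":
            self.rejects[rec["src"]] += 1
            if self.rejects[rec["src"]] == self.threshold:
                self.alert(f"{self.threshold} rejected connections from {rec['src']}")

    def alert(self, msg):
        for notifier in self.notifiers:
            self.notifications.append(notifier(msg))

def run(lines):
    """Parse all records and feed them through a Monitor; returns both for inspection."""
    mon = Monitor()
    records = [parse_line(line) for line in lines.splitlines() if line.strip()]
    for rec in records:
        mon.process(rec)
    return mon, records

if __name__ == "__main__":
    mon, records = run(LOG_LINES)
    print(mon.notifications)
```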

User authentication

One of the most important tasks of a network information security system is to establish the identity of the users working in it and grant them the appropriate access privileges. Check Point FireWall-1/VPN-1 gives remote users and users connecting over dial-up lines secure access to the organization's network resources, establishing their identity through a variety of verification schemes.

The user will not have access rights until he/she successfully authenticates using a secure method. Many of the implemented schemes do not require any modifications or installations on the user's computer or servers.

Like all FireWall-1/VPN-1 system tools, the user authentication elements are fully integrated into the enterprise-wide security policy and can therefore be managed centrally through the security administrator's graphical interface. The statistics collection and processing system also records user authentication events in the general statistics log.

The FireWall-1/VPN-1 system has three main modes of user authentication, known by the following names:
1. User authentication.
2. Client authentication.
3. Transparent session authentication.

User authentication

This is a transparent method of establishing the identity of a FireWall-1/VPN-1 user that makes it possible to determine each user's access privileges individually, even when the user works from a multi-user computer. It is implemented for the FTP, TELNET, HTTP and RLOGIN protocols and does not depend on the IP address of the client computer. As a rule, it is used when a user has to work with the organization's servers remotely; the security administrator can then allow that user access to the internal network. The privileges obtained through authentication are not extended to other applications running on the user's computer.

To do this, FireWall-1/VPN-1 performs authentication using a special Security Server running on the gateway computer. FireWall-1/VPN-1 intercepts all user authorization attempts to the server and forwards them to the appropriate Security Server. Once the user's identity is established, the FireWall-1/VPN-1 Security Server opens a second connection to the required application server. All subsequent packets of the session are likewise intercepted and inspected by FireWall-1/VPN-1 on the gateway. At first glance, the Security Server may look like nothing more than a «proxy» process, with all the shortcomings inherent in such network protection elements. This is not the case for FireWall-1/VPN-1. On the one hand, not a single packet from the network reaches the Security Server without first being inspected by the FireWall-1/VPN-1 protection module. This eliminates the usual weakness of proxy programs, which forces the use of specially modified operating system kernels to «harden» the IP protocol stack. On the other hand, this is a special «proxy-proxy» process that interacts more closely with the security system kernel, which in turn eliminates the weakness inherent in many network applications: the possibility of gaining access to the computer system by overflowing a buffer in them in the right way.

Client Authentication

Allows the administrator to grant access privileges to specific computers on the network whose users have passed the appropriate authentication procedure. Unlike User Authentication, this option is not limited to specific services and can provide authentication for any application, both standard and custom.

Client Authentication is not transparent to the user, but it requires no additional software and no modification of existing software.

Before starting work on the network, the user logs in to the corresponding FireWall-1/VPN-1 using either the telnet program or an ordinary «Internet browser», after which the system grants access to network resources.

For this type of authentication, the administrator can specify: how each user should be authorized, what password schemes to use, what server and what services will be available, how long, at what time and how many sessions can be opened.

Transparent Session Authentication

This mechanism can be used for any service, and authentication is performed for each session separately. After the user initiates a connection by contacting the server directly, the gateway with FireWall-1/VPN-1 installed recognizes that this session requires authentication and opens a connection to the Session Authentication Agent, which performs it. FireWall-1/VPN-1 then allows the connection if the client's identity is successfully established.
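The Client Authentication mode described above grants access to a host once a user on it has authenticated, with the administrator choosing the password scheme, the permitted services, the lifetime, and the number of sessions. The following is an added illustration for this page, not Check Point's code: a gateway that verifies a password against a constructed user store, records the event for the statistics log, and then authorizes sessions from that host under those limits. The salted-hash password store, the deny messages, and all names and addresses are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed user store: salted SHA-256 hashes stand in for the gateway's internal password scheme
# (simplified for the example; a real deployment would use a dedicated password hash).
_SALT = b"constructed-salt"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

USERS = {"alice": _hash("correct horse", _SALT)}

def verify_password(user, password):
    """Internal password check; constant-time comparison avoids leaking the hash through timing."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, _hash(password, _SALT))

@dataclass
class Grant:
    user: str
    host: str
    services: set         # services the administrator allowed for this grant
    expires: datetime     # how long the grant lasts
    max_sessions: int     # how many sessions may be opened under it
    sessions_used: int = 0

class ClientAuthGateway:
    """Host-level access granted once a user on that host has authenticated."""
    def __init__(self, verify=verify_password):
        self.verify = verify     # pluggable scheme: internal password here, could be another backend
        self.grants = {}         # host -> Grant
        self.log = []            # authentication events, as they would enter the statistics log

    def authenticate(self, user, password, host, now, services, lifetime_minutes, max_sessions):
        ok = self.verify(user, password)
        self.log.append((now, user, host, "success" if ok else "failure"))
        if ok:
            self.grants[host] = Grant(user, host, set(services),
                                      now + timedelta(minutes=lifetime_minutes), max_sessions)
        return ok

    def authorize_session(self, host, service, now):
        """Decision for a new session from `host`: every limit is checked before a session is counted."""
        g = self.grants.get(host)
        if g is None:
            return "deny: host not authenticated"
        if now >= g.expires:
            del self.grants[host]
            return "deny: grant expired"
        if service not in g.services:
            return "deny: service not granted"
        if g.sessions_used >= g.max_sessions:
            return "deny: session limit reached"
        g.sessions_used += 1
        return "accept"

if __name__ == "__main__":
    gw = ClientAuthGateway()
    t0 = datetime(2024, 1, 8, 9, 0)
    gw.authenticate("alice", "correct horse", "10.0.0.5", t0, ["ssh", "http"], 60, 2)
    print(gw.authorize_session("10.0.0.5", "ssh", t0))
```

Because the grant is keyed by host rather than by connection, every application on that computer benefits from it, which is exactly the difference from User Authentication that the text points out.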

Organizations may have special requirements for user authentication, so the Check Point FireWall-1 and VPN-1 products support a wide range of authentication options, in particular:

• RADIUS servers (v1.0 and v2.0) — the submitted password is compared with the one stored in the RADIUS server;

• TACACS/TACACS+ servers — the requested password is compared with the one stored on the TACACS servers;

• one-time password/key option (S/Key);

• regular operating system password;

• internal password known only to the FireWall-1 or VPN-1 system;

• Axent server — the requested password is compared with the one stored in the Axent Defender server;

• SecurID — the user enters the number currently displayed by the Security Dynamics SecurID card as the password;

• X.509 digital certificates — the user authenticates by submitting their certificate signed by a trusted certification authority.
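Of the options listed, the one-time password scheme (S/Key) is the one whose mechanism is easiest to show in a few lines. The following is an added example for this page, not Check Point's implementation and not the exact S/Key algorithm (which uses MD4 or MD5 folded to 64 bits and encodes the result as words); it keeps S/Key's structure, a hash chain whose values are presented in reverse order, but uses SHA-256 and raw bytes. The server stores only the counter and the last accepted chain value, so a captured password is useless for a later login, as the verifier in the code shows by rejecting a replay.

```python
import hashlib
import hmac

def chain_value(secret: bytes, index: int) -> bytes:
    """x_index of the hash chain: x_0 = H(secret), x_i = H(x_{i-1})."""
    value = hashlib.sha256(secret).digest()
    for _ in range(index):
        value = hashlib.sha256(value).digest()
    return value

class OtpServer:
    """Stores only (counter, x_counter) per user; the secret never reaches the server."""
    def __init__(self):
        self.users = {}

    def enroll(self, user, seed: bytes, password: bytes, n: int = 100):
        # Enrollment computes the top of the chain once from seed and password.
        self.users[user] = (n, chain_value(seed + password, n))

    def challenge(self, user) -> int:
        """Index the client must present next: one step below the stored anchor."""
        count, _ = self.users[user]
        return count - 1

    def verify(self, user, otp: bytes) -> bool:
        count, stored = self.users[user]
        if count <= 0:
            return False                          # chain exhausted: user must re-enroll
        if not hmac.compare_digest(hashlib.sha256(otp).digest(), stored):
            return False                          # H(presented) must equal the stored value
        self.users[user] = (count - 1, otp)       # the value just used becomes the new anchor
        return True

def client_response(seed: bytes, password: bytes, index: int) -> bytes:
    """Client side: recompute the requested chain value from the secret it holds."""
    return chain_value(seed + password, index)

if __name__ == "__main__":
    srv = OtpServer()
    srv.enroll("alice", b"seed1", b"hunter2", n=3)   # constructed seed and password
    idx = srv.challenge("alice")
    print(srv.verify("alice", client_response(b"seed1", b"hunter2", idx)))
```

The security property rests on the one-way hash: knowing x_i lets anyone compute x_{i+1}, which the server already holds, but not x_{i-1}, which is what the next login requires.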

Network Address Translation

Internet technologies are based on the use of the IP protocol, and to ensure interaction via the IP network, each device must have a unique address. This requirement is easily satisfied in corporate networks, which are limited to internal enterprise networks that are not connected to global networks. But when an organization connects to the global network (Internet), there is a requirement to ensure the uniqueness of addresses for the entire global network, that is, throughout the world. At this stage, problems arise associated with the limitation on the number of addresses available for use.

Organizations are usually allocated a range of addresses that is significantly smaller than necessary, which makes it impossible to assign a real address to each device participating in network exchange.

On the other hand, even if all network resources and users could be given real addresses, this would not be preferable, since every user of the global network could then potentially interact with your resources. Moreover, thoughtlessly publishing the IP addresses of your network devices can lead to attacks on those devices and on the network as a whole.

Protecting your IP space

FireWall-1's address translation capability allows the internal address space to be completely isolated from the Internet and prevents address information from being disclosed publicly. By reducing the number of registered addresses required and using internal addresses from the address ranges specially reserved for private networks, the shortage of address space is easily solved.

FireWall-1 keeps the internal address space intact and translates it to the organization's officially registered Internet addresses so that full access is preserved.

FireWall-1 has two main ways of translating such addresses: static and dynamic.

Dynamic mode: 1) gives users access to the Internet while saving registered address space and hiding the addresses of internal network resources; 2) uses a single IP address to represent all connections passing through the secure access point; 3) uses that IP address only for outgoing connections, never for real resources, so it cannot be spoofed or attacked directly.

Is this translation option really completely dynamic?

Indeed. The FireWall-1 mechanism allows an unlimited number of addresses to be dynamically mapped to a single IP address.

There are implementations in which address substitution works by picking a free address from an assigned range; with such implementations, once no free address is left, further communications are impossible.

Static mode is designed to meet the need to give Internet users access to an organization's resources (for example, company employees working remotely or strategic partners) by assigning a resource a fixed, unambiguous real address in the global network. This translation option is used: 1) if the administrator does not want to use real addresses on network servers; 2) if, for historical reasons, the network uses unregistered (illegal) addresses that must be mapped to real ones so that Internet users can reach them.

In both modes, dynamic and static, Check Point FireWall-1 provides unlimited control and easy configuration of address translation in enterprise networks.

A simple configuration example

FireWall-1 offers two methods of configuring address translation: 1) use automatically generated translation rules by setting the required properties of the network objects; 2) create translation rules directly in the translation rules editor, where all network objects can be used. FireWall-1 has the unique ability to check the logical consistency of the created rules, which greatly simplifies the creation of complex scenarios.
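The dynamic (hide) and static translation modes above, and the consistency check on translation rules, are illustrated by the following added example written for this page; it is not Check Point's code and does not use its rule syntax. Outgoing connections from internal hosts are hidden behind one public address with a translated source port, inbound packets to that address are accepted only when they match an existing outbound connection, and statically translated hosts are reachable from outside. The addresses, the port range and the consistency messages are assumptions made for the example.

```python
class NatGateway:
    """Dynamic (hide) translation behind one public address, plus static one-to-one translation."""
    def __init__(self, hide_address, static_map, first_port=10000):
        self.hide = hide_address
        self.static = dict(static_map)                       # internal address -> public address
        self.static_rev = {v: k for k, v in static_map.items()}
        self.out_map = {}   # (int_ip, int_port, remote_ip, remote_port) -> public port
        self.in_map = {}    # (public_port, remote_ip, remote_port) -> (int_ip, int_port)
        self.next_port = first_port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate the source of a packet leaving the internal network."""
        if src_ip in self.static:
            return self.static[src_ip], src_port             # static: address changes, port kept
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:                          # new connection: allocate a port
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.hide, self.out_map[key]

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate the destination of a packet arriving from the Internet; None means drop."""
        if dst_ip in self.static_rev:
            return self.static_rev[dst_ip], dst_port         # static hosts are reachable from outside
        if dst_ip == self.hide:
            # The hide address serves no real resource: only replies to known connections pass.
            return self.in_map.get((dst_port, src_ip, src_port))
        return None

def check_consistency(hide_address, static_map):
    """Flag translation rules that cannot coexist, in the spirit of the rule consistency check."""
    issues = []
    seen = {}
    for internal, public in static_map.items():
        if public == hide_address:
            issues.append(f"hide address {hide_address} also used as static translation for {internal}")
        if public in seen:
            issues.append(f"public address {public} assigned to both {seen[public]} and {internal}")
        seen.setdefault(public, internal)
    return issues

if __name__ == "__main__":
    # Constructed addresses: 203.0.113.0/24 plays the registered range, 10.0.0.0/8 the internal one.
    gw = NatGateway("203.0.113.1", {"10.0.0.10": "203.0.113.10"})
    print(gw.outbound("10.0.0.5", 40000, "198.51.100.1", 80))
    print(gw.inbound("198.51.100.9", 5555, "203.0.113.1", 22))
    print(check_consistency("203.0.113.1", {"10.0.0.10": "203.0.113.1"}))
```

Keying the hide table on the remote endpoint as well as the translated port is what makes point 3 of the dynamic mode hold: a packet sent to the hide address that does not belong to a connection an internal host opened has no entry to match and is dropped.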
