For additional technical information about Check Point products, consult Check Point's SecureKnowledge at:
http://support.checkpoint.com/kb/
See the latest version of this document in the User Center at:
http://www.checkpoint.com/support/technical/documents/docs_r55.html
Part No.: 00000
June 2004
2003-2004 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Check Point, the Check Point logo, ClusterXL, ConnectControl, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FireWall-1 SmallOffice, FireWall-1 VSX, FireWall-1 XL, FloodGate-1, INSPECT, INSPECT XL, IQ Engine, MultiGate, Open Security Extension, OPSEC, Provider-1, SecureKnowledge, SecurePlatform, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SmartConsole, TurboCard, Application Intelligence, SVN, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Net, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 SmallOffice and VPN-1 VSX are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.
The products described in this document are protected by U.S. Patent No. 6,496,935, 5,606,668, 5,699,431 and 5,835,726 and may be protected by other U.S. Patents, foreign patents, or pending applications.
THIRD PARTIES:
Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust's logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.
Verisign is a trademark of Verisign Inc.
The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided as is without express or implied warranty. Copyright Sax Software (terminal emulation only).
The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.
Copyright 1997 by Carnegie Mellon University. All Rights Reserved.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The following statements refer to those portions of the software copyrighted by The Open Group.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright 1998 The Open Group.
The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper. Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-
Introduction to Connectra
The Need for Connectra 9
The Check Point Solution 10
Overview - What is Connectra? 10
How Connectra Works 11
Commonly Used Concepts 11
Connectra Security Features 13
Special Considerations 14
Planning Connectra Deployment 14
Administration Workflow 16
User Workflow 20
Connectra Administration Portal 22
Overview 22
Using the Administration Portal 22
Configuring Device, Network and Administrator Settings 25
Configuring Device and Network Settings 25
Configuring Administrator Settings 35
Defining Applications
The Need for Defining Applications 37
The Check Point Solution 37
What is a Web Application? 38
What is a mail service 40
What is a File Share 44
Configuring Connectra Applications 44
Configuring Web Applications 44
Configuring Email Services 46
Configuring File Shares 50
Associating Applications with User Groups 51
Table of Contents 5
Authenticating Users in Connectra 65
Authorization in Connectra 65
Configuring Authentication and Authorization 66
Configuring Authentication via LDAP 67
Configuring Authentication via RADIUS 68
Authentication via Certificates 69
SecurID 70
Configuring Protection Levels 71
Using Certificates
The Need for Certificates 75
The Check Point Solution 75
Automatically Generated Server Certificate 76
Login with Client Certificate 76
Configuring Server Certificates 77
Installing a New Server Certificate 77
Configuring Client Certificates 79
Importing a Client Certificate to Internet Explorer 79
Client Certificate Verification 82
Security
The Need for Security 83
The Check Point Solution 83
General Security Issues 84
Web Intelligence Protections 85
Client Side Security 86
Configuring Session Time-Outs 86
Configuring Web Intelligence 87
Configuring Malicious Code Protection 87
Configuring Application Layer Protection 89
Configuring HTTP Protocol Inspection 93
Updating SmartDefense and Web Intelligence 95
Using Client Side Security 95
Screened Software Types 96
Administrator Configuration of CV 97
End-User CV Experience 99
The Need for Customization 113
Customizing Look & Feel 113
Changing the Language 114
Changing the Title 114
Changing the Company Logo 114
Changing the Company's URL 114
Troubleshooting
SecurePlatform CLI
Check Point SecurePlatform Overview 121
Managing SecurePlatform 121
Standard Mode 122
Expert Mode 122
Secure Shell 122
SecurePlatform Shell Commands 123
Expert Mode Command 123
Backup and Restore 123
Snapshot Image Management 124
Web Administration Server Control 125
Check Point Commands 126
Network Diagnostics Commands 126
Copying Files Using SCP 126
CHAPTER 1
Introduction to Connectra
The Check Point Solution
How Connectra Works
Authentication
All remote users accessing the Connectra portal must be authenticated by one of the
supported authentication methods. As well as being authenticated through the internal
Connectra database, remote users may also be authenticated via LDAP, RADIUS, ACE
(SecurID), or certificates.
Authorization
Authorization determines if and how remote users access the internal applications on
the corporate LAN. If the remote user is not authorized, he/she will not be granted
access to the services provided by the Connectra server.
After being authenticated, the user attempts to use an application. To access a
particular application, the user must be authorized to do so: the user must belong to a
group that has been granted access to the given application, and must also
satisfy the security requirements of the application, such as its required authentication method.
Client Verification
Client Verification (CV) may be used to scan endpoint computers for potentially
harmful software before allowing them to access the internal application. When end
users access the User Portal for the first time, they are prompted to download an
ActiveX component that scans the end user's machine for malware. The scan results are
presented both to Connectra and to the end user. Portal access is granted or denied to
the end user based on the compliance options set by the administrator.
Cookies
Cookies, in the web browsing context, provide a way of maintaining state information
between clients and servers. A cookie is a text file placed on the client's hard drive by
the web server. Cookies contain information such as login or registration details.
Cookies issued by applications that are not security oriented can, if stolen, reveal
sensitive information or contain harmful code.
Protection Levels
Protection levels are introduced in order to balance connectivity against security.
The protection level represents a security criterion that must be satisfied by the remote
user before access is given. For example, an application may have a protection level
that requires users to satisfy a specific authentication method. Out of the box,
Connectra has three pre-defined protection levels: standard, high, and advanced,
with standard being the weakest and advanced the strongest.
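As an added example (not code from the Connectra guide or from Check Point), the following Python models the authorization decision described above: an application is reachable only through a group that was granted it, and only when the method the user signed in with satisfies the application's protection level. The mapping of authentication methods to the three pre-defined levels is an assumption made for this example.

```python
"""Added example: a Connectra-style authorization decision.

Access to an application needs (1) membership in a group that was granted the
application and (2) an authentication method that satisfies the application's
protection level. The method-to-level mapping below is an assumption.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# The three pre-defined levels, weakest to strongest.
LEVEL_RANK = {"standard": 0, "high": 1, "advanced": 2}

# Assumed policy: the strongest protection level each sign-in method satisfies.
METHOD_LEVEL = {
    "internal": "standard",
    "ldap": "standard",
    "radius": "high",
    "securid": "advanced",
    "certificate": "advanced",
}


@dataclass(frozen=True)
class Application:
    name: str
    protection_level: str
    groups: FrozenSet[str]  # groups granted access to this application


@dataclass(frozen=True)
class UserSession:
    user: str
    groups: FrozenSet[str]  # Connectra groups the authenticated user belongs to
    auth_method: str        # method the user signed in with


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(session: UserSession, app: Application) -> Decision:
    """Both conditions must hold; anything unrecognised fails closed."""
    if app.protection_level not in LEVEL_RANK:
        return Decision(False, f"unknown protection level {app.protection_level!r}")
    satisfied: Optional[str] = METHOD_LEVEL.get(session.auth_method)
    if satisfied is None:
        return Decision(False, f"unknown authentication method {session.auth_method!r}")
    if not session.groups & app.groups:
        return Decision(False, f"{session.user} is in no group granted {app.name}")
    if LEVEL_RANK[satisfied] < LEVEL_RANK[app.protection_level]:
        return Decision(False, f"{app.name} requires level {app.protection_level}; "
                               f"{session.auth_method} only satisfies {satisfied}")
    return Decision(True, f"{session.user} may access {app.name}")


def accessible_applications(session: UserSession,
                            apps: Iterable[Application]) -> List[str]:
    """Names of the applications the portal would offer this user."""
    return [a.name for a in apps if authorize(session, a).allowed]
```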
Session
Once authenticated, remote users are assigned a Connectra session. The session provides
the context in which Connectra processes all subsequent requests until the user logs
out, or the session ends due to a time-out. Each session has two configurable time-outs:
Passive time-out. If the connection remains idle for this period, the session is
terminated.
Active time-out. The maximum length of a session. When this period is reached,
the user must log in once more.
Connectra Security Features
2 Connectra controls browser caching. You decide what web content may be cached
by browsers when accessing web applications associated with a given protection
level. Disabling browser caching can help prevent unauthorized access to sensitive
information.
3 Connectra captures cookies sent to the remote client by a web server. Cookies
provide a way of maintaining state information between clients and servers. If
cookies are stolen, they may be used to impersonate a user. For this reason,
Connectra captures the cookies and maintains them on the server. Connectra
simulates user/web server cookie transmission by appending the cookie
information stored on Connectra to the request that Connectra makes to a web
server on behalf of the remote user.
4 Connectra supports strong authentication methods using SecurID tokens and SSL
client certificates.
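As an added illustration (not Check Point's code) of the two session time-outs described under Session above and of the cookie capture in item 3, the following Python models a gateway session that keeps the internal web server's cookies on the server side, strips Set-Cookie from what reaches the browser, and expires on whichever time-out is reached first. The time-out defaults and the domain/path matching rules are assumptions for the example.

```python
"""Added example: Connectra-style session with passive/active time-outs
and a server-side cookie jar (assumptions noted in comments)."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str  # host the cookie applies to, without a leading dot
    path: str


def parse_set_cookie(header: str, origin_host: str) -> StoredCookie:
    """Parse one Set-Cookie value sent by an internal web server (RFC 6265 subset)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path = origin_host.lower(), "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain = val.lstrip(".").lower()
        elif key == "path" and val.startswith("/"):
            path = val
    return StoredCookie(name.strip(), value.strip(), domain, path)


def _matches(c: StoredCookie, host: str, path: str) -> bool:
    """Domain and path matching applied before replaying a cookie upstream."""
    host = host.lower()
    host_ok = host == c.domain or host.endswith("." + c.domain)
    path_ok = path == c.path or path.startswith(c.path.rstrip("/") + "/")
    return host_ok and path_ok


class Session:
    """One authenticated remote user's session on the gateway."""

    def __init__(self, user: str, passive: float, active: float, now: float):
        self.user = user
        self.passive, self.active = passive, active  # seconds
        self.created = self.last_seen = now
        self.jar: Dict[Tuple[str, str, str], StoredCookie] = {}

    def expiry_reason(self, now: float) -> Optional[str]:
        """'active' once the maximum length is reached, 'passive' after idling."""
        if now - self.created >= self.active:
            return "active"
        if now - self.last_seen >= self.passive:
            return "passive"
        return None

    def absorb_response(self, origin_host: str,
                        headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
        """Keep every Set-Cookie in the jar; return the headers relayed to the browser."""
        relayed = []
        for name, value in headers:
            if name.lower() == "set-cookie":
                c = parse_set_cookie(value, origin_host)
                self.jar[(c.domain, c.path, c.name)] = c  # never reaches the client
            else:
                relayed.append((name, value))
        return relayed

    def cookie_header_for(self, host: str, path: str) -> Optional[str]:
        """Cookie header for the request the gateway makes on the user's behalf."""
        pairs = [f"{c.name}={c.value}" for c in self.jar.values() if _matches(c, host, path)]
        return "; ".join(pairs) or None


class SessionStore:
    """Session table; both time-outs are enforced on every lookup."""

    def __init__(self, passive: float = 15 * 60, active: float = 8 * 3600):
        self.passive, self.active = passive, active  # assumed defaults
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = Session(user, self.passive, self.active, now)
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[Session]:
        """Return the live session and refresh its idle timer; drop expired ones."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s.expiry_reason(now):
            del self._sessions[sid]
            return None
        s.last_seen = now  # activity extends the passive time-out only
        return s
```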
Special Considerations
Deployment Overview
In general, it is recommended to deploy Connectra in the DMZ. Connectra can,
however, also be deployed in other configurations, such as on the internal LAN. In
both scenarios, SSL termination takes place at the Connectra Gateway. Web
Intelligence on the Connectra Gateway inspects the traffic for harmful content before it
reaches the internal servers.
When Connectra is placed in the DMZ, sensitive applications are decoupled from
remote users. Remote users initiate an SSL connection to the Connectra Gateway. The
firewall should be configured to allow traffic from the user to the Connectra server,
where SSL termination and web security inspection take place. Requests are then
forwarded to the internal servers via the firewall, which inspects the traffic for harmful
content.
Internal requests from Connectra to LAN web servers can also be SSL encrypted.
The remote user opens a browser and initiates an HTTPS request to the Connectra
server. The SSL connection is terminated within the LAN, and the clear-text requests
are forwarded to the internal servers. The internal servers reply in the clear to
Connectra, which encrypts the back connection to the remote user. In the scenario
shown in FIGURE 1-2, the perimeter firewall must be configured to allow encrypted
SSL traffic to Connectra.
Administration Workflow
Deploying Connectra
After installation, the administrator must perform initial configuration and deployment
of Connectra.
Configure the firewall according to the chosen deployment. The exact rules depend on
your setup; for example, for VPN-1 Pro, a typical Security Rule Base configuration is
as follows:
To deploy Connectra in a DMZ
The following rules apply to the deployment shown in Figure 1-1, Connectra
deployment in the DMZ, on page 15.
To send logs to a remote log server, Connectra may need access to the
SmartCenter Server or to a Customer Log Module (CLM).
For authentication, Connectra may need access to LDAP, RADIUS and ACE
servers.
For clock synchronization, Connectra may need access to an NTP server.
To deploy Connectra in a LAN
If you choose to deploy Connectra in the LAN:
Rules 3 and 5 are not needed.
In Rules 2 and 4, make the Source: Any and Destination: LAN.
Configuring Connectra
This section discusses initial configuration and managing access.
Connectra requires only minimal user input of basic configuration elements, such as IP
addresses and routing information. The initial configuration of Connectra must be
performed using the First-Time Configuration Wizard. Configure the Network
Connections, Routing Table, DNS Servers, Host and Domain Name, and Device Date and
Time Setup windows. To complete the initial configuration, the Connectra software
components must be initialized. This process may take several minutes.
The administration portal is then used to further configure Connectra.
Managing Access
User Workflow
In This Section:
Signing In page 20
Initial Setup page 21
Accessing Applications page 21
Signing In
Using a browser, the user types in the URL, assigned by the system administrator, for
the Connectra Gateway. The user enters his User Name and Password and clicks Sign In.
Before Connectra gives access to the applications on the LAN, the credentials of
remote users are first validated. Connectra authenticates the users either through its
own internal database, LDAP, RADIUS or RSA ACE/Server. Once the remote users
have been authenticated and associated with Connectra groups, access is given to
corporate applications such as internal LAN web servers, email servers, and file shares.
NOTE: If the Client Verification feature is enabled, the user may be required to pass a
verification scan on his/her computer before being granted access to the Connectra
Sign In page.
Initial Setup
The user may be required to configure certain settings, such as credentials for file shares
and mail services. In addition, the user can define favorites for web applications and file
shares.
Accessing Applications
After the remote users have logged on to the Connectra Gateway, they are presented
with a portal that enables access to all the internal applications that the administrator
has configured as available from within the organization:
FIGURE 1-3 Connectra Portal
Overview page 22
Using the Administration Portal page 22
Overview
Connectra enables secure access for remote users, requiring only minimal user input of
basic configuration elements, such as IP addresses and routing information. An
easy-to-use Web interface, the Administration Portal, enables you to configure
Connectra, thereby managing access to corporate applications via Connectra, and to
audit Connectra performance and usage via logs and status displays.
The following sections describe how to access the portal for the first time and how to
log in to the Connectra Administration Portal. They also introduce the
Administration Portal features with which you will configure Connectra.
3 The login window appears. Log in with the default system administrator
username/password (admin/admin), and press Login.
Note - You must run the First Time Configuration Wizard. If you change the machine's IP
other than via the administration GUI (e.g. using the sysconfig utility), the status screen
will appear blank.
5 Configure the Network Connections, Routing Table, DNS Servers, Host and Domain
Name and Device Date and Time Setup windows.
Menu Purpose
1. Status and Logs: View status and audit traffic logs; adjust local and remote log server settings.
2. Security: Configure Web Intelligence protections to protect web applications, and configure client verification to scan endpoint computers for potentially harmful software before allowing them access. You can set Session Timeouts, configure and update Web Intelligence, configure Client Verification and set Protection Levels.
3. Applications: Define internal LAN applications (such as Web applications, Email servers and File shares) which can be made available to remote users.
4. Users and Groups: Configure user groups, define the applications for the groups, and assign users to the groups. Authenticated users can only access an application if they belong to the appropriate user group or groups, and satisfy the security restrictions of the application.
5. Administrators: Create a Connectra administrator, define a permissible network for administrators and configure administrator session parameters.
6. Settings: Configure device and network settings, server certificate and the portal look and feel.
Domain
Hosts
WINS Servers
The Administrators options are listed below:
Allowed IPs
Manage
Settings
Device Options
To configure SecurePlatform, you must set the options listed under Device.
Device Control
Adding a License
2 On the Device Date and Time Setup page, enter the date and time manually, or
configure a Primary NTP Server.
3 Click Apply.
The Connectra backup mechanism enables exporting snapshots of the entire dynamic
configuration. Exported configurations can later be imported in order to restore a
previous state in case of failure. The mechanism is also used for seamless upgrades of the
software.
The information backed up includes:
All settings performed by the Admin GUI
Network configuration data
Database of user settings (personal favorites, credentials, cookies etc.)
Two common use cases are:
When the current configuration stops working, a previous exported configuration
may be used in order to revert to a previous system state.
Upgrading to a new Connectra version. The procedure would include:
Backing up the configuration of the current version
Installing the new version
Importing the backed up configuration
Backups can be performed on a configurable schedule.
To view the Scheduling Status:
On the navigation tree, select Settings > Device > Backup. The Backup page
appears. The Scheduling Status pane displays the following information:
Enabled
Backup to
Start at
Recur every
To restore the backup, run the restore shell command from the device. The available
options are:
Restore local backup package
Restore local backup package from TFTP server
Restore local backup package from SCP server
To schedule a backup:
1 On the Backup page, click Scheduled backup. The Scheduled backup page appears.
2 Select the Enable backup recurrence checkbox.
To execute a backup:
Click Backup now.
To view the backup log:
Click View backup log. The Backup Log page appears.
Upgrade
The IPs and ports used are configurable. Use this section to configure the listening IP
and port of the portal and administration servers.
To view which servers Connectra is currently running:
1 On the navigation tree, select Settings > Device > Servers. The Servers page
appears.
There are three servers:
Portal redirect port: A server that redirects requests from port 80 to port 443
or 4433
Portal SSL: The server that provides the user portal
Administration Server: The server that provides the administration portal
2 Select a specific server. The Internal Server Definition page for that server appears.
You can manually configure the Portal SSL and the Administration servers. The
Portal redirect port server cannot be configured manually.
Network Options
In This Section:
To configure Connectra's connectivity to the network, you must set the options
listed under Network.
An HTTP Proxy can be used by Connectra to access internal and external web servers.
An HTTPS Proxy can be used by Connectra to access sites secured by SSL.
To define an HTTP Proxy:
1 On the navigation tree, select Settings > Network > Http Proxy. The HTTP Proxy
page appears:
NOTE: You should specify separate proxies for HTTP and HTTPS.
2 Select Proxy for HTTP and enter the proxy name, or IP address and port, for
example proxy.mycompany.com:8080.
3 Select Proxy for HTTPS and enter the proxy name, or IP address and port.
4 Click Apply.
Configuring a Network
You may configure the (primary) IP and network mask of each interface. You may also
configure additional (secondary) IPs on each interface.
Primary IPs may be configured to be obtained automatically using DHCP. This option
is not recommended for deployment in a production environment.
The initial management interface of all three Connectra models is shown in the
following figure:
The logical name of the initial management interface is always eth0.
Configuring Routing
You can add a static route or default route via the administration portal.
To configure routing:
1 On the navigation tree, select Settings > Network > Routing. The Routing Table
page appears.
2 On the Routing Table page, click New. The Add Route drop-down box is displayed.
The options are:
Route
Default Route
3 Select Route. The Add New Route page appears.
4 On the Add New Route page, supply a:
Destination IP Address
Destination Netmask
Gateway
Metric
5 Click Apply.
1 On the navigation tree, select Settings > Network > DNS Servers. The DNS Servers
page appears.
2 On the DNS Servers page:
Provide IP addresses for up to three DNS servers, and click Apply.
NOTE: Changes in the DNS configuration will take effect only after restarting all
Connectra processes, which can be performed via the Device Control page.
Configuring a Domain
To configure a domain:
1 On the navigation tree, select Settings > Network > Domain. The Host and Domain
Name page appears.
Hosts
The host file stores Connectra's name and IP address for DNS resolution.
To add additional host names and IP Addresses:
1 On the navigation tree, select Settings > Network > Hosts. The Local Hosts
Configuration page appears:
2 On the Local Hosts Configuration page, click New. The Add Host page appears.
3 Enter the new host name and IP address.
4 Click Apply.
Configuring Administrator Settings
2 In the Access Scheme panel, select either Allow any address or Allow specific
addresses.
3 If you select Allow specific addresses, click Specify. The Specific Allowed Addresses
page appears.
4 Click Add. The New Allowed Addresses page appears.
5 If you select Host, enter the IP address.
6 If you select Network, enter the IP address and network mask of the allowed
network.
7 Click OK.
2 On the Administrator Configuration page, click New. The Add New Administrator
page appears.
3 Provide a name and a password for the Connectra administrator.
4 Click Apply.
Settings
5 Click Apply.
CHAPTER 2
Defining Applications
The Check Point Solution
The user must enter his/her Username and Password and click OK.
NOTE: Connectra rejects Java applets that attempt to make direct HTTP or HTTPS
connections.
What is a Web Application?
When creating a Connectra web application, you give the application a name and define
hosts, ports, paths, and a protection level. (See Configuring Protection Levels on
page 71.) For example:
TABLE 2-1 Any web site
What is a mail service
While the Connectra portal offers a web email interface, many users will prefer to take
advantage of their native email clients, for example: Outlook, Netscape, or Eudora.
Connectras native mail feature supports encrypted mail connectivity from the Internet
to the internal domain, leveraging the ability of the most common mail clients to work
with SSL.
Built-in Webmail
Built-in webmail gives users access to corporate mail servers via the browser. Connectra
provides a web front end for any email server that supports the IMAP protocol. The
remote user initiates an HTTPS request to the Connectra Gateway. Connectra uses the
IMAP and SMTP mail protocols to access the mail server.
In Connectra, users securely connect to an IMAP account. IMAP is a mail protocol
which provides a way of accessing electronic mail kept on one or more mail servers.
Email stored on the IMAP server is manipulated through the browser interface without
having to transfer the messages back and forth. Users can connect to several mail servers
depending on the groups to which they belong.
The remote user initiates an HTTPS request to the Connectra web server and views
the Connectra Portal. Users are presented with a login screen and must authenticate
themselves before being given access to the portal. Since Connectra handles the login
procedure, credentials can be automatically reused when authenticating to the mail
server. If the reused credentials are incorrect, Connectra again presents the user with a
login screen. Correct credentials are saved for future logins.
From the portal, the user navigates to the webmail page. Using the mail pages, the user
sends and receives email. Once authenticated, users can not only compose, send and
receive email but also:
Create, delete, rename, and manipulate mail folders
Index messages in various ways
Store addresses
Search emails according to various criteria, such as body text, subject, sender's
address, etc.
Highlight messages with different background colors, enabling quick differentiation
Set display preferences
Special Considerations
Connectra webmail is based on SquirrelMail, a PHP-based open source web mail
interface. For Connectra:
A number of default file permissions have been changed
Configuration settings are no longer stored in config.php but are managed by the
Connectra gateway.
Currently, there is no mechanism that cleans the directory where attachments are
sometimes stored
Customizing the GUI for webmail is not currently available.
Attachments over 2MB in size cannot currently be sent
LDAP cannot be configured as an address book for webmail users.
Connectra supports Outlook Web Access (OWA). OWA is a Web-based mail service,
with the look, feel and functionality of Microsoft Outlook. It provides a Web
environment for users to access Exchange data, via an Internet browser. OWA combines
the usability of Microsoft Outlook with the ease of operation of a browser.
NOTE: Outlook Web Access is designed to work with any browser that supports
HTML version 3.2 and JavaScript.
Outlook Web Access provides most of the advantages of Microsoft Outlook messaging
while using an Internet browser. OWA functionality encompasses basic messaging
components such as e-mail, calendaring, and contacts.
Native mail
While the Connectra portal offers a web email interface, many users will prefer to take
advantage of their native email clients, for example: Outlook, Netscape, Eudora.
Connectra's native mail feature supports encrypted mail connectivity from the Internet
to the internal domain, leveraging the ability of the most common mail clients to work
with SSL.
Connectra runs its own proxy mail server. The Connectra proxy mail server terminates
the SSL encrypted POP3 traffic, performs authentication, and relays the POP3 traffic to
the POP3 mail server on the protected LAN. In this way, remote users are able to
access their mail account within the protected domain using their standard email client.
The same applies when mail is sent using SMTP.
What is a mail service
The user activates a mail client and sends/receives mail. The mail client establishes a
secure SSL connection with the Native Mail (NM) Proxy. The NM proxy comprises a
proxy server and a proxy client. The NM proxy server communicates with the mail
client via an SSL connection. Upon successful authentication, the NM proxy client
communicates with the mail server via a cleartext SMTP/POP3 connection.
To utilize the Native Mail feature, the end user must configure the desired mail client.
See Configuration of Native Mail Clients.
Supported Mail Clients and Servers
The following mail clients are supported:
On PC/Windows:
Outlook Express/Outlook
Eudora
Mozilla
Netscape
On Linux:
Pine
Mutt
Fetchmail
On Macintosh:
OSX Mail (comes with the OSX install)
Entourage (Microsoft)
Eudora (OS 8 or 9 only)
Mozilla
Netscape
The following mail servers are supported:
Exchange 2000
Exchange 2003
Exchange 5.5
Sendmail
One of the following options will be selected for mail server configuration:
Static configuration - The mail server must be configured to accept clear
connections.
Dynamic configuration - Connectra will supply the mail server's
encryption/authentication configuration to the Native Mail proxy per user.
The Add/Edit Web Application page appears. The Application, Security and
Specification sections are displayed in the following figure:
Configuring Web Applications
3 Enter:
A name for the web application, such as my_web_application
A protection level
A resolvable host name, for example, www.mycompany.com
List of available ports, separated by a comma
4 If the definition needs to be narrowed, in Paths, click Configure. The Web
Application Paths page appears.
NOTE: There are cases in which the Web server requires the path to be case
sensitive. Then, select Paths are case sensitive.
6 Define a path, for example, /finance/data/, and click OK.
7 Select Enable Favorite and enter the URL, Display name and Tooltip for the web
application that you are designating as a favorite.
8 Click Apply.
Configuring Email Services
A display name
3 In the Security section, supply:
A protection level
4 In the SMTP Server section, supply:
A host name, for example, www.mycompany.com
A port number for mail traffic
NOTE: SMTP is required for built-in webmail and for native mail, but not for
OWA.
The Incoming Mail Server and Credentials sections are shown in the following
figure:
FIGURE 2-7 Incoming Mail Server and Credentials sections
8 If the incoming mail protocol was set to IMAP, enter a mail domain and select an
IMAP server type from the drop-down box.
9 In the Credentials section, specify whether to reuse portal credentials, or to prompt
the user for credentials.
10 If the User Name and Password to access the mail account are identical to those
used to access the Connectra Portal, select Reuse portal credentials.
11 If the User Name and Password to access the mail account are different from those
used to access the Connectra Portal, for example, if Pete is the User Name used to
access the Connectra Portal and Peter is the User Name used to access the mail account,
select Prompt user for credentials. Enter the User Name and Password.
12 Click Apply.
The Add/Edit File Share page appears. The Application, Security and Specification
sections are shown in the following figure:
FIGURE 2-10 Add/Edit File Share page
3 Enter:
A name for the file share
A protection level
The NetBIOS host name, for example, Johnny.company.com
The proper share name, for example, file_folder1
The default Windows domain or workgroup
Associating Applications with User Groups
The Credentials and Portal Favorite sections are shown in the following figure:
FIGURE 2-11 Credentials and Portal Favorites sections
7 Select Enable Favorite and enter the Path, Display name and Tooltip for the file
share that you are designating as a favorite.
8 Click Apply.
In This Section
CHAPTER 3
In This Chapter
Configuring Internal Users
For organizations with large numbers of users, employing external databases is a more
scalable solution for user management. It makes sense to use these external databases
where available. By utilizing these external databases, Connectra simplifies the process
of building an access control policy for remote users.
Once these groups, internal or external, have been created or mapped in Connectra,
they can be assigned an access control policy. Provided the users meet the sensitivity
demands of the application, access is granted.
NOTE: It should be stressed that users belonging to several groups are assigned the
unified access rights of all the groups. This is true whether the groups are internal or
external.
Creating Internal User Groups
Working with LDAP Groups
In FIGURE 3-3, the remote user initiates an HTTPS request to the Connectra
Gateway. The Connectra Gateway, via the firewall, performs authentication using the
LDAP server. The LDAP server authenticates the remote user and returns a list of the
remote user's groups. These LDAP groups are then matched to the appropriate
Connectra group, and that group's access policy is applied.
Connectra also provides High Availability for user management by supporting up to
three replicated LDAP servers.
FIGURE 3-4 LDAP failover
In FIGURE 3-4, the remote user initiates an HTTPS connection to the Connectra
Gateway. Connectra terminates the SSL connection and initiates a second encrypted
connection to the LDAP server (the company security policy specifies connections
between LDAP servers on the LAN and machines in the DMZ must be encrypted). If
the first LDAP server fails to respond, Connectra queries the replicated LDAP server to
authenticate the remote user.
7 On the Mail Access tab, select the mail services to which users of this group will be
granted access. A link to the mail services will automatically appear on the
Connectra portal main page.
8 On the File Access tab:
Select the File Shares that are to be accessible to the LDAP Group members, and
add them to the Shares for this group.
9 Click Apply.
4 Run cpstart.
Working with RADIUS Servers
Once the RADIUS group has been retrieved, Connectra maps the RADIUS group to
the appropriate Connectra group and applies a group policy. The group policy supplies
access restrictions and a unique portal with appropriate bookmarks for that user group.
CHAPTER 4
Authentication and Authorization
In This Chapter
The Connectra strategy for identity and access management is two-fold. Remote users
must first prove their identity. Second, authenticated users can only access an
application if they belong to the appropriate user group or groups and satisfy the access
requirements of the application, as specified by the application protection level.
1 Remote users must first prove their identity through an authentication process.
Remote users can authenticate through the Connectra internal database or via:
The Check Point Solution
Authenticating Users in Connectra
Authorization in Connectra
Authorization is the process that controls the access to the applications on the internal
network. This is done by enforcing an access control policy. Connectra implements a
group based access control policy. An access control policy is applied to groups, not
individual users. During the authentication process, the remote users are associated with
one or more groups. Remote users, once authenticated, can only access those
applications which have been authorized for their groups. In other words, for access to
be granted, Connectra checks for:
Access rights. Does the remote user belong to a group which is allowed to access
the application?
Security requirements. Does the remote user meet the security restrictions as
expressed by the application's protection level?
Connectra can authenticate remote users through its own internal database, LDAP, or
RADIUS Servers. Connectra requests LDAP or RADIUS Servers to return a list of the
remote user's groups. Once the LDAP or RADIUS groups are mapped to the user
groups as defined in Connectra, an access control policy is assigned.
Protection Level  Authentication
Standard          Username/password
High              SecurID
Advanced          Client certificate
Each protection level defines what level of user authentication is required, for example
whether users can identify themselves with a combination of username and password, or
must provide a certificate.
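As an added example (not Connectra's code), the following Python sketch applies the two checks described above, access rights and protection level, to a constructed set of users and applications. It assumes the protection levels in the table are ordered Standard < High < Advanced and that a stronger authentication method satisfies a weaker level; the group names, LDAP DNs and applications are constructed for the example.

```python
from dataclasses import dataclass

# Ordering of protection levels and authentication methods, taken from the
# table above. ASSUMPTION of this example: a stronger method satisfies every
# weaker level (a certificate login also meets Standard and High).
PROTECTION_LEVEL_RANK = {"Standard": 0, "High": 1, "Advanced": 2}
AUTH_METHOD_RANK = {"username/password": 0, "SecurID": 1, "client certificate": 2}

# Constructed mapping of directory (LDAP) groups to Connectra groups.
LDAP_TO_CONNECTRA = {
    "cn=finance,ou=groups,dc=example,dc=com": "Finance",
    "cn=it,ou=groups,dc=example,dc=com": "IT",
    "cn=staff,ou=groups,dc=example,dc=com": "Staff",
}


@dataclass(frozen=True)
class Application:
    name: str
    protection_level: str      # "Standard", "High" or "Advanced"
    groups: frozenset          # Connectra groups authorized for this application


@dataclass(frozen=True)
class RemoteUser:
    name: str
    groups: frozenset          # Connectra groups after mapping
    auth_method: str           # how the user proved identity this session


def map_groups(directory_groups, mapping=LDAP_TO_CONNECTRA):
    """Map the group list returned by LDAP/RADIUS to Connectra groups.
    Directory groups with no Connectra mapping grant nothing."""
    return frozenset(mapping[g] for g in directory_groups if g in mapping)


def check_access(user, app):
    """Apply both checks from the text; return (granted, reason)."""
    # Access rights: a user's rights are the union over all their groups,
    # so membership in any one allowed group is enough.
    if not (user.groups & app.groups):
        return False, f"{user.name} is in no group allowed for {app.name}"
    # Security requirements: the authentication used must meet the
    # application's protection level.
    if AUTH_METHOD_RANK[user.auth_method] < PROTECTION_LEVEL_RANK[app.protection_level]:
        return False, (f"{app.name} requires {app.protection_level}; "
                       f"{user.auth_method} does not satisfy it")
    return True, "access granted"


def accessible_applications(user, apps):
    """Names of the applications this user may open, in the given order."""
    return [app.name for app in apps if check_access(user, app)[0]]


# Constructed sample applications, one per protection level.
APPS = (
    Application("intranet", "Standard", frozenset({"Staff"})),
    Application("payroll", "High", frozenset({"Finance"})),
    Application("admin_console", "Advanced", frozenset({"IT"})),
)

if __name__ == "__main__":
    groups = map_groups(["cn=finance,ou=groups,dc=example,dc=com",
                         "cn=staff,ou=groups,dc=example,dc=com"])
    for method in ("username/password", "SecurID", "client certificate"):
        user = RemoteUser("pete", groups, method)
        print(f"{method:20} -> {accessible_applications(user, APPS)}")
```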
Configuring Authentication via LDAP
This section discusses how to configure authentication and authorization, using LDAP,
RADIUS, ACE servers and/or user certificates.
The LDAP page appears. The LDAP Servers section is displayed, as shown in the
following figure:
FIGURE 4-1 LDAP page (LDAP Servers section)
The LDAP Servers section lists your organization's LDAP servers. Each of these
servers should contain the same information, allowing a redundant configuration
and thereby guaranteeing optimal system performance. The servers are queried in
their order of appearance. If a server cannot be reached, the system queries the
next server listed.
2 In the LDAP Servers section, click New. The Add LDAP page appears.
3 Provide the server name or IP Address of the LDAP Server, and click OK.
The Networking and Login to LDAP sections are displayed in the following figure:
FIGURE 4-2 Networking and Login to LDAP sections
6 In the Branches section, select an existing branch, or click New to create a new
branch.
7 Click Fetch Branches to display all the branches of the selected LDAP server.
8 In the Authentication section, select an authentication scheme.
9 Click Apply.
2 Enter:
Host name of the RADIUS Server
Authentication via Certificates
A port number for the connection (The RADIUS default port number is UDP
Port 1645.)
From the drop-down box, select which version of RADIUS you are working
with
Enter a shared secret (password)
3 Click Apply.
SecurID
To work with an RSA ACE/Server (Configuring SecurID):
NOTE: Connectra communicates with the ACE server using port 5500/udp.
Depending on your setup, you may need to enable this port on the firewall.
Configuring Protection Levels
1 Define the Connectra server on the ACE/Server GUI. For the primary IP setting,
use the Connectra server interface that connects to the ACE/Server. The
ACE/Server GUI generates a sdconf.rec file for the defined Connectra server.
2 Copy the file to the Connectra server under the directory: /var/ace.
3 If /var/ace does not exist, create the directory.
4 In some cases, the SecurID client used by Connectra may use the wrong interface
IP (in the case of multiple interfaces) to decrypt the reply from the ACE/Server, and as a
result authentication will fail. To overcome the problem, place a new text file,
sdopts.rec, next to sdconf.rec with the following line: CLIENT_IP=<ip>, where
<ip> is Connectra's primary IP, as defined on the ACE/Server (the IP of the
interface that the server is routed to).
3 Double-click the link of the protection level to be customized, for example High.
The Edit Protection Level page appears. The Protection Level and Authentication
sections are displayed in the following figure:
FIGURE 4-9 Edit Protection Level page
7 Click Apply.
CHAPTER 5
Using Certificates
In This Chapter
The following sections describe the automatically generated Connectra server certificate
and how to login with a client certificate.
Installing a New Server Certificate
To sign in with a client certificate, the user must first install the certificate on the
computer.
Once signed in, the system marks the client as having provided a client certificate
for the entire session, and access is granted accordingly.
2 Click Change Server Certificate. The Change Server Certificate page appears:
FIGURE 5-3 Change Server Certificate page
Importing a Client Certificate to Internet Explorer
The following sections describe how to import a client certificate, and verification and
validation of a client certificate.
10 Enter your password, click Next twice and Finish. The Import Successful screen
appears:
FIGURE 5-10 Import Successful screen
11 Click OK. The Certificates window appears. The imported certificate is now listed
in the Personal tab.
12 Click Close and OK.
NOTE: You may need to close and reopen your browser.
CHAPTER 6
Security
In This Chapter
All connections to the Connectra Gateway from remote users are SSL encrypted to
ensure privacy and data integrity. The connections are subject to authentication and
authorization. In addition, Connectra protects the information and applications to
which authenticated users have access by enforcing a set of security restrictions, both on
the server and client side.
Connectra provides a unified security framework of components that identify
and prevent attacks. It unobtrusively analyzes activity across your network, tracks
potentially threatening events and optionally sends notifications. It protects
organizations from all known and most unknown network attacks using intelligent
security technology.
In This Section:
This section discusses how Connectra handles various general security issues. The
Connectra security features may be categorized as server side security and client side
security.
Web Intelligence Protections
Configuring Session Time-Outs
Malicious Code Protector: Blocks hackers from sending malicious code to target
web servers and applications. These protections allow you to prevent attacks that
run malicious code on web servers (or clients).
Application Intelligence: Set of technologies that detect and prevent
application-level attacks. Prevents hackers from introducing text, tags, commands,
or other characters that a web application will interpret as special instructions.
HTTP Protocol Inspection: HTTP Protocol Inspection provides strict
enforcement of the HTTP protocol, ensuring these sessions comply with RFC
standards and common security practices.
Configuring Malicious Code Protection
1 On the navigation tree, click Security > Timeouts. The Timeouts page appears:
FIGURE 6-1 Timeouts page
2 In the Force active users to re-authenticate after: field, enter the active time-out, in
minutes.
3 In the Terminate non-active sessions after: field, enter the passive time-out, in
minutes.
4 Click Apply.
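The following added Python example (not part of the product) models the two time-outs configured in the steps above: an active time-out after which the user must re-authenticate even while still working, and a passive time-out after which an idle session is terminated. Times are passed in as seconds so the behaviour can be checked deterministically.

```python
from dataclasses import dataclass


@dataclass
class PortalSession:
    user: str
    authenticated_at: float   # seconds; when the user last proved identity
    last_activity: float      # seconds; last request seen on this session


class SessionTimeouts:
    """Enforces the two Connectra time-outs on a table of portal sessions.

    active_minutes:  'Force active users to re-authenticate after', measured
                     from the last successful authentication regardless of use.
    passive_minutes: 'Terminate non-active sessions after', measured from the
                     last request on the session.
    """

    def __init__(self, active_minutes, passive_minutes):
        self.active = active_minutes * 60
        self.passive = passive_minutes * 60
        self.sessions = {}

    def login(self, session_id, user, now):
        """A successful portal login starts both clocks."""
        self.sessions[session_id] = PortalSession(user, now, now)

    def reauthenticate(self, session_id, now):
        """The user supplied credentials again: restart the active clock."""
        s = self.sessions[session_id]
        s.authenticated_at = now
        s.last_activity = now

    def on_request(self, session_id, now):
        """Called for every request; returns what the portal should do."""
        s = self.sessions.get(session_id)
        if s is None:
            return "no-session"
        # Passive time-out is checked first, against the activity seen so far.
        if now - s.last_activity >= self.passive:
            del self.sessions[session_id]       # idle too long: session is gone
            return "terminated"
        s.last_activity = now
        # Active time-out: the session stays, but credentials must be shown again.
        if now - s.authenticated_at >= self.active:
            return "reauthenticate"
        return "ok"


if __name__ == "__main__":
    timeouts = SessionTimeouts(active_minutes=30, passive_minutes=10)
    timeouts.login("s1", "pete", now=0)
    for minute in (5, 10, 15, 20, 25, 30, 45):
        print(minute, "min ->", timeouts.on_request("s1", now=minute * 60))
```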
This section discusses how to configure the supported protections, and how to update
the SmartDefense feature.
Configuring Web Intelligence
Buffer Overflow
Buffer overflow vulnerabilities in web servers and web applications are both common
and dangerous. By formatting special strings that contain assembly code, an attacker can
create a memory corruption that can cause a server to crash or even run arbitrary code.
An attack exploiting a buffer overflow vulnerability does not require user interaction.
This allows the attack to spread easily via reusable exploit scripts or worms. Buffer
overflow attacks can be performed using any space where user input is expected, such
as URLs, HTTP headers, and HTTP bodies.
The following table defines the Security Levels that may be assigned to the Buffer
Overflow protection. Traffic is considered suspicious when it contains at least one
non-ASCII character.
TABLE 6-1 Buffer Overflow Protection Security Levels
Security Level  Description
Low             Inspects any suspicious URL or HTTP header. When the HTTP header is found to be suspicious, the HTTP body is also inspected.
Normal          Inspects all URLs. Inspects any suspicious HTTP header or HTTP body. When the HTTP header is found to be suspicious, the HTTP body is also inspected.
High            Inspects all URLs and HTTP headers. Inspects the HTTP body if either the HTTP header or the HTTP body is suspicious.
Configuring Application Layer Protection
2 In the Malicious Code Protection section, decide whether to enable General HTTP
Worm Catcher.
4 Before enabling Malicious Code protection, select a Security Level from the Security
Level drop-down box.
Cross Site Scripting attacks exploit the trust relationship between a user and a website
by employing specially crafted URLs that contain malicious scripts. The intention of
the attack is to steal cookies that contain user identities and credentials, or to trick users
into supplying their credentials to the attacker. Typically this attack is launched by
embedding scripts in an HTTP request (both GET and POST) that the user
unwittingly sends to a trusted site.
Web servers are protected by detecting and blocking inbound HTTP requests that
contain threatening scripting code. Alternatively, all inbound HTTP requests that
contain any tags at all, whether script tags or other tags, can be blocked.
The following table defines the Security Levels that may be assigned to Cross Site
Scripting protection. These protections are applied to places where a hacker could place
cross-site scripting characters: URLs, query strings, and HTTP POST request bodies.
TABLE 6-2 Cross Site Scripting Protection Security Levels
Security Level  Description
Low             Rejects requests with keywords related to scripts (e.g., script, ActiveX object, applet, etc.) when located inside HTML tags.
Normal          Rejects requests that have any HTML tags.
High            Rejects requests that have any HTML tags. In addition, checks for Unicode encoding of HTML tags.
SQL Injection
SQL Injection attacks allow a remote attacker to execute SQL commands disguised as a
URL or form input to a database. A successful attack may get the database to run
undesirable commands. This could cause damage by revealing confidential information,
modifying the database, or even shutting it down.
Web Intelligence can inspect for the presence of SQL commands in web forms or
URLs sent in HTTP requests to a server. The protection looks for several categories of
commands: distinct SQL commands, non-distinct SQL commands, and special SQL
separator characters (e.g., + ' -).
Strings that are unique to SQL and not likely to appear in common language are
considered distinct (e.g., "sql_longvarchar", "sysfilegroups", etc.). Strings that may
appear in common language are considered non-distinct (e.g., "select", "join", etc.).
The following table defines the Security Levels that may be assigned to SQL Injection
protection.
TABLE 6-3 SQL Injection Protection Security Levels
Security Level  Description
Low             Rejects forms and URLs that contain special SQL characters or distinct SQL commands in the path and form fields.
Normal          Rejects forms and URLs that contain special SQL characters, distinct SQL commands, or non-distinct SQL commands in the path and form fields.
High            Rejects forms and URLs that contain special SQL characters, distinct SQL commands, or non-distinct SQL commands in the entire URL.
Command Injection
The following table defines the Security Levels that may be assigned to Command
Injection protection.
TABLE 6-4 Command Injection Protection Security Levels
Security Level  Description
Low             Rejects forms that contain special Shell characters and distinct Shell commands in the path and form fields.
Normal          Rejects forms that contain special Shell characters, distinct Shell commands, and non-distinct Shell commands in the path and form fields.
High            Rejects forms that contain special Shell characters, distinct Shell commands, or non-distinct Shell commands in the entire URL.
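The following added Python example (not the product's own detection engine) shows how the SQL Injection and Command Injection security levels in Tables 6-3 and 6-4 change what is rejected. Only the handful of strings the text quotes are from the page; the rest of the rule sets are constructed, and the example reads "path and form fields" versus "entire URL" as whether the query string is inspected, with form fields inspected at every level (an assumption).

```python
import re
from urllib.parse import urlsplit, unquote

WORD = re.compile(r"[a-z_][a-z0-9_]*")

# Rule sets in the page's three categories. Only sql_longvarchar, sysfilegroups,
# select, join and the characters + ' - come from the text; every other entry is
# constructed for this example and is NOT the product's signature list.
SQL_RULES = {
    "special": {"'", "+", "-"},
    "distinct": {"sql_longvarchar", "sysfilegroups", "information_schema"},
    "non_distinct": {"select", "join", "union", "insert", "update", "drop"},
}
SHELL_RULES = {
    "special": {";", "|", "`", "$"},
    "distinct": {"xterm", "tftp", "rlogin"},
    "non_distinct": {"cat", "ls", "echo", "rm", "id"},
}

# Which rule categories each Security Level rejects (Tables 6-3 and 6-4).
CATEGORIES_BY_LEVEL = {
    "Low": ("special", "distinct"),
    "Normal": ("special", "distinct", "non_distinct"),
    "High": ("special", "distinct", "non_distinct"),
}


def find_hits(text, rules, categories):
    """Return the rule hits found in one request field, after URL decoding."""
    text = unquote(text).lower()
    words = set(WORD.findall(text))
    hits = []
    for category in categories:
        if category == "special":
            hits += [f"special:{ch}" for ch in sorted(rules["special"]) if ch in text]
        else:
            hits += [f"{category}:{w}" for w in sorted(words & rules[category])]
    return hits


def inspect_request(url, form_fields, level, rules):
    """Return the findings that make the protection reject the request
    (an empty list means the request passes at this level)."""
    parts = urlsplit(url)
    # Scope: Low and Normal look at the path and the form fields; High extends
    # to the entire URL, which this example takes to include the query string.
    scope = {"path": parts.path}
    if level == "High":
        scope["query"] = parts.query
    for name, value in form_fields.items():
        scope[f"form:{name}"] = value
    categories = CATEGORIES_BY_LEVEL[level]
    findings = []
    for where, text in scope.items():
        findings += [f"{where} -> {hit}" for hit in find_hits(text, rules, categories)]
    return findings


if __name__ == "__main__":
    # Constructed sample requests; the same request can pass at one level and
    # be rejected at the next.
    for level in ("Low", "Normal", "High"):
        print(level, inspect_request("/app/search?q=select%20name",
                                     {"q": "select name from users"}, level, SQL_RULES))
    print("shell", inspect_request("/upload", {"file": "report.txt; ls"}, "Normal", SHELL_RULES))
```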
Directory Traversal
Directory Traversal attacks allow hackers to access files and directories that should be
out of their reach. Using this attack, a hacker may be able to view a list of directories
or, in some cases, run executable code on the web server with a single,
well-crafted URL.
There are several techniques to launch a directory traversal attack. Most of the attacks
are based on using an HTTP request with a dot-dot-slash sequence "../.." within a file
system. This sequence of characters allows a hacker to move outside of the root
directory of a given web page. For example,
"http://www.server.com/first/second/../../.." is illegal because it goes deeper than the
root directory. "http://www.server.com/first/second/../" is legal because it is equivalent
to "http://www.server.com/first/". In a more advanced form of this attack, a hacker may
use an encoded URL to run the attack.
This protection verifies that the URL does not contain an illegal combination of
directory traversal characters, including encoded URLs. Requests in which the URL
contains an illegal directory request are blocked.
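As an added example (not Connectra's implementation), the following Python functions decode a URL path repeatedly (so a doubly encoded "../" is caught as well), then resolve "." and ".." segments and report the request as illegal when it climbs above the root, reproducing the legal and illegal verdicts given above. The sample paths are constructed.

```python
from urllib.parse import urlsplit, unquote


def decode_path(raw, max_rounds=3):
    """Percent-decode until the path stops changing, so that a doubly
    encoded %252e%252e/ is seen as ../ too. max_rounds bounds the loop."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def normalize_path(path):
    """Resolve '.' and '..' segments. Returns the normalized path, or None
    when a '..' would climb above the root directory (the illegal case)."""
    segments = path.split("/")
    keep_trailing_slash = segments[-1] in ("", ".", "..")
    stack = []
    for segment in segments:
        if segment in ("", "."):
            continue              # empty (double slash) and '.' change nothing
        if segment == "..":
            if not stack:
                return None       # goes deeper than the root: illegal
            stack.pop()
        else:
            stack.append(segment)
    normalized = "/" + "/".join(stack)
    if keep_trailing_slash and stack:
        normalized += "/"
    return normalized


def check_url(url):
    """Return (illegal, normalized_path) for a full URL or a bare path.
    Requests with illegal == True would be blocked."""
    path = decode_path(urlsplit(url).path)
    normalized = normalize_path(path)
    return normalized is None, normalized


if __name__ == "__main__":
    for sample in ("http://www.server.com/first/second/../../..",
                   "http://www.server.com/first/second/../",
                   "/images/%2e%2e/%2e%2e/conf/app.ini",          # encoded ../
                   "/data/%252e%252e/%252e%252e/conf/app.ini"):   # double-encoded ../
        print(sample, "->", check_url(sample))
```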
Configuring HTTP Protocol Inspection
2 In the Application Layer Protection section, decide whether to enable Cross Site
Scripting.
3 Before enabling Cross Site Scripting, select a Security Level from the Security Level
drop-down box.
4 Decide whether to enable SQL Injection.
5 Before enabling SQL Injection, select a Security Level from the Security Level
drop-down box.
6 Decide whether to enable Command Injection.
7 Before enabling Command Injection, select a Security Level from the Security Level
drop-down box.
8 Decide whether to enable Directory Traversal.
HTTP Format protection restricts URL lengths, header lengths or the number of
headers. These elements can be used to perform a Denial of Service attack on a
web server.
NOTE: These restrictions can also potentially block valid sites.
3 Select the fields that you would like to activate:
ASCII only Request protection can block connectivity to web pages that have
non-ASCII characters in URLs.
Enforce ASCII only HTTP Headers activates ASCII only Request protection on HTTP
Headers.
Enforce ASCII only Form Fields activates ASCII only Request protection on Form
Fields.
HTTP methods protection allows you to block certain standard and non-standard
HTTP methods that can be used to exploit vulnerabilities on a web server. Web
Intelligence divides HTTP methods into three groups: Standard Safe (GET, HEAD
and POST), Standard Unsafe (remaining HTTP methods), and WebDAV. By
default, all methods other than Standard Safe methods are blocked. The other
groups can be individually enabled.
Block unsafe HTTP methods enables blocking Standard Unsafe methods.
Updating SmartDefense and Web Intelligence
4 Click Apply.
4 Enter your User Center username and password, and click Upload SmartDefense
update. You are informed that the SmartDefense content was updated successfully.
5 Click OK.
Using Client Side Security
Administrator Configuration of CV
The client's behavior will be defined according to the administrator configuration of
the CV. The administrator configuration includes: determining which categories of
undesired software are to be scanned for at the client's computer, and how to deal with
them, in terms of granting or blocking access.
The administrator can set one of three options for each category:
Do not scan: The client will not conduct a scan for that specific category.
Moreover, the user will be redirected to the Connectra portal if the client scan
does not detect items in other categories.
Scan for Malware and ask for user directions: The user receives the findings of the
current scan and is given the ability to proceed, at his/her discretion.
Scan for Malware and prevent user connectivity to site: The user will not be able to
access the Connectra portal until he/she removes the malware, which was detected
on his/her computer.
NOTE: You must have a valid Connectra Client Verification license before
activating this feature.
2 Activate the use of CV. Disabling CV will redirect the user to the Connectra
portal.
3 Select a Log level.
4 Select Malware Protection levels for each type of malware.
5 Click Apply.
CV Session Timeout
After the client finishes the CV procedure, a CV Session Timeout begins. The CV
Session Timeout defines the interval, within which the user can login to the Connectra
portal, without undergoing another software scan. The administrator defines the CV
Session Timeout in the file CVPNDIR\conf\cvpnd.C. The syntax is:
CVSessionTimeout (xxx seconds)
End-User CV Experience
In This Section:
This section describes the CV experience, as experienced by the end-user. The user
must have at least POWER USER privileges to download and install ActiveX.
Active scripting
NOTE: If you know in which web content zone the organization's site is located,
enable the following settings in that zone, to download and run the CV ActiveX.
If not, enable the following settings in the Internet, Local intranet and Trusted sites
zones.
2 Click Tools > Internet Options > Privacy. In the Medium setting, select Advanced.
Check Override automatic cookie handling and enable:
Accept 1st party cookies
Accept 3rd party cookies
Server Confirmation
To confirm the CV server:
1 The user enters the URL of the Connectra portal. If this is the first time that the
user attempts to access the Connectra portal, the Server Confirmation window
appears:
The user is asked to confirm that the listed CV server is identical to the
organization's site for remote access.
2 If the user clicks Yes, the CV client continues the software scan. Moreover, if the
Save this confirmation for future use checkbox is selected, the Server Confirmation
window will not appear the next time the user attempts to login.
3 If the user clicks No, an error message is displayed and the user is denied access.
Each detected malware item is displayed as a link which, if selected, redirects you to a
data sheet describing it. The data sheet includes the name and a short description of
the detected malware (that is, what it does) and the recommended removal method(s).
The options available to the user are configured by the administrator. For example, the
option Continue is only available if the administrator has configured the Scan for
Malware and ask for user directions setting for the relevant category. The options are
listed in the following table:
TABLE 6-6 Scan Options
CHAPTER 7
In This Chapter
Connectra uses the same proven logging infrastructure available on every Check Point
module. Connectra produces two types of log:
A traffic log, which records events generated by user activity
Status
To view the Device Status:
On the navigation tree, click Status and Logs > Status.
The Host ID, operating system, product information, CPU usage, total memory,
available memory, and active sessions are displayed.
Audit Log
To view the Audit Log:
On the navigation tree, click Status and Logs > Audit log.
The Audit log records events generated by the administrator, such as when an
administrator logs in, changes policy, etc.
Fields
The fields include:
Date
Hour
Subject, for example, Object Manipulation
Operation, for example, Create Object
Operation name
Administrator
Machine
Color code
Entries in the log appear in various colors. There are two possible subjects for the
"Subject" field. The Audit log subject color code is presented in the following table:
TABLE 7-1 Audit log subject color code
Option      Description
Find        Allows you to search for a specific log entry that matches the text criterion that you set. You can search through all the columns and rows. You must specify whether you wish to search ahead of or behind the present cursor position in the log.
Log Number  Allows you to navigate to a specific log entry. Enter the log entry ID number and click Go.
File        1) Enables you to open a log file. Select the log file from a list and click OK. 2) Allows you to purge the active log file, in general the fw.log file.
Filter      Allows you to apply a filter on your log display. Scope: You can choose to view either All Connectra Logs or All Logs. Fields: You can select a field, enable the Filter checkbox, and configure the filter for that field. NOTE: The filters are cumulative. Clear All: Clears all filters.
Traffic Log
To view the Traffic Log:
On the navigation tree, click Status and Logs > Traffic Log.
Fields
The traffic log displays events generated by users, such as login, web requests, etc.
Color code
The Traffic log category and access status color code is presented in the following table:
TABLE 7-3 Traffic log category and access color code
Category         Color
Web              BLUE
Native Mail      PURPLE
File Shares      BLACK
Session Timeout  BLACK
Portal Event     BLACK
Login/Logout     BLACK
Access status    Color
Success          GREEN
Failure          RED
Access denied    A red X is displayed, as well as a message in the category color. For example, if access was denied to a web application, the access denied message will be in blue.
Setting Log Levels
Configuring Logging
In This Section
The Log Settings page appears. The Traffic Log Levels and Audit Log Level sections are
displayed in the following figure:
FIGURE 7-4 Traffic Log Levels and Audit Log Level sections
Log Capacity
The Log Capacity and Remote Log Servers sections are displayed in the following figure:
FIGURE 7-5 Log Capacity and Remote Log Servers sections
Configure the log capacity by setting the log switching and cyclic logging options.
Log switching
The size of the active log file is kept below a definable limit. When the limit is reached,
i.e. 2 GB, the file is closed and a new file is opened. This is known as log switching, and
it can be performed automatically when the log file reaches the specified limit. The file
that is closed is written to disk and named according to the current date/time. The new file
receives the default log file name, fw.log or fw.atdlog.
Cyclic logging
Cyclic logging refers to the Require free space option, located in the Log Capacity
section.
When there is not enough free space, the system stops generating logs. To ensure
that the logging process continues even when there is no more space, a process of cyclic
logging is used. This process automatically deletes old files when the specified free disk
space limit is reached, so that the modules can continue logging. The cyclic process is
controlled by:
Modifying the amount of required free disk space
Preventing the module from deleting logs older than a certain value (one day, two
days)
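As an added illustration (not Connectra code), the following Python model simulates the two mechanisms described above: log switching closes the active file at the size limit, and cyclic logging deletes the oldest closed files to restore the required free space, but never one younger than the retention period, so a strict retention setting can still leave the module unable to log. The byte sizes (a 10 000 byte partition, a 2000 byte stand-in for the 2GB limit), the write pattern and the file naming are constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

@dataclass
class LogVolume:
    """Constructed in-memory model of the log partition; all sizes are in bytes."""
    capacity: int        # total space on the log partition
    switch_limit: int    # log switching: close the active file once it reaches this size
    required_free: int   # cyclic logging: the "require free space" threshold
    keep_days: int       # never delete a closed file younger than this many days
    closed: List[Tuple[datetime, str, int]] = field(default_factory=list)  # (closed_at, name, size)
    active_size: int = 0
    stopped: bool = False

    def free(self) -> int:
        return self.capacity - sum(size for _, _, size in self.closed) - self.active_size

    def switch(self, now: datetime) -> None:
        """Close fw.log under a date/time name; the new fw.log starts empty."""
        self.closed.append((now, now.strftime("%Y-%m-%d_%H%M%S.log"), self.active_size))
        self.active_size = 0

    def cycle(self, now: datetime) -> None:
        """Delete the oldest closed files until required_free is met, honouring keep_days."""
        self.closed.sort()
        while self.closed and self.free() < self.required_free:
            if now - self.closed[0][0] < timedelta(days=self.keep_days):
                break  # the retention rule wins: nothing old enough is left to delete
            self.closed.pop(0)

    def write(self, nbytes: int, now: datetime) -> bool:
        """Append a batch of log records; False means logging stopped for lack of space."""
        if self.active_size + nbytes > self.switch_limit:
            self.switch(now)
        self.cycle(now)
        if self.free() < nbytes:
            self.stopped = True
            return False
        self.active_size += nbytes
        return True

def run_scenario(keep_days: int, hours_between: int, writes: int = 20) -> Tuple[int, bool]:
    """Write 1000-byte batches to a constructed 10 000-byte partition (2000-byte switch
    limit, 3000 bytes required free); returns (successful writes, whether logging stopped)."""
    vol = LogVolume(capacity=10_000, switch_limit=2_000, required_free=3_000, keep_days=keep_days)
    t0 = datetime(2004, 6, 1)
    ok = sum(vol.write(1_000, t0 + timedelta(hours=i * hours_between)) for i in range(writes))
    return ok, vol.stopped
```

With hourly writes and a one-day retention, cyclic logging cannot free anything and logging stops after ten batches; spacing the same writes twelve hours apart, or setting retention to zero days, lets all twenty succeed.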
CHAPTER 8
Customizing Look & Feel
The composition of the user portal is determined by selecting Settings > Portal Look and Feel. The Portal Look and Feel page appears:
FIGURE 8-1 Portal Look and Feel page
CHAPTER 9
Troubleshooting
This chapter provides you with a list of error messages that you may encounter while working with Connectra, and explains how to deal with the issues involved. Most of the error messages involve field validation errors. The error messages appear in red at the top of the HTML page being viewed.
TABLE 9-1 Connectra Error Messages
CHAPTER 10
SecurePlatform CLI
Managing SecurePlatform
This section provides information on how to manage your Connectra system, using the
SecurePlatform Command Shell. The Command Shell provides a set of commands
required for configuration, administration and diagnostics of various system aspects.
SecurePlatform Command Shell uses standard shell command line editing conventions.
SecurePlatform Shell includes two permission levels (Modes): Standard and Expert.
Standard Mode
Standard Mode is the default mode when logging in to a SecurePlatform system. In
Standard Mode the SecurePlatform Shell provides a set of commands required for easy
configuration and routine administration of a SecurePlatform system. Standard Mode
displays this prompt: [hostname]#, where hostname is the host name of the machine.
Expert Mode
Expert Mode provides the user with full system root permissions and a full system shell. Switching from Standard Mode to Expert Mode requires a password. The first time you switch to Expert Mode you will be asked to select a password. Until then, the password is the same as the one you set for Standard Mode. To exit Expert Mode, run the command exit. Expert Mode displays this prompt: [Expert@hostname]#, where hostname is the host name of the machine.
NOTE: Expert Mode should be used with caution. The flexibility of an open shell with root permissions exposes the system to the possibility of administrative errors.
Secure Shell
Connectra enables SSH access, allowing secured, authenticated and encrypted access to the SecurePlatform system. SSH (Secure Shell) is a protocol for creating a secure connection between two systems. In the SSH protocol, the client machine initiates a connection with a server machine. The following safeguards are provided by SSH:
After an initial connection, the client can verify that it is connecting to the same
server during subsequent sessions.
The client can transmit its authentication information to the server, such as a
username and password, in an encrypted format.
All data sent and received during the connection is transferred using strong
encryption, making it extremely difficult to decrypt and read.
The SSH service runs by default. Granular control of permitted IP addresses that are
allowed access to the SecurePlatform system using SSH can be set using the Connectra
administration portal. SSH login is allowed using the Standard Mode account user name
and password only.
Expert Mode Command
Syntax
expert
Description
After issuing the expert command, supply the expert password. After the password is verified, you are switched into Expert Mode.
backup
Backup the system configuration. The backup command, run by itself, without any
additional flags, will use default backup settings and will perform a local backup.
Syntax:
backup [-h] [-d] [--purge DAYS] [--sched [on hh:mm <-m DayOfMonth> | <-w
DaysOfWeek>] | off] [[--tftp <ServerIP> [<Filename>]] | [--scp
<ServerIP> <Username> <Password> [<Filename>]] | [--file <Filename>]]
restore
Restore the system configuration.
Syntax:
restore [-h] [-d][[--tftp <ServerIP> <Filename>] | [--scp <ServerIP>
<Username> <Password> <Filename>] | [--file <Filename>]]
revert
Reboot the system from a snapshot file. The revert command, run by itself, without
any additional flags, will use default backup settings and will reboot the system from a
local snapshot.
Syntax:
revert [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP>
<Username> <Password> <Filename>] | [--file <Filename>]]
Web Administration Server Control
Parameter    Meaning
-add         Adds an IP or network to the list of allowed addresses.
-rem         Removes an IP or a network from the list of allowed addresses.
-allowAll    If True, allows connections from any address. If False, allows only the addresses specified in the list of allowed addresses.
-print       Shows the allowed IPs (all, or a list).
Syntax: cpstart
cpstop
cpstop stops all the Check Point applications running on a machine (other than cprid,
which is invoked upon boot and keeps on running independently). cpstop implicitly
invokes fwstop (or any other installed Check Point product, such as etmstop, uagstop,
etc.).
Syntax: cpstop
cplic
Show, add or remove Check Point licenses.
Syntax: cplic { put | del | print | check }
APPENDIX A
Configuration of Native Mail Clients
To utilize the Native Mail feature, you must configure the desired mail client. This
appendix describes how to configure various common mail clients:
Microsoft Outlook 2000
To configure Microsoft Outlook 2000:
1 Select Tools > Options > Mail Services tab.
2 Click Reconfigure Mail Support. The e-mail Service Options window appears.
3 If Internet Only is configured, continue configuration as specified for Microsoft
Outlook Express 6.
4 If Corporate or Workgroup is configured, continue configuration as follows:
5 Select Tools > Services. The Services window appears.
6 Click Add. Select Internet E-mail and click OK.
4 In the Outgoing Server tab, select the My outgoing server (SMTP) requires
authentication checkbox.
5 In the Advanced tab, select the This server requires a secure connection (SSL) checkbox for both Incoming server (POP3) and Outgoing server (SMTP).
6 Click OK and click Next.
7 Click Finish.
4 In the User Information section, fill in Your Name and E-mail address.
5 In the Logon Information section, fill in your User name and Password.
NOTE: Use the same user name and password that you use for Connectra.
6 In the Server Information section, enter the Connectra IP address in both Incoming
mail server (POP3) and in Outgoing mail server (SMTP).
7 Click More Settings.
8 In the Outgoing Server tab, select the My outgoing server (SMTP) requires
authentication checkbox.
9 In the Advanced tab, select the This server requires a secure connection (SSL) checkbox for both Incoming server (POP3) and Outgoing server (SMTP).
10 Click OK.
NOTE: You can test the connection to the mail server by clicking Test Account Settings. All categories should be green.
3 In the Servers tab, select My server requires authentication in the Outgoing mail
server section.
4 In the Advanced tab, select the This server requires a secure connection (SSL) checkbox for both Incoming mail (POP3) and Outgoing mail (SMTP).
5 Click OK and click Close.
Eudora 6
To configure Eudora 6:
1 Select Tools > Options.
2 In the Getting Started tab, select Allow authentication for the SMTP Server
(Outgoing).
3 In the Checking Mail tab, select Required, Alternate port in the Secure Sockets when
receiving section.
4 In the Incoming Mail tab, select Passwords in the Authentication style section.
5 In the Sending Mail tab, select Required, Alternate port in the Secure Sockets when sending section.
6 Click OK.
1 Quit Eudora.
2 Open eudora.ini using Notepad.
3 Add the following settings to eudora.ini under the Settings section:
SMTPSSLAlternatePort=
POPSSLAlternatePort=
IMAPSSLAlternatePort=
4 Place the desired port number after the "=" sign.
3 In the Outgoing Server tab, select Use name and password and fill in the port
number 25.
NOTE: The port number may be left blank.
4 In the same tab, under Use secure connection (SSL), select Always.
5 Click OK.
APPENDIX B
Establishing Trust between Connectra and a SmartCenter Server
After adding a Remote Log Server to Connectra, you must establish trust between
Connectra and the SmartCenter server, in order to enable log forwarding.
c Add the following line directly beneath the above-mentioned line:
ANY; ANY; ANY ; log; ssl
On the Connectra machine:
Parameter                Description
[one time password]      A temporary password, which will be used to establish trust with the Connectra machine.
[Connectra machine IP]   IP of the Connectra machine from which logs will be forwarded.
NOTE: You must remember the one time password, in order to use it when
configuring the Connectra machine.
Step 6) Enter the cpstart command in order to start all of the servers anew.
Step 2) In the Remote Log Servers section, add the IP of the machine to which you
would like to forward Connectra's logs, and click Apply.
Step 3) Using an SSH console, login to the Connectra machine.
Step 4) Enter a cpstop command in order to stop all of the running servers.
NOTE: If users are currently connected to the Connectra machine, they will
be disconnected.
Step 5) Edit the file: $CPDIR/conf/sic_policy.conf
NOTE: If log forwarding has been configured previously on the Connectra
machine (i.e. the SIC policy file has already been configured), there is no
need to repeat the changes to the SIC file. Please skip to step 7.
a Scroll down to the Outbound rules section and then to the Logs
subsection.
b Change the line:
ANY; Log_Server; ANY; log; sslca
to:
ANY; ANY; ANY; log; ssl, sslca
Parameter                Description
[one time password]      A temporary password, which will be used to establish trust with the remote machine.
[Connectra machine IP]   IP of the machine to which Connectra will forward its logs.
NOTE: The one time password must be identical to the one used when the fw putkey command was issued on the remote server.
Step 8) Enter the cpstart command in order to start all of the servers anew.
Once the above procedures have been performed, logs, created on the Connectra
machine, will also be forwarded to the remote SmartCenter server.
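The following Python helper (an added example, not part of the appendix or of Check Point's tooling) applies the step 5b edit to the text of a SIC policy file and reports whether the rule was changed, was already in place (the case the NOTE above says to skip), or was not found in the Logs subsection of the Outbound rules. The sample file content and the "# Outbound rules" / "# Logs" comment markers used to locate that subsection are assumptions about the layout of $CPDIR/conf/sic_policy.conf.

```python
from typing import List, Tuple

OLD_RULE = "ANY; Log_Server; ANY; log; sslca"      # step 5b, the line to change
NEW_RULE = "ANY; ANY; ANY; log; ssl, sslca"        # step 5b, its replacement

# Constructed excerpt. The "# Outbound rules" / "# Logs" comment markers are an
# assumption about how $CPDIR/conf/sic_policy.conf labels its sections.
SAMPLE_SIC_POLICY = """\
# Inbound rules
# Logs
ANY ; Log_Server ; ANY ; log ; sslca

# Outbound rules
# Logs
ANY; Log_Server; ANY; log; sslca
# Misc
ANY ; ANY ; ANY ; cpd ; sslca
"""

def rule_fields(line: str) -> List[str]:
    """Split a rule on ';' and strip padding, so 'ANY ; log' compares equal to 'ANY; log'."""
    return [f.strip() for f in line.split(";")]

def enable_log_forwarding(text: str) -> Tuple[str, str]:
    """Rewrite the Log_Server rule in the Logs subsection of Outbound rules only.

    Returns (new_text, status) where status is
      'changed'   - the rule was rewritten (cpstop/cpstart still has to follow),
      'already'   - NEW_RULE is already present, the case the appendix NOTE says to skip,
      'not_found' - no matching rule in that subsection; the text is returned untouched.
    NEW_RULE applies to any peer and accepts ssl as well as sslca, so it is broader
    than the rule it replaces: review the result before restarting services.
    """
    out, section, sub, status = [], None, None, "not_found"
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("#"):                        # section or subsection header
            title = s.lstrip("#").strip().lower()
            if title.endswith("rules"):
                section, sub = title, None
            else:
                sub = title
        elif s and section == "outbound rules" and sub == "logs":
            if rule_fields(s) == rule_fields(NEW_RULE):
                status = "already"
            elif rule_fields(s) == rule_fields(OLD_RULE):
                line, status = NEW_RULE, "changed"
        out.append(line)
    return "\n".join(out) + "\n", status
```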
Index

A
Accessing Applications 21
Active Directory 60
Active time-out 13
Administration Concepts 16
Application Intelligence 86
Associating Mail Services with User Groups 50
Audit log 105
Audit Log Options 106
Auditing Using Logs 20
Authenticating Users in Connectra 65
Authentication 11
Authentication & Authorization 63
Authentication via Certificates 69
Authorization 12

B
Built-in Webmail 41

C
Changing the Company Logo 114
Client Certificate
    importing 79
    login 76
    verification 82
Client Certificate Verification 82
Client Side Security 85, 95
Client Side Security Highlights 13
Client Verification 12
command
    expert 123
Command Injection 91
Command Line Interface 121
Commonly Used Concepts 11
Compliance
    client side security 97
Compliance Options 97
Configuring Authentication 66
Configuring Authentication via LDAP 67
Configuring Authentication via Radius 68
Configuring Connectra 19
Configuring Connectra Applications 44
Configuring Server Certificates 75
Connectra
    Need for 9
    what is it? 10
Connectra Email Services 40
Connectra Security Features 13
Cookie capture 86
Cookies 12
Creating a Protection Level 71
Cross Site Scripting 89
Customizing
    Changing the Company's URL 114
    Changing the Language 114
    Changing the Title 114
Customizing Look & Feel 113
Customizing the User Portal 113
Cyclic logging 110

D
Debug log 111
Defining Applications 37
Deploying Connectra in the DMZ 15
Directory Traversal 92

E
Email services
    configuration of 46
Eudora 6 129
Expert Mode 123
External User group

F
File shares
    configuration of 50
File shares in Connectra 44

G
General HTTP Worm Catcher 87
General Security Issues 83

H
How Connectra Maps LDAP groups 65
How Connectra Maps Radius Groups 65
HTTP Protocol Inspection 86, 93

I
Initial Configuration of Connectra 19
Initial Setup 21
Internal User groups
    creating 55
Internal Users
    adding 54
    configuring 54

L
LDAP
    configuring 58
LDAP Group
    creating 59
LDAP Groups
    working with 57
Log Capacity 109
Log switching 110

M
mail
    what is it 40
Malicious Code Protection 87
Malicious Code Protector 86
Managing Access 19
Managing Users & Groups 53
Microsoft Outlook 2000 127
Microsoft Outlook 2002 127
Microsoft Outlook Express 6 128

N
Native mail 42
Need for Customization 113
Need for Status and Logging Information 103
Netscape 7.1 130

O
Outlook Web Access 42

P
Passive time-out 12
Protection Level 12
Protection-levels
    configuring 71
    understanding 66

R
Radius
    working with 61
Remote Log Servers 111

S
Screened Software Types 96
Security 13, 83
Server Certificate
    automatically generated 76
    changing 78
    installing 77
    viewing 76
Server Side Security 84
Server Side Security Highlights 13
Session 12
Session Time-Outs 86
Session timeouts 86
Setting Protection Level 20
Signing In 20
Spyware 86
SQL Injection 89, 90
Status 104
Status & Logging 103

T
Time-out
    active 86
    passive 86
Traffic log 107
Troubleshooting 115

U
Understanding Authentication & Authorization 63
Understanding the Connectra Logging Solution 103
Upgrade 29
User Workflow 20

W
Web application explained 38
Web applications
    configuration of 44
Web Intelligence 87