R73
User Guide
14 April, 2010
More Information
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=10580 For additional technical information about Check Point visit Check Point Support Center (http://supportcenter.checkpoint.com).
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to us (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Endpoint Security R73 User Guide).
2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Please refer to our Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Please refer to our Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights.
Contents
Introduction to Endpoint Security ... 8
  Tour of the Endpoint Security Main Page ... 8
    The Endpoint Security Main Page ... 8
    System Tray Icons ... 9
    Panels ... 9
    Overview Panel ... 10
  Responding to Alerts ... 10
    New Program Alerts ... 10
    New Network and VPN Alerts ... 11
    Compliance Alerts ... 11
Anti-malware ... 12
  Endpoint Security Anti-malware ... 12
    Enabling Anti-malware ... 12
    Viewing Anti-malware Protection Status ... 12
    Updating Anti-malware ... 13
  Scanning ... 13
    Understanding Scan Results ... 13
    Treating Files Manually ... 14
    Submitting Infected Files and Spyware to Check Point ... 14
    Viewing Quarantine Items ... 15
    Viewing Logs ... 16
  Advanced Options ... 16
    Scheduling Scans ... 16
    Updating Malware Definitions ... 17
    Specifying Scan Targets ... 17
    On-Access Scanning ... 18
    Enabling Automatic Infection Treatment ... 18
    Repairing Archived Files ... 19
    Infected File Scan Options ... 19
    Infected File Exceptions List ... 19
VPN ... 21
  VPN Basics ... 21
    Types of Endpoint Security VPNs ... 21
  Legacy VPN Client ... 22
    Compact and Extended VPN Interfaces ... 22
    Authentication in the Legacy VPN Client ... 23
    Creating Profiles and Sites in the Legacy VPN Client ... 26
    Connecting and Disconnecting Using the Legacy Client ... 30
    Advanced Configuration Options in the Legacy Client ... 35
    Switching to Endpoint Connect ... 37
  Check Point Endpoint Connect VPN Client ... 37
    Authentication in Endpoint Connect ... 37
    Creating Sites in Endpoint Connect ... 42
    Connecting and Disconnecting Using Endpoint Connect ... 42
    Advanced Configuration Options in Endpoint Connect ... 46
    Switching to the Legacy VPN client ... 47
WebCheck ... 49
  Understanding WebCheck ... 49
    WebCheck Protection ... 49
  Suspicious Site Warnings ... 49
    Yellow Caution Banner ... 50
    Blue "May Be Unsafe" Warning ... 50
    Blue Warning Alerts ... 51
Firewall ... 52
  Understanding Firewall Protection ... 52
  Understanding Zones ... 52
    Zones Manage Firewall Security ... 53
    Zones Provide Program Control ... 53
  Configuring New Network Connections ... 53
  Integrating with Network Services ... 54
    Enabling File and Printer Sharing ... 54
    Connecting to Network Mail Servers ... 54
    Enabling Internet Connection Sharing ... 54
  Choosing Security Levels ... 54
  Setting Advanced Security Options ... 55
    Setting Gateway Security Options ... 56
    Setting ICS Options ... 56
    Setting General Security Options ... 56
    Setting Network Security Options ... 57
  Blocking and Unblocking Ports ... 58
    Default Port Permission Settings ... 58
    Adding Custom Ports ... 59
  Configuring VPN Connection for Firewall ... 60
    Supported VPN Protocols ... 60
    Configuring VPN Connection ... 60
Program Control ... 62
  Understanding Program Control ... 62
    Program Access Control ... 62
    Program Authentication ... 62
  Setting Program Control Options ... 63
    Setting Program Control Level ... 63
    Enabling Automatic Lock ... 63
  Configuring Program Access ... 64
    Setting Program Access Permissions ... 64
    Customizing Program Control Settings ... 65
  Setting Specific Permissions ... 65
    Using the Programs List ... 66
    Adding Programs to the Programs List ... 66
    Granting Internet Access Permissions to Programs ... 67
    Granting Server Permission to Programs ... 67
    Granting Send Mail Permission to Programs ... 67
    Advanced Program Control ... 67
    Disabling Outbound Mail Protection ... 68
    Setting Authentication Options ... 68
    Allowing Others to Use Programs ... 68
  Managing Program Components ... 68
  Using Programs with the Client ... 69
    Using Antivirus Software ... 69
    Using Browsers ... 69
    Using Chat ... 69
    Using E-mail ... 69
    Using Internet Answering Services ... 70
    Using File Sharing ... 70
    Using FTP ... 70
    Using Streaming Media ... 70
    Using Games ... 70
    Using Remote Control ... 71
    Using VNC ... 71
    Using Voice over IP ... 71
    Using Web Conferencing ... 71
Full Disk Encryption ... 72
  Authenticating to Full Disk Encryption ... 72
    Ensuring That Your Computer Has Not Been Tampered With ... 72
  Authenticating for the First Time ... 72
    Using a Fixed Password ... 73
    Using a Dynamic Token ... 73
    Using a Smart Card/USB Token ... 74
    What if I forget my password? ... 75
    What if I don't have access to my token/smart card? ... 75
  Optional Full Disk Encryption Features ... 75
    Synchronizing Passwords ... 75
    Single Sign-on and OneCheck Logon ... 76
    Windows Integrated Logon ... 77
  Using the Full Disk Encryption Panel ... 78
    Viewing Status and Encryption Information ... 78
    Changing Authentication Credentials ... 79
    Changing the Language Used in the Interface ... 80
    Characters Supported in the Preboot Environment ... 83
Media Encryption ... 84
  Features ... 84
    Encryption Policy Manager ... 84
    Removable Media Manager ... 84
    Device Manager ... 85
    Program Security Guard ... 85
    Cached Passwords ... 85
  Using the EPM Client ... 86
    Encrypting Media ... 86
    Encrypting CDs and DVDs ... 88
    Accessing Encrypted Media ... 88
    Accessing Encrypted Media from non-Media Encryption Computers ... 89
    Erasing CDs or DVDs ... 90
    Changing the Encrypted Device Password ... 90
  Using the Removable Media Manager ... 90
    Authorizing Removable Media ... 90
  Using the Device Manager ... 91
  Using the Program Security Guard ... 91
  Maintenance Section ... 91
File Encryption ... 92
  Before You Start ... 92
    About Passwords and Keys ... 93
    Working with File Encryption ... 93
  Accessing File Encryption for the First Time ... 93
    Using a Certificate and Setting a Password ... 94
    Setting a Password ... 94
  Authenticating to and Logging Off from File Encryption ... 95
    Authenticating with a Certificate ... 95
    Authenticating with a Password ... 96
    Logging Off from File Encryption ... 96
  Information and Help on File Encryption ... 96
  Using File Encryption ... 96
    File Encryption Options ... 97
    Protected Information in Windows Explorer ... 99
  Protecting Information Locally ... 99
    Encrypting Information ... 99
    Accessing Protected Information Stored Locally ... 100
    Decrypting Information ... 100
    Securely Deleting Information Stored Locally ... 101
  Working with Encrypted Packages ... 101
    About Encrypted Packages ... 101
    Creating an Encrypted Package ... 101
    Opening Encrypted Packages ... 104
    PKCS7 Encryption ... 105
    Securely Deleting Packages ... 106
  Protecting Information on Removable Media ... 106
    Protecting Information on Removable Media ... 106
    USB Sticks, Firewire/USB Hard Drives, Floppy/CD/DVD Disks ... 107
    CD/DVDs ... 108
    Accessing Protected Information ... 109
    Working in a Stand-alone Access Environment ... 110
  Managing Passwords and Keys ... 111
    Changing Your Local Password ... 111
    Changing Passwords on Removable Media ... 112
    Sharing Media/Floppy Disks and Managing Keys ... 112
  Securely Deleting Information ... 113
    Secure Delete Basics ... 113
  Forgot your Password? ... 114
    What if I forget my password? ... 114
Policies ... 116
  Policy Types ... 116
  Understanding Policy Arbitration ... 116
  Viewing Available Policies ... 116
  Using the Policies Panel ... 117
Alerts and Logs ... 118
  Understanding Alerts and Logs ... 118
    About Alerts ... 118
    About Event Logging ... 119
  Setting Basic Alert and Log Options ... 119
    Setting Alert Event Level ... 119
    Setting Event and Program Logging Options ... 119
  Showing or Hiding Alerts ... 119
    Showing or Hiding Firewall Alerts ... 119
  Setting Event and Program Log Options ... 120
    Formatting Log Appearance ... 120
    Customizing Event Logging ... 120
    Customizing Program Logging ... 120
    Viewing Log Entries ... 121
    Viewing the Text Log ... 122
    Archiving Log Entries ... 123
    Using Alert Advisor ... 123
Alert Reference ... 124
  Informational Alerts ... 124
    Firewall Alert/Protected ... 124
    MailSafe Alert ... 125
    Blocked Program Alerts ... 125
    Internet Lock Alerts ... 126
    Compliance Alerts ... 126
  Program Alerts ... 127
    New Program Alerts ... 127
    Repeat Program Alerts ... 127
    Changed Program Alerts ... 128
    Program Component Alerts ... 128
    Server Program Alerts ... 129
    Advanced Program Alerts ... 130
    Manual Action Required Alerts ... 131
    New Network Alerts ... 131
Troubleshooting ... 133
  VPN Troubleshooting ... 133
    Configuring Client for VPN Traffic ... 133
    VPN Auto-Configuration and Expert Rules ... 133
    Automatic VPN Detection Delay ... 134
  Network Troubleshooting ... 134
    Making Your Computer Visible on Local Network ... 134
    Sharing Files and Printers Locally ... 134
    Resolving Slow Startup ... 135
  Internet Connection Troubleshooting ... 135
    Connecting to the Internet Fails after Installation ... 135
    Allowing ISP Heartbeat Messages ... 136
    Connecting Through an ICS Client ... 136
    Connecting Through a Proxy Server ... 137
Glossary of Terms ... 139
Index ... 145
Chapter 1
Introduction to Endpoint Security
Check Point Endpoint Security is the first and only single agent that combines all essential components for total security on the endpoint: highest-rated firewall, Anti-malware, Full Disk Encryption, Media Encryption with port protection, network access control (NAC), program control and VPN. Check Point Endpoint Security protects PCs and eliminates the need to deploy and manage multiple agents, reducing total cost of ownership.

In This Chapter
  Tour of the Endpoint Security Main Page ... 8
  Responding to Alerts ... 10
Page 8
Attention needed (for example: client is out of compliance with policy, application error, or reboot needed).
Panels
Your Endpoint Security Client may have any or all of the possible panels, depending on the installation and configuration that the administrator created for you.
VPN
Shows whether you are connected to the VPN, if you have VPN installed on your Endpoint Security client.
Anti-malware
Shows whether the protection is turned on, and if so, how many infected files or spyware were treated.
Firewall
Indicates whether your firewall is on and displays the number of firewall alerts and Internet Lock alerts that have occurred since the last reset. If a warning is displayed, click the underlined warning text to go immediately to the panel where you can adjust your settings.
Program Control
Indicates whether program control is configured safely and displays the number of program alerts that have occurred since the last reset. Endpoint Security client will warn you if program control is disabled.
Media Encryption
Provides access to Media Encryption options and the EPM (Encryption Policy Manager) client.
WebCheck
Indicates which WebCheck options have been provided to this client by the administrator.
Policies
Shows a table of the available Policies and the details of the currently active policy.
Overview Panel
The Overview panel provides quick access to the most urgent issues and offers quick scanning of the status of different areas of protection and connection.
Responding to Alerts
When you first start using the client, it is not unusual to see a number of alerts. Endpoint Security client is learning your program and network configurations, and giving you the opportunity to set up your security the way you want it. How you respond to an alert depends upon the type of alert displayed.
Note - Select the Remember this answer check box to give permanent permission to programs you trust.

Few programs or processes actually require server permission in order to function properly. Some processes, however, are used by Microsoft Windows to carry out legitimate functions. Some of the more common ones you may see in alerts are:
  lsass.exe
  spoolsv.exe
  svchost.exe
  services.exe
  winlogon.exe

If you do not recognize the program or process that is asking for server permission, search the Microsoft Support Web site (http://support.microsoft.com/) for information on the process to determine what it is and what it is used for. Be aware that many legitimate Windows processes, including those listed above, have the potential to be used by attackers to disguise worms and viruses, or to provide backdoor access to your system for Trojan horses: malware is frequently given one of these names, or loaded into one of these processes, precisely because users expect to see them. If you were not performing a function (such as browsing files, logging onto a network, or downloading files) when the alert appeared, then the safest approach is to deny server permission. At any time, you can assign permissions to specific programs and services from the Programs List, accessed from the Programs tab of the Program Control panel. If you are seeing many server program alerts, you may want to run an anti-malware scan as an added precaution.
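Before clicking Allow on a server alert for one of the process names above, a practitioner would want to confirm that the process is the genuine Windows binary and not malware borrowing its name. The following PowerShell script is an added example and is not part of the Check Point guide or the Endpoint Security product. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated session, since the Path of system processes is not readable otherwise. For every running instance of the listed names it reports the image path, whether that path is under System32, whether the Authenticode signature is valid and issued to Microsoft, the parent PID, and the TCP ports on which the process is listening.

```powershell
# Added example (not from the Check Point guide): sanity-check a process that
# has asked for server permission before granting it.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
param(
    # Default to the Windows processes the guide says commonly appear in alerts.
    [string[]]$Names = @('lsass', 'spoolsv', 'svchost', 'services', 'winlogon')
)

$system32  = Join-Path $env:SystemRoot 'System32'
# All listening TCP sockets, fetched once and matched to processes below.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue

foreach ($p in Get-Process -Name $Names -ErrorAction SilentlyContinue) {
    $path   = $p.Path          # $null if the session is not elevated
    $parent = (Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)").ParentProcessId
    $sig    = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    # Two independent signals; the real binary normally passes both.
    $inSystem32 = $path -and $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
    $signedByMs = $sig -and $sig.Status -eq 'Valid' -and
                  $sig.SignerCertificate.Subject -like '*Microsoft*'

    # Ports this PID is actually serving on: the concrete reason for a server alert.
    $ports = ($listeners | Where-Object { $_.OwningProcess -eq $p.Id } |
              ForEach-Object { $_.LocalPort } | Sort-Object -Unique) -join ','

    [pscustomobject]@{
        Name            = $p.ProcessName
        PID             = $p.Id
        ParentPID       = $parent
        Path            = $path
        InSystem32      = [bool]$inSystem32
        MicrosoftSigned = [bool]$signedByMs
        ListeningPorts  = $ports
        Verdict         = if ($inSystem32 -and $signedByMs) { 'looks genuine' } else { 'INVESTIGATE' }
    }
}
```

Save it under any name (for example Check-ServerProcess.ps1, a name chosen for this example) and run it from an elevated prompt, or pass -Names with the process from the alert. A verdict of "looks genuine" is necessary but not sufficient: svchost.exe is a signed Microsoft host that loads service DLLs, so a valid signature on the executable says nothing about the DLL that opened the port. Use the ParentPID (services.exe is the expected parent of svchost.exe and spoolsv.exe) and the listening ports together with the question the guide asks, namely whether you were doing something that should have required a server when the alert appeared, before allowing the connection.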
Compliance Alerts
Compliance alerts occur when Endpoint Security server, operating in conjunction with Endpoint Security client, determines that your computer is non-compliant with enterprise security requirements. Depending on the type of non-compliance, your ability to access the corporate network may be restricted or even terminated. Computers that are running the correct types and versions of required software are said to be compliant with enterprise security requirements. When, on the other hand, Endpoint Security determines that a computer is non-compliant, it:
  Displays a Compliance alert (but only if the display of Compliance alerts is enabled in the currently active enterprise security policy)
  Directs you to a Web page that tells you how to make the endpoint computer compliant
What happens next depends on your company's security Policies. If you do not make your computer compliant in the time allotted by the security policy, your access to the corporate network may be restricted or terminated. If your computer is restricted, you can continue to access some corporate network resources before you perform the steps necessary to make your computer compliant. If your computer is terminated, you may only be able to access the Web page that tells you how to make your computer compliant with corporate security requirements.
Page 11
Chapter 2
Anti-malware
The integrated Anti-malware feature protects your computer against infected files and spyware in a single powerful operation. Multiple scanning options automatically detect infected files and spyware and render them harmless before they can damage your computer.
In This Chapter
Endpoint Security Anti-malware 12
Scanning 13
Advanced Options 16
Enabling Anti-malware
To enable Anti-malware protection:
1. Open Anti-malware Main.
2. In the Anti-malware area, click On.
For information on the status information found on the Overview panel, see Using the Overview Main Tab (on page 10).
Updating Anti-malware
Every anti-malware application contains a definition file, with information to identify and locate infected files and spyware on the computer. As new infections or spyware applications are discovered, the client updates its databases with the definition files it needs to detect these new threats. Therefore, the computer is vulnerable to infections and spyware whenever its database of definition files becomes outdated. In Anti-malware Main, you can see if the Anti-malware protection needs to be updated.
Scanning
There are several ways you can initiate a scan of your computer:
- In the Anti-malware Main tab, click Scan Now.
- Right-click a file on your computer and choose Scan with Check Point Anti-malware.
- Schedule a system scan to run once or at regular intervals.
- Open a file (if On-Access scanning is enabled).
System scans provide another level of protection by allowing you to scan the entire contents of your computer at one time. System scans detect infections that may be dormant on your computer's hard drive. Because of the thorough nature of full-system scans, they can take some time to perform. As a result, your system's performance may be slowed down while a full-system scan is in progress. To avoid any impact on your workflow, you can schedule system scans to run at a time when you are least likely to be using your computer.
Note - Clicking Pause in the Scan dialog while a scan is being performed will stop the current scan only. On-Access scanning will not be disabled. Click Resume again to resume the current scan.
Risk
Path: Location of the infected file/spyware.
Type: Specifies whether the infection was caused by a virus.
Status: Indicates whether the file has been repaired, deleted, or remains infected.
Information: Provides more details.
Data Detail: Description
Active Items: Infections/spyware found during the scan that could not be treated automatically. To accept the suggested treatments in the Treatment column, click Apply.
Auto Treatment: Items already treated; you do not need to take further action.
Treatment options: Rename, Ignore Always, Ignore Once
If the results of a scan contain Error, No treatment available, or Treatment failed, there is not yet a way to automatically remove the infection without risking the integrity of your computer or other files. To find manual treatment procedures, enter the name of the infection, with the word "removal" into a search engine, such as Google or Yahoo, to locate removal instructions. Check Point is constantly researching infections and developing safe ways to remove them.
For help with creating a password-protected archive, refer to the Help for WinZip.
2. Send the .zip file to malware@checkpoint.com. Use this e-mail address only for sending malware to the Check Point Security Team.
Important - Do not send malware files if you feel you cannot do so safely or if it would increase the risk of infection or damage to your system. Do not e-mail suspected malware files to others.
Path
Table 2-4 Quarantine Information for Spyware
Information Type: Description
Type: Type of spyware: keylogging or cookie.
Name: Name of the spyware.
Risk: The risk level of the infection: whether Low, for adware; or a serious threat, for keylogging software.
Days in Quarantine: Number of days the file has been in quarantine.
Viewing Logs
By default, all infected file and spyware events are recorded in the Log Viewer.
Infection Name: The common name of the infection (for example, iloveyou.exe) or spyware (for example, NavExcel).
Filename: The name of the infected file, the name of files being scanned, or the name and version number of update and/or engine.
Action: How the infected file was handled by the client:
Updated, Update canceled, Update Failed
Scanned, Scan canceled, Scan Failed
File Repaired, File Repair Failed
Quarantined, Quarantine Failed
Deleted, Delete Failed
Restored, Restore Failed
Renamed, Rename Failed
Mode: Whether the action was manual or automatic.
E-mail: If the infected file was detected in e-mail, the e-mail address of the sender.
1. Click Clear List to reset the list.
2. Click Add to Zone to add the site to either the Trusted or Internet Zone.
Advanced Options
The Advanced Options button is enabled if the only active policy is the Personal Policy (see Policies). If an Enterprise, Corporate, or Disconnected Policy is active, the features of this option are controlled by your system administrator. Therefore, you will be able to control the Advanced Options of your own client only if the Enterprise Policy was not yet received and there is no contact with the Endpoint Security server, or the assigned policy consists only of an Enterprise Policy and your client is disconnected from the server.
Scheduling Scans
Scanning your computer for infected files and spyware is one of the most important things you can do to protect the integrity of your data and computing environment. Scanning is most effective when performed at regular intervals, so it often makes sense to schedule it as a task to run automatically. If your computer is not on when the scheduled scan is set to occur, the scan will occur fifteen minutes after your computer is restarted.
To schedule a scan:
1. Open Anti-malware Main.
2. Click the Advanced Options button. The Advanced Options window appears.
3. Select the Scan for viruses check box, then specify a day and time for the scan.
4. In the Scan Schedule options, select the Scan for infected files check box, then specify a day and time for the scan.
5. Specify the scan frequency: daily, weekly, or monthly.
6. Specify the scan frequency.
7. Click OK.
Note - If you select a weekly repeating schedule, the scan will run on the day of the week based on the starting date. For example, if the starting date is November 4, 2009, the scan will run every subsequent Wednesday.
The following table provides an explanation of the icons shown in the Scan Targets window.
Table 2-5 Icons Indicating Scan Targets
Icon: Description
- The selected disk and all sub-folders and files will be included in the scan.
- The selected disk and all sub-folders and files will be excluded from the scan.
- The selected disk will be included in the scan, but one or more sub-folders or files will be excluded from the scan.
- The selected folder will be excluded from the scan, but one or more sub-folders or files will be included in the scan.
- The selected folder will be included in the scan. A gray check mark indicates that scanning of the folder or file is enabled because scanning has been enabled for a higher level disk or folder.
- The selected folder will be excluded from the scan. A gray "x" mark indicates that scanning of the folder or file is disabled because scanning has been disabled for a higher level disk or folder.
- Other: RAM DISK and any unknown drives. Specify other drives to scan.
On-Access Scanning
On-Access scanning protects your computer by detecting and treating infections that may be dormant on your computer. On-Access scanning is enabled by default and supplies the most active form of protection against infections. Files are scanned for infections as they are opened, executed, or closed, allowing immediate detection and treatment of infections.
Note - On-Access scan will only scan for infections in an archive (compressed file, such as those with a *.zip extension) when the file is opened. Unlike other types of files, archives are not scanned when moved from one location to another. On-Access scanning does not support other Anti-virus providers, and is disabled if you are not using Check Point Anti-malware.
2. Click Advanced Options.
3. Open Anti-malware Management > Automatic Treatment.
4. Select the auto treatment option you want:
Alert me - Do not treat automatically
Try to repair, and alert me if repair fails
Enable heuristics scanning: Scans for malware not found in the malware database based on characteristics of the file in question.
6. Click OK.
Chapter 3
VPN
In This Chapter
VPN Basics 21
Legacy VPN Client 22
Check Point Endpoint Connect VPN Client 37
VPN Basics
Endpoint Security VPN lets you connect securely to your enterprise network when working remotely. You can then access private files over the Internet knowing that unauthorized persons cannot view or alter them. The VPN connection can be made directly to the server or through an Internet Service Provider (ISP). Remote users can connect to the organization using any network adapter (including wireless adapters) or modem dialup. The Endpoint Security VPN feature authenticates the parties and encrypts the data that passes between them. The VPN feature uses standard Internet protocols for strong encryption and authentication. Encryption ensures that only the authenticated parties can read the data passed between them. In addition, the integrity of the data is maintained, which means the data cannot be altered during transit. The VPN Main panel displays information about the current VPN connection (if any) and about the status of your remote connection to the VPN-enabled security gateway. From the Main panel, you can click VPN Settings > New to launch the Site Wizard to create a VPN site, connect to or disconnect from a VPN site, or open the VPN Settings window to configure profiles and sites, configure any special connection options, or manage certificates.
The options that you have to choose from depend on which VPN client is provided in your installation.
The VPN client is the legacy Check Point client. For managing options in this client, see Legacy VPN Client (on page 22).
If you see only two tabs, one for Sites and one for Advanced (Figure 3-2, Endpoint Connect VPN settings), the VPN client is Check Point Endpoint Connect. For managing options in this client, see Check Point Endpoint Connect VPN Client (on page 37).
Extended view is for more advanced users who need to connect to different VPN sites and who want to manage their VPN configuration in greater detail.
Managing Certificates
It is recommended to use digital certificates for authentication when establishing a VPN connection. Certificates are more secure than other methods such as user name and password. When authenticating with certificates, the client and the VPN site each confirm that the other's certificate has been signed by a known and trusted certificate authority, and that it has not expired or been revoked. You or your administrator must enroll with a certificate authority. You can use any third-party OPSEC (Open Platform for Security) PKI (Public Key Infrastructure) certificate authority that supports the PKCS#12, CAPI, or Entrust standards. Endpoint Security client lets you create or renew Check Point certificates and manage Entrust certificates.
No long substrings of the user name
4. Specify your profile parameters by entering the Reference Number and Authorization code supplied by your system administrator.
5. Click OK.
6. In the confirmation window that appears, click OK again.
Mark this key exportable: the key can be backed up or transported at a later time.
4. Click Next, and either allow the file to be automatically stored or browse to a specific storage folder.
5. Click Finish to complete the certificate import wizard.
For this reason, your system administrator may switch from using the certificate stored in the CAPI store and require you to authenticate using a PKCS#12 certificate directly, stored on a floppy disk or USB drive. If this happens, a message displays when you try to connect to the active site. Browse to the drive where the certificate is stored.
using Office mode or Hub mode. Endpoint Security client automatically downloads new profile information when you perform a site update. If you have more than one profile, contact your administrator to find out which one to use. The functions described in this section are only available in extended view. (For details on compact versus extended view, see Compact and Extended VPN Interfaces (on page 22).)
Creating Profiles
If you are using VPN extended view, your system administrator might require you to create a new connection profile for a particular site. Note that you can only create a new connection profile if you have already defined at least one site.
2. In the Connections tab, click New Profile. The Profile Properties window opens.
3. Provide a profile name and description.
4. Select a site from the Site drop-down list.
5. Select a gateway from the Gateway drop-down list.
6. Open the Advanced tab, and select any configuration options specified by your administrator.
7. Click OK to close the Profile Properties window and then click OK to close the VPN Settings window.
To export a profile:
1. Open VPN Main and click VPN Settings.
2. In the Connections tab, do one of the following:
Select the desired profile and then click Options > Export Profile.
Right-click the desired profile and select Export Profile.
The profile is saved as a file with the .srp extension.
To import a profile:
Click New > Import Profile.
Cloning Profiles
You can clone profiles and then modify and save them as new profiles.
To clone a profile:
1. Open VPN Main and click VPN Settings.
2. In the Connections tab, do one of the following:
Select the desired profile and then click New > Clone Profile.
Right-click the desired profile and select Clone Profile.
The Profile Properties window appears.
3. Modify the profile properties as desired. For example, change the name, the description, or the gateway.
4. Click OK.
Changing Profiles
If you are using VPN extended view and if you have configured more than one profile, you can change the profile with which you connect.
Note - You cannot change profiles while connected to a VPN site.
To switch profiles:
1. If you are connected to a VPN site, disconnect by doing one of the following:
Right-click the Endpoint Security system tray icon and select Disconnect from VPN.
Open VPN and click Disconnect.
2. Open the VPN Connection window by doing one of the following:
Right-click the Endpoint Security system tray icon and select Connect to VPN.
Open VPN and click Connect.
The VPN Connection window opens.
3. In the Location Profile drop-down list, choose the desired profile.
4. Provide your password and click Connect. The selected profile is now the default.
Deleting Profiles
If you use VPN extended view, you can delete profiles when they are no longer useful. Note - You can only delete a profile that you created; you cannot delete a profile provided by your network administrator.
To delete profiles:
1. Open VPN Main and click VPN Settings.
2. In the Connections tab, do one of the following:
Select a profile and then click Delete.
Right-click a profile and select Delete Profile.
3. In the confirmation window, click Yes.
Defining Sites
If you have configured the client to display the extended version of the VPN interface, you can define additional sites as needed. Using the instructions in this section, follow the Site Wizard to define a new site. Before defining a site, make sure your administrator gives you:
- Information about your method of authentication (user name and password, certificate, or similar). If you are planning to use a certificate for authentication, you should already have created the certificate or received one from your administrator (see Managing Certificates (on page 24)).
- The name or IP address of the security gateway that provides remote access to the corporate network.
Preparing:
If you are using Endpoint Security VPN functionality for the first time, and have not defined a site:
1. Open VPN Main and click Connect.
2. In the window that opens, click Yes.
If you have already defined a VPN destination site, and now want to define another:
1. Open VPN Main and click VPN Settings.
2. Open the Sites tab.
3. Do one of the following:
If you are in extended view, click New Site.
If you are in compact view, click Define Server.
If you are in the Sites tab, click New.
To define a site:
1. Provide the VPN site IP address or host name.
2. Select Display Name and provide a display name.
3. Click Next. The client takes a moment to identify the site.
4. Select the method of authentication. The choices and subsequent actions are:
User name and Password: Click Next to advance to the User Details window. Provide your user name and password, and click Next.
Certificate: Click Next to advance to the Certificate Authentication window. Browse and select your certificate and then provide the certificate password. Click Next.
SecurID: Click Next to advance to the SecurID Authentication window. Choose Use Key FOB hard token, Use PinPad card, or Use SecurID Software token. Click Next. Provide the necessary information for your authentication type. Click Next.
Challenge Response: Click Next to advance to the Challenge Response window. Provide your user name and click Next.
5. If prompted, choose the desired connectivity setting (Standard or Advanced) and click Next. After a short wait, the Please Validate Site window displays your certificate's fingerprint and distinguished names (DN). If your administrator gave you the site's fingerprint and DN, compare them to those in the window. If they match, click Next. The Site Created Successfully window appears.
6. Click Finish.
Updating Sites
When you update a site, you download any new client settings and any updated information about the site and its associated profiles, including any new profiles your administrator has configured. To update a site, you must first be connected to the site. If you are not connected when you attempt to update, the client prompts you to connect.
To update a site:
1. Open VPN Main and click VPN Settings.
2. In the Connections tab or Sites tab, select a site and click Options > Update Site. If you are already connected to the site, a progress window indicates when the update is complete. If you are not connected, the client prompts you to connect. You must do so to complete the update.
Disabling Sites
You can disable a site, and then enable it later. Note that by disabling a site, you also disable all associated profiles.
To disable a site:
1. Open VPN Main and click VPN Settings.
2. In the Connections tab, disconnect your VPN connection.
3. Do one of the following:
Select the desired site and then click Options > Disable Site.
Right-click the desired site and select Disable Site.
A red "x" appears on the icons for the site and associated profiles indicating they are disabled.
To re-enable a site:
Do one of the following:
Select the site and then click Options > Enable Site.
Right-click the site and select Enable Site.
Deleting Sites
You can delete sites when they are no longer useful. Important - If you delete a site, you also delete all associated profiles.
To delete sites:
1. Open VPN Main and click VPN Settings > Connections tab.
2. Disconnect your VPN connection.
3. Do one of the following:
Select the site and then click Delete.
Right-click the site and select Delete Site.
4. In the confirmation window that appears, click Yes.
The VPN Connection window opens. Depending on your authentication method, the window displays different fields. For example, if you authenticate using certificates, the certificate path is displayed and you are prompted to provide your password.
2. Provide the appropriate information and click Connect. Endpoint Security displays a window showing progress and whether the connection is successful.
To disconnect:
1. Do one of the following:
Right-click the Endpoint Security icon in the system tray and select Disconnect from VPN.
In Endpoint Security, open VPN > Disconnect.
A confirmation window appears.
2. Click Yes.
Connection Status
You can view different types of connection status information.
Connections
Description
Current computer's connection status and other connection information.
Summary of current profile, including: site to connect to, gateway hostname, protocol specifications.
Name of the connection profile, as it appears in the VPN Connection window. It might be an IP Address.
Descriptive name for the profile, showing additional information.
Name of the site to connect to.
Name of the gateway specified in the connection profile.
Actual gateway chosen for the connection; may differ from the gateway defined in the connection profile.
Name of the defined gateway.
Gateway information: More Gateway information.
UDP Encapsulation: Enables Endpoint Security client to overcome problems created by a Hide NAT device.
Visitor Mode: Enables Endpoint Security client to connect through a gateway that limits connections to port 80 or 443.
Office Mode: Prevents IP address conflicts on remote networks by ensuring that the client receives a unique IP address from the gateway.
Indicates whether the VPN tunnel is open.
Indicates whether data is compressed for slow links, such as dialup.
Indicates whether IKE negotiation is over TCP or not (if not, it is over UDP).
Enable for complex IKE.
Current Maximum Transmission Unit (MTU). When the client is communicating across multiple routers with a site, it is the smallest MTU of all the routers that is important.

Description
Support Office mode: Indicates whether Office Mode is supported.
Support IKE over TCP: Indicates whether the tunnel negotiation is taking place over TCP instead of UDP to avoid packet fragmentation.
Force UDP Encapsulation: Indicates whether UDP encapsulation is being used to overcome problems created by hide NAT devices that do not support packet fragmentation.
Visitor Mode: Indicates whether Visitor Mode is active.
Route all traffic through gateway (Hub mode): Indicates whether Hub Mode is active.
Tunnel MTU Discovery: Indicates whether the process that discovers the MTU from Endpoint Security to the gateway is active.
Enabling Logging
For troubleshooting purposes, your system administrator may ask you to create a report log. The report log contains site-specific information and should be treated as strictly confidential. Send the report only to your system administrator or other authorized authority.
To enable logging:
1. Open VPN Main and click VPN Settings.
2. In the Advanced tab, select Enable Logging.
To send logs:
1. In the Advanced tab, click Save Logs. If a message appears (Send this report only to your system administrator.), click OK.
2. Wait while the logs are collected. A confirmation message will appear; click OK. The folder where the logs are saved opens.
3. Send the CAB or TGZ file to the administrator.
Auto-Connect
This option is available in Legacy Endpoint Security VPN only. Auto-connect prompts you to establish a VPN connection when you first try to access a private network, such as the company intranet. This saves you the time of navigating through Endpoint Security and initiating the connection yourself. In Auto-Connect mode, the client prompts you to establish a VPN connection every time it detects traffic destined for your corporate network or intranet site. If you choose to connect, the client encrypts traffic to the site. If you do not connect, the client prompts you to indicate how long to wait before reminding you again to connect. During this time, traffic to the site is sent unencrypted. However, if your site is configured to drop all unencrypted traffic, you will not be able to communicate with servers behind the site's gateway. If Office Mode is also enabled, you must re-initiate the connection after the Auto-Connect connection has succeeded.
To activate Auto-Connect:
1. Open VPN Main and click VPN Settings.
2. In the Options tab, select the Enable Auto-Connect checkbox and click OK. The Enable Auto Connect window appears.
3. Select a re-launch option.
4. Click OK.
A message displays stating that your change will be applied after the next reboot.
4. When the window closes, click OK to close the VPN Settings window.
for HTTP and port 443 for HTTPS. The remote client needs to perform an IKE negotiation on port 500 or send IPSec packets (instead of the usual TCP packets); therefore, a VPN tunnel cannot be established in the usual way. This issue is resolved using Visitor Mode (also known as TCP Tunneling), through a proxy server. Before you configure proxy settings, contact your system administrator for a valid user name and password to use to access the proxy. You may also need the proxy server IP address and port number.
Manually define proxy: If the proxy's settings cannot be automatically detected, you may be required to configure the Microsoft Internet Explorer settings according to the instructions, IP address, and port number provided by your system administrator.
4. In the Proxy Authentication section, provide the user name and password for proxy authentication.
5. Click OK.
Dial Up Support
The option to configure and use dialup connections through Endpoint Security is available if you have the Endpoint Connect VPN client. If no network is available when you try to connect to a site, and no dialup connection has been configured, the Endpoint Connect client displays a message:
Connection Failed
No network detected
Click here to activate dialup
Click the link to open the New Connection Wizard and configure a dialup connection. If a single dialup connection is already defined, click the link to dial and connect. If multiple dialup connections are defined, a list is displayed. Choose a connection and Endpoint Connect dials it. If Transparent Network and Interface Roaming is enabled, and the VPN is in the Reconnecting state, Endpoint Connect displays a Reconnecting message with the link to activate dialup.
NAT Traversal
To use NAT (Network Address Translation) with VPN, you need to configure your VPN client to support NAT-T. You must do this in cooperation with the administrator of the firewall gateway, as NAT-T ports and options must be configured in both your client and the gateway to support each other.
Force UDP Encapsulation: Solves the problem of large UDP packets by wrapping them in IPSec headers. The administrator must enable port 2746 for source and destination.
4. Click OK.
To use NAT (Network Address Translation) with VPN, you need to configure your VPN client to support NAT-T. Do this with your system administrator. NAT-T ports and options must be configured in both your client and the gateway to support each other.
To enable NAT-T:
1. Open VPN Main and click VPN Settings.
2. Select the Site and click Properties.
3. On the Advanced tab, select Enable NAT-T protocol.
Note - Enable NAT-T should be the default option.
4. Click OK.
Command: Explanation
scc connect
scc connectnowait
scc disconnect
scc erasecreds
scc listprofiles
scc numprofiles
scc restartsc
scc passcert
scc setmode <mode>: Switches the SecuRemote/SecureClient mode.
scc setpolicy: Enables or disables the current default security policy.
scc sp: Displays the current default security policy.
scc startsc: Starts SecureClient services.
scc status: Displays the connection status.
scc stopsc: Stops SecureClient services.
scc suppressdialogs: Enables or suppresses dialog popups. By default, suppressdialogs is off.
scc userpass: Sets the user's authentication credentials -- username, and password.
Displays the current SecureClient version.
Enrolls a certificate with the internal CA, and currently receives 4 parameters - site, registration key, filename and password. Currently the command only supports the creation of p12 files.
scc sethotspotreg: Enables HotSpot/Hotel registration support.
Are lengthy: A 15-character password composed of random letters and numbers is much more secure than an 8-character password composed of characters taken from the entire keyboard. Each character that you add to the password increases the protection that the password provides.
Combine letters, numbers, and symbols: A mixture of upper and lower case letters, numbers, and symbols (including punctuation marks not on the upper row of the keyboard).
Avoid sequences or repeated characters: For example 12345, or aaaaa.
Avoid look-alike substitutions of numbers or characters: For example replacing the letter "i" with the number "1", or zero with the letter "o".
Avoid your login name
Avoid dictionary words in any language
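The following added example, which is not part of this guide or of Check Point's software, turns the guidelines above into a checker a practitioner can run locally before accepting a password. The 15-character minimum, the four-character run length, the four-character login-substring length, the tiny word list and the look-alike map are all assumptions chosen for illustration; a real deployment would use a full dictionary and its own policy thresholds.

```python
"""Password-strength checks modelled on the guidelines in this section.

Added example; not Check Point code. The thresholds, the word list and the
substitution map below are assumptions chosen for illustration.
"""
import string

# Constructed, deliberately tiny word list standing in for a real dictionary.
DICTIONARY = {"password", "welcome", "summer", "secret", "admin", "qwerty"}

# Look-alike substitutions that are routinely undone when guessing
# ("p4ssw0rd" -> "password"); the guideline says they add no real strength.
LOOKALIKES = str.maketrans({"1": "i", "!": "i", "0": "o", "3": "e", "4": "a",
                            "5": "s", "$": "s", "7": "t", "@": "a"})

MIN_LENGTH = 15      # the text prefers 15 random characters over 8 (assumed threshold)
LOGIN_SUBSTRING = 4  # "no long substrings of the user name" (assumed length)
RUN_LENGTH = 4       # this many identical or consecutive characters count as a run


def _has_run(pw: str, n: int) -> bool:
    """True if pw contains n identical chars, or n ascending/descending chars, in a row."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        if len(set(chunk)) == 1:
            return True
        codes = [ord(c) for c in chunk]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _shares_substring(pw: str, login: str, n: int) -> bool:
    """True if any n-character piece of the login name appears in the password."""
    low, name = pw.lower(), login.lower()
    return any(name[i:i + n] in low for i in range(len(name) - n + 1))


def _contains_word(pw: str, words) -> bool:
    """Check the raw password and its de-substituted form against the word list."""
    for form in (pw.lower(), pw.lower().translate(LOOKALIKES)):
        if any(w in form for w in words if len(w) >= 4):
            return True
    return False


def check_password(pw: str, login: str = "", words=DICTIONARY) -> list:
    """Return the list of guideline violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if sum(classes) < 3:
        problems.append("needs a mix of upper case, lower case, digits and symbols")
    if _has_run(pw, RUN_LENGTH):
        problems.append("contains a sequence or repeated characters")
    if login and _shares_substring(pw, login, LOGIN_SUBSTRING):
        problems.append("contains part of the login name")
    if _contains_word(pw, words):
        problems.append("contains a dictionary word (possibly with look-alike substitutions)")
    return problems


if __name__ == "__main__":
    for candidate in ("Password123!", "P@ssw0rd_Welc0me!", "Tq7#mXe2!rL9vBz"):
        print(candidate, "->", check_password(candidate, login="jsmith") or "OK")
```

The de-substitution step is the part most checkers skip: "P@ssw0rd_Welc0me!" satisfies length and character-class rules yet is rejected because mapping the look-alikes back yields two dictionary words.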
These authentication credentials are stored either in the security server database or on an LDAP or RADIUS server.
Understanding Certificates
A certificate is the digital equivalent of an ID card issued by a trusted third party known as a Certification Authority (CA). While there are well known external CAs such as VeriSign and Entrust, Endpoint Connect typically uses the digital certificates issued by the site's security gateway, which has its own Internal Certificate Authority (ICA). The digital certificate used by Endpoint Connect contains:
- Your name
- A serial number
- Expiration dates
- A copy of the certificate holder's public key (used for encrypting messages and digital signatures)
- The digital signature of the certificate-issuing authority, in this instance the ICA, so that the security gateway can verify that the certificate is real and (if real) still valid.
A certificate is a file in the PKCS#12 format with the .p12 extension.
Certificates are either supplied by your system administrator, or obtained through the enrollment and renewal process. See Certificate Enrollment and Renewal (on page 40). Certificates can either be imported to the CAPI store or saved to a folder of your choice.
3. Click Next, and enter the password for the private key. This is the key you obtained from your system administrator. If you:
Enable strong private key protection, you will be prompted to enter the password each time the private key is used by the client.
Mark this key exportable, the key can be backed up or transported at a later time.
4. Click Next, and either allow the file to be automatically stored or browse to a specific storage folder.
5. Click Finish to complete the certificate import wizard.
SecurID
The RSA SecurID authentication mechanism consists of either hardware (FOB, USB token) or software (softID) that generates an authentication code at fixed intervals (usually one minute) using a built-in clock and an encoded random key. The most typical form of SecurID Token is the hand-held device. The device is usually a key FOB or slim card. The token can have a PIN pad, onto which a user enters a Personal Identification Number (PIN) to generate a passcode. When the token has no PIN pad, a tokencode is displayed. A tokencode is the changing number displayed on the key FOB. The Endpoint Connect site wizard supports both methods as well as softID. For more information, see SoftID (on page 39). Endpoint Connect uses both the PIN and tokencode, or just the passcode, to authenticate to the security gateway.
SoftID
SoftID operates the same as a passcode device but consists only of software that sits on the desktop.
The Advanced view displays the tokencode and passcode with COPY buttons, allowing the user to cut and paste between softID and the VPN client.
Key Fobs
A small hardware device with built-in authentication mechanisms that control access to network services and information is known as a key fob. While a password can be stolen without the owner's knowledge, a missing key fob is immediately apparent. Key fobs provide the same two-factor authentication as other SecurID devices: the user has a personal identification number (PIN), which authenticates them as the device's owner; after the user correctly enters their PIN, the device displays a number which allows them to log on to the network. The SecurID SID700 Key Fob is a typical example of such a device. When the Endpoint Connect window opens for a user who has identified SecurID as the preferred method of authentication, a field for the PIN is displayed.
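The SecurID and key fob descriptions above (a clock-driven code derived from a secret, combined with a PIN into a passcode) can be modelled in a few lines. The block below is an added example, not Check Point or RSA code: RSA's real token algorithm and seed handling are proprietary, so this uses HMAC-SHA256 over a 60-second time step as a stand-in, and the seed, PIN and one-step drift window are constructed values. It shows the gateway-side checks that matter in practice: tolerating small clock drift, and refusing a tokencode that has already been accepted.

```python
"""Simplified model of a time-synchronous token (SecurID-style).

Added example, not Check Point or RSA code. HMAC-SHA256 over a 60-second
step stands in for the proprietary algorithm; seed and PIN are constructed.
"""
import hashlib
import hmac

TIME_STEP = 60   # seconds per tokencode: "usually one minute" in the text
DIGITS = 6       # length of the number shown on the fob (assumed)


def tokencode(seed: bytes, now: int, step: int = TIME_STEP) -> str:
    """Derive the code a token would display at unix time `now`.

    Only the seed and the clock go in, which is why a lost fob is a problem
    and why the gateway must hold the same seed."""
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(seed, counter, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class TokenVerifier:
    """Gateway side: knows each user's PIN and seed, tolerates `window` steps of
    clock drift in either direction, and never accepts a step twice (replay)."""

    def __init__(self, users: dict, window: int = 1):
        self.users = users          # user -> (pin, seed)
        self.window = window
        self.last_accepted = {}     # user -> time step of the last accepted code

    def verify(self, user: str, passcode: str, now: int) -> bool:
        """passcode = PIN followed by the tokencode (the PIN-pad form in the text)."""
        if user not in self.users:
            return False
        pin, seed = self.users[user]
        if not hmac.compare_digest(passcode[:len(pin)], pin):
            return False
        code = passcode[len(pin):]
        base = now // TIME_STEP
        for drift in range(-self.window, self.window + 1):
            step = base + drift
            if hmac.compare_digest(tokencode(seed, step * TIME_STEP), code):
                if step <= self.last_accepted.get(user, -1):
                    return False    # already used, or older than an accepted code
                self.last_accepted[user] = step
                return True
        return False


if __name__ == "__main__":
    seed, now = b"constructed-seed-0001", 1_700_000_000
    gw = TokenVerifier({"alice": ("1234", seed)})
    code = tokencode(seed, now)
    print("fob shows", code)
    print("first use accepted:", gw.verify("alice", "1234" + code, now))
    print("replay accepted:", gw.verify("alice", "1234" + code, now))
```

Note that the drift window is applied to the code only: the PIN is compared in constant time and checked before any tokencode is derived, so a guessed PIN learns nothing from timing.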
Challenge Response
Challenge-response is an authentication protocol in which one party presents a question (the challenge) and another party provides an answer (the response). For authentication to take place, a valid answer must be provided to the question. Security systems that rely on smart cards are based on challenge-response.
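The exchange described above, as an added example that is not part of this guide or of Check Point's client: one party issues a fresh random challenge, the other answers with a keyed hash over the challenge, and the verifier checks the answer. It also illustrates the preboot dynamic-token flow in the Full Disk Encryption chapter (the user reads a challenge, the token produces a response). The shared secret `SHARED_SECRET`, the user names and the HMAC-SHA256 construction are assumptions of the example. The point a practitioner should take away is that the secret never crosses the wire and that a captured response cannot be replayed, because each challenge is accepted only once.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret: in a real deployment it is provisioned on the smart card
# or token and on the authentication server; the user never types it.
SHARED_SECRET = b"example-shared-secret-for-demo-only"


def compute_response(secret: bytes, user: str, challenge: bytes) -> bytes:
    """What the responding party computes: a keyed hash over identity and challenge.
    Only this answer is sent; it is useless for any other challenge."""
    return hmac.new(secret, user.encode() + b"|" + challenge, hashlib.sha256).digest()


class Verifier:
    """The party that presents the question (the challenge) and checks the answer."""

    def __init__(self, secrets_by_user: dict):
        self._secrets = secrets_by_user
        self._outstanding = {}   # user -> challenge issued and not yet answered

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)   # fresh, unpredictable, single use
        self._outstanding[user] = nonce
        return nonce

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        # pop() consumes the challenge: a second answer to the same one is a replay
        issued = self._outstanding.pop(user, None)
        if issued is None or not hmac.compare_digest(issued, challenge):
            return False
        secret = self._secrets.get(user)
        if secret is None:
            return False
        expected = compute_response(secret, user, challenge)
        return hmac.compare_digest(expected, response)


def run_exchange(verifier: Verifier, user: str, secret: bytes) -> bool:
    """Both sides of one exchange; returns the verifier's verdict."""
    c = verifier.challenge(user)            # 1. verifier -> responder: challenge
    r = compute_response(secret, user, c)   # 2. responder derives the answer with its secret
    return verifier.verify(user, c, r)      # 3. responder -> verifier: response
```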
Enrolling During Site Creation
To enroll for a certificate while creating a site:
1. Open the VPN panel and open VPN Settings.
2. On the Sites tab, click New. The Site wizard opens. Follow the wizard until you reach the Certificate Authentication window.
3. Select Check this if you don't have a certificate yet (only works with ICA certificates).
4. Click Next. When the Site Created Successfully message appears, click Finish.
5. When asked if you would like to create a certificate now, click Yes. The client's enrollment window opens, either for CAPI or PKCS#12.
6. Enter the required authentication details, such as the registration key, and click Enroll.
7. If you have a PKCS#12 certificate, the SAVE AS window opens. Save the certificate to an appropriate directory.
(i) You are asked if you want to connect. Click Yes.
(ii) When the main connection window opens, browse to the location of your PKCS#12 certificate.
8. CAPI certificates are automatically entered into the CAPI store.
(i) The RSA window opens.
(ii) Click OK. The certificate will be a protected item. Each time the client uses the certificate, you will be required to manually grant permission.
9. The Enrollment window opens. When prompted, add the certificate to the root store.
10. After the Enrollment succeeded message, the connection window opens with the certificate selected. Click Connect.
Enrolling After Site Creation
To enroll for a certificate after the site has been created:
1. Open the VPN panel and click VPN Settings.
2. On the Sites tab, select the site and click Properties. The Properties dialog opens.
3. On the Settings tab, under Authentication, select the relevant certificate option, CAPI or P12, and click Enroll.
4. Do one of the following:
If you selected P12, enter and confirm a password for your certificate.
If you selected CAPI, select the relevant certificate provider.
5. Enter your registration key and click Enroll.
6. Do one of the following:
If you selected a P12 certificate, enter a file name for the certificate and save it to an appropriate directory.
If you selected a CAPI certificate, the RSA window opens. Click OK, and confirm that you want to install the certificate.
7. In the Enrollment succeeded window, click Connect. The connection window opens with the certificate selected.
8. For P12 certificates, enter the password you chose for your certificate. Click Connect.
Certificate Renewal
A certificate can be renewed at any time.
To renew a certificate:
1. In the VPN window, click VPN Settings.
2. Select the site and click Properties.
3. Click Renew. The authentication window opens.
4. Using the drop-down box, select your certificate.
5. When prompted, grant access to the protected item (your certificate).
6. Wait while the certificate is renewed. A Renewal Succeeded message appears, followed by the connection window.
3. Enter your authentication credentials. If you are using a certificate, the last certificate is automatically selected.
4. Click Connect. The Connection Status window is displayed. During this time:
You are authenticated using your chosen method.
Network topology information is downloaded from the gateway to your local client.
Virtual network adapters are loaded.
Site information fields:
IP Address
Last time connected: Day, date, and time that you last connected to this site.
Last office mode IP Address: IP address of the VPN gateway office mode, if relevant.
VPN Tunneling
Authentication
2. Click Disconnect from VPN. A tooltip appears above the system tray informing you that the client is disconnected.
Staying Connected all the Time
To ensure that you remain connected to the active site:
1. Right-click the client icon in the system tray and select Settings.
2. In the VPN window, select VPN Settings. The Options window opens.
3. On the Sites tab, select the site to which you wish to remain connected, and click Properties. The Properties window for the site opens.
4. In the Always-Connect area of the window, select Enable Always-Connect.
Proxy Settings
From time to time you may need to change your proxy server settings.
The Proxy Settings window opens.
4. Configure your Proxy Definition and Proxy Authentication credentials according to the new settings:
No proxy/transparent proxy: No proxy is defined.
Detect proxy from Internet Explorer settings: This is the default setting. The client takes proxy settings from Microsoft Internet Explorer. Before selecting this setting, verify that the proxy settings are defined manually: in Microsoft Internet Explorer, open Tools > Internet Options > Connections tab > LAN Settings, then select Use a proxy server for this connection.
Manually define proxy: You may be required to configure the proxy settings manually. In Microsoft Internet Explorer, open Tools > Internet Options > Connections tab > LAN Settings, then select Use a proxy server for this connection. Your administrator can provide the IP address and port number.
5. In the Proxy Authentication section, provide the user name and password for proxy authentication.
Dial Up Support
Endpoint Connect supports dialup connections for a number of scenarios:
If no network is available when you try to connect to a site, and no dialup connection has been configured, the client displays a connection failed message: "Connection Failed. No network detected. Click here to activate dialup." Click the link to configure a dialup connection. The link opens the New Connection Wizard. Complete the wizard to configure a dialup connection.
If a single dialup connection is already defined, clicking the activate dialup link instructs the client to dial it. If more than one dialup connection is configured, select the connection to use from the displayed list.
If Transparent Network and Interface Roaming is enabled, and the client is in a state of "reconnecting", the option to configure a dialup connection is displayed.
Tunnel Idleness
If you see the message "VPN tunnel has disconnected. Tunnel inactivity timeout reached", no traffic has passed between you and the site for a period, set in minutes by your system administrator.
Your organization may have specific security requirements, such that an open VPN tunnel should be transporting work-related traffic to the site at all times. An idle or inactive tunnel should be shut down. A mail program such as OUTLOOK performing a send-receive operation every five minutes would be considered work-related, and the tunnel kept open.
Command reference (Command: Function)
The following functions appear without their command names:
Starts the Endpoint Connect service
Stops the Endpoint Connect service
Prints status information and lists current connections
Lists all connections or prints site name information
connect -s <sitename> [-u <username> -p <password> | -d <dn> | -f <p12> | -pin <PIN> -sn <serial>]: Connects using the given connection. The <sitename> parameter is optional. If no site is defined, the client connects to the active site. If no active site is defined, an error message appears. Optional credentials can be supplied.
Disconnects the current connection
Creates a new connection, and defines an authentication method. Valid authentication values are: username-password, certificate, p12-certificate, challenge-response, securIDKeyFob, securIDPinPad, SoftID.
Note - An administrator can specify a particular authentication method. If the wrong method is entered, you will be prompted to enter an alternative.
delete -s <site name>: Deletes the given connection
help / h: Shows how to use the command
list: Lists user Domain Names stored in the CAPI
ver: Prints the version
log: Prints log messages
enroll_p12 -s <sitename> -f <filename> -p <password> -r <registrationkey> [ -l <keylength> ]: Enroll a p12 certificate
renew_p12 -s <sitename> -f <filename> -p <password> [ -l <keylength> ]
enroll_capi -s <sitename> -r <registrationkey> [ -i <providerindex> -l <keylength> -sp <strongkeyprotection> ]: Enroll a capi certificate
renew_capi -s <sitename> -d <dn> [ -l <keylength> -sp <strongkeyprotection> ]: Renew a capi certificate
To enable logging:
1. Right-click the client icon in the system tray and select Settings.
2. In the VPN window, select VPN Settings. The Options window opens.
3. On the Advanced tab, select Enable logging. If no email address has been configured, the log files are gathered into a single compressed file which you can save.
4. Send the contents of the compressed file to your site administrator.
SAA Authentication
The administrator will provide the command line tool called changeVPN.exe.
1. Copy changeVPN.exe to a folder on your local machine.
2. Open a command prompt: Start > Run > cmd.
3. Change directory to the folder where you saved changeVPN.exe.
4. Run: ChangeVPN SC. Executing this command terminates existing VPN connections, and prevents additional connections until the client machine is rebooted.
5. Reboot the client machine.
Chapter 4
WebCheck
WebCheck provides comprehensive protection against various Internet threats for your computer and your corporate network. If your administrator has configured your Endpoint Security policy to include WebCheck, this feature is included in your Endpoint Security client.
In This Chapter
Understanding WebCheck (on page 49)
Suspicious Site Warnings (on page 49)
Understanding WebCheck
WebCheck adds a layer of protection against Web-based threats to the Endpoint Security Anti-malware and firewall functionality, which protect against PC-based threats.
WebCheck Protection
Your administrator determines which WebCheck settings are deployed to protect your computer against Web-based threats. The following list explains WebCheck features.
Trusted sites versus non-trusted sites: When you visit Web sites that your administrator deems trustworthy, "Check Point WebCheck - Trusted Site" appears in the browser's title bar. This means that WebCheck's features are inactive, because these Web sites do not pose the same risk as the Internet at large. If you visit a Web site that the administrator has not configured as a trusted site, all WebCheck protection features are active, and the text "Check Point WebCheck" is displayed in the browser's title bar.
Virtualization: WebCheck traps malware and other uninvited programs that are downloaded to your computer without your permission or knowledge in a virtual file system and blocks them so that they never reach your real computer hard disks.
Anti-phishing (signature): WebCheck tracks the most recently discovered phishing and spy sites. If you go to one of these sites, WebCheck interrupts your browsing with a warning so you can leave the site immediately.
Anti-phishing (heuristics): WebCheck also uses heuristics, which look for certain known characteristics of fraudulent sites, to detect phishing sites that were created even seconds before you encountered them.
In the WebCheck section of the Endpoint Security client main page, you can see if the feature is turned on or off. If it is on, a list of trusted domains is shown.
Risk: MEDIUM for entering data or downloading files from this site.
Recommendation: With WebCheck active, viewing the site should be safe, but do not enter any sensitive data or download files at this site. Click the Read more link in the warning dialog box to get security-related information about the site.
Risk: MEDIUM to HIGH for entering data or downloading files from this site.
Recommendations: The site may not be a phishing site, but we recommend you click Avoid this Site if any of the following are true:
Did you get to this site by clicking a link in an e-mail?
Does the address start with http instead of https? (Sites that ask for private data should be secured by extra encryption and authentication, indicated by https.)
Is there a misspelling in the site address, such as "yahooo" instead of "yahoo"?
Was the site created very recently?
Is the site hosted in a country you weren't expecting?
Heuristic detection has found some characteristics common to phishing, but the site is not officially reported as a phishing site at this time.
If you believe that the site is safe to access, you can click the Stay on Site button. If you do not want any more warning messages from this site, click the Click here link and you will not get a warning message the next time you access the site.
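The checklist above is exactly the kind of rule set a heuristic anti-phishing engine evaluates before it shows a warning. The following is an added example, not WebCheck's code: it scores a URL against the page's five questions (link from e-mail, http rather than https, a lookalike domain such as "yahooo" for "yahoo", a very new domain, unexpected hosting country). The brand list `KNOWN_BRANDS`, the 30-day "recently created" threshold and the edit-distance cutoff of 2 are assumptions of the example; the e-mail, domain-age and country inputs are supplied by the caller because a browser plug-in learns them from context, not from the URL.

```python
from urllib.parse import urlsplit

# Constructed brand list; a real product ships a much larger one and updates it.
KNOWN_BRANDS = {"yahoo", "paypal", "checkpoint"}
NEW_DOMAIN_DAYS = 30      # assumed threshold for "created very recently"
MAX_LOOKALIKE_EDITS = 2   # assumed: 1-2 character changes count as a misspelling


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot misspellings such as 'yahooo' for 'yahoo'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_brand(host: str):
    """Return the brand a host's second-level label imitates, or None.
    'www.yahoo.com' is the brand itself; 'www.yahooo.com' is one edit away."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]
    for brand in KNOWN_BRANDS:
        if sld != brand and 0 < edit_distance(sld, brand) <= MAX_LOOKALIKE_EDITS:
            return brand
    return None


def assess(url: str, from_email_link: bool = False, domain_age_days=None,
           expected_country=None, hosting_country=None) -> dict:
    """Apply the checklist from the warning text; any finding yields 'Avoid this Site'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if from_email_link:
        findings.append("reached by clicking a link in an e-mail")
    if parts.scheme != "https":
        findings.append("address starts with http instead of https")
    brand = lookalike_brand(host)
    if brand:
        findings.append(f"address looks like a misspelling of {brand}")
    if domain_age_days is not None and domain_age_days < NEW_DOMAIN_DAYS:
        findings.append("site created very recently")
    if expected_country and hosting_country and expected_country != hosting_country:
        findings.append(f"hosted in {hosting_country}, not {expected_country}")
    return {
        "host": host,
        "findings": findings,
        "recommendation": "Avoid this Site" if findings else "no heuristic indicators",
    }
```

Because the page says to avoid the site if any one of the questions is answered yes, the engine does not weight the findings; it simply reports all of them so the user can read why the warning appeared.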
Risk: VERY HIGH. If you are not very sure that this site is legitimate, you should leave this site immediately to protect your computer and network. Click Avoid this Site in the message to get out safely.
If you are sure that the site is safe to access, you can click the Stay on Site button. If you do not want any more warning messages from this site, click the Click here link and you will not get a warning message the next time you access the site.
Chapter 5
Firewall
Firewall Protection is your front line of defense against Internet threats. The client's default zones and security levels give you immediate protection against the vast majority of threats.
In This Chapter
Understanding Firewall Protection (on page 52)
Understanding Zones (on page 52)
Configuring New Network Connections (on page 53)
Integrating with Network Services (on page 54)
Choosing Security Levels (on page 54)
Setting Advanced Security Options (on page 55)
Blocking and Unblocking Ports (on page 58)
Configuring VPN Connection for Firewall (on page 60)
The answers to these questions determine whether the traffic is allowed or blocked.
Understanding Zones
Endpoint Security client keeps track of the good, the bad, and the unknown out on the Internet by using virtual containers, called Zones, to classify the computers and networks that connect to your computer.
The Internet Zone (on page 141) is the "unknown." All the computers and networks in the world belong to this Zone until you move them to one of the other Zones.
The Trusted Zone (on page 144) is the "good." It contains all the computers and networks you trust and want to share resources with, for example, the other machines on your local or home network.
The Blocked Zone (on page 139) is the "bad." It contains computers and networks you distrust.
When another computer wants to communicate with your computer, the client looks at the Zone it is in to help decide what to do.
By granting access or server permission for the Trusted Zone, you enable a program to communicate only with the computers and networks you have put in that Zone. This is a highly secure strategy. Even if a program is tampered with, or given permission accidentally, it can only communicate with a limited number of networks or computers. By granting access or server permission for the Internet Zone, however, you enable a program to communicate with any computer or network, anywhere.
Placing a network in the Internet Zone prevents you from sharing resources with other computers on that network and protects you from the security risks associated with resource sharing. Unknown networks should go in the Internet Zone. When your computer connects to a new network, an alert appears, displaying the IP address of the detected network and is usually placed in the Internet Zone by default. To enable your computer to connect to the Internet through a proxy server, add the proxy to your Trusted Zone. See Adding to the Trusted Zone.
To configure the client for mail servers with collaboration and synchronization:
1. Add the network subnet or IP address of the mail server to your Trusted Zone.
2. Set the Trusted Zone security level to Medium. This allows server collaboration features to work.
3. Set the Internet Zone security level to High. This makes your computer invisible to non-trusted machines.
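How the Zone model and the security levels combine into a decision, written out as an added example (not the client's own engine): a peer address is classified into the Blocked, Trusted or Internet Zone by network membership, the Zone's level decides whether Windows services and shares are reachable (hidden at High, reachable at Medium), a program's server permission is scoped to the Zone it was granted for, and the three-step mail-server setup above is reproduced as `mail_server_setup`. The sample networks (192.168.1.0/24, 203.0.113.0/24), the port set `WINDOWS_SERVICE_PORTS` and the rule that Blocked wins when an address is listed in more than one Zone are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, field

TRUSTED, INTERNET, BLOCKED = "Trusted", "Internet", "Blocked"
HIGH, MEDIUM, LOW = "High", "Medium", "Low"

# Windows (NetBIOS/SMB) services and file and printer shares: hidden at High,
# reachable at Medium and Low. Port set is an assumption of this example.
WINDOWS_SERVICE_PORTS = {137, 138, 139, 445}


@dataclass
class ZonePolicy:
    trusted: list = field(default_factory=list)   # networks you placed in the Trusted Zone
    blocked: list = field(default_factory=list)   # networks you placed in the Blocked Zone
    # the defaults the page states: Trusted at Medium, Internet at High
    levels: dict = field(default_factory=lambda: {TRUSTED: MEDIUM, INTERNET: HIGH})
    # server permission granted to a program: listening port -> Zones it may accept from
    server_permissions: dict = field(default_factory=dict)

    def zone_of(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        # assumption: an address listed in both Blocked and Trusted is treated as Blocked
        if any(addr in ipaddress.ip_network(n) for n in self.blocked):
            return BLOCKED
        if any(addr in ipaddress.ip_network(n) for n in self.trusted):
            return TRUSTED
        return INTERNET   # everything not moved elsewhere is the "unknown"

    def incoming(self, src_ip: str, dst_port: int) -> tuple:
        """Decide an inbound connection attempt; returns (verdict, reason)."""
        zone = self.zone_of(src_ip)
        if zone == BLOCKED:
            return "block", f"{src_ip} is in the Blocked Zone"
        # a program with server permission for this Zone accepts regardless of level,
        # but that permission does not extend to any other Zone
        if zone in self.server_permissions.get(dst_port, set()):
            return "allow", f"program on port {dst_port} has server permission for the {zone} Zone"
        level = self.levels[zone]
        if level == HIGH:
            return "block", f"{zone} Zone at High: stealth mode, port {dst_port} not answered"
        if dst_port in WINDOWS_SERVICE_PORTS:
            return "allow", f"{zone} Zone at {level}: Windows services and shares reachable"
        return "block", f"{zone} Zone at {level}: no program permitted on port {dst_port}"


def mail_server_setup(mail_subnet: str) -> ZonePolicy:
    """The three-step procedure above: mail server network in Trusted, Trusted at
    Medium (collaboration works), Internet at High (invisible to everyone else)."""
    return ZonePolicy(trusted=[mail_subnet], levels={TRUSTED: MEDIUM, INTERNET: HIGH})
```

Note the asymmetry the page points out: a server permission limited to the Trusted Zone lets the program talk only to the handful of networks you put there, while the same permission for the Internet Zone opens it to every address on the Internet.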
resources with trusted computers on your local network. In most cases, you do not have to make any adjustment to these defaults. You are protected as soon as Endpoint Security client is installed. To set the security level for a Zone, open Firewall Main and drag the sliders to the setting you want.
Table 5-10 Internet Zone Security
HIGH: This is the default setting. Your computer is in stealth mode, making it invisible to other computers. Access to Windows NetBIOS (Network Basic Input/Output System) (see "NetBIOS" on page 142) services, file and printer shares is blocked. Ports are blocked unless you have provided permission for a program to use them.
MED: Your computer is visible to other computers. Access to Windows services, file and printer shares is allowed. Program permissions are still enforced.
LOW: Your computer is visible to other computers. Access to Windows services, file and printer shares is allowed. Program permissions are still enforced.
Trusted Zone Security
HIGH: Your computer is in stealth mode, making it invisible to other computers. Access to Windows (NetBIOS) services, file and printer shares is blocked. Ports are blocked unless you have provided permission for a program to use them.
MED: This is the default setting. Your computer is visible to other computers. Access to Windows services, file and printer shares is allowed. Program permissions are still enforced.
LOW: Your computer is visible to other computers. Access to Windows services, file and printer shares is allowed. Program permissions are still enforced.
Table 5-12 General Settings Options (Field: Description)
Block all fragments: Blocks all incomplete (fragmented) IP data packets. Hackers sometimes create fragmented packets to bypass or disrupt network devices that read packet headers. Caution: If you select this option, the client will silently block all fragmented packets without alerting you or creating a log entry. Do not select this option unless you are aware of how your online connection handles fragmented packets.
Block trusted servers: Prevents all programs on your computer from acting as servers to the Trusted Zone. Note that this setting overrides permissions granted in the Programs panel.
Prevents all programs on your computer from acting as servers to the Internet Zone. Note that this setting overrides permissions granted in the Programs panel.
Blocks all incoming ARP requests except broadcast requests for the address of the target machine. Also blocks all incoming ARP replies except those in response to outgoing ARP requests.
Filters FireWire traffic. You must restart your computer if you select this option.
Allows the use of VPN protocols (ESP, AH, GRE, SKIP) even when High security is applied. With this option disabled, these protocols are allowed only at Medium security.
Allow uncommon protocols at high security: Allows the use of protocols other than ESP, AH, GRE, and SKIP at High security.
Lock hosts file: Prevents your computer's hosts file from being modified by hackers through spyware or Trojan horses. Note that some legitimate programs need to modify the hosts file to function.
Detects and disables Windows Firewall.
New network settings:
Automatically moves new networks into the Trusted Zone. This setting provides the least security.
Automatically blocks new networks from being added to the Trusted Zone and places them in the Internet Zone. This setting provides the most security.
The client displays a New Network alert or the Network Configuration Wizard, which gives you the opportunity to specify the Zone.
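The ARP protection row in Table 5-12 states two precise rules: an incoming ARP request passes only if it is a broadcast asking for this machine's own address, and an incoming ARP reply passes only if it answers a request this machine sent. The following is an added example, not the client's implementation, of that stateful filter over constructed frames; the `pending_ttl` wait of two seconds, the sample addresses and the frame fields are assumptions of the example. Unsolicited replies are what ARP cache poisoning relies on, so the filter is a useful thing to see working, including the edge cases of a late reply and a second (replayed) reply to a single request.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpFrame:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    dst_mac: str     # Ethernet destination address of the frame


class ArpProtection:
    """Stateful filter implementing the two ARP rules from Table 5-12."""

    def __init__(self, my_ip: str, pending_ttl: float = 2.0):
        self.my_ip = my_ip
        self.pending_ttl = pending_ttl   # how long an answer is awaited (assumed value)
        self.pending = {}                # target IP we asked about -> expiry time

    def outgoing(self, frame: ArpFrame, now: float) -> None:
        """Record our own requests so that the matching reply can be recognised."""
        if frame.op == "request":
            self.pending[frame.target_ip] = now + self.pending_ttl

    def incoming(self, frame: ArpFrame, now: float) -> tuple:
        """Returns (accepted, reason) for a frame arriving from the network."""
        if frame.op == "request":
            # rule 1: only broadcast requests for our own address get through
            if frame.dst_mac == BROADCAST and frame.target_ip == self.my_ip:
                return True, "broadcast request for our address"
            return False, "request is not a broadcast for our address"
        # rule 2: a reply is accepted only if it answers a request we sent,
        # and only once: pop() removes the entry so a duplicate reply is refused
        expiry = self.pending.pop(frame.sender_ip, None)
        if expiry is not None and now <= expiry:
            return True, "reply answers our outstanding request"
        return False, "unsolicited or late reply (the pattern used for ARP cache poisoning)"
```

Without such a filter any host on the segment can push a gratuitous reply into the ARP cache; with it, the cache only changes in response to a question this machine actually asked.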
Table 5-14 Default Access Permissions for Traffic Types (columns: HIGH, MED, LOW security level)
Traffic types listed: DNS outgoing; DHCP outgoing; broadcast/multicast; ICMP incoming (ping echo), incoming (other), outgoing (ping echo), outgoing (other); IGMP incoming, outgoing; NetBIOS incoming, outgoing; UDP (ports not in use by a permitted program) incoming, outgoing; TCP (ports not in use by a permitted program) incoming, outgoing.
Cell values as extracted, in an order that no longer maps to rows and columns: block block allow allow allow allow block block block block allow allow allow allow allow allow allow allow block block allow n/a n/a allow allow allow allow; NetBIOS: n/a n/a block allow allow allow; UDP: block block allow allow allow allow; TCP: block block allow allow allow allow.
Chapter 6
Program Control
Program control protects you by making sure that only programs you trust can access the Internet. You can use the Program alerts to configure program permissions as they are needed, or use the Programs tab to establish permissions ahead of time. Advanced users can also control the ports that each program is permitted to use.
In This Chapter
Understanding Program Control (on page 62)
Setting Program Control Options (on page 63)
Configuring Program Access (on page 64)
Setting Specific Permissions (on page 65)
Managing Program Components (on page 68)
Using Programs with the Client (on page 69)
Program Authentication
Whenever a program on your computer attempts to access the network, Endpoint Security client authenticates it with its Smart Checksum. If the program has been altered since the last time it accessed the Internet, the client displays a Changed Program alert. You decide whether the program should be allowed access or not. For added security, the client also authenticates the components, for example, DLL (on page 140) files, associated with the program's main executable file. If a component has been altered since the last time permission was granted, the client displays a Program Component alert, similar in appearance to the Changed Program alert.
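The authentication step described above is a content checksum of the main executable plus each component, compared against what was approved the last time the user said Yes. The following is an added example, not the client's Smart Checksum code: `ChecksumAuthenticator` raises the three alert types the text names (New Program, Changed Program, Program Component), and `PathOnlyAuthenticator` shows the weaker path-only mode that the Programs tab later in this chapter marks as a Low security setting. The file names, the sample contents and the use of a temporary directory are constructed; MD5 is used because the text refers to an MD5 signature, and `algo` can be set to "sha256" for a modern digest.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path, algo: str = "md5") -> str:
    """Checksum of a file's contents (the page calls this the MD5 signature).
    Read in chunks so a large executable does not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class ChecksumAuthenticator:
    """Authenticates a program and its components by content, as the text describes."""

    def __init__(self, algo: str = "md5"):
        self.algo = algo
        self.granted = {}   # exe path -> {"exe": digest, "components": {dll path: digest}}

    def grant(self, exe: Path, components: list) -> None:
        """Called when the user answers Yes to a Program alert: remember what was approved."""
        self.granted[str(exe)] = {
            "exe": file_digest(exe, self.algo),
            "components": {str(c): file_digest(c, self.algo) for c in components},
        }

    def check(self, exe: Path, components: list) -> str:
        rec = self.granted.get(str(exe))
        if rec is None:
            return "New Program alert"
        if file_digest(exe, self.algo) != rec["exe"]:
            return "Changed Program alert"        # main executable altered since last access
        for c in components:
            if rec["components"].get(str(c)) != file_digest(c, self.algo):
                return "Program Component alert"  # a DLL altered, or never approved
        return "allowed"


class PathOnlyAuthenticator:
    """The Low security mode: only the file path is checked, never the contents,
    so a replaced binary at the same path is accepted silently."""

    def __init__(self):
        self.granted = set()

    def grant(self, exe: Path, components: list) -> None:
        self.granted.add(str(exe))

    def check(self, exe: Path, components: list) -> str:
        return "allowed" if str(exe) in self.granted else "New Program alert"


def demo() -> dict:
    """Constructed scenario: an approved program whose DLL, then main binary, is replaced.
    Returns {mode: (unchanged, after_component_change, after_program_change)}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        exe, dll = Path(d) / "mailer.exe", Path(d) / "mapi.dll"
        for name, auth in (("checksum", ChecksumAuthenticator()),
                           ("path_only", PathOnlyAuthenticator())):
            exe.write_bytes(b"original program bytes")
            dll.write_bytes(b"original component bytes")
            auth.grant(exe, [dll])
            unchanged = auth.check(exe, [dll])
            dll.write_bytes(b"tampered component bytes")   # same path, new content
            component_changed = auth.check(exe, [dll])
            exe.write_bytes(b"tampered program bytes")
            program_changed = auth.check(exe, [dll])
            results[name] = (unchanged, component_changed, program_changed)
    return results
```

The contrast in `demo()` is the point: the checksum mode surfaces both tampering events as alerts, while the path-only mode keeps answering "allowed" after every replacement.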
HIGH: Advanced program and component control and Application Interaction Control are enabled. You may see a large number of alerts. Programs and components are authenticated. Program permissions are enforced and Application Interaction Control is enabled.
MED: Advanced program control and Application Interaction Control are disabled. Fewer alerts are displayed. Component learning mode is active. Programs are authenticated; components are learned. Program permissions are enforced. Note: After you have used each of your programs that need Internet access, change your Program Control setting to High.
LOW: Advanced program control is disabled. Program and Component Learning Mode is active. No program alerts are displayed.
OFF: Program control is disabled. No programs or components are authenticated or learned. No program permissions are enforced. All programs are allowed access/server rights. No program alerts are displayed.
When the lock engages, only traffic initiated by programs to which you have given Pass-lock permission is allowed. All other traffic to and from your computer is stopped, including DHCP messages or ISP heartbeats used to maintain your Internet connection. As a result, you may lose your Internet connection. You can set the Internet lock to engage:
When your screen saver engages, or
After a specified number of minutes of network inactivity.
Always allow access: Allows all new programs access to the specified Zone.
Always deny access: Denies programs access to the specified Zone.
Always ask for permission: Displays an alert asking for permission for the program to access the specified Zone.
Note - Settings for individual programs can be established in the Programs tab. Settings in this panel apply ONLY to programs not yet listed in the Programs tab.
3. In the Server Attempts area, specify your preferences for each Zone.
Table 6-18 Server Attempts
Always accept the connection
Always deny the connection
Always ask before connecting: Displays an alert asking for permission for the program to act as a server.
Displays a Blocked Program alert when the client denies access to a program. To have access denied silently, clear this option.
Deny access if permission is set to "ask" and the TrueVector service is running but the client is not: Protects the client application from the rare event of an independent process (such as a Trojan horse) shutting down the client but leaving the TrueVector service running.
Require password to allow a program temporary Internet access: Prompts you to enter a password to grant access permission. Requires that you be logged in to respond Yes to a Program alert. To allow access without a password, clear this option.
Changes Frequency
The client uses only file path information to authenticate the program. The MD5 signature will not be checked. Caution: This is a Low security setting.
Options: Opens the Program Options dialog box, in which you can customize security options and create expert rules for programs.
Properties: Opens your operating system's properties dialog box for the program.
Remove: Deletes the program from the list.
This program may use other programs to access the Internet: Allows the selected program to use other programs to access the Internet.
Allow Application Interaction: Allows the selected program to use the OpenProcess and CreateProcess functions on your computer.
Using Browsers
For your browser to work properly, it must have access permission for the Internet Zone and Trusted Zone. Before granting permission, make sure that you understand how to configure your browser's security for optimal protection and have the latest service packs installed for the browser you are using.
Using Chat
Chat and instant messaging programs (for example, AOL Instant Messenger) may require server permission to operate properly. To grant server permission to your chat program: Answer Yes to the Server Program alert. Grant server permission to the program. See Granting Server Permission to Programs (on page 67). Important - It is strongly recommended that you set chat software to refuse file transfers without prompting first.
Using E-mail
For your e-mail program to send and receive mail, it must have access permission for the Zone the mail server is in. In addition, some e-mail client software may have more than one component requiring server permission. For example, Microsoft Outlook requires that both the base application (OUTLOOK.EXE) and the Messaging Subsystem Spooler (MAPISP32.exe) have server permission.
Using FTP
To use FTP (File Transfer Protocol) programs, you may need to adjust your FTP client program settings.
Using Games
To play games over the Internet while using the client, you may have to adjust the program permissions and security levels.
Using VNC
To enable VNC and Endpoint Security to work together:
1. On both the server and viewer (client) machine, do one of the following:
If you know the IP address or subnet of the viewer (client) you will be using for remote access, and it will always be the same, add that IP or subnet to the Trusted Zone. See Adding to the Trusted Zone.
If you do not know the IP address of the viewer, or it will change, give the program access permission and server permission for the Trusted and Internet Zones. See Setting Specific Permissions (on page 65). When prompted by VNCviewer on the viewer machine, provide the name or IP address of the server machine, followed by the password. You should be able to connect.
2. On the viewer (client) machine, run VNCviewer to connect to the server machine. Do not run in "listen mode."
Important - If you enable VNC access by giving it server permission and access permission, be sure to set and use your VNC password to maintain security. It is recommended to add the server and viewer IP addresses to the Trusted Zone, rather than giving the application Internet Zone permission.
Chapter 7
Full Disk Encryption
Full Disk Encryption is a policy-based, enterprise security software solution. Full Disk Encryption combines boot protection, preboot authentication and strong encryption to ensure that only authorized users are granted access to information stored on desktop and laptop PCs. Full Disk Encryption is deployed and administered across the network. As encryption is both automatic and transparent, security is enforced without requiring special efforts from users.
In This Chapter
Authenticating to Full Disk Encryption (on page 72)
Ensuring That Your Computer Has Not Been Tampered With (on page 72)
Authenticating for the First Time (on page 72)
Optional Full Disk Encryption Features (on page 75)
Using the Full Disk Encryption Panel (on page 78)
temporary user account name and password. Your administrator will inform you of your user account name and of requirements for the password. Instead of a temporary user account, your administrator may have configured your personal user account and a password, or configured a dynamic token or smart card for your authentication. The administrator will inform you how you are to authenticate yourself the first time.
Note - If you did not personally start the computer, press CTRL+ALT+DEL to ensure that your computer has not been tampered with. Your computer restarts and Full Disk Encryption re-displays the User Account Identification dialog box.
2. In the User account name field, provide the username you received from your administrator and press TAB. Full Disk Encryption recognizes that you will be using a dynamic token to authenticate yourself and displays the User Account Identification dialog box.
3. In the dynamic token, provide the Full Disk Encryption challenge to generate a response.
4. Provide the response in the Response field and click OK. Full Disk Encryption confirms that you have successfully accessed the computer for the first time using your Full Disk Encryption credentials.
5. Click Continue to close the dialog box. Full Disk Encryption now allows Windows to start.
Important - Do NOT choose the Personal Store certificate; if you do, you will not be able to authenticate yourself after restarting the computer. Full Disk Encryption confirms that your user certificate has been updated.
8. Click OK.
9. Restart the computer when prompted to do so. After restarting, the Token Authentication dialog box opens.
10. Enter your PIN. The PIN is obscured with asterisks (*) when entered.
11. Click OK.
Note - Regardless of the keyboard layout used, we recommend that you use smart card PINs that are comprised only of ASCII characters: !"#$%&'()*+,-./ 0123456789:;<=>?@ ABCDEFGHIJKLMNOPQRSTUVWXYZ [\]^_`abcdefghijklmnopqrstuvwxyz{|}~ The space character is also an ASCII character.
Full Disk Encryption communicates with the smart card and performs authentication.
12. Click OK.
Synchronizing Passwords
Using Full Disk Encryption's password synchronization, you can synchronize Windows and Full Disk Encryption passwords with each other, assuming that your administrator has enabled password synchronization for your user account. Depending on the settings configured by your administrator, your passwords may be synchronized in one or both of the following ways:
Using the Windows password when authenticating to Full Disk Encryption: If this synchronization option has been configured for you, the Windows password is also used for Full Disk Encryption preboot authentication. Once synchronized, changing the Windows password will automatically change the Full Disk Encryption password to the new Windows password. (This setting is called Synchronize Windows Password to Preboot in the administrator's application.)
Using the Full Disk Encryption password when logging on to Windows: If this synchronization option has been configured for you, the password used for Full Disk Encryption preboot authentication is also used for Windows authentication. Once synchronized, changing the Full Disk Encryption password will automatically change the Windows password to the new Full Disk Encryption password. (This setting is called Synchronize Preboot Password to Windows in the administrator's application.)
You will be prompted to provide your Full Disk Encryption password, and it will be synchronized with the Windows password. When the passwords have been synchronized, changing the Windows password will automatically change the Full Disk Encryption password to the new Windows password.
To synchronize the Full Disk Encryption password with the Windows password:
1. When you have either changed your Windows password or logged on to Windows for the first time after the policy change, the Password Synchronization dialog box opens.
2. Provide your Full Disk Encryption password and click OK. Full Disk Encryption confirms that your password was changed. From now on, use your Windows password when authenticating yourself to Full Disk Encryption.
When the passwords have been synchronized, changing the Full Disk Encryption password will automatically change the Windows password to the new Full Disk Encryption password.
If the system detects any indications of these issues, WIL may be disabled automatically. The computer then restarts, and you must authenticate yourself to Full Disk Encryption before the operating system is loaded.
MI mode
Explanation
Date and time of the most recent change to a Local setting; also contains the group and the user account name of the user who made the change.
Date and time when the most recent update profile was downloaded and the path, including the profile name, from which it was downloaded.
Date when the license expires. The expiration date is only used for evaluation versions of the product.
State of the Full Disk Encryption license.
License activation
Encryption Information
The following Encryption information relevant to each volume is displayed:
Status Field     Explanation
Encrypting nn%   Displays the progress of encryption and the percentage of encryption completed.
Encrypted        States that the volume is fully encrypted.
Decrypting nn%   Displays the progress of decryption as the percentage of decryption completed.
Unencrypted      States that the volume is unencrypted.
Error            An error has occurred during encryption or decryption.
Note - If a disk is neither encrypted nor boot-protected, it is not listed in the encryption information box.
To change credentials:
1. Open Full Disk Encryption > Other.
2. Click Change. The Full Disk Encryption Authentication dialog box opens.
3. Authenticate in the Full Disk Encryption authentication dialog box. If you use a smart card for authentication, select Use inserted smart card. If you need to use Remote Help to authenticate, contact your Remote Help administrator, who will guide you through the Remote Help procedure. After successful authentication, the Change Credentials dialog box opens. The Change Credentials dialog box displays the logon methods that are available to you. The available methods can be:
Fixed Password: Provide and confirm a new password if you authenticate with a fixed password. If the Hide typing checkbox is selected, the characters you enter are disguised as asterisks (*); otherwise the actual characters entered are displayed. The dialog box provides guidance on the validity of the password you enter.
Dynamic token: Provide the required information.
Smart card: Provide the required information.
4. Select the available Logon method to which you want to change.
5. Click OK.
Languages Supported
The following languages are supported in Full Disk Encryption:
Brazilian Portuguese
Canada French
Chinese (Simplified)
Chinese (Taiwan)
Czech
English
French
German
Hungarian
Italian
Japanese
Korean
Polish
Portuguese
Russian
Spanish
Thai
These languages are available in:
Client preboot interface
Client system tray
Client single sign-on dialog (if single sign-on is active on that client)
Client OneCheck Logon dialog (if it is active on that client)
Fallback Languages
If the operating system language is a non-supported variant of one of the supported languages, for example, French (Canada) or Chinese (Singapore), the language variant that will be used is the fallback language listed in the following table:
ID      Selected Language                 Fallback Language         ID
0x0C04  Chinese (Hong Kong S.A.R.)        Chinese (Traditional)     0x7C04
0x1404  Chinese (Macau S.A.R.)            Chinese (Traditional)     0x7C04
0x0804  Chinese (PRC)                     Chinese (Simplified)      0x0004
0x0004  Chinese (Simplified)              Chinese (Simplified)      0x0004
0x1004  Chinese (Singapore)               Chinese (Simplified)      0x0004
0x0404  Chinese (Taiwan)                  Chinese (Traditional)     0x7C04
0x7C04  Chinese (Traditional)             Chinese (Traditional)     0x7C04
0x0009  English                           English (United States)   0x0409
0x0C09  English (Australia)               English (United States)   0x0409
0x2809  English (Belize)                  English (United States)   0x0409
0x1009  English (Canada)                  English (United States)   0x0409
0x2409  English (Caribbean)               English (United States)   0x0409
0x1809  English (Ireland)                 English (United States)   0x0409
0x2009  English (Jamaica)                 English (United States)   0x0409
0x1409  English (New Zealand)             English (United States)   0x0409
0x3409  English (Philippines)             English (United States)   0x0409
0x1C09  English (South Africa)            English (United States)   0x0409
0x2C09  English (Trinidad and Tobago)     English (United States)   0x0409
0x0809  English (United Kingdom)          English (United Kingdom)  0x0809
0x0409  English (United States)           English (United States)   0x0409
0x3009  English (Zimbabwe)                English (United States)   0x0409
0x000C  French                            French (France)           0x040C
0x080C  French (Belgium)                  French (France)           0x040C
0x0C0C  French (Canada)                   French (France)           0x040C
0x040C  French (France)                   French (France)           0x040C
0x140C  French (Luxembourg)               French (France)           0x040C
0x180C  French (Principality of Monaco)   French (France)           0x040C
0x100C  French (Switzerland)              French (France)           0x040C
0x0007  German                            German (Germany)          0x0407
0x0C07  German (Austria)                  German (Germany)          0x0407
0x0407  German (Germany)                  German (Germany)          0x0407
0x1407  German (Liechtenstein)            German (Germany)          0x0407
0x1007  German (Luxembourg)               German (Germany)          0x0407
0x0807  German (Switzerland)              German (Germany)          0x0407
0x0010  Italian                           Italian (Italy)           0x0410
0x0410  Italian (Italy)                   Italian (Italy)           0x0410
0x0810  Italian (Switzerland)             Italian (Italy)           0x0410
0x0011  Japanese                          Japanese (Japan)          0x0411
0x0411  Japanese (Japan)                  Japanese (Japan)          0x0411
0x0019  Russian                           Russian (Russia)          0x0419
0x0419  Russian (Russia)                  Russian (Russia)          0x0419
0x000A  Spanish                           Spanish (Spain)           0x0C0A
0x2C0A  Spanish (Argentina)               Spanish (Spain)           0x0C0A
0x400A  Spanish (Bolivia)                 Spanish (Spain)           0x0C0A
0x340A  Spanish (Chile)                   Spanish (Spain)           0x0C0A
0x240A  Spanish (Colombia)                Spanish (Spain)           0x0C0A
0x140A  Spanish (Costa Rica)              Spanish (Spain)           0x0C0A
0x1C0A  Spanish (Dominican Republic)      Spanish (Spain)           0x0C0A
0x300A  Spanish (Ecuador)                 Spanish (Spain)           0x0C0A
0x440A  Spanish (El Salvador)             Spanish (Spain)           0x0C0A
0x100A  Spanish (Guatemala)               Spanish (Spain)           0x0C0A
0x480A  Spanish (Honduras)                Spanish (Spain)           0x0C0A
0x080A  Spanish (Mexico)                  Spanish (Spain)           0x0C0A
0x4C0A  Spanish (Nicaragua)               Spanish (Spain)           0x0C0A
0x180A  Spanish (Panama)                  Spanish (Spain)           0x0C0A
0x3C0A  Spanish (Paraguay)                Spanish (Spain)           0x0C0A
0x280A  Spanish (Peru)                    Spanish (Spain)           0x0C0A
0x500A  Spanish (Puerto Rico)             Spanish (Spain)           0x0C0A
0x0C0A  Spanish (Spain)                   Spanish (Spain)           0x0C0A
0x380A  Spanish (Uruguay)                 Spanish (Spain)           0x0C0A
0x200A  Spanish (Venezuela)               Spanish (Spain)           0x0C0A
Chapter 8
Media Encryption
Check Point Media Encryption is a unique solution that provides a policy-driven mechanism for securing enterprise information and ensures data integrity. The product includes the following features, which have been defined by your system administrator.
Media Encryption is an integral component of the Check Point Endpoint Security Client. The Endpoint Security Client combines firewall, network access control, program control, anti-malware, data security, and remote access protections in a unified application with a common user interface.
In This Chapter
Features 84
Using the EPM Client 86
Using the Removable Media Manager 90
Using the Device Manager 91
Using the Program Security Guard 91
Maintenance Section 91
Features
To view or edit Media Encryption settings:
1. Right-click the system tray icon and select Settings. The Check Point Endpoint Security client opens.
2. Click Media Encryption in the panel list. The Media Encryption Main panel opens. Features that have been disabled by your system administrator appear in gray.
All removable media (except CD/DVDs and NTFS formatted external hard disks) must be authorized before access is permitted. The process of authorizing removable media involves storing a digital signature on the media itself. This signature must be present in order to access removable media from a protected endpoint computer. Your system administrator has controlled authorization by defining Removable Media Manager rules in a Media Encryption policy installed on your computer. Rules define access rights for each type of removable media including prerequisites such as virus scanning and data authorization. The digital signature is automatically updated when you move data to and from the device when you are within the protected environment. If changes to the media are permitted outside of the organization, the device must be re-authorized, that is, you have to enter a password and Media Encryption has to re-authorize the device before it can be used within the protected environment again. Media Encryption ensures that all your devices are virus-free and prevents unauthorized encryption and decryption of data. Depending on the configuration, Media Encryption may prevent you from gaining access to unauthorized hot-swap and plug-and-play devices.
Device Manager
The Media Encryption Device Manager controls your access to devices connected to various ports on your computer. Your system administrator may have set up rules for the following ports: IrDA, COM, USB, Firewire, and LPT. These rules specify whether you have Read Only, Read/Write, and/or Execute permissions to removable media connected to a port on your computer, such as: CD/DVD drives, PDAs, Blackberries, Bluetooth devices and external hard disks. The Device Manager may also prevent you from connecting unauthorized devices to your computer ports at all.
Cached Passwords
Normally, when your computer is connected to the company network, you can access data on removable media automatically (that is, without having to enter a password). If you try to access the same data when offline from the company network or on a computer which does not have Media Encryption installed, you may be asked to enter a password. If the cached passwords feature is enabled by your system administrator, you can let Media Encryption save the password when entering a password for the first time. The next time you access the device, you can choose to use the saved password instead of entering the password again.
When inserting an encrypted device into your computer, the Access Control dialog opens.
To save a password: Select the Enter a Password and Cache Password options, then enter a password matching the password policy set up for your organization and click OK.
To use an already saved password: Select the Use cached Password option and click OK. You can see the text 'Full Access' or 'Read Only Access' in brackets after Use cached Password. This tells you whether the saved password will give you full access or read-only access to the encrypted media.
To change an already saved password: Select the Enter password and Cache Password options, then enter the old password and click OK. A new dialog displays where you can set a new password.
Grayed out options
Some of the options in the Password dialog may be grayed out for the following reasons:
Grayed out: Both 'Use cached password' and 'Cache password'
Reason: The cached passwords feature has not been enabled by your system administrator, or this is the first time the media is accessed and no password has been set before.
Grayed out: 'Use cached password'
Reason: There is no saved password in the cache. The password might not have been saved before, or the password has just been changed. During a change of password, the old password is erased from the cache and the new one has not yet been saved.
Grayed out: 'Cache password'
Reason: You need to change your password. The Cache password checkbox is grayed out since there is no need to save the old password.
Encrypting Media
The policy in your organization may be configured to allow access only to encrypted media. In that case, an encryption process will start as soon as you insert a non-encrypted media into your Media Encryption-protected computer. You can also start an encryption process manually. In both cases you are guided through the encryption process by a wizard. The process creates an encrypted storage area on the device; this process is called import. You can define, in percentage, how much of the device you want to encrypt. If you, for example, set this to 50%, Media Encryption creates an encrypted container that is half the size of the total disk space. When you import and encrypt files, the files are always placed in this container.
Note - If you define an area that is smaller than the data you want to put there, the encryption will fail.
To encrypt a media:
1. Start the wizard by inserting a removable media device or CD/DVD into your computer, or click Import Media into EPM Control in the EPM Client window if the wizard does not start automatically. Click Next.
Important - It is not advisable to encrypt removable media that may be used in external non-computer devices such as digital cameras, iPods, MP3 players, etc. In such cases, a message appears and the media is granted read-only access. If the encryption process has started, let it finish and then decrypt the media by clicking Export Media from EPM Control.
2. In the Media Properties window, enter a percentage of the media to encrypt. Click Next.
Note - For CDs or DVDs, it is not possible to encrypt only a part of the disk, so this setting is grayed out.
3. In the Media Owner Information window, define the owner of the media device by selecting one of the following options:
Media owner will be assigned on first use: The first user to insert the media into an endpoint computer will automatically become the owner.
Assign media to a user: Assign ownership to the user performing the encryption (that is, yourself) or click Browse to select a user from the active domain.
Note - When encrypting CDs/DVDs, only the Assign media to a user option is available.
4. Click Next.
5. In the Password Protection window, enter and confirm an access password. Passwords must conform to rules set up by your system administrator. Click Next. The password enables other users who do not have Media Encryption installed to access information on the device or disk.
6. If you are encrypting a CD/DVD, a window displays where you can add and remove files which will be imported to the encrypted area on the disk.
a) Go up one step in the folder structure.
b) Add files or add an entire folder to be burnt on the disk.
c) Select and delete any file or folder that you do not want to include on the disk. Click Next. The files will be imported, and the disk will be burnt.
d) A message displays when the burning process is finished.
7. The Progress window displays the encryption progress. Depending on the type of media and the quantity of data, this process may take a long time.
Important - Do NOT remove the storage device during the encryption process. This will destroy your data and may damage the media.
8. When the Finish window opens, click Finish to complete the process. The EPM Client window returns. The encrypted media status now appears as Encrypted, and the Import button is no longer available. The following information is displayed for the selected device:
EPM Status: The current status of the selected encrypted device.
Media Size: The size of the selected device.
Date Created: The date the selected encrypted drive was created.
Date Accessed: The date the selected encrypted drive was last accessed.
Owner: The user ID of the user who created the encrypted device.
Encryption: This field displays the encryption algorithm used to encrypt the media.
Note - We recommend that you always use the Safely remove hardware feature to disconnect encrypted media from your computer in order to prevent it from becoming corrupted. Click on the Safely remove hardware icon in the system tray and select the media you want to disconnect.
The process of importing and exporting files to CDs/DVDs is similar to that of other removable media described in Encrypting Media (on page 86). Two differences between CDs/DVDs and other removable media are that you cannot encrypt only a part of a CD/DVD, and you cannot add or delete files once the disk has been burnt. If you wish to remove information on a rewritable disk, you need to use the Erase feature to completely erase it.
Important - Do NOT under any circumstances, remove the media device during the decryption process. This will destroy your data and may damage the media.
Maintenance Section
The Maintenance section of the Media Encryption page allows you to manually update the Media Encryption policy and to test connectivity with the Media Encryption server. To update the Media Encryption policy, click Update. To test network connectivity with the Media Encryption server, click Test. This feature is useful for diagnosing client/server connection problems.
Chapter 9
File Encryption
File Encryption encrypts information stored on your workstation, removable media, Firewire/USB-connected external hard drives, CDs, DVDs and floppy disks. Once encrypted, the information can be accessed only by people who know the correct password. File Encryption also enables you to create encrypted information packages for easy and secure storage and transfer, for example via e-mail.
File Encryption is tightly integrated with Windows, so using File Encryption is simple. You access File Encryption by right-clicking on a file, folder or volume and selecting the Encrypt with Check Point File Encryption option.
In This Chapter
Before You Start 92
Working with File Encryption 93
Accessing File Encryption for the First Time 93
Authenticating to and Logging Off from File Encryption 95
Information and Help on File Encryption 96
Using File Encryption 96
Protecting Information Locally 99
Working with Encrypted Packages 101
Protecting Information on Removable Media 106
Managing Passwords and Keys 111
Securely Deleting Information 113
Forgot your Password? 114
For more information see Managing Passwords and Keys (on page 111).
Also depending on your organization's security policy, File Encryption will do one of the following:
Prompt you to select your certificate and then set a password. See Using a Certificate and Setting a Password (on page 94).
Prompt you to set a password. See Setting a Password (on page 94).
Confirm password
1. Click OK to save the password and gain access to File Encryption options.
Setting a Password
If you do not use a certificate to authenticate yourself when logging on, you must set a File Encryption password and re-enter it every time you log on.
To set a password:
1. After your system administrator has installed File Encryption, restart your workstation and log on to Windows.
2. If you are not prompted to set a password during or after Windows start-up, do the following: Open Windows file explorer and right-click a file or folder. In the menu that opens, select Encrypt with Check Point File Encryption > Log on to File Encryption.
File Encryption prompts you to set a password.
3. Enter the following information:
Table 9-24 Set Password fields
Field: Password
Description: Enter a password. You will need to enter this password every time you log on to Windows in order to be able to access encrypted information and File Encryption encryption options.
Note - Your organization will require that your password is a certain length and contains certain characters, numbers and upper- or lowercase characters. Ask your administrator for more information.
Password guidelines:
Always set a password that is at least 8 characters long.
Include numbers, letters and punctuation characters.
Use both upper and lower case letters.
Do not use more than two consecutive identical characters.
Field: Confirm password
Description: Re-enter the password to confirm it.
4. Click OK to save the password and gain access to File Encryption options. From now on, whenever you or anyone else logs on to Windows, File Encryption will prompt you for this password. If you have forgotten it or do not know it, you will have to complete a successful Remote Help procedure with the help of your Remote Help administrator in order to access encrypted information stored locally on the workstation or use File Encryption.
Once you have authenticated yourself, you can log off from File Encryption whenever you want, without having to log off from Windows.
Note - If you click Cancel, you will not be able to access encryption/decryption functionality or encrypted information.
Information about File Encryption, including version numbers. This manual in online form.
Overview of Options
File Encryption offers the following options:
Table 9-26 File Encryption options
Option: Encrypt folder
Available for: Folders and volumes
Description: Adds or removes folders and volumes to or from the protected list. See Protecting Information Locally (on page 99) for more information.
Note - Depending on how your administrator has configured File Encryption, you may not be able to add certain folders or volumes and their contents to the protected list. Your administrator may have decided to stop you from encrypting certain information.
Option: Create Encrypted Package
Available for: Files and folders
Description: Packs the selected item(s) into an encrypted package. For more information, see Working with Encrypted Packages (on page 101).
Option: Create Encrypted ISO Image
Available for: Files and folders
Description: Packs the selected item(s) into an encrypted ISO 9660 + Joliet image. The resulting file can be burnt onto a CD/DVD-R(W) disk. File Encryption will treat such a disk in the same way as an encrypted floppy or a USB memory stick, and authenticated users will be able to access the files transparently. For more information, see Protecting Information on Removable Media (on page 106).
Option: Encrypt with PKCS7
Available for: Files
Description: Packs and encrypts the selected file(s) with approved and selected certificate(s). See Working with Encrypted Packages (on page 101) for more information.
Note - This option is only available if you use a certificate to authenticate yourself to File Encryption.
Option: Decrypt with PKCS7
Available for: Files
Description: Unpacks and decrypts files protected by PKCS7. See Working with Encrypted Packages (on page 101) for more information.
Option: Secure Delete
Description: Securely deletes the selected item(s). For more information, see Securely Deleting Information (on page 113).
Option: Change Password
Available for: Removable media, Firewire/USB-connected external hard drives, and floppy disks
Description: Opens the Change Password dialog box. Here you can change the password used for the disk/card/floppy disk, and access Remote Help options. For more information, see Managing Passwords and Keys (on page 111) and Forgot your Password? (on page 114).
Available for: Removable media, Firewire/USB-connected external hard drives, floppy disks and CDs/DVDs
Description: View and edit keys for a disk/card/floppy disk/CD/DVD. Delete keys from a disk/card/floppy disk. For more information, see Managing Passwords and Keys (on page 111).
Description: Select this option to log off from File Encryption. You will no longer have access to encrypted information, and you will not be able to encrypt information until you have logged on to File Encryption again.
Protected files
Encrypting Information
You protect, i.e., encrypt, information stored locally on your workstation by adding the folders and volumes that contain the information to the File Encryption protected list.
Decrypting Information
You can decrypt information stored on your workstation in folders and volumes by removing the folders and volumes from the protected list. Once removed from the protected list, File Encryption decrypts the information stored there.
To decrypt information:
1. In Windows Explorer, right-click on the folder or volume you no longer want to protect and, from the Encryption menu, select Decrypt folder. File Encryption removes the folder or volume from the protected list and decrypts the information. While decryption is proceeding, File Encryption shows a progress bar to display which operations are currently underway.
Note - When encrypting or decrypting large amounts of information, the progress bar may display the text "wiping file". You can safely ignore this information. The file being wiped is a temporary file, not the information you are encrypting or decrypting.
The maximum file size to include in encrypted packages is 2GB, independent of the file system used. If the files you wish to encrypt comprise more than the maximum file size for the file system you are using, compress the files to less than the maximum file size.
Table 9-30 Create Password options
Option: Password
Description: Enter a password. Minimum length = 4 alphanumeric characters. Maximum length = 80 alphanumeric characters.
Note - Your organization will require that your password is a certain length and contains certain characters, numbers and upper- or lowercase characters. Ask your administrator for more information.
Password guidelines:
Always set a password that is at least 8 characters long.
Include numbers, letters and punctuation characters.
Use both upper and lower case letters.
Do not use more than two consecutive identical characters.
Note - This password is used only to protect this encrypted package. If you intend to send the package via e-mail, the recipient has to know the password to open the package. You can both agree on a password before the e-mail is sent, for example on the phone, or you can use a password you already share. Never send the package's password by e-mail.
Option: Confirm password
Description: Re-enter the password to confirm it.
Option: Use default message
Description: Select this option to use your organization's default message as defined by your organization's policy. To view the message, click View.
Option: Customized message
Description: If your organization's security policy allows it, you can define a message that is shown before the encrypted package is opened. This message can tell the recipient what to do or what to expect.
Option: Specify auto-open file
Description: If your organization's security policy allows you to, you can specify that one of the files in the encrypted package be opened automatically when the encrypted package is decrypted.
To specify a file:
1. Click Browse to select the file to open when the encrypted package is opened. The Auto-open dialog box opens.
2. Select which file should be opened automatically. In the Program Arguments field, enter any command switches/arguments to use when the file is opened.
3. Click OK to return to the Create Encrypted Package dialog box. After you have configured the options there, click OK.
Option: Create package without extractor
Description: Select this option if you want to create an encrypted package which can be opened only on a workstation running File Encryption. By default this option is not selected. This ensures that all recipients, including those without access to File Encryption, can open the package.
Note - Not all options may be available. Ask your File Encryption administrator if there are options you want to use that are not available.
4. Click OK. The Save As dialog box opens.
5. Enter a name for the encrypted package and browse to the location on the hard disk where you want to save the package.
Note - The file extension depends on the type of package being created: .exe is used by self-extracting encrypted packages; .pcp is used by encrypted packages without extractor.
6. Click Save. File Encryption confirms that the package has been saved with the name you entered.
7. Click OK to close the confirmation message.
Note - The original files and folders are not deleted when you create an encrypted package. If you need to delete them, select and right-click on the files, select Encrypt with Check Point File Encryption and choose Secure Delete. For more information, see Securely Deleting Information (on page 113).
You can now distribute or store the package as required.
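The password guidelines given for the Set Password fields (Table 9-24) and again for the Create Password options (Table 9-30) can be checked mechanically before a package password is chosen. The following is an added example and not part of File Encryption; the only inputs it takes from the guide are the 4 to 80 character package limit and the four listed guidelines, and the rule names it returns are its own.

```python
"""Check a candidate password against the guidelines listed in this guide.

Two rule sets appear in the guide: the hard limits for an encrypted-package
password (4 to 80 characters) and the recommended guidelines (at least 8
characters, letters, digits and punctuation, mixed case, no run of more than
two identical characters). Constants and function names are this example's
own, not File Encryption's.
"""
from __future__ import annotations

import string

PACKAGE_MIN_LEN = 4    # "Minimum length = 4 alphanumeric characters"
PACKAGE_MAX_LEN = 80   # "Maximum length = 80 alphanumeric characters"
GUIDELINE_MIN_LEN = 8  # "Always set a password that is at least 8 characters long"
MAX_IDENTICAL_RUN = 2  # "Do not use more than two consecutive identical characters"


def longest_identical_run(text: str) -> int:
    """Length of the longest run of one repeated character ('aaab' -> 3, '' -> 0)."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def guideline_violations(password: str) -> list[str]:
    """Return the names of the guidelines the password fails (an empty list means all are met)."""
    violations = []
    if len(password) < GUIDELINE_MIN_LEN:
        violations.append("too short")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c.isalpha() for c in password):
        violations.append("no letter")
    if not any(c in string.punctuation for c in password):
        violations.append("no punctuation")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        violations.append("not mixed case")
    if longest_identical_run(password) > MAX_IDENTICAL_RUN:
        violations.append("repeated characters")
    return violations


def package_password_accepted(password: str) -> bool:
    """Hard limit for an encrypted-package password: 4 to 80 characters inclusive."""
    return PACKAGE_MIN_LEN <= len(password) <= PACKAGE_MAX_LEN


if __name__ == "__main__":
    # Constructed candidates: one that meets every guideline, one with a run of three 's'.
    for candidate in ("Tr0ub4dor&3x", "Passs1!word", "abcd"):
        print(candidate, "accepted:", package_password_accepted(candidate),
              "violations:", guideline_violations(candidate) or "none")
```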
Table 9-31 Open Encrypted Package options
Field/option: Password
Description: Enter the password for the package.
Field/option: Web Remote Help
Description: This option enables you to receive Remote Help from your Check Point administrator or helpdesk if you are a legitimate user and have forgotten the password. See Forgot your Password? (on page 114) for more information.
Note - This option might not be available; it depends on how File Encryption is configured on your workstation.
Field/option: Overwrite existing files
Description: Select this option to overwrite any files with the same name in the location where you want to put the decrypted information.
Description: Select this option to create a directory tree that mirrors the tree the files were originally stored in.
Field/option: Save long names in 8.3 format
Description: Select this option to store the MS-DOS compatible form of any long file names.
PKCS7 Encryption
Using File Encryption, you can encrypt information and control access to it using a list of approved authentication certificates. Users whose certificates are listed get immediate access to the information.
Search
3. From the list displayed, select the certificates of the users you want to give access to the packages. Note - Your administrator may have already configured File Encryption to automatically add certain certificates to the package. Ask your administrator for more information.
4. Click OK. The Save As dialog box opens.
5. Browse to where you want to save the file(s) and click Save. File Encryption saves the package(s).
Protection method:
Create an encrypted package containing the information and burn it on the disc. See Working with Encrypted Packages (on page 101) for more information.
Create an encrypted ISO image containing the information and burn it on the disc. See Creating an ISO Image (on page 108) for more information.
Note - Your organization's security policy may not allow you to use all of these media. Ask your administrator for more information.
To encrypt information:
1. Attach the stick, drive or floppy disk to your workstation.
2. Save or copy the information to it. File Encryption prompts you to enter a password.
3. Do one of the following, depending on whether you wish to encrypt the media:
Enter your account name and password, and then confirm the password. Click OK.
Select Options. In the window that opens, enter your account name and password, and then confirm the password. Select the Stand-alone access box if you wish to allow stand-alone access. Click OK.
Any information you save on this media or floppy disk will now be encrypted. For information on how to access the encrypted information, see Accessing Protected Information (on page 109).
If you do not wish to encrypt the media, deselect the Encrypt this media checkbox.
5. Enter account and password information for the user you wish to allow access to the media.
6. If you wish to limit the number of times this user will be allowed to access the media, select Limit usage and enter the maximum number of times they are to be allowed access.
Note - The SSO and limit usage features are only applicable to writable media; they cannot be used for CD/DVD or write-protected media.
7. If you wish to enable SSO for this user, select Host using password gets SSO.
Note - If you specify that SSO is to be used for a user, File Encryption will save the workstation key when that user logs on to that media. When that media is inserted into the computer the next time, PME will just apply the kept workstation key and not ask for the user's password.
8. Select Add to finalize.
For example: {MyUSBCard}_{2007-02-16_10h43m17s}_{AC396524}_{4ceb7d5c-5c1d-467d-a645-2544505ff080}.prk
If you have removed the key file from the media/floppy disk, you can restore it from the backup file.
CD/DVDs
To protect information you want to store on a CD or DVD, you can create an encrypted ISO image or an encrypted package and burn it on the CD/DVD. For information on creating encrypted packages, see Working with Encrypted Packages (on page 101).
File Encryption
Page 108
   Note - Names of files or folders must be shorter than 65 characters (including spaces, periods etc.). Otherwise, the file or folder will not be written into the image.
2. From the Encrypt with Check Point File Encryption menu, select Create Encrypted ISO Image. The Create Encrypted ISO Image dialog box opens.
3. Enter the following information:
   Table 9-34 ISO Image information
   Field: Password. Description: Enter the password that must be used to decrypt the protected information. Note - Your password must match the criteria stipulated by the administrator when installing File Encryption on your workstation.
   Field: Confirm password. Description: Re-enter the password to confirm it.
   Field: Volume label. Description: Enter a suitable label to be displayed in Windows Explorer.
4. Click OK. The Save As dialog opens.
5. Enter a name for the ISO image and browse to the location on the hard disk where you want to save the encrypted image.
   Note - We recommend that the total path, including the file name of the ISO image, be less than 120 characters (including spaces, periods etc.). Otherwise, some software may have problems reading the CD.
6. Click Save. If you use a password to authenticate yourself to File Encryption, go to step 10. If you use a certificate to authenticate yourself, a dialog box opens asking you if you would like to select the certificates you want to allow access to the encrypted media.
7. Here you can enable other certificate users to access the encrypted image with their certificates. Click Yes to select the certificates you want to use.
8. In the window that opens, click Search to display a list of user certificates available. From the list displayed, select the certificates of the users you want to have access to the images.
   Note - Your administrator may have already configured File Encryption to automatically add certain certificates to the image. Ask your administrator for more information.
   File Encryption creates the image, and you are informed via a dialog box.
9. Click OK to acknowledge the message.
10. The image is saved with the name you entered. Now you can use your burning software to burn it onto a CD/DVD.
   Note - The original files and folders are not deleted when you create an encrypted image. If you need to delete them, right-click on the files and choose Secure Delete from the Encrypt with ... menu to delete them securely.
For information on accessing the information, see Accessing Protected Information (on page 109).
2. Double-click the file you wish to open. If SSO is not enabled for this media and you are not the media creator, you will be prompted to enter the account name and password associated with the media. Once you have authenticated yourself, you have access to the information. If SSO is enabled, you will be prompted only once for authentication and will from that point on have immediate access to the information.
Restoring Warnings
Some File Encryption message boxes allow you to hide messages by default. If you want to restore all hidden warnings, select Restore All Warnings from the View menu.
Table 9-35 Change Password Information
Field: Current Password. Description: Enter the password you currently use.
Field: New Password. Description: Enter a new password. Note - Your organization will require that your password is a certain length and contains certain characters, numbers and upper- or lowercase characters. Ask your administrator for more information.
Password guidelines:
- always set a password that is at least 8 characters long
- include both numbers, letters and punctuation characters
- use both upper and lower case letters
- do not use more than two consecutive identical characters.
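The guidelines above can be expressed as a small check. The following Python function is an added illustration written for this guide's reader; it is not Check Point code, and the rule names it returns ("length", "digit" and so on) are labels chosen here, not anything File Encryption itself reports. Your administrator's actual criteria may be stricter.

```python
import re
import string

MIN_LENGTH = 8  # "at least 8 characters long"


def check_password_guidelines(password: str) -> list:
    """Return the list of guideline violations; an empty list means all guidelines are met.

    Rule labels are illustrative (assumed here), matching the guidelines in order:
    length, digit, letter, punctuation, upper, lower, repeat.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    # "include both numbers, letters and punctuation characters"
    if not any(c.isdigit() for c in password):
        problems.append("digit")
    if not any(c.isalpha() for c in password):
        problems.append("letter")
    if not any(c in string.punctuation for c in password):
        problems.append("punctuation")
    # "use both upper and lower case letters"
    if not any(c.isupper() for c in password):
        problems.append("upper")
    if not any(c.islower() for c in password):
        problems.append("lower")
    # "do not use more than two consecutive identical characters":
    # any character followed by itself twice is three in a row.
    if re.search(r"(.)\1\1", password):
        problems.append("repeat")
    return problems


def meets_guidelines(password: str) -> bool:
    """Convenience wrapper: True only when no guideline is violated."""
    return not check_password_guidelines(password)


if __name__ == "__main__":
    # Constructed sample values, not real passwords.
    for candidate in ("aaa", "Pa$$word11", "Pa$$$word1"):
        print(candidate, "->", check_password_guidelines(candidate) or "ok")
```

Note that the check enforces only the guidelines printed above; it says nothing about whether a password is guessable, so it complements rather than replaces the length and character criteria your administrator configured.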
Sharing Media
You can share a protected removable media/device so that other users can access it. When you insert the media into the computer you are prompted for your password, which is then associated with the media. This makes you the "owner", allowing you to add accounts to the media for sharing.
To share media:
1. Right-click on the card/drive/floppy disk, and choose the Encrypt with Check Point File Encryption menu.
2. Add the user name(s) and password(s) of the user(s) you want to allow to access the card/drive/floppy disk, and configure SSO if applicable.
   Note - If you specify that SSO is to be used for a user, File Encryption will save the workstation key when that user logs on to that media. When that media is inserted into the computer the next time, File Encryption will just apply the kept workstation key and not ask for the user's password.
3. Specify a number in the Limit usage field, if applicable. If you do, the user can only log on to the media a limited number of times. The number of allowed logons is displayed in the "Usage limit" control and the number is decreased after each successful logon.
The card/drive/floppy disk can now be accessed by the user(s) you added.
Deleting Keys
On cards/Firewire drives/floppy disks, you can force other users to always enter the password by deleting their machines' keys from the card/floppy disk.
Note - It is not possible to delete keys from a CD/DVD.
Note that in the case of read-only removable media/devices, Remote Help/webRH only allows access to the media/device and does not allow for changing the password.
To access protected information stored on removable media/devices through the authentication dialog:
1. Attach the media/device to your workstation, browse to it in Windows Explorer and double-click on it. The Authentication dialog box opens.
2. Enter the account name that the media creator has set for this media/device.
3. Call your administrator or helpdesk, who will tell you how to proceed.
To access protected information stored on removable media/devices using the Change Password option:
1. Attach the media/device to your workstation, browse to it in Windows Explorer and right-click on it.
2. From the Encrypt with Check Point File Encryption menu, select Change Password. The Change Password dialog box opens.
3. Enter the account name that the media creator has set for this media/device.
4. Call your administrator or helpdesk, who will tell you how to proceed.
Chapter 10
Policies
Policy Enforcement enables Endpoint Security client to protect your enterprise network by enforcing a security policy created by your network administrator. Enterprise policy enforcement occurs when the client is used in an Endpoint Security Server environment. With Endpoint Security, your administrator can send enterprise Policies out to the computer users on the enterprise's local network. In this way, your enterprise can be sure that everyone on the network is adequately protected from Internet threats.
In This Chapter
Policy Types (page 116)
Understanding Policy Arbitration (page 116)
Viewing Available Policies (page 116)
Using the Policies Panel (page 117)
Policy Types
Personal Security Policy: Settings you choose for your firewall, program control, e-mail protection and other features in Endpoint Security client.
Enterprise Security Policy: Settings for the same security features, but created by your company's security administrator and assigned to users on the enterprise network.
Disconnected policy: Created by a security administrator, enforces certain enterprise security settings even when your computer is not connected to the corporate network.
A security administrator sends enterprise Policies to the Endpoint Security clients on the corporate network. If you are out of compliance with the enterprise policy, your computer may enforce restricted rules that limit your access. If this occurs, you will be directed to a Web page that provides instructions for getting your computer back into compliance. If you need further assistance, contact your system administrator.
Policies panel columns:
Policy Name: Name of the policy. Personal Policy: Settings you have established for the client by using the Endpoint Security Main Page. Other policy names refer to enterprise Policies that your administrator has installed on your computer.
Author: The administrator who created and assigned the security policy. For the personal policy, this is listed as N/A. For example, Local, Lan, etc.
Active: This column indicates whether the listed policy is currently active. Personal Policy is always active. The administrator can activate or deactivate an enterprise policy. When both your personal policy and another policy are active, Endpoint Security arbitrates between the two active Policies.
Policy Type: For example, Personal Policy, Corporate Policy, Disconnected Policy.
Connection: For enterprise security Policies, this column indicates the date and time that the client first established the current connection to an Endpoint Security Server, to enforce the listed enterprise policy. If the connection to the server is down, or the client is not enforcing an enterprise policy, this column displays Disconnected.
Server Address: Address of the Endpoint Security Server to which the Endpoint Security client is connected.
Description: Details about the policy that is currently selected in the list.
Notification check box: The user can select this check box to receive a notification when his or her personal policy is superseded by an enterprise policy.
Chapter 11
Alerts and Logs
You can be notified by an alert each time the client acts to protect you, or only when an alert is likely to have resulted from malicious activity. You can choose to log all alerts, only high-rated alerts, or alerts caused by specific traffic types.
In This Chapter
Understanding Alerts and Logs (page 118)
Setting Basic Alert and Log Options (page 119)
Showing or Hiding Alerts (page 119)
Setting Event and Program Log Options (page 120)
About Alerts
Endpoint Security client generates two alert types: enterprise or personal, which correspond to settings or rules contained in the active policy. Both policy types have three categories of alerts: informational, program, and network. To learn how to respond to specific alerts, see Alert Reference (on page 124).
Informational Alerts
Informational alerts tell you that the client has blocked a communication that did not fit your security settings. Informational alerts do not require a decision from you. Click OK to close the alert box.
Program Alerts
Program alerts ask you if you want to allow a program to access the Internet or local network, or to act as a server. Program alerts require a Yes or No response. The most common types of Program alerts are the New Program alert and the Repeat Program alert. Click Yes to grant permission to the program. Click No to deny permission.
Log Viewer fields (the table that listed them did not survive extraction; only the field names and two descriptions are recoverable):
Protocol, Source IP, Destination IP, Direction, Source DNS, Destination DNS, Rule, Time, Source, Destination, Transport.
Policy field: The name of the policy containing the security setting or rule that caused the alert. Endpoint Security client recognizes three policy types: personal, enterprise, and disconnected.
Rule: In the Alert Type drop-down list choose Firewall to view the Rule column. When an alert was caused by conditions specified in a classic firewall rule, this column contains the name of the rule.
Sample values that survived from the table: Source 192.168.1.101:0, Transport UDP.
Chapter 12
Alert Reference
There are various types of alerts you may see while using Endpoint Security. This reference describes why Alerts happen, what they mean, and what to do about them.
In This Chapter
Informational Alerts (page 124)
Program Alerts (page 127)
Informational Alerts
Informational alerts tell you that the client has blocked a communication that did not fit your security settings. Informational alerts do not require a decision from you. Click OK to close the alert box.
Firewall Alert/Protected
Firewall alerts are the most common type of informational alert. Firewall alerts inform you that the Endpoint Security firewall has blocked traffic based on port and protocol restrictions or other firewall rules.
If the alerts were caused by a source you want to trust, add it to the Trusted Zone. Determine if your Internet Service Provider is sending you "heartbeat" messages. Try the procedures suggested for managing ISP heartbeat. See Allowing ISP Heartbeat messages (on page 136).
MailSafe Alert
MailSafe alerts let you know that Endpoint Security has quarantined a potentially dangerous outgoing e-mail message.
Compliance Alerts
Compliance alerts occur when the Endpoint Security server, operating in conjunction with the Endpoint Security client, determines that your computer is non-compliant with enterprise security requirements. Depending on the type of non-compliance, your ability to access the corporate network may be restricted or even terminated.
Click the link in the alert or corresponding Web page to begin the remediation process. Remediation generally involves installing a newer version of Endpoint Security or approved antivirus software. If you see a Compliance alert and you are unsure of how to make your computer compliant with corporate security, consult your system administrator. Your administrator has the option of configuring Endpoint Security to automatically install any applications required to bring your computer into compliance with corporate guidelines. In some cases, this may result in a program being installed on your computer without warning, and could require a reboot of your computer. If you experience an automatic system reboot or if a program attempts to install itself on your computer, consult with your system administrator.
Program Alerts
Most of the time, you are likely to see program alerts when you are actually using a program. For example, if you've just installed Endpoint Security, and you immediately open Microsoft Outlook and try to send an e-mail message, you'll get a program alert asking if you want Outlook to have Internet access. However, program alerts can also occur if a Trojan horse or worm on your computer is trying to spread.
If you can answer Yes to both questions, it is likely that Endpoint Security has detected legitimate components that your browser or other programs need to use. It is probably safe to answer Yes to the Program Component alert. By clicking Yes, you allow the program to access the Internet while using the new or changed components. If you cannot answer Yes to both questions, or if you feel unsure about the component for any reason, it is safest to answer No. By clicking No, you prevent the program from accessing the Internet while using those components.
Note - If you are unsure of what to do, or if you decide to answer No, investigate the component to determine if it is safe.
If you are using the types of programs described above that require server permission to operate properly, grant permission before you start using the program. See Granting Server Permissions (see "Granting Server Permission to Programs" on page 67). Note - If your browser does not have permission to access the Internet, you will be re-routed to the online help. To access AlertAdvisor, give your browser permission to access the Internet. See Granting Internet Access Permissions to Programs (on page 67).
to the cause of the alert or the expected behavior of the program initiating the request, it is safest to answer No. After denying advanced permission to the program, perform an Internet search on the program's file name. If the program is malicious, it is likely that information about it is available, including how to remove it from your computer.
2. Select Trusted Zone from the Zone drop-down list.
3. Click OK.
Use caution if Endpoint Security detects a wireless network. It is possible for your wireless network adapter to pick up a network other than your own. Be sure that the IP address displayed in the New Network alert is your network's IP address before you add it to the Trusted Zone.
Important - If you are not certain which network Endpoint Security has detected, write down the IP address displayed in the alert box. Then consult your home network documentation, systems administrator, or ISP to determine what network it is.
Chapter 13
Troubleshooting
In This Chapter
VPN Troubleshooting (page 133)
Network Troubleshooting (page 134)
Internet Connection Troubleshooting (page 135)
VPN Troubleshooting
If you are having difficulty using VPN software with the client, refer to the table for troubleshooting tips provided in this section.
Table 13-39 Troubleshooting
If... You can't connect to your Virtual Private Network (VPN). See... Configuring Client for VPN Traffic (on page 133)
If... You have created expert firewall rules. See... VPN Auto-Configuration and Expert Rules (on page 133)
If... You are using a supported VPN client and Endpoint Security client does not detect it automatically the first time you connect. See... Automatic VPN Detection Delay (on page 134)
Network Troubleshooting
If you are having difficulty connecting to your network or using networking services, refer to the table for troubleshooting tips provided in this section.
Table 13-40 Troubleshooting Network Issues
If... You can't see the other computers in your Network Neighborhood, or if they can't see you. See... Making Your Computer Visible on Local Network (on page 134)
If... You can't share files or printers over your home or local network. See... Sharing Files and Printers Locally (on page 134)
If... Your computer is on a Local Area Network (LAN) and takes a long time to start up when Endpoint Security client is installed. See... Resolving Slow Startup (on page 135)
2. Set the Trusted Zone security level to Medium. This allows trusted computers to access your shared files. See Choosing Security Levels (on page 54).
3. Set the Internet Zone security level to High. This makes your computer invisible to non-trusted computers. See Setting Security Level for Zones (on page 55).
If... Your computer is an Internet Connection Sharing (ICS) client and you can't connect to the Internet. See... Connecting Through an ICS Client (on page 136)
If... Your computer uses a proxy server to connect to the Internet and you can't connect to the Internet. See... Connecting Through a Proxy Server
Your Endpoint Security client settings may be the cause of your connection problems. Make sure that your browser has access permission. Your Endpoint Security client settings are not the cause of your connection problems.
Glossary of Terms
Symbols & Numeric
1394
A very fast external bus standard that supports data transfer rates of up to 400Mbps (in 1394a) and 800Mbps (in 1394b). Products supporting the 1394 standard go under different names, depending on the company. Apple, which originally developed the technology, uses the trademarked name FireWire.
Animated Ad
An advertisement that incorporates moving images.
B
Banner Ad
An ad that appears in a horizontal banner across a Web page.
A
Access Permission
Access permission allows a program on your computer to initiate communications with another computer. This is distinct from server permission, which allows a program to "listen" for connection requests from other computers. You can give a program access permission for the Trusted Zone, the Internet Zone, or both.
Blocked Zone
The Blocked Zone contains computers you want no contact with. The client prevents any communication between your computer and the machines in this Zone.
C
Cache Cleaner
Privacy feature that enables you to remove unwanted files and cookies from your computer on demand, or on a scheduled basis.
Act as a Server
A program acts as a server when it "listens" for connection requests from other computers. Several common types of applications, such as chat programs, e-mail clients, and Internet Call Waiting programs, may need to act as servers to operate properly. However, some hacker programs act as servers to listen for instructions from their creators. The client prevents programs on your computer from acting as servers unless you grant server permission.
Challenge Response
Challenge-response is an authentication protocol in which one party presents a question (the challenge) and another party provides an answer (the response). For authentication to take place, a valid answer must be provided to the question. Security systems that rely on smart cards are based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card. The smart card then displays a new code (the response) that the user presents to log in.
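The entry above describes challenge-response in terms of a smart card; the same pattern can be followed end to end in code. The Python below is an added example for this glossary, not Check Point code and not the protocol any Check Point product uses: the verifier (the party asking the question) and the token (the party answering) share a secret key, the response is an HMAC of a random, single-use challenge, and a response can neither be replayed nor computed without the key. The names Verifier, Token and compute_response are chosen here.

```python
import hashlib
import hmac
import secrets


def compute_response(key: bytes, challenge: str) -> str:
    """Both sides compute the response the same way: HMAC-SHA256(key, challenge)."""
    return hmac.new(key, challenge.encode("ascii"), hashlib.sha256).hexdigest()


class Token:
    """The answering side (smart card, fob): holds the shared key, never reveals it."""

    def __init__(self, key: bytes):
        self._key = key

    def answer(self, challenge: str) -> str:
        return compute_response(self._key, challenge)


class Verifier:
    """The asking side: knows each user's key and issues one-time challenges."""

    def __init__(self):
        self._keys = {}       # user -> shared key
        self._pending = {}    # user -> outstanding challenge (single use)

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def issue_challenge(self, user: str) -> str:
        # A fresh random challenge per attempt: an old response is useless for a new one.
        challenge = secrets.token_hex(16)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        # pop() consumes the challenge so it can be answered at most once.
        challenge = self._pending.pop(user, None)
        if challenge is None or user not in self._keys:
            return False
        expected = compute_response(self._keys[user], challenge)
        # Constant-time comparison: timing must not leak how many characters matched.
        return hmac.compare_digest(expected, response)


def run_exchange(key_on_token: bytes, key_at_verifier: bytes) -> dict:
    """Walk through one login and report what the verifier decided at each step."""
    verifier = Verifier()
    verifier.enroll("alice", key_at_verifier)
    token = Token(key_on_token)

    challenge = verifier.issue_challenge("alice")   # 1. verifier asks
    response = token.answer(challenge)               # 2. token answers
    first = verifier.verify("alice", response)       # 3. verifier checks
    replay = verifier.verify("alice", response)      # same answer again: challenge is spent
    return {"first_attempt": first, "replayed_response": replay}


if __name__ == "__main__":
    # Constructed demo key; a real deployment provisions a per-user secret.
    shared = secrets.token_bytes(32)
    print("matching keys :", run_exchange(shared, shared))
    print("wrong token   :", run_exchange(secrets.token_bytes(32), shared))
```

The single-use challenge is what makes the scheme resist replay: an observer who records the displayed response cannot log in later, because the verifier will have issued a different question by then.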
ActiveX Controls
ActiveX controls (developed by Microsoft) are a set of elements, such as checkboxes or buttons, that offer options to users or run macros or scripts that automate a task.
Component
A small program or set of functions that larger programs call on to perform specific tasks. Some components may be used by several different programs simultaneously. Windows operating systems provide many component DLLs for use by a variety of Windows applications.
Ad Blocking
A client feature that enables you to block banner, pop-up and other types of advertisements.
Alert Advisor
Check Point AlertAdvisor is an online utility that enables you to instantly analyze the possible causes of an alert, and helps you decide whether to respond Yes or No to a Program alert. To use AlertAdvisor, click the More Info button in an alert pop-up. The client sends information about your alert to AlertAdvisor. AlertAdvisor returns an article that explains the alert and gives you advice on what, if anything, you need to do to ensure your security.
Cookie
A small data file used by a Web site to customize content, remember you from one visit to the next, and/or track your Internet activity. While there are many benign uses of cookies, some cookies can be used to divulge information about you without your consent.
Cookie Control
Privacy feature that allows you to prevent cookies from being stored on your computer.
D
DHCP
Dynamic Host Configuration Protocol. A protocol used to support dynamic IP addressing. Rather than giving you a static IP address, your ISP may assign a different IP address to you each time you log on. This allows the provider to serve a large number of customers with a relatively small number of IP addresses.
Enterprise Policy
A collection of security settings (firewall, program control, e-mail protection, and so forth) designed by a network administrator and delivered to the client by uploading from Endpoint Security Server. The endpoint user cannot change the enterprise policy.
DHCP Broadcast/Multicast
A type of message used by a client computer on a network that uses dynamic IP addressing. When the computer comes online, if it needs an IP address, it issues a broadcast message to any DHCP servers which are on the network. When a DHCP server receives the broadcast, it assigns an IP address to the computer.
G
Gateway
In networking, a combination of hardware and software that links two different types of networks. For example, if you are on a home or business Local Area Network (LAN), a gateway enables the computers on your network to communicate with the Internet.
Dial-Up Connection
Connection to the Internet using a modem and an analog telephone line. The modem connects to the Internet by dialing a telephone number at the Internet Service Provider's site. This is in distinction to other connection methods, such as Digital Subscriber Lines, which do not use analog modems and do not dial telephone numbers.
H
Heartbeat Messages
Messages sent by an Internet Service Provider (ISP) to make sure that a dial-up connection is still in use. If it appears a customer is not there, the ISP might disconnect her so that her IP address can be given to someone else.
DLL
Dynamic Link Library. A library of functions that can be accessed dynamically (that is, as needed) by a Windows application.
High-Rated Alerts
An alert that is likely to have been caused by hacker activity. High-rated Firewall alerts display a red band at the top of the alert pop-up. In the Log Viewer, you can see if an alert was high-rated by looking in the Rating column.
DNS
Domain Name Server. A data query service generally used on the Internet for translating host names or domain names (like www.yoursite.com) into Internet addresses (like 123.456.789.0).
E
Embedded Object
An object such as a sound file or an image file that is embedded in a Web page.
I
ICMP
Internet Control Messaging Protocol. An extension of the Internet Protocol that supports error control and informational messages. The "ping" message is a common ICMP message used to test an Internet connection.
IPSec
A security protocol for authentication and encryption over the Internet.
ISP
Internet Service Provider. A company that provides access to the Internet. ISPs provide many kinds of Internet connections to consumers and business, including dial-up (connection over a regular telephone line with a modem), high-speed Digital Subscriber Lines (DSL), and cable modem.
ICS
Internet Connection Sharing. ICS is a service provided by the Windows operating system that enables networked computers to share a single connection to the Internet.
IKE
Internet Key Exchange, a method used in the IPSec protocol for:
- Authenticating users
- Negotiating an encryption method
- Exchanging a secret key used for data encryption
J
Java Applet
A Java applet is a small Internet-based program written in Java, which is usually embedded in an HTML page, and which can be executed within a Web browser.
JavaScript
A popular scripting language that enables some of the most common interactive content on Web sites. Some of the most frequently used JavaScript functions include Back and History links, changing images on mouse-over, and opening and closing browser windows. The default settings allow JavaScript because it is so common and because most of its uses are harmless.
Index.dat
Index.dat files keep copies of everything that was in your Temporary Internet, Cookies, and History folders even AFTER these files have been deleted.
Information Alerts
The type of alerts that appear when the client blocks a communication that did not match your security settings. Informational alerts do not require a response from you.
K
Key Fobs
A small hardware device with built-in authentication mechanisms that control access to network services and information is known as a key fob. While a password can be stolen without the owner's knowledge, a missing key fob is immediately apparent. Key fobs provide the same two-factor authentication as other SecurID devices: the user has a personal identification number (PIN), which authenticates them as the device's owner; after the user correctly enters their PIN, the device displays a number which allows them to log on to the network. The SecurID SID700 Key Fob is a typical example of such a device.
Internet Zone
The Internet Zone contains all the computers in the world except those you have added to the Trusted Zone or Blocked Zone. The client applies the strictest security to the Internet Zone, keeping you safe from hackers. Meanwhile, the medium security settings of the Trusted Zone enable you to communicate easily with the computers or networks you know and trust, for example, your home network PCs, or your business network.
IP Address
The number that identifies your computer on the Internet, as a telephone number identifies your phone on a telephone network. It is a numeric address, usually displayed as four numbers between 0 and 255, separated by periods. For example, 172.16.100.100 could be an IP address. Your IP address may always be the same. However, your Internet Service Provider (ISP) may use Dynamic Host Configuration Protocol (DHCP) to assign your computer a different IP address each time you connect to the Internet.
M
Mail Server
The remote computer from which the e-mail program on your computer retrieves e-mail messages sent to you.
Persistent Cookie
A cookie put on your hard drive by a Web site you visit. These cookies can be retrieved by the Web site the next time you visit. While useful, they create a vulnerability by storing information about you, your computer, or your Internet use in a text file.
MD5 Signature
A digital "fingerprint" used to verify the integrity of a file. If a file has been changed in any way (for example, if a program has been compromised by a hacker), its MD5 signature will change as well.
Personal Policy
Your personal policy comprises all the security settings you can control through the client interface. For example, if you use the Zones tab to add a server to the Trusted Zone, that configuration becomes part of your personal policy.
Medium-rated Alert
An alert that was probably caused by harmless network activity, rather than by a hacker attack.
Personal Store
A certificate container on your computer (in contrast to a certificate on a token). It is not available before you have gained access to the operating system.
Ping
A type of ICMP message (formally "ICMP echo") used to determine whether a specific computer is connected to the Internet. A small utility program sends a simple "echo request" message to the destination IP address, and then waits for a response. If a computer at that address receives the message, it sends an "echo" back. Some Internet providers regularly "ping" their customers to see if they are still connected.
Mobile Code
Executable content that can be embedded in Web pages or HTML e-mail. Mobile code helps make Web sites interactive, but malicious mobile code can be used to modify or steal data, and for other malevolent purposes.
Mobile-Code Control
A client feature that enables you to block active controls and scripts on the Web sites you visit. While mobile code is common on the Internet and has many benign uses, hackers can sometimes use it for malevolent purposes.
Pop-under Ad
An ad that appears in a new browser window that opens under the window you are looking at, so you don't see the ad until you close the original browser window.
N
NetBIOS
Network Basic Input/Output System. A program that allows applications on different computers to communicate within a local network. By default, the client allows NetBIOS traffic in the Trusted Zone, but blocks it in the Internet Zone. This enables file sharing on local networks, while protecting you from NetBIOS vulnerabilities on the Internet.
Pop-up Ad
An ad that appears in a new browser window that 'pops up' in front of the window you are looking at.
Port
A channel associated with the use of TCP or UDP. Some ports are associated with standard network protocols; for example, HTTP (Hypertext Transfer Protocol) is traditionally addressed to port 80. Port numbers range from 0 to 65535.
P
Packet
A single unit of network traffic. On "packet-switched" networks like the Internet, outgoing messages are divided into small units, sent and routed to their destinations, then reassembled on the other end. Each packet includes the IP address of the sender, and the destination IP address and port number.
Port Scan
A technique hackers use to find unprotected computers on the Internet. Using automated tools, the hacker systematically scans the ports on all the computers in a range of IP addresses, looking for unprotected or "open" ports. Once an open port is located, the hacker can use it as an access point to break in to the unprotected computer.
Privacy Advisor
A small display that shows you when the client blocks cookies or mobile code, and enables you to un-block those elements for a particular page.
Private Header
Information your browser sends to a Web site in the HTTP request, rather than a part of the Web page itself; the main example is the Referer header (see HTTP Referrer Header Field). When you reach a site by clicking a link on another site, the Referer tells the new site which page you came from, including that page's full URL. If the referring site handled your data carelessly, for example by placing a form's fields into the URL, the Referer can hand information you typed into the form (Social Security number, credit card number, etc.) to the next site you visit.
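The leak described in the Private Header entry, worked through in code. This is an added example, not part of the original guide: the URLs and field names are constructed, and the policy logic is a simplified subset of the browser Referrer-Policy header (a mechanism newer than this guide) used here to contrast careless and careful Referer handling.

```python
"""How form data leaks through the Referer header, and what stops it."""
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Query parameter names we treat as sensitive (assumed list for the demo).
SENSITIVE_FIELDS = {"ssn", "card", "cc", "password", "token", "session"}


def referer_for(previous_url: str, next_url: str,
                policy: str = "no-referrer-when-downgrade") -> Optional[str]:
    """Referer a browser sends when following a link from previous_url to next_url.

    Implements a subset of Referrer-Policy values. The legacy default
    (no-referrer-when-downgrade) sends the full URL, query string included,
    which is exactly the careless case the glossary warns about."""
    prev, nxt = urlsplit(previous_url), urlsplit(next_url)
    origin = f"{prev.scheme}://{prev.netloc}"
    full = previous_url.split("#", 1)[0]          # the fragment is never sent
    downgrade = prev.scheme == "https" and nxt.scheme == "http"
    same_origin = (prev.scheme, prev.netloc) == (nxt.scheme, nxt.netloc)

    if policy == "no-referrer":
        return None
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    # legacy default: full URL unless going from https to http
    return None if downgrade else full


def leaked_fields(referer: Optional[str]) -> Dict[str, str]:
    """Sensitive form fields the receiving site can read out of the Referer."""
    if not referer:
        return {}
    params = parse_qs(urlsplit(referer).query)
    return {k: v[0] for k, v in params.items() if k.lower() in SENSITIVE_FIELDS}


if __name__ == "__main__":
    # Constructed: a lookup form submitted with GET, so its fields end up in the URL.
    results_page = "https://bank.example/lookup?ssn=123-45-6789&name=A#top"
    ad_link = "https://ads.example/click"
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        ref = referer_for(results_page, ad_link, policy)
        print(f"{policy:32s} Referer={ref!r} leaked={leaked_fields(ref)}")
```

The form-side fix is to submit sensitive fields with POST so they never appear in a URL; the site-side fix is a restrictive Referrer-Policy (modern browsers default to strict-origin-when-cross-origin, which sends only the origin to third-party sites).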
S
Script
A series of commands, usually JavaScript embedded in a Web page, that your browser executes automatically, without the user intervening. Common benign uses are animated banners, menus that change when you move your mouse over them, and pop-up ads; because a script runs with no prompt, the same mechanism is also how malicious mobile code is delivered. See Mobile Code.
SecurID
The RSA SecurID authentication mechanism consists of either hardware (a key fob or USB token) or software (SoftID) that generates an authentication code at fixed intervals (usually one minute) from a built-in clock and a secret seed stored in the token. The most typical form of SecurID token is the hand-held device, usually a key fob or slim card. The token can have a PIN pad, on which the user enters a Personal Identification Number (PIN) to generate a passcode. When the token has no PIN pad, a tokencode is displayed. A tokencode is the changing number displayed on the key fob; the passcode is the user's PIN combined with the current tokencode, so possession of the token alone is not enough to log on.
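The moving parts the SecurID entry describes (a secret seed, a clock cut into fixed steps, a short code derived from both, and a PIN combined with it) shown in working code. This is an added example, not Check Point or RSA code: RSA's own token algorithm is proprietary, so the open TOTP standard (RFC 6238, HMAC-SHA1) stands in for it. The 60-second step, the PIN and the demo seed are assumptions.

```python
"""Time-based one-time codes in the style of a clock-driven token."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60       # one-minute interval as in the glossary (RFC 6238 default is 30)
DIGITS = 6


def tokencode(seed: bytes, unix_time: int, step: int = STEP_SECONDS,
              digits: int = DIGITS) -> str:
    """Code the token displays at the given time: HMAC of the time-step counter,
    dynamically truncated to a fixed number of digits (RFC 4226 section 5.3)."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                         # 8-byte big-endian counter
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def passcode(pin: str, seed: bytes, unix_time: int) -> str:
    """PIN-pad token: the passcode is the PIN combined with the current tokencode."""
    return pin + tokencode(seed, unix_time)


def verify(seed: bytes, pin: str, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """Server side. Accepts the current step and +/- skew_steps around it to
    tolerate clock drift between token and server; compares in constant time
    so a failed attempt does not reveal how many digits were right."""
    for k in range(-skew_steps, skew_steps + 1):
        expected = passcode(pin, seed, now + k * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    seed = b"12345678901234567890"   # constructed demo seed (RFC test value); never hard-code a real one
    now = int(time.time())
    print("tokencode:", tokencode(seed, now))
    print("passcode :", passcode("4321", seed, now))
    print("verify   :", verify(seed, "4321", passcode("4321", seed, now), now))
```

Two things the glossary text implies but does not spell out: the server must tolerate a small clock skew (the window above is one step either side), and the PIN is what turns a code anyone can read off a stolen fob into a two-factor passcode.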
Programs List
The list of programs to which you can assign Internet access and server permissions. The list is shown in the Programs tab of the Program Control panel. You can add programs to the list, or remove programs from it.
Protocol
A standardized format for sending and receiving data. Different protocols serve different purposes; for example SMTP (Simple Mail Transfer Protocol) is used for sending e-mail messages, while FTP (File Transfer Protocol) is used to transfer files. Most application protocols have a well-known default port, for example SMTP uses port 25 and FTP control connections use port 21, but a service can be run on any port, so a port number is a hint about the protocol in use rather than a guarantee.
Security Levels
The High, Med., and Low settings that dictate the type of traffic allowed into or out of your computer.
Public Network
A large network, such as that associated with an ISP. Public networks are placed in the Internet Zone by default.
Server Permission
Server permission allows a program on your computer to "listen" for connection requests from other computers, in effect giving those computers the power to initiate communications with yours. This is distinct from access permission, which allows a program to initiate a communications session with another computer. Several common types of applications, such as chat programs, e-mail clients, and Internet Call Waiting programs, may need server permission to operate properly. Grant server permission only to programs you are sure you trust, and that require it in order to work. If possible, avoid granting a program server permission for the Internet Zone. If you need to accept incoming connections from only a small number of machines, add those machines to the Trusted Zone, and then allow the program server permission for the Trusted Zone only.
Q
Quarantine
MailSafe quarantines incoming e-mail attachments whose filename extensions (for example, .EXE or .BAT) indicate the possibility of auto-executing code. By changing the filename extension, quarantining prevents the attachment from opening without inspection. This helps protect you from worms, viruses, and other malware that hackers distribute as e-mail attachments.
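The extension-based quarantine decision the Quarantine entry describes, with the filename tricks a naive check misses. This is an added example and not Check Point's MailSafe code: the extension list, the ".quarantine" rename scheme and the sample filenames are all constructed for the demo.

```python
"""Attachment quarantine by filename extension."""
import unicodedata

# Extensions Windows will run, or that carry auto-executing code (assumed list).
EXECUTABLE_EXTS = {"exe", "bat", "cmd", "com", "scr", "pif", "vbs", "js", "jse",
                   "wsf", "wsh", "ps1", "hta", "lnk", "msi", "reg", "cpl", "dll"}
QUARANTINE_SUFFIX = ".quarantine"   # assumed rename scheme for this demo


def normalize(filename: str) -> str:
    """Remove what hides the real extension in a mail client's display:
    Unicode format characters (the right-to-left override U+202E makes
    'photo<RLO>gnp.scr' render as 'photorcs.png'; zero-width spaces pad names),
    and trailing dots or spaces that Windows silently drops when saving."""
    cleaned = "".join(ch for ch in filename if unicodedata.category(ch) != "Cf")
    return cleaned.rstrip(" .")


def effective_extension(filename: str) -> str:
    """The extension Windows actually acts on: the text after the LAST dot,
    compared case-insensitively, so 'Invoice.PDF.exe' is an .exe."""
    name = normalize(filename)
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def should_quarantine(filename: str) -> bool:
    return effective_extension(filename) in EXECUTABLE_EXTS


def quarantine_name(filename: str) -> str:
    """Rename so a double-click no longer runs the file; the original name is
    kept in front of the suffix so it can be inspected and released manually."""
    if not should_quarantine(filename):
        return filename
    return normalize(filename) + QUARANTINE_SUFFIX


if __name__ == "__main__":
    # Constructed sample attachment names.
    for name in ("report.pdf", "Invoice.PDF.exe", "setup.EXE  ", "photo\u202egnp.scr", "archive.tar.gz"):
        print(f"{name!r:28s} -> {quarantine_name(name)!r}")
```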
R
Remote Access Community
Remote Access Community is a type of VPN community created specifically for users that usually work from remote locations outside of the corporate LAN.
Session Cookie
A cookie kept only in your browser's memory and discarded when you close the browser. These are the safest cookies because of their short life-span: they cannot be used to recognize you on a later visit.
Skyscraper Ad
An ad that appears in a vertical column along the side of a Web page.
SoftID
SoftID operates the same as a passcode device but consists only of software that sits on the desktop. The Advanced view displays the tokencode and passcode with COPY buttons, allowing the user to cut and paste between softID and the client.
Stealth Mode
When the client puts your computer in stealth mode, any uninvited traffic receives no response, not even an acknowledgement that your computer exists: probes to ports with no permitted listener are silently dropped rather than answered with a TCP reset or an ICMP "port unreachable" message. To a port scan from the Internet your computer therefore looks absent, until a permitted program on your computer initiates contact. Stealth mode does not hide the traffic your permitted programs send, and a computer on the same local network can still see yours at the link layer (for example, through ARP).
T
TCP
Transmission Control Protocol. One of the main protocols in TCP/IP networks. TCP is connection-oriented and provides reliable, ordered delivery: lost packets are retransmitted, and data is handed to the application in the order in which it was sent.
Trojan Horse
A malicious program that masquerades as something useful or harmless, such as a screen saver. Some Trojan horses operate by setting themselves up as servers on your computer, listening for connections from the outside. If a hacker succeeds in contacting the program, he can effectively take control of your computer. This is why it is important to give server permission only to programs you know and trust. Other Trojan horses attempt to contact a remote address automatically, which is why access permission for outbound connections matters as well.
Trusted Zone
The Trusted Zone contains computers you trust and want to share resources with. For example, if you have three home PCs that are linked together in an Ethernet network, you can put each individual computer or the entire network adapter subnet in the Trusted Zone. The Trusted Zone's default medium security settings enable you to safely share files, printers, and other resources over the home network. Hackers are confined to the Internet Zone, where high security settings keep you safe.
U
UDP
User Datagram Protocol. A connectionless transport protocol that runs on top of IP. Unlike TCP it sets up no connection and does not guarantee delivery or ordering; it is used for DNS, streaming media and VoIP, and for broadcast and multicast messages on a network.
V
Visitor Mode
A Check Point remote access VPN solution that tunnels all client-to-gateway communication over a regular TCP connection on port 443. Visitor mode ensures secure communication through firewalls and proxy servers configured to block IPSec packets.
VPN
Virtual Private Network. A VPN is a network that provides secure, private access to a LAN (such as your organization's network) over public infrastructure (such as the Internet), by tunneling the transmissions and data through encryption protocols and other security measures.
W
Web Bug
An image file, often 1x1 pixel, designed to monitor visits to the page (or HTML e-mail) containing it. Web bugs are used to find out what advertisements and Web pages you have viewed.
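A TCP connect probe that classifies each port the way the Port Scan and Stealth Mode entries describe: "open" when a program is listening, "closed" when the computer answers with a reset, and "filtered" when nothing comes back at all, which is what stealth mode produces. This is an added example, not Check Point code. It runs against loopback only: it starts its own listener so one port is genuinely open and releases a freshly bound port so another is genuinely closed; the port numbers are whatever the OS hands out, not assumptions about any service.

```python
"""Port probe classification against loopback."""
import socket
import threading

TIMEOUT = 0.5   # seconds with no answer before a port is called "filtered"


def probe(host: str, port: int, timeout: float = TIMEOUT) -> str:
    """One TCP connect probe. A SYN/ACK means open; a RST means closed but the
    host has still announced itself; silence (the stealth-mode behaviour)
    leaves the scanner unable to tell the host from an empty address."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:          # host replied with RST
        return "closed"
    except (socket.timeout, TimeoutError):  # no reply at all
        return "filtered"
    except OSError:                         # e.g. host unreachable when a firewall drops the probe
        return "filtered"
    finally:
        s.close()


def scan(host: str, ports, timeout: float = TIMEOUT) -> dict:
    """Probe each port in turn; a real scanner parallelizes this."""
    return {p: probe(host, p, timeout) for p in ports}


def start_listener(host: str = "127.0.0.1"):
    """Bind an ephemeral port and accept connections in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:                 # listener closed, stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_port(host: str = "127.0.0.1") -> int:
    """Bind and immediately release a port so nothing is listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> dict:
    """Scan one open and one closed loopback port and return the classification."""
    srv, open_port = start_listener()
    closed_port = unused_port()
    try:
        return scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, state in demo().items():
        print(f"127.0.0.1:{port:<5} {state}")
```

Run against a host in stealth mode, the "closed" ports come back "filtered" instead, so the scanner gets no confirmation that anything is at the address. These three states are the same ones nmap reports, so the output of the small probe above maps directly onto what a real scanner would show.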
Index
1
1394 139
Blocked Zone 139 Blocking and Unblocking Ports 58 Blue 50 Blue Warning Alerts 51
C
Cache Cleaner 139 Cached Passwords 85 CD/DVDs 108 Certificate Enrollment and Renewal 40 Certificate Renewal 41 Challenge Response 40, 139 Changed Program Alerts 128 Changing Authentication Credentials 79 Changing Authentication Methods 23 Changing Authentication Schemes 40 Changing Passwords on Removable Media 112 Changing Profiles 27 Changing the Encrypted Device Password 90 Changing the Language Used in the Interface 80 Changing Your Local Password 111 Characters Supported in the Preboot Environment 83 Check Point Endpoint Connect VPN Client 37 Checking Encryption Status 99 Choosing Security Levels 54 Cloning Profiles 27 Collecting and Sending Log files 47 Command Line Options 36, 46 Compact and Extended VPN Interfaces 22 Compliance Alerts 11, 126 Component 139 Component Learning Mode 139 Configuring Client for VPN Traffic 133 Configuring Connection Options 33, 44 Configuring Endpoint Security Client to Allow Ping Messages 136 Configuring New Network Connections 53 Configuring Program Access 64 Configuring VPN Connection 60 Configuring VPN Connection for Firewall 59 Connecting and Disconnecting Using Endpoint Connect 42 Connecting and Disconnecting Using the Legacy Client 30 Connecting Through a Hotspot 34, 44 Connecting Through a Proxy Server 136 Connecting Through an ICS Client 136 Connecting to a Site 42 Connecting to Network Mail Servers 54 Connecting to the Internet Fails after Installation 135 Connection Status 31 Cookie 140 Cookie Control 140 Creating an Encrypted Package 101 Creating an ISO Image 108 Creating Check Point Certificate CAPI Token 25 Creating Check Point Certificate PKCS#12 25 Creating Profile Desktop Shortcut 28 Creating Profiles 27
A
About Alerts 118 About Encrypted Packages 101 About Event Logging 119 About Passwords and Keys 93 Access Permission 139 Accessing Encrypted Media 88 Accessing Encrypted Media from non-Media Encryption Computers 89 Accessing File Encryption for the First Time 93 Accessing Options 97 Accessing Protected Information 109 Accessing Protected Information Stored Locally 100 Act as a Server 139 ActiveX Controls 139 Ad Blocking 139 Adding Custom Ports 59 Adding Files and Folders 110 Adding Programs to the Programs List 66 Advanced Configuration Options in Endpoint Connect 46 Advanced Configuration Options in the Legacy Client 35 Advanced Options 16 Advanced Program Alerts 130 Advanced Program Control 67, 139 Alert Advisor 139 Alert Reference 124 Alerts & Logs 10 Alerts and Logs 118 Allowing ISP Heartbeat Messages 136 Allowing Others to Use Programs 68 Allowing VPN Protocols 60 Alternative Ways of Connecting 43 Animated Ad 139 Anti-malware 9, 12 Archiving Log Entries 122 Authenticating for the First Time 72 Authenticating to and Logging Off from File Encryption 95 Authenticating to Full Disk Encryption 72 Authenticating with a Certificate 95 Authenticating with a Password 96 Authentication in Endpoint Connect 37 Authentication in the Legacy VPN Client 23 Authorizing Removable Media 90 Auto Local Logon 33 Auto-Connect 33 Automatic Certificate Renewal 41 Automatic VPN Detection Delay 134
B
Banner Ad 139 Before You Start 92 Blocked Program Alerts 125
Creating Profiles and Sites in the Legacy VPN Client 26 Creating Sites in Endpoint Connect 42 Customizing Event Logging 120 Customizing Program Control Settings 65 Customizing Program Logging 120
D
Decrypting a File with PKCS7 106 Decrypting Files to the Hard Drive 110 Decrypting Information 100 Default Port Permission Settings 58 Defining Sites 29 Deleting Keys 113 Deleting Profiles 28 Deleting Sites 30 De-selecting the SSO Option 77 Device Manager 85 DHCP 140 DHCP Broadcast/Multicast 140 Dial Up Support 35, 45 Dial-Up Connection 140 Disabling Outbound Mail Protection 68 Disabling Sites 30 Disconnecting from a Site 43 DLL 140 DNS 140
First Logon after Enabling SSO or OneCheck Logon 77 Forgot your Password? 114 Formatting Log Appearance 120 Full Disk Encryption 9, 72 Full Disk Encryption License Activation Information 79 Full Disk Encryption Status Information 78
G
Gateway 140 Granting Access Permission to VPN Software 60 Granting Internet Access Permissions to Programs 67 Granting Send Mail Permission to Programs 67 Granting Server Permission to Programs 67
H
Handling Quarantine Items 15 Heartbeat Messages 140 High Security Setting 53 High-Rated Alerts 140 HTTP Referrer Header Field 140
I
ICMP 141 ICS 141 Identifying the Source of the Heartbeat Messages 136 IKE 141 Index.dat 141 Infected File Exceptions List 19 Infected File Scan Options 19 Information Alerts 141 Information and Help on File Encryption 96 Informational Alerts 118, 124 Integrating with Network Services 54 Internet Connection Troubleshooting 135 Internet Lock Alerts 126 Internet Zone 141 Introduction to Endpoint Security 8 IP Address 141 IPSec 141 ISP 141
E
Embedded Object 140 Enabling Anti-malware 12 Enabling Automatic Infection Treatment 18 Enabling Automatic Lock 63 Enabling File and Printer Sharing 54 Enabling Internet Connection Sharing 54 Enabling Logging 32 Enabling Office Mode 34 Encrypting a Package with PKCS7 105 Encrypting CDs and DVDs 87 Encrypting Information 99 Encrypting Media 86 Encrypting Media/Floppy Disks 107 Encryption Information 79 Encryption Policy Manager 84 Endpoint Security Anti-malware 12 Endpoint Security On Demand 140 Endpoint Security Server 140 Enrolling After Site Creation 41 Enrolling During Site Creation 40 Ensuring That Your Computer Has Not Been Tampered With 72 Enterprise Policy 140 Erasing CDs or DVDs 89 Exporting and Importing Profiles 27 Extracting Files to Local Hard Disk 89 Extracting Files to Temporary Secure Location 89
J
Java Applet 141 JavaScript 141
K
Key Fobs 40, 141
L
Languages Supported 80 Legacy VPN Client 22 Location Aware Connectivity 44 Log Viewer Fields 121 Logging Off from File Encryption 96 Logging on with SSO or OneCheck Logon Enabled 77
F
Fallback Languages 81 Features 84 File Encryption 92 File Encryption Options 97 Firewall 9, 52 Firewall Alert/Protected 124
M
Mail Server 142 MailSafe Alert 125 Maintenance Section 91 Making Your Computer Visible on Local Network 134 Managing Certificates 24 Managing Check Point Certificates 24 Managing Connection Profiles 26 Managing Entrust Certificates 24 Managing Passwords and Keys 111 Managing Program Components 68 Managing VPN Sites 28 Manual Action Required Alerts 131 Maximum File Size for Encrypted Packages 101 MD5 Signature 142 Media Encryption 9, 84 Medium Security Setting 53 Medium-rated Alert 142 MIME-type integrated object 142 Mobile Code 142 Mobile-Code Control 142
Protecting Information Locally 99 Protecting Information on Removable Media 106 Protocol 143 Proxy Settings 44 Proxy Settings (Visitor Mode) 34 Public Network 143
Q
Quarantine 143
R
Reducing Advanced Program Alerts 131 Reducing Blocked Program Alerts 125 Reducing Changed Program Alerts 128 Reducing Compliance Alerts 126 Reducing Firewall Alerts 124 Reducing Internet Lock Alerts 126 Reducing Manual Action Alerts 131 Reducing New Network Alerts 132 Reducing New Program Alerts 127 Reducing Program Component Alerts 129 Reducing Repeat Program Alerts 128 Reducing Server Program Alerts 130 Remote Access Community 143 Remote Access VPN 143 Remote Help and webRH for Information Stored Locally 114 Remote Help and webRH for Removable Media/Devices 114 Remote Help for Encrypted Packages 115 Removable Media Manager 84 Renewing Check Point Certificates 26 Repairing Archived Files 19 Repeat Program Alerts 127 Resolving Slow Startup 135 Responding to Alerts 10 Restoring Key Files of Media/Floppy Disks 108 Restoring Warnings 111
N
NAT Traversal 36 NetBIOS 142 Network Troubleshooting 134 New Network Alerts 118, 131 New Network and VPN Alerts 11 New Program Alerts 10, 127
O
On-Access Scanning 18 Opening Encrypted Packages 104 Optional Full Disk Encryption Features 75 Overview of Options 97 Overview Panel 10
P
Packet 142 Panels 9 Password Caching for Single Sign On 44 Persistent Cookie 142 Personal Policy 142 Personal Store 142 Ping 142 PKCS7 Encryption 105 Policies 10, 116 Policy Types 116 Pop-under Ad 142 Pop-up Ad 142 Port 142 Port Scan 142 Privacy Advisor 143 Private Header 143 Program Access Control 62 Program Alerts 118, 127 Program Authentication 62 Program Component Alerts 128 Program Control 9, 62 Program Security Guard 85 Programs List 143 Protected Information in Windows Explorer 99
S
Saving the Certificate in Another Location 25 Saving the Certificate to a Folder of Your Choice 39 Scanning 13 Scheduling Scans 16 Script 143 Secure Delete Basics 113 Secure Domain Logon 33 Securely Deleting Extracted Files 111 Securely Deleting Information 113 Securely Deleting Information Stored Locally 101 Securely Deleting Packages 106 SecurID 39, 143 SecurID Authentication Devices 39 Security Levels 143 Server Permission 143 Server Program Alerts 129 Session Cookie 143 Setting a Password 94 Setting Advanced Security Options 55 Setting Alert Event Level 119 Setting Authentication Options 68
Setting Basic Alert and Log Options 119 Setting Event and Program Log Options 120 Setting Event and Program Logging Options 119 Setting Gateway Security Options 56 Setting General Security Options 56 Setting ICS Options 56 Setting Network Security Options 57 Setting Program Access Permissions 64 Setting Program Control Level 63 Setting Program Control Options 63 Setting Specific Permissions 65 Sharing and SSO 112 Sharing Files and Printers Locally 134 Sharing Media 113 Sharing Media/Floppy Disks 107 Sharing Media/Floppy Disks and Managing Keys 112 Showing or Hiding Alerts 119 Showing or Hiding Firewall Alerts 119 Single Sign-on and OneCheck Logon 76 Skyscraper Ad 144 Smart Card Removal 45 SoftID 39, 144 Specifying Scan Targets 17 SSO and OneCheck Logon and Password Changes 77 Staying Connected all the Time 44 Stealth Mode 144 Storing a Certificate in the CAPI Store 38 Storing PKCS#12 in CAPI Store 25 Submitting Infected Files and Spyware to Check Point 14 Supported VPN Protocols 59 Suspending Popup Messages 35 Suspicious Site Warnings 49 Switching to Endpoint Connect 37 Switching to the Legacy VPN client 47 Synchronizing Passwords 75 System Tray Icons 9
T
TCP 144 The Endpoint Security Main Page 8 Third Party Cookie 144 Tour of the Endpoint Security Main Page 8 Treating Files Manually 14 Trojan Horse 144 Troubleshooting 133 TrueVector Security Engine 144 Trusted Zone 144 Tunnel Idleness 45 Types of Endpoint Security VPNs 21
Understanding Policy Arbitration 116 Understanding Program Control 62 Understanding Scan Results 13 Understanding the Product Info Tab 10 Understanding WebCheck 49 Understanding Zones 52 Updating Anti-malware 13 Updating Encrypted Information 110 Updating Malware Definitions 17 Updating Sites 30 USB Sticks, Firewire/USB Hard Drives, Floppy/CD/DVD Disks 107 User Name and Password 37 Using a Certificate and Setting a Password 94 Using a Dynamic Token 73 Using a Fixed Password 73 Using a Smart Card/USB Token 74 Using Alert Advisor 123 Using Antivirus Software 69 Using Browsers 69 Using Chat 69 Using E-mail 69 Using File Encryption 96 Using File Sharing 70 Using FTP 70 Using Games 70 Using Internet Answering Services 70 Using Programs with the Client 69 Using Remote Control 70 Using Secure Delete With File Encryption Installed 114 Using Secure Delete With the Stand-alone Utility 114 Using Streaming Media 70 Using the Device Manager 91 Using the EPM Client 86 Using the Full Disk Encryption Panel 78 Using the Full Disk Encryption Password for Windows 76 Using the Overview Main Tab 10 Using the Policies Panel 117 Using the Program Security Guard 91 Using the Programs List 66 Using the Removable Media Manager 90 Using the Windows Password for Full Disk Encryption 76 Using VNC 71 Using Voice over IP 71 Using Web Conferencing 71
V
Viewing Anti-malware Protection Status 12 Viewing Available Policies 116 Viewing Log Entries 121 Viewing Logs 16 Viewing Profile Properties 28 Viewing Quarantine Items 15 Viewing Site Properties 29 Viewing Status and Encryption Information 78 Viewing the Text Log 122 Visitor Mode 144 VPN 9, 21, 144 VPN Auto-Configuration and Expert Rules 133 VPN Basics 21 VPN Troubleshooting 133
U
UDP 144 Understanding Alerts and Logs 118 Understanding Certificates 38 Understanding Connection Details - Endpoint Connect VPN 43 Understanding Connection Details - Legacy VPN 31 Understanding Connection Settings - Endpoint Connect VPN 43 Understanding Firewall Protection 52
W
Web Bug 144 WebCheck 9, 49 WebCheck Protection 49 What if I don't have access to my token/smart card? 75 What if I forget my password? 75, 114 What you should do 124, 125, 126, 127, 128, 129, 130, 131 Why Advanced Program Alerts Occur 130 Why Blocked Program Alerts Occur 125 Why Changed Programs Alerts Occur 128 Why Compliance Alerts Occur 126 Why Firewall Alerts Occur 124 Why Internet Lock Alerts Occur 126 Why MailSafe Alerts Occur 125 Why Manual Action Require Alerts Occur 131 Why New Network Alerts Occur 131 Why New Program Alerts Occur 127 Why Program Component Alerts Occur 128 Why Repeat Program Alerts Occur 127 Why Server Program Alerts Occur 129 Windows Integrated Logon 77 With File Encryption Installed 109 Without File Encryption Installed 110 Working in a Stand-alone Access Environment 110 Working with Encrypted Packages 101 Working with File Encryption 93
Y
Yellow Caution Banner 50
Z
Zones Manage Firewall Security 53 Zones Provide Program Control 53