
What's New in Check Point Enterprise Suite NGX (R60)

5/16/05

In This Document

- Unified Software Package
- Firewall
- VPN
- SecuRemote/SecureClient
- Integrity
- SSL Network Extender
- SmartCenter
- VPN-1 Edge
- SmartView Monitor
- Eventia Reporter
- SmartUpdate
- SmartLSM
- SecurePlatform
- ClusterXL
- Performance Pack
- VSX
- QoS
- UserAuthority

The latest version of the What's New documentation is available online at http://www.checkpoint.com/techsupport/downloads.jsp.

Copyright 2005 Check Point Software Technologies, Ltd. All rights reserved.

New Features Unified Software Package

Unified Software Package


In previous versions, each product had its own software package (for example, Check Point SVN Foundation: cpshared_R55_<Build_Num>_<platform>.tgz). NGX (R60) binds a number of products into a unified software package to simplify the installation process. The following products are included in the package fw1_R60_<BuildNum>_<platform>.tgz, where <BuildNum> represents the package version and <platform> represents the relevant operating system:

- Check Point SVN Foundation
- VPN-1 Pro
- SecureClient Policy Server
- SmartView Monitor
- QoS (previously FloodGate-1)

Software packages not included in this list are distributed in their own packages located on the product CD.

What's New in Check Point NGX R60

Last Update 5/16/05

New Features Firewall

Firewall
In This Section

- Web Intelligence
- Voice over IP (VoIP)
- Network Security
- DNS Security
- Check Point Active Streaming
- Application Intelligence for Additional Protocols
- Malicious Activity Prevention
- General

Web Intelligence
New web protections have been added to prevent:

- Directory Listing
- LDAP Injection
- Display of web server error messages in the browser (a feature known as Error Concealment)

Specific behavioral patterns to be blocked by the Cross-Site Scripting, SQL Injection and Command Injection defenses in Web Intelligence can now be defined by the user.

Malicious Code Protector is now supported on SPARC processors.

It is now possible to make all protections on specific web servers run in monitor-only mode, while on other servers the protection will be active.

Different HTTP method schemes can now be set for each web server.

Server-based Security Policy configuration is enhanced, and completely integrated into SmartDefense. The result is an easy and granular defense configuration that retains the global view that is present in SmartDefense.

Monitor-only Mode
Many of the new features have a monitor-only mode, where features are activated in a mode that issues logs but does not block traffic. This usability element is helpful in the transition phase, when features are applied for the first time at a customer's site, and will be helpful in discovering configuration problems in the deployment stage. With a single click the defaults of each protection can be restored. Monitor-only mode also supports audit-only deployments.


SQL Injection

VPN-1 Pro rejects HTTP requests containing SQL commands inside the URL or body. An attacker can use flaws in the web application to inject malicious commands that will be run directly in the application database and cause damage or information disclosure. This defense has three levels of protection: low, medium and high. The definitions for these three levels are conveniently displayed as you slide the change bar to select a different mode in SmartDashboard.

Shell Command Injection



VPN-1 Pro rejects HTTP requests containing shell commands inside the URL or body. An attacker can use flaws in the scripting engine to inject malicious commands that will be run directly on the host. This defense has three levels of protection: low, medium and high. The definitions for these three levels are conveniently displayed as you slide the change bar to select a different mode in SmartDashboard.

Cross Site Scripting


VPN-1 Pro rejects HTTP requests sent using the POST command that contain scripting code. Attackers can use scripting commands inside URLs and forms to steal an innocent user's identity. This form of stealing is particularly insidious because the administrator and the user do not know they are being tricked. VPN-1 Pro also understands the encoded data sent as part of the URL, which is an alternative way of submitting information. The scripting code is not stripped from the request; rather, the whole request is rejected. The defense has three levels of protection: low, medium and high.

Directory Traversal Attacks

Directory traversal attacks allow hackers to access files and directories that should be out of their reach. In many attacks, this leads to running executable code on the web server with one simple URL. Most of the attacks are based on the ".." notation within a file system. VPN-1 Pro blocks requests in which the URL contains an illegal directory request. For example, http://www.server.com/first/second/../../.. is illegal because it climbs above the root directory. http://www.server.com/first/second/../ is legal because it is equivalent to http://www.server.com/first/. VPN-1 Pro supports the same capability for URLs that are encoded with Unicode and % encoding.

HTTP Format Sizes
The sizes of different elements in an HTTP request/response are not limited; this can be used to perform a DoS attack on a web server. In addition, many buffer-overflow attacks require a considerably large buffer to be sent to the web server. It is good security practice to limit these buffers. This reduces the chance for buffer overruns and limits the size of code that can be inserted using the overflow. This defense provides the ability to impose a limit on the following elements:

- Maximum URL length
- Maximum Header length
- Maximum number of headers
- Specific header length, by giving a regular expression to describe the header name and value

The maximum allowed length is adjustable using SmartDefense.

Blocking Non-ASCII Characters in Requests

VPN-1 Pro blocks non-ASCII characters (those outside the 32-127 range) in the HTTP request/response headers. Other than the fact that the HTTP RFC does not allow binary characters anywhere in the HTTP headers, blocking them is good security practice because executables and buffer-overrun exploits usually need binary characters. The defense can be turned on using SmartDefense, in the Request\Response Headers section of the ASCII Only Request window.

Allowed HTTP Methods

The HTTP RFC allows a restricted set of standard HTTP methods (GET, PUT, HEAD, POST). Many of the non-standard methods have a very bad security record and so, by default, they are blocked. WebDAV methods are blocked by default but can be added either as a group or individually. Other methods that are blocked by default can be added individually too.

Header Rejection

A web server or application parses not only the URL, but also the rest of the HTTP header data. Wrong parsing can lead to buffer overrun attacks and other vulnerabilities. Such attacks, while RFC compliant, can be blocked using signatures that are defined using regular expressions.

HTTP Header Spoofing

One of the first steps an attacker takes before attacking a web site is to fingerprint it. The attacker analyzes the web server's response in order to gather as much information as possible about it. Some information in the response is redundant; this defense removes such information by either removing the relevant header or changing its value. The relevant headers can be added using regular expressions for name and value; each header can be stripped (removed) or replaced from SmartDefense.
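The checks described under Directory Traversal Attacks, HTTP Format Sizes, Blocking Non-ASCII Characters, Allowed HTTP Methods, Header Rejection and HTTP Header Spoofing fit in one small inspection module. The following is an added example written for this page, not Check Point code: the method set and the 32-127 rule come from the text above, while the numeric limits, the rejection signature (a negative Content-Length) and the response header rules are constructed assumptions.

```python
"""Added example, not Check Point code: defender-side HTTP inspection checks
of the kind described above (traversal, size limits, ASCII-only headers,
allowed methods, header-rejection signatures, header spoofing)."""
import re
from urllib.parse import unquote, urlsplit

# Page-derived method set; the numeric limits below are assumptions.
ALLOWED_METHODS = {"GET", "PUT", "HEAD", "POST"}
LIMITS = {"max_url_len": 2048, "max_header_len": 1024, "max_headers": 40}
# Header-rejection signatures as (name regex, value regex); constructed
# example: a negative Content-Length, which is RFC-shaped but nonsensical.
REJECT_SIGNATURES = [(re.compile(r"^Content-Length$", re.I), re.compile(r"^\s*-"))]
# Response header rules for fingerprint reduction: (name regex, replacement);
# None means strip the header, a string replaces its value. Constructed.
RESPONSE_RULES = [(re.compile(r"^Server$", re.I), None),
                  (re.compile(r"^X-Powered-By$", re.I), "unknown")]

_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_path(raw):
    """Undo %uXXXX (Unicode-style) and %XX encoding, repeating until the
    string is stable so that double-encoded '..' segments are also exposed."""
    prev, cur = None, raw
    while cur != prev:
        prev = cur
        cur = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), cur)
        cur = unquote(cur)
    return cur


def path_is_legal(url_path):
    """Return (legal, normalized). A path is illegal when a '..' segment
    would climb above the root: '/first/second/../../..' is illegal,
    '/first/second/../' is legal and normalizes to '/first/'."""
    decoded = decode_path(url_path)
    stack = []
    for seg in re.split(r"[\\/]+", decoded):  # treat '\' as a separator too
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return False, decoded
            stack.pop()
        else:
            stack.append(seg)
    normalized = "/" + "/".join(stack)
    if decoded.endswith(("/", "\\")) and normalized != "/":
        normalized += "/"
    return True, normalized


def inspect_request(method, url, headers):
    """Return the list of violations for one request; empty means accepted.
    headers is a list of (name, value) pairs."""
    violations = []
    if method.upper() not in ALLOWED_METHODS:
        violations.append("method not allowed: " + method)
    if len(url) > LIMITS["max_url_len"]:
        violations.append("URL too long")
    if not path_is_legal(urlsplit(url).path or "/")[0]:
        violations.append("directory traversal above root")
    if len(headers) > LIMITS["max_headers"]:
        violations.append("too many headers")
    for name, value in headers:
        line = name + ": " + value
        if len(line) > LIMITS["max_header_len"]:
            violations.append("header too long: " + name)
        # The page allows only the 32-127 range in headers.
        if any(not 32 <= ord(ch) <= 127 for ch in line):
            violations.append("non-ASCII character in header: " + name)
        for name_re, value_re in REJECT_SIGNATURES:
            if name_re.search(name) and value_re.search(value):
                violations.append("header matched rejection signature: " + name)
    return violations


def sanitize_response_headers(headers):
    """Strip or rewrite response headers that leak server fingerprints."""
    out = []
    for name, value in headers:
        for name_re, replacement in RESPONSE_RULES:
            if name_re.search(name):
                value = replacement
                break
        if value is not None:
            out.append((name, value))
    return out
```

`path_is_legal` decodes before it normalizes, which is what makes the Unicode and % encoded variants of ".." fall under the same rule as the plain form; `inspect_request` rejects the whole request on any violation rather than trying to strip the offending part, matching the behaviour described for the scripting defenses.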

Whats New in Check Point NGX R60

Last Update 5/16/05

New Features Firewall

Voice over IP (VoIP)


Supported SIP RFCs and Standards

- 3372 (SIP-T)
- 3311 (Update message)
- SIP over TCP

Supported SIP Advanced Features

- Call forwarding capabilities:
  - Forward on busy
  - Forward on no answer
  - Find me, Follow me
  - Forward unconditional
- Registration timeout configuration
- Third party registration
- Proxy failover
- DoS Protection. A maximum number of new VoIP sessions that can be initiated per minute from a specific IP address can be set. This feature is not enforced for Proxies or IP addresses on the White List.

Supported H.323 RFCs and Standards

- H.323 V.2, V.3, V.4
- H.234 V.3, V.5, V.7
- H.225 V.2, V.3, V.4

Supported H.323 Network Configurations when NAT is in use

- Gatekeepers, Gateways and PBX can be installed using Static NAT in the external network, internal network or DMZ.
- Incoming calls to Hide NAT are supported.
- H.323-PSTN gateways can be installed anywhere using either Static or Hide NAT.

Advanced H.323 features

- FastStart and NAT support.
- H.245 Tunneling and NAT support.
- DoS Protection. A maximum number of new VoIP sessions that can be initiated per minute from a specific IP address can be set.

MGCP service - Support for the MGCP protocol, including:

- Dynamic management of RTP sessions (open data connection dynamically)
- Analysis and enforcement of message states
- Verification of existence and correctness of call parameters
- Keep call state for each call
- Enforcement of call hand-over
- Logging of call information, and reporting of security vulnerabilities

Sample Attack or vulnerability - call denial-of-service, call hijacking, fooling a billing service
Getting Here - Configure a VoIP domain, and then using SmartDashboard select SmartDefense > Application Intelligence > VoIP > MGCP. Use the MGCP services in the Security rule base.

Advanced MGCP features: DoS Protection. A maximum number of new VoIP sessions that can be initiated per minute from a specific IP address can be set.

Skinny Client Control Protocol (SCCP) - VPN-1 supports the SCCP protocol, including:

- Dynamic management of RTP sessions (open data connection dynamically)
- Analysis and enforcement of message states
- Verification of existence and correctness of call parameters
- Keep call state for each call
- Enforcement of hand-over domains
- Logging of call information, and reporting of security vulnerabilities

Sample Attack or vulnerability - Call denial-of-service, call hijacking, fooling a billing service
Getting Here - Configure a VoIP domain, and then using SmartDashboard select SmartDefense > Application Intelligence > VoIP > SCCP. Use the SCCP service in the Security rule base.

Advanced SCCP features: DoS Protection. A maximum number of new VoIP sessions that can be initiated per minute from a specific IP address can be set.

Network Security
Port Scanning
Port Scanning detects scanning attempts in real-time (during packet processing). Scans are detected whether they are perpetrated by a single host or several (distributed scans). The feature detects two types of scans: scans aimed at detecting all services that a given computer runs (host port scan), and scans aimed at detecting the computers in a given network running a certain service (sweep scan). This feature is useful in detecting worms such as Welchia that scan networks in order to spread themselves.

Sample Attack or vulnerability - Welchia worm
Getting Here - In SmartDashboard select SmartDefense > Network Security > Port Scan Detections
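The two scan types described above, plus the distributed case where several sources share one target, can be detected with three sliding-window counters over connection records. This is an added example written for this page, not Check Point code; the thresholds, the window length and the connection records are constructed assumptions.

```python
"""Added example, not Check Point code: host port scan and sweep scan
detection over connection records. Thresholds and sample data are
constructed assumptions."""
from collections import defaultdict, deque

THRESHOLDS = {
    "host_scan_ports": 10,  # distinct ports on one target => host port scan
    "sweep_hosts": 10,      # distinct targets on one port => sweep scan
    "window_sec": 20.0,     # sliding window over which counts are kept
}


def detect_scans(events, thresholds=THRESHOLDS):
    """events: iterable of (timestamp, src_ip, dst_ip, dst_port) in time
    order. Returns a list of (timestamp, kind, key) alerts, one per key.
    Three trackers run side by side:
      host  : one source, one target, many ports   (host port scan)
      dist  : any sources, one target, many ports   (distributed host scan)
      sweep : one source, one port, many targets    (sweep scan)"""
    window = thresholds["window_sec"]
    tracks = defaultdict(deque)  # key -> deque of (ts, value, src)
    fired, alerts = set(), []
    for ts, src, dst, dport in events:
        observations = [
            (("host", src, dst), "host port scan", dport, thresholds["host_scan_ports"]),
            (("dist", dst), "distributed host port scan", dport, thresholds["host_scan_ports"]),
            (("sweep", src, dport), "sweep scan", dst, thresholds["sweep_hosts"]),
        ]
        for key, kind, value, limit in observations:
            q = tracks[key]
            q.append((ts, value, src))
            while q and ts - q[0][0] > window:  # drop records outside the window
                q.popleft()
            if key in fired:
                continue
            distinct_values = {v for _, v, _ in q}
            distinct_sources = {s for _, _, s in q}
            # The distributed tracker only reports when more than one source
            # contributed; single-source scans are reported by "host".
            if key[0] == "dist" and len(distinct_sources) < 2:
                continue
            if len(distinct_values) >= limit:
                fired.add(key)
                alerts.append((ts, kind, key))
    return alerts


# Constructed connection records (no real hosts):
SAMPLE_EVENTS = (
    [(0.0, "10.0.1.10", "10.0.2.80", 80), (1.0, "10.0.1.11", "10.0.2.80", 443)]
    # one source probing 12 ports on one target within 6 seconds
    + [(2.0 + i * 0.5, "10.0.1.50", "10.0.2.20", 1 + i) for i in range(12)]
    # one source probing port 135 on 12 hosts (the Welchia pattern)
    + [(10.0 + i * 0.3, "10.0.1.66", "10.0.3.%d" % (i + 1), 135) for i in range(12)]
    # 12 sources each probing a different port on the same target
    + [(20.0 + i * 0.2, "10.0.4.%d" % (i + 1), "10.0.2.30", 8000 + i) for i in range(12)]
)


def alert_kinds(events=SAMPLE_EVENTS):
    """Convenience: just the kinds of alert raised, in order."""
    return [kind for _, kind, _ in detect_scans(events)]


if __name__ == "__main__":
    for ts, kind, key in detect_scans(SAMPLE_EVENTS):
        print("%6.1fs %-28s %s" % (ts, kind, key))
```

Each key fires once, so a long scan produces one alert rather than one per packet; the window eviction is what keeps slow, legitimate connection churn from accumulating into a false positive.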

DShield Storm Center


Automatic integration in the rule base with the SANS Storm Center. SANS monitors the top malicious sources in the Internet. This feature allows both the updating of SANS with malicious hosts detected by VPN-1 Pro and the ability to block hosts known to be malicious by SANS automatically. This offers protection from Distributed Denial of Service (DDoS) at the Firewall and further "upstream" by other Check Point customers.

Sample Attack or vulnerability - Code Red or any DDoS attack.
Getting Here - In SmartDashboard, select SmartDefense > Network Security > DShield Storm Center > Report to DShield

DNS Security
DNS Verification
VPN-1 enforces the DNS protocol on DNS UDP and TCP traffic, ensuring that the traffic that crosses the Firewall is valid DNS traffic. The RFC-defined header size, domain and FQDN (Fully Qualified Domain Name) syntax are enforced. This protects clients and servers from buffer overruns. VPN-1 enforces the proper content of the header (Z flag, QR bit, OPCODE), Resource Record counters and formats. This includes: enforcing a domain's proper syntax on queries and responses, enforcing proper format of the TYPE values, and enforcing the format of Inverse Queries. In addition, VPN-1 verifies that every response matches a certain request by the session ID.


UDP Protocol Enforcement


DNS protocol inspection, supporting RFCs 1034/1035 (General), 1996 (Notify), 2136 (Update), 2317 (classless delegation), 2535 (DNS security extensions), 2671 (EDNS0) and draft-ietf-dnsext-axfr-clarify-05. Enforcement on lengths, counters, header flags, proper domain format, Resource Record formats, response matching a previous request, bound checking, type and domain logging.

Sample Attack or vulnerability - Trojan Horses, DNS cache poisoning
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Protocol Enforcement, and enable UDP Protocol Enforcement.

TCP Protocol Enforcement

Inspect DNS over TCP - In addition to the UDP capabilities mentioned above, inspect TCP zone transfer traffic.

Sample Attack or vulnerability - Trojan Horses, DNS cache poisoning
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Protocol Enforcement, and enable TCP Protocol Enforcement.

Defense Against Cache Poisoning


ID scrambling - Some DNS implementations use trivial transaction IDs and source ports that are easy to predict for their DNS queries; this allows hackers to craft spoofed response packets that will poison the DNS server's cache. VPN-1 tracks each request, and randomizes the transaction ID and source port of outgoing queries using strong cryptographic algorithms. Replies are validated to have matching query entries.

Sample Attack or vulnerability - DNS cache poisoning
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Cache Poisoning > Scrambling.

Birthday-Attack Defense - An attacker sends many simultaneous queries to the attacked server, triggering it to issue many queries to external servers, which the attacker then spoofs the replies for. If a spoofed reply matches one of the server's requests, the result may be poisoning the server's cache; because of the birthday paradox, the chances of a spoofed reply matching a server request are high. This defense prevents external queries to internal DNS servers if the DNS server is not authoritative for the queried domain.

Sample Attack or vulnerability - DNS birthday attack
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Cache Poisoning > Drop Inbound Requests.

Excessive ID Mismatch Detection - DNS cache poisoning attacks (especially the "Birthday Attack") usually have a by-product of many mismatching DNS replies in a short time. An excessive number of DNS replies that do not have a matching query can indicate a cache-poisoning attack. VPN-1 generates a special alert when thresholds of mismatched replies in a specified duration of time are surpassed. These thresholds are configurable (default is 50 over 5 seconds) and administrators can be notified in a variety of manners (log, email, SNMP Trap or one of three User Defined Actions).

Sample Attack or vulnerability - DNS cache poisoning
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Cache Poisoning > Mismatched Replies.

Domains Block List

Damaging or malicious traffic can sometimes be characterized by the DNS domain it is trying to reach. In VPN-1 you can now maintain a block-list of DNS domains. Queries regarding the domains in the block-list are blocked. This method is effective for blocking traffic to a domain when the destination IP address hosts additional sites besides the prohibited one. This is an important advantage over blocking traffic to the domain in the Security rule-base: it grants access to the safe domains while keeping the unsafe ones out.

Sample Attack or vulnerability - Undesired traffic to a site characterized by its domain.
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS > Domains block-list.
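The resolver-side mechanisms described in this DNS section (query tracking with reply matching, transaction ID and source port scrambling, the 50-over-5-seconds mismatch threshold, dropping inbound queries for non-authoritative domains, and the domain block-list) are shown together below. This is an added example written for this page, not Check Point code: the DnsGuard class, its method names, the blocked domain and the authoritative zone are all constructed for illustration; only the threshold defaults come from the text.

```python
"""Added example, not Check Point code: a resolver-side guard implementing
the DNS cache-poisoning defenses and domain block-list described above.
Class and method names, blocked domains and zones are constructed."""
import secrets
from collections import deque

MISMATCH_THRESHOLD = 50  # page default: alert when more than 50 mismatched
MISMATCH_WINDOW = 5.0    # replies arrive within 5 seconds


def _normalize(name):
    return name.lower().rstrip(".")


def _under(name, domain):
    """True if name equals domain or is a subdomain of it."""
    name = _normalize(name)
    return name == domain or name.endswith("." + domain)


class DnsGuard:
    def __init__(self, blocked_domains, authoritative_zones):
        self.blocked = {_normalize(d) for d in blocked_domains}
        self.zones = {_normalize(z) for z in authoritative_zones}
        self.pending = {}          # (txid, sport) -> query name
        self.mismatches = deque()  # timestamps of replies with no matching query
        self.alerts = []           # (timestamp, count) when the threshold is surpassed

    def is_blocked(self, qname):
        """Domain block-list: matches the domain itself and every subdomain."""
        return any(_under(qname, d) for d in self.blocked)

    def accept_inbound_query(self, qname):
        """Birthday-attack defense: external queries are answered only for
        zones this server is authoritative for."""
        return any(_under(qname, z) for z in self.zones)

    def send_query(self, qname):
        """ID scrambling: pick a CSPRNG transaction ID and source port for the
        outgoing query and remember the pair. Returns None if blocked."""
        if self.is_blocked(qname):
            return None
        while True:
            txid = secrets.randbelow(65536)
            sport = 1024 + secrets.randbelow(65536 - 1024)
            if (txid, sport) not in self.pending:
                break
        self.pending[(txid, sport)] = _normalize(qname)
        return txid, sport

    def receive_reply(self, ts, txid, sport, qname):
        """Accept a reply only if (txid, sport, name) matches a pending query;
        otherwise drop it and count it towards the mismatch threshold."""
        key = (txid, sport)
        if self.pending.get(key) == _normalize(qname):
            del self.pending[key]
            return "accepted"
        self.mismatches.append(ts)
        while self.mismatches and ts - self.mismatches[0] > MISMATCH_WINDOW:
            self.mismatches.popleft()
        count = len(self.mismatches)
        if count > MISMATCH_THRESHOLD and (
                not self.alerts or ts - self.alerts[-1][0] > MISMATCH_WINDOW):
            self.alerts.append((ts, count))
        return "dropped"


def simulate_spoof_burst(guard, start_ts, count):
    """Detection check: feed `count` constructed replies that carry guessed
    IDs and a fixed port, and return how many alerts the guard has raised."""
    for i in range(count):
        guard.receive_reply(start_ts + i * 0.01, i, 5353, "victim.example")
    return len(guard.alerts)
```

The search space an attacker has to guess is the product of the 16-bit transaction ID and the randomized source port, which is why both are drawn from `secrets` rather than a counter; the mismatch counter is the detection side of the same defense, since guesses that miss are exactly the replies that fail to match a pending entry.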

Check Point Active Streaming


The new Active Streaming technology enhances the streaming capabilities that already exist in VPN-1 to new levels of inspection. Check Point Active Streaming reassembles TCP segments, enabling inspection of complete protocol units before any of them reach the client or server.

Application Intelligence for Additional Protocols


POP3 and IMAP - VPN-1 can verify that the username entered for reading mail using POP3 or IMAP is similar to the username entered for VPN authentication and/or for UserAuthority authentication. In addition, protocol validation including blocking of binary data will be made on the username, and on other protocol elements.

Sample Attack or vulnerability - Restrict a user from reading another user's mail.
Getting Here - In order to configure username verification, define the gateway object as a Mail Server, then edit the Mail Server page of the object, and enable the property Verify username with VPN tunnel user.

Block Peer to Peer Applications - Peer to peer applications use their own proprietary protocols, which use arbitrary port numbers, and therefore are hard to block using standard methods (such as via the Security rule base). These applications can cause a variety of problems. VPN-1 can block the common peer to peer applications, including Kazaa, eDonkey, Gnutella, and gives administrators the opportunity to exclude specific ports and network objects from peer to peer detection.

Sample Attack or vulnerability - Exposing private data, exposing the network to viruses and Trojan horses, wasting CPU time, exploiting storage and bandwidth resources, wasting employees' time and raising legal issues (piracy and intellectual property rights).
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > Peer to Peer

DCE-RPC - DCE-RPC is a protocol for calling a procedure on a remote machine as if it were a local procedure call. The protocol uses a Universal Unique Identifier (UUID) to connect remote machine Interfaces. Many DCE-RPC attacks are based on malformed or objectionable DCE-RPC traffic. VPN-1's DCE-RPC packet verification will prevent DoS attacks and exploits. VPN-1 addresses this protocol validation by authorizing DCE-RPC UUIDs and opening high ports dynamically only if the UUID is allowed and the protocol flow is not violated.

Sample Attack or vulnerability - Blaster Worm, Spike
Getting Here - Enabled by default in VPN-1's DCE-RPC enforcement.

DCOM Protocol Validation - Recent attacks against DCOM are based on malformed DCOM traffic on port 135. VPN-1 will allow DCOM communication and allow traffic for UUIDs needed by DCOM, but prevent the Blaster and other attacks.

Sample Attack or vulnerability - The Blaster attack creates a buffer overflow on the DCOM server on port 135
Getting Here - Enabled by default in VPN-1's DCE-RPC enforcement.

SNMP Version Enforcement - SNMPv3 is much more secure than earlier versions. VPN-1 will verify that all SNMP traffic is from version 3. The default is set to allow all SNMP traffic, but if you switch to SNMPv3, all traffic from earlier versions is blocked.

Sample Attack or vulnerability - SNMPv2 trivial communities; data is not encrypted, poor authentication mechanisms.
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > SNMP and enable Allow only SNMPv3 traffic.


Communities Block-list - Common network devices have default well-known community strings. These communities are often not disabled, and thus expose a vulnerability by leaving an easy way to create unauthorized SNMP access to the machine. VPN-1 enforces an SNMP domain block-list, blocking SNMPv2 and earlier connections that use these trivial community strings.

Sample Attack or vulnerability - SNMPv2 trivial communities
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > SNMP and enable Drop requests with default community strings for SNMPv1 and SNMPv2.

MS-SQL - An administrator can now block the Slammer worm on the SQL monitoring UDP protocol by looking for pre-defined patterns.

Sample Attack or vulnerability - Slammer worm
Getting Here - In SmartDashboard, include the service MSSQL_Resolver in any access rule in the Security rule base.

Malicious Activity Prevention


Malicious Code Protector - Most HTTP worms and exploits take advantage of a buffer overflow vulnerability. This vulnerability is generally a result of mishandling of input length. An attacker can exploit this vulnerability by sending an enlarged buffer which is copied on top of the smaller buffer by the application, thus creating a memory corruption. This memory corruption might lead to any of the following:

- a brutal application termination
- a denial of service attack
- in the event of a well crafted attack, malicious code execution

Malicious Code Protection is a Check Point patent-pending technology that blocks hackers from sending malicious code to target servers and applications. It can detect malicious executable code within communications by identifying not only the existence of executable code in a data stream but its potential for malicious behavior. Malicious Code Protection is a kernel-based protection delivering wire-speed performance. Its core functions are:

- Monitor communication for potential executable code
- Confirm the presence of executable code
- Identify if the code is malicious
- Block malicious executable code from reaching the target host

It is important to understand that this defense does not rely upon pattern detection, which means it can stop both known and unknown attacks.

Sample Attack or vulnerability - Some common worms: Nimda, CodeRed, and many exploits such as IIS WebDAV exploits.
Getting Here - In SmartDashboard, select Web Intelligence > Malicious Code > Malicious Code Protector.

General
- DCE-RPC can now communicate over ports other than 135.
- Multicast traffic can now be allowed or blocked for each multicast group. Configuration is per interface. For example, define a new object called multicast address range, and use it when defining the network topology on the interface.
- IPv6 security is now supported on the Linux platform.
- NAT hide can now be defined for PPTP clients.
- Authentication capabilities have been enhanced to better protect against brute force attacks.
- It is now possible to disable the logging of anti-spoofing activity of local interfaces and clusters.
- Individual interfaces can now be configured to accept or block traffic from specific multicast groups.
- ISP redundancy on the Nokia platform is now supported.
- ISP Redundancy DNS features can now be configured using SmartDashboard.
- The SmartDefense service now protects IPv6 networks.
- SmartDefense update can now traverse a web proxy with authentication.
- It is now possible to define a name for each security rule. The rule name will appear in the logs created by that rule and will persist across policy changes.
- Enhanced SmartDefense updates infrastructure with improved inspection capabilities.


New Features VPN

VPN
In This Section

- VPN Routing
- VPN Tunnel Management
- Multiple Entry Point (MEP) and VPN Load Distribution
- VPN-1 Clusters
- PKI, PKCS
- NAT with VPN
- VPN-1 Diagnostics (Logging, Monitoring, Planning)
- Connectivity
- Office Mode
- L2TP Clients
- Multicast
- Route Injection Mechanism (RIM)

VPN Routing
To tighten security and enhance granularity of the VPN security policy, enforcement of VPN rules by the direction of a connection is now possible. For example, it is possible to define in the VPN column:

Source                  Destination
Community A             Community A
Local domain            Local domain
Community B             Any
Community A             Remote Access Community

OSPF/BGP over VPN is enabled with VPN-1 gateway on SecurePlatform and IPSO. Every VPN tunnel is represented as a virtual adapter, enabling encapsulation of OSPF and BGP traffic. These virtual adapters can be used to establish integrated dynamic routing configurations with the routing domains in the protected networks. In effect this new technology enables unification of all the VPN-protected networks into a unified dynamically adaptable network.


New Features VPN

Support of Back-up links and On-Demand links is enabled by multiple VPN links between VPN-1 gateways. Multiple VPN links are available when a single VPN-1 gateway is connected to multiple network infrastructures (e.g., multiple ISPs). Two VPN gateways may have several paths of communication that they can use to reach each other.

Also new are Link Selection mechanisms, which provide additional methods to resolve a gateway's IP address, such as defining a fixed IP address to always be used, and defining a DNS name to be resolved, which is most useful for gateways with dynamically allocated IP addresses.

GRE is now supported over IPsec in order to interoperate with devices that support dynamic routing over the VPN only with GRE.

Wire mode VPN is now available: Internal (safe) VPN connectivity is supported by reducing security checks on VPN traffic.

On Linux, SecurePlatform, and SecurePlatform Pro, encrypted packets will now be rerouted again after they are encrypted (and the destination was changed to the gateway IP address). (This behavior already takes place on Nokia platforms.)

VPN Tunnel Management


VPN tunnels may now be defined on VPN-1 gateways. The functionality is accessed using the command line interface to the gateway. This extends the interface to external management tools for Check Point gateways.

VPN links can now be configured to be always on. This feature enables:

- VPN link (tunnel) monitoring - link properties, link state, traffic through the link and more.
- Better support of applications that are sensitive to link setup delays.
- Configuration of the Route Injection Mechanism when using MEP.
- Alert upon tunnel failure.

SmartView Monitor can now monitor VPN tunnels. SmartViews of VPN tunnel properties and status, both for site to site and for remote access VPN, are now available.

Multiple Entry Point (MEP) and VPN Load Distribution


For site to site VPN, Explicit MEP configuration is now available at the center of a star community. There are several methods to connect to the MEP gateway, including explicit priority among entry points (which is independent of the VPN domain definition of entry points). For Remote Access VPN, the old MEP configuration still exists.


New Features VPN

VPN-1 Clusters
By enabling the new Sticky Decision Function, ClusterXL Load Sharing now supports:

- VPN routing of third party gateways that require stickiness
- SecureClient Visitor mode
- SSL Network Extender clients
- L2TP and Nokia clients

Support for these features requires certain additional configuration. Consult the ClusterXL guide for more details.

PKI, PKCS
Internal CA diagnostics are now available through SmartView Monitor.

Internal CA enhancements include:

- Certificate enrollment using PKCS10 is available.
- Generate certificate as PKCS12 (used in CAPI token).
- Additional, configurable level of administration privileges.

Certificate enrollment to a VPN-1 module using SCEP and CMP protocols is now available.

Online Certificate Status Protocol (OCSP) is now supported.

An existing CA certificate can now be replaced with a newer one in a VPN-1 system, provided that the new certificate has the exact same pair of keys as the certificate that it is replacing.

NAT with VPN


SecureClient now supports NAT-T.

VPN-1 Diagnostics (Logging, Monitoring, Planning)


The usability of VPN activity logs has been enhanced.

Connectivity
SecuRemote/SecureClient can now resolve the address of the remote gateway by using one of the following link selection methods:

- Main IP / Single IP
- Topology calculation
- RDP probing, which allows the possibility of configuring the primary interface and manual IP list for probing.

The encryption domain of the gateway can now be defined differently for site-to-site VPN, and for remote access VPN.

Third party DAIP gateways and externally managed DAIP gateways are now supported with certificate authentication.

Office Mode
Office Mode assignment can now be used to access other gateways in the site.

A RADIUS server can now be used for Office Mode IP assignment.

L2TP Clients

Legacy authentication schemes, such as Check Point password, OS password, RADIUS, LDAP, TACACS, etc., are now supported for L2TP clients.

Multicast

Through the use of VPN Virtual interfaces, multicast traffic can now be encrypted and passed through VPN tunnels.

Route Injection Mechanism (RIM)

RIM is now supported both with and without MEP. It can be configured under the Tunnel Management page on the community.


New Features SecuRemote/SecureClient

SecuRemote/SecureClient
In This Section

- NAT with VPN
- User Experience
- Connectivity
- Office Mode
- Desktop Security
- Secure Configuration Verification (SCV)
- Windows - XP-specific Issues
- Miscellaneous
- SecureClient Software Distribution Server (SDS)

NAT with VPN


SecureClient now supports NAT-T.

User Experience
SecuRemote/SecureClient user interface now supports the following languages: English, French, Italian, German and Spanish.

The Hotspot Registration feature now limits the number of unsuccessful registration attempts and disables registration IP addresses once the client connects.

Connectivity
In an MEP configuration, the client MEP decision can be disabled, in which case the client connects to the gateway specified in the profile.

In an MEP configuration, a backup gateway can be specified in a centrally managed connection profile. If so specified, and the primary gateways are unreachable, SecuRemote/SecureClient connects to the specified backup gateway and does not perform an MEP decision.

The encryption domain of the gateway can now be defined differently for site-to-site VPN, and for remote access VPN.

SecuRemote/SecureClient can now resolve the address of the remote gateway by using one of the following link selection methods:

- Main IP / Single IP
- Topology calculation
- RDP probing, which allows the possibility of configuring the primary interface and manual IP list for probing.

Office Mode

8. Office Mode assignment can now be used to access other gateways in the site.
9. A RADIUS server can now be used for Office Mode IP assignment.
10. VPN-1 Pro gateway DHCP requests can contain various client attributes that allow DHCP clients to differentiate themselves. The attributes are pre-configured on the client side operating system, and can be used by different DHCP servers in the process of distributing IP addresses. VPN-1 Pro gateway DHCP requests can contain the following attributes:
   - Host Name
   - Fully Qualified Domain Name (FQDN)
   - Vendor Class
   - User Class
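To show what these four attributes look like on the wire, here is an added example (not code from the Check Point product or this document) that encodes and parses them as DHCP options; the option codes are taken from the relevant RFCs, and the host name, FQDN, vendor class and user class values used in the test are constructed.

```python
# Added example (not Check Point code): build and parse the DHCP options that
# carry the client attributes listed above. Option codes are from RFC 2132
# (12 Host Name, 60 Vendor Class), RFC 3004 (77 User Class) and RFC 4702
# (81 Client FQDN); any sample values are constructed.
import struct

OPT_HOST_NAME, OPT_VENDOR_CLASS, OPT_USER_CLASS, OPT_CLIENT_FQDN = 12, 60, 77, 81
OPT_PAD, OPT_END = 0, 255


def encode_options(host_name, fqdn, vendor_class, user_classes):
    """Return a DHCP options field carrying the four client attributes."""
    opts = bytearray()

    def add(code, payload):
        if len(payload) > 255:
            raise ValueError("DHCP option %d payload too long" % code)
        opts.extend(struct.pack("BB", code, len(payload)))
        opts.extend(payload)

    add(OPT_HOST_NAME, host_name.encode("ascii"))
    # RFC 4702 layout: flags, RCODE1, RCODE2, then the name. Flags 0x00 means
    # an ASCII (not DNS wire-format) name; the client updates its own A record.
    add(OPT_CLIENT_FQDN, bytes([0x00, 0x00, 0x00]) + fqdn.encode("ascii"))
    add(OPT_VENDOR_CLASS, vendor_class.encode("ascii"))
    # RFC 3004: option 77 holds one or more (length, data) sub-fields.
    add(OPT_USER_CLASS,
        b"".join(bytes([len(c)]) + c.encode("ascii") for c in user_classes))
    opts.append(OPT_END)
    return bytes(opts)


def decode_options(data):
    """Parse a DHCP options field into {code: payload}; stops at END (255)."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        payload = data[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated option %d" % code)
        out[code] = payload
        i += 2 + length
    return out


def client_attributes(data):
    """Extract the attributes a DHCP server could use to tell clients apart."""
    o = decode_options(data)
    classes, p = [], o.get(OPT_USER_CLASS, b"")
    while p:  # walk the (length, data) sub-fields of option 77
        n = p[0]
        classes.append(p[1:1 + n].decode("ascii"))
        p = p[1 + n:]
    fqdn = o.get(OPT_CLIENT_FQDN, b"")
    return {
        "host_name": o.get(OPT_HOST_NAME, b"").decode("ascii"),
        "fqdn": fqdn[3:].decode("ascii") if len(fqdn) >= 3 else "",
        "vendor_class": o.get(OPT_VENDOR_CLASS, b"").decode("ascii"),
        "user_classes": classes,
    }
```

A DHCP server that hands out Office Mode addresses by class matches on exactly these option payloads, so a vendor class or user class that is set on the client OS but missing from the request will fall back to the server's default pool.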

Desktop Security

11. When policy expiration is enabled and SecureClient is connected, it will attempt to update the policy every expire_time/2. If it fails to update the policy, SecureClient will not revert to the default policy.
12. Desktop security rules now support RADIUS groups.
13. Policy Server logon is by default set to the Policy Server on the gateway to which you connect. Centrally managed profiles can be configured to direct logons to a different Policy Server. Perform the following:
   1. Specify the Policy Server in the profile.
   2. Use the dbedit database tool to set the property use_profile_ps_configuration to true.

Secure Configuration Verification (SCV)

14. When enforcing Secure Configuration Verification on simplified mode VPN (VPN-1 communities), specific hosts and services may be defined as exceptions to the rule (e.g., to allow anti-virus updates, even if the client machine is not verified).
15. SecuRemote (which does not support SCV) can be regarded as verified when SCV is enforced. To enable this, set scv_allow_sr_clients to true in userc.c (by default this value is set to false). This global flag can be overridden by the administrator by setting the matching flag in the topology, using the dbedit tool.
16. OS Monitor is now supported on Windows 2003 Server.
17. The greater-than operator (>) is supported in signature file comparison in the AntiVirus monitor.
18. ZoneAlarm Pro antivirus signature version validation is supported for the AntiVirus monitor.
19. The following enhancements for SCV monitors are now available:
   - You can now check keys under HKCU, HKU and HKLM in the Registry Monitor.
   - While in Secure Domain Logon (SDL), each check under the Registry Monitor, OS Monitor and Browser Monitor can be disabled.

Windows XP-specific Issues

20. Improved integration with the Windows XP SP2 Firewall.

Miscellaneous

21. The following R56 local attributes can now be centrally managed:
   - Hotspot registration configuration
   - Disconnect_when_in_enc_domain
   - Simplified_client_route_all_traffic
22. SecureClient now reports the following parameters to User Monitor:
   - OS version
   - Client version and build
   - Last known SCV failure reason
23. Secure Domain Logon (SDL) by default will not be part of the Windows logon procedure when the client machine is part of the encryption domain. To force SDL when inside the encryption domain, use the Windows Registry editor to set SdlIgnoreEncDomain to 0 (DWORD) in HKLM\Software\CheckPoint\SecuRemote.
24. VPN-1 Pro now enforces the number of licensed remote access connections. This includes the number of SecuRemote connections allowed according to the gateway size plus the number of SecureClient licenses.

SecureClient Software Distribution Server (SDS)

25. The SDS server and the SDS agent are no longer part of the SecureClient product.

Integrity

1. The Integrity Product Family achieves Total Access Protection for all PCs that connect to your network. Check Point Integrity endpoint security products ensure that both employee and guest users' PCs are secure before they are granted network access. By stopping worms, spyware, and hacker attacks, Integrity maintains business continuity, supports regulatory compliance, and protects you against financial loss due to endpoint attacks. Integrity client and server software secures all networked PCs by centrally managing proactive defenses and enforcing policy compliance.
   - Integrity for Linux offers enterprises easy-to-manage endpoint security for the growing number of Linux workstations, providing sophisticated attack protections coupled with centralized policy deployment and reporting.
   - Integrity SecureClient unites the complementary strengths of VPN-1 SecureClient and Integrity to deliver the most advanced remote access, endpoint security, and access policy enforcement.
   - Integrity Clientless Security mitigates risks posed by employee and guest endpoints accessing enterprise resources via the Web. It delivers spyware disablement, ensures session confidentiality, and enforces network access policy.
   - Integrity Desktop delivers preemptive protection against the latest worms, viruses, spyware, and hacker attacks.

SSL Network Extender

1. The SSL Network Extender is now centrally managed, and can be configured in SmartDashboard.
2. SSL Network Extender now supports SecurID New PIN Mode and password changes for RADIUS and LDAP authentication servers.
3. SSL Network Extender now supports ICS.
4. SSL Network Extender clients are supported on ClusterXL gateways in Load Sharing mode when the Sticky Decision Function is enabled.
5. SSL Network Extender now supports Integrity Clientless Security (ICS) version 3.0, including Integrity Secure Browser (ISB).
6. The SSL Network Extender end-user interface can now be customized, as well as localized for the following languages (user-selectable): English, French, Italian, German, Spanish, Japanese, Traditional Chinese, Simplified Chinese, Portuguese (Brazilian) and Hebrew.

SmartCenter

Cloning Network Objects

1. Networks and Host Nodes can now be cloned with a right click. The newly created object has field values in common with the original object.

SmartGroups

2. Groups can be viewed hierarchically in the Objects Tree. Additionally, a new feature in SmartDashboard allows you to configure group conventions. When you do so, SmartDashboard suggests assigning newly created objects to groups based on their name, color or network location.

Tooltips

3. Details about a network object or service, such as IP/port, version, and comment, are now visible within SmartDashboard rule bases without opening the object or service.

Unique Rule Identifier

4. A new feature in SmartView Tracker allows you to open SmartDashboard at the rule that a certain connection matched. Also, an enhanced rule filter provides the ability to search within SmartView Tracker for other connections that matched that rule, either by rule number or by unique rule ID. A new feature in SmartDashboard allows you to view all logs generated for a certain rule.

Improved Manageability of Administrators

5. In this release, cpconfig allows the definition of just one administrator. Others can be added through SmartDashboard. All cpconfig administrators can be converted to administrators in SmartDashboard by using the $FWDIR/bin/cp_admin_convert tool.


Mandatory Session Description

6. SmartDashboard users can now be compelled to enter a session ID describing the changes they have made. This provides a better ability to track database changes in the audit logs.

GUI Client Disconnect

7. When logging into a SmartCenter Server, an administrator can now disconnect other users who are logged in and locking the database.

Central Management for Connectra

8. Connectra devices are now part of Check Point's centralized SMART management, integrating security, monitoring, logging, reporting, updating and intelligent information processing in a single interface.

Web-Based Access to SmartCenter: SmartPortal

9. SmartPortal is a web-based management tool providing a centralized view of security policies, network and security activity status, and administrator information. This web-based access to SmartCenter extends the visibility of security policies to groups outside of the IT security team and enables collaborative management of SmartCenter administrators.

VPN-1 Edge

1. VPN-1 Pro now supports VPN-1 Edge behind NAT devices. This can be implemented by using NAT traversal (port 4500), which encapsulates the IKE/IPSec traffic in UDP packets, between the VPN-1 Edge device and the VPN-1 Pro gateway.
2. Enhanced VPN-1 Edge configuration in SmartDashboard, including:
   - time of log generation and forwarding
   - time at which the VPN-1 Edge device is updated with new configuration settings
   - content filtering (CVP and UFP)
   - Unrestricted mode (connections from centrally managed peers that do not undergo access control or NAT)
3. VPN-1 Edge (with firmware 4.5 or higher) is now integrated with Eventia Reporter.
4. Excluded Services are now supported with VPN Communities that contain SofaWare entities.
5. The VPN-1 Edge Web UI can now be launched from within SmartDashboard, as follows:
   - Select a VPN-1 Edge object in the Objects tree, right click and choose Manage Device in the displayed menu.
   - In the VPN-1 Edge Object's General Properties page, click Configure Edge Using Web Interface.
6. VPN Enhancements: VPN-1 Edge now supports different IKE methods, rules with communities in the VPN column, Multiple Entry Point (MEP) enhancements, shared secrets, excluded services, as well as Link Selection.
7. Content filtering for VPN-1 Edge can now be centrally managed from SmartCenter. This can be done using the Content Filtering section of the VPN-1 Edge page of the Global Properties, or the Content Filtering page of the VPN-1 Edge object. The configuration includes specifying OPSEC UFP, CVP and SMTP servers, and determining which Edge devices use UFP/CVP.
8. NAT rules can now be configured and installed on VPN-1 Edge gateways. NAT rules can either be manual, by placing a VPN-1 Edge gateway in a NAT rule's Install On column, or automatic, by choosing a VPN-1 Edge gateway as the Install On gateway in the network object's NAT page.
9. A High Availability (HA) deployment can now be configured for VPN-1 Edge devices using SmartCenter. Configuring HA for VPN-1 Edge is done in the VPN page of the VPN-1 Edge Gateway Object's Properties window. Select Use Backup Gateways and specify the (VPN-1 Edge) gateway that will function as the backup gateway.
10. A configuration script can now be added to the VPN-1 Edge object window. This script is downloaded to the VPN-1 Edge device. It controls various features and settings (for example QoS settings and Wireless settings).

SmartView Monitor

1. SmartView Monitor has become a new monitoring application that combines the functionality of the following applications:
   - SmartView Status
   - SmartView Monitor
   - User Monitor
   In addition it has new capabilities. The GUI is an MDI (Multi-document interface) application that allows users to see side-by-side multiple views of traffic in different aspects.
2. It is now possible to monitor the following elements in SmartView Monitor Traffic Monitoring:
   - Traffic by top or specific tunnels
   - Traffic by top or specific interfaces
   - Packet size distribution
   - Traffic by top individual connections
   - Connection direction filter
3. Tunnel Monitoring is a new feature that allows the user to view the current gateway-to-gateway tunnels in the organization. The user can define filters to present specific tunnels, as well as display tunnel state and other properties. The user can also reset a tunnel and drill down to view its traffic.
4. SmartView Monitor now has new ways of presenting traffic monitoring:
   - Traffic data can now be presented in a pie graph or in a table.
   - After drilling down into data, a back button is now available to undo drill downs.
   - Exporting to HTML is now possible.
   - Inbound and outbound traffic can now be viewed side by side.
5. The various SmartView Status applications have been replaced with Gateway views. SmartView Monitor now presents a table view that displays all gateways and configurable status columns. In addition there is a detail view that allows browser-like drill down.

Eventia Reporter

1. Eventia Reporter Add-On and Eventia Reporter Server can now be installed on a Solaris 64-bit platform.
2. Eventia Reporter is faster than previous versions:
   - Report generation: a report based on 20 GB of logs can be generated in little over an hour.
   - Log consolidation: the log consolidator can process 32 GB per day (without DNS).
3. Eventia Reporter now provides more flexible and meaningful report content.

Clearer Reports

Unnecessary details and sections have been removed from the reports. By default, graphs are only created for time/date reports so as to achieve a smaller output.

Internal filters

Internal filters are displayed for better report comprehension and flexibility. A user can now filter reports based on communication direction, firewall action, VPN-1 fields, email sender/recipient, etc.

4. Consolidator and database management controls have moved from SmartDashboard and are now integrated in the Reporter Client.
5. When the database grows too large, the Reporter can automatically archive or delete the oldest records. Database maintenance can be defined in terms of database space or record age.
6. Provider-1 now supports log-based reports.
7. Improved Security Rule support:
   - Rule name support: users can now tag rules with names. Names will be displayed in reports and can be used in filters.
   - UUID support for rules can be used to track rule usage regardless of their location in the Rule Base.
   - Rule Base Activity: the Rule Base Analysis report includes a section that shows all rules in a policy and their usage.
   - Support for Rule Base policies in reports.

SmartUpdate

1. Packages can now be distributed to remote devices and then installed at a later date. This is beneficial in a number of ways:
   - The risk of a loss of connectivity during installation is minimized, as the package is delivered to the remote device before the remote install command is issued.
   - Upgrade performance is improved, as packages can be transferred in parallel to multiple devices.
   - The process is now more efficient, as it can more easily be performed after hours, when the load on the network is lower.
   - Downtime due to upgrade is reduced.
2. SmartUpdate can now upgrade remote devices to versions earlier than that of the management server. Earlier versions supported are R54, R55, R55W, and R55P, and their respective HFAs.
3. The Upgrade All option in SmartUpdate allows Nokia platforms to be upgraded to any IPSO OS version. To do so, the desired Nokia IPSO OS package must first be added to the SmartUpdate Package Repository and set as the default package, followed by selecting the Upgrade All option.
4. SmartUpdate supports an automatic revert from an unsuccessful upgrade when upgrading SecurePlatform gateways. SmartUpdate creates the image backup before the upgrade starts. Should the upgrade not complete successfully, the SecurePlatform machine reverts to the backed-up image.
5. SmartUpdate supports the CPInfo utility. The CPInfo utility runs on remote gateways and/or the SmartCenter server, and collects information about that machine into a single text file. This text file is fetched and accessible from the GUI machine.
6. The SmartUpdate command line tool can make a snapshot of the SecurePlatform machine. A list of currently available snapshots on a machine can be compiled and used to revert a machine to one of the snapshots.

SmartLSM

1. When defining the VPN Domain for VPN-1 Express/Pro or VPN-1 Edge ROBO Gateways, the user should use the new Topology table available in the SmartLSM GUI (or the parallel capabilities of LSMcli). It is possible to define the VPN Domain for a ROBO Gateway in one of the following ways:
   - Use the external IP address of the Gateway only
   - VPN Domain includes all of the networks behind the Gateway's internal interfaces (based on topology)
   - VPN Domain consists of manually defined IP address ranges
2. Controlling the settings of internal interfaces of VPN-1 Edge ROBO Gateways is now supported from the centralized SmartLSM management. The following settings can be controlled and enforced on the VPN-1 Edge ROBO Gateway:
   - Interface is enabled/disabled
   - Interface IP address and netmask
   - NAT Hide of the network behind the interface is enabled/disabled
   - DHCP server on the interface is enabled/disabled
   - Range of IP addresses distributed by the DHCP server
   - DHCP server serves as a relay to another external DHCP server
3. It is now possible to launch the VPN-1 Edge Portal Web GUI from the context menus of items representing VPN-1 Edge gateways and VPN-1 Edge ROBO Gateways in the SmartLSM main view.

SecurePlatform

Installation

1. SecurePlatform can be installed in two flavors: the regular flavor, and the SecurePlatform Pro flavor. SecurePlatform Pro is an enhanced version of SecurePlatform. SecurePlatform Pro adds advanced networking and management capabilities to SecurePlatform such as:
   - Dynamic routing
   - RADIUS authentication for SecurePlatform administrators
   To install SecurePlatform Pro, select the SecurePlatform Pro option during the installation.
   To convert regular SecurePlatform to SecurePlatform Pro, from the expert mode command line run: pro enable.
   Note - SecurePlatform Pro requires a separate license that must be installed on the SmartCenter Server that manages the SecurePlatform Pro enforcement modules.
   For information regarding advanced routing, see the Check Point Advanced Routing Suite guide.
2. In this release, the SecurePlatform installation allows adding new hardware drivers for mass storage and networking devices during the installation phase.
3. There is a change in behavior from R55 and earlier SecurePlatform versions. When no key is pressed after the SecurePlatform installation has begun, the installation is aborted, and the system boots from the hard disk.

General

4. Speed/Duplex settings of Ethernet interfaces can be controlled using the eth_set utility in the command line, or by using the WebUI. The interface settings configured via the WebUI or via the command line utility survive reboot and become persistent.
5. The patch add command now supports scp as one of the options, allowing convenient and secure transfer of patch files to SecurePlatform.
6. VPN-1 log files are not included in the backup operation by default.
7. The display of time zones in the command line was changed from the POSIX convention to the commonly accepted convention. For example, for a region located two hours to the east of the GMT region, the time zone will show GMT+2 and not GMT-2, as in earlier versions.
8. During the installation of SecurePlatform, one interface is selected as the management interface. The IP address of this interface cannot be set to 0.0.0.0, as this will disrupt operation of the product. The commands sysconfig and ifconfig enforce this limitation in this release. If a specific interface must receive the IP address 0.0.0.0, a different interface must first be configured to be the management interface, and then the IP address 0.0.0.0 can be assigned to the specific interface.

User Experience

9. Starting with this release, Netscape 7.1 is supported for use with the administration WebUI. This allows using the WebUI from non-Windows systems.


ClusterXL

Configuration

1. ClusterXL has a new (and optional) packet distribution scheme for Load Sharing which is supported with the two Load Sharing modes: Multicast and Unicast. In the new distribution scheme (called the Sticky Decision Function), a connection that started on a certain cluster member will continue to pass only through that member. The Sticky Decision Function is not supported with Performance Pack or with an acceleration device.

VPN-1 Clusters

2. ClusterXL Load Sharing now supports SecureClient Visitor Mode and SSL Network Extender clients when the Sticky Decision Function is enabled.
3. Third-party peers can now open VPN tunnels on ClusterXL in Load Sharing mode with the Sticky Decision Function enabled.
4. ClusterXL Load Sharing now supports VPN routing configuration, in which both sides of the connection are encrypted, for third-party peer gateways such as Cisco, which require stickiness. This support is limited to when the Sticky Decision Function is enabled, and requires certain additional configuration. Consult the ClusterXL guide for more details.

Supported Features

5. Dynamic routing is now supported in SecurePlatform clusters.
6. Multicast data traffic is supported on ClusterXL in High Availability mode, and in Load Sharing mode under certain conditions. Refer to the Release Notes for more details.

Performance Pack

1. The BGE interface is now supported on Solaris.
2. SmartView Monitor is now supported by Performance Pack.
3. Dynamic Routing changes are now supported by Performance Pack on SecurePlatform.

VSX

1. SmartCenter Server can now manage the following versions of VSX:
   - VSX 2.0.1
   - VSX NG AI
   - VSX NG AI Release 2
   For more information on these releases, please see the documentation at http://www.checkpoint.com/support/technical/documents/index.html.

QoS

1. The license for QoS Express should be installed on the SmartCenter server instead of on the Enforcement Module. QoS supports licenses for 1, 3 or 5 modules. These licenses should be added via SmartUpdate and then attached to the SmartCenter Gateway Object.
2. QoS is now supported by and can run on the same Enforcement Module that runs Web Intelligence.

UserAuthority

1. UserAuthority now supports outbound identity-based access control for non-TCP connections.
2. User credentials can now be fetched using UserAuthority Servers on other SIC domains.
