`Juniper v Implicit
`
`
`
`Juniper Ex. 1016-p. 2
`Exhibit A
`
`1/16/2020
`
`Check Point Software Technologies, Industry Leading Network Security Solutions
`
Products and Solutions
Enterprise Security: FireWall-1, VPNs, Open Security Manager.
Traffic Management: FloodGate-1. White Papers, demos, reference material.

Sales
Reseller Locator, how to purchase Check Point products and services

Support, Technical Services & Training
Technical knowledge base, seminars, training, licensing and
installation, downloads, documentation, supported applications

Partners
Partner Alliance Program, Partner Resource Center, partner
and training center locators.

OPSEC (Open Platform for Secure Enterprise Connectivity)
OPSEC Solutions Center, OPSEC Certified products, OPSEC
architecture, OPSEC Alliance

Corporate Information & News
Corporate profile, employment opportunities, investor
relations, press releases, trophy room, publications, events
`
News

ANS to Offer Managed Services Based on Check Point FireWall-1
ANS Communications, Inc., a leading managed network services
company, will now offer its ANS InterManage services based upon
the Check Point FireWall-1 enterprise security solution. The ANS
InterManage service offering includes firewall administration,
monitoring, reporting, intrusion detection, hardware, software and
24x7 technical support.

Check Point Software Technologies Reports Record Financial Results for 1997
Check Point Software Technologies today reported fiscal year and
fourth quarter 1997 earnings. Revenues for the year were up 160%
over last year to $82.9 million. Net income increased 164% to $40.2
million.
`
`Copyright © 1998 Check Point Software Technologies Ltd.
`Feedback to webmaster@checkpoint.com
`
`web.archive.org/web/19980212233508/http://www.checkpoint.com/index.html
`
`
`Check Point Products Home Page
`
Secure Enterprise Connectivity

The widespread adoption of Internet technologies has enabled organizations to
provide enterprise connectivity to a broad range of corporate stakeholders,
including employees, customers, suppliers, and business partners. However, in
order to fully leverage the reach and flexibility of the Internet, corporations
must address two key requirements: enterprise security and traffic management.
With its patented Stateful Inspection technology and proven expertise in
policy-based enterprise management, Check Point Software is uniquely qualified
to meet both requirements.
`
`Check Point Solutions
`General Product Information Product Categories
`Understanding CP Products White Papers/Brochures/
`Demonstration CDs
`Enterprise Security Management
`FireWall-1
`Industry leading suite of integrated security applications
`Access Control
`Encryption/Virtual Private Networks
`Authentication
`Operating System Security
`Address Translation
`Router Management
`Content Security
`High Availability
`Open Security Manager
`Policy-based network security device management
`
`More important information about network security:
`Stateful Inspection
`Supported Applications
`Performance Data
`System Requirements
`Year 2000 Compliance
`SecuRemote
`OPSEC Architecture
`Enterprise Traffic Management
`FloodGate-1
`Policy-based bandwidth management
`ConnectControl
`Advanced server load balancing
`
`Frequently Asked Questions
`
`Check Point’s Enterprise Security Management product line provides a comprehensive set of
`network security solutions, including FireWall-1®: an industry-leading suite of integrated
`security applications. Designed as an open platform and unified by Check Point's OPSEC
`[Open Platform for Secure Enterprise Connectivity] policy management framework,
`FireWall-1 provides central integration, configuration and management for more than 85
`third-party applications and security tools.
`Recognizing that the network is an active component in client/server computing, Check Point
`has introduced the Enterprise Traffic Management product line providing solutions that
enhance network performance. Its flagship product, FloodGate-1™, delivers policy-based
bandwidth management to control congestion on oversubscribed Internet and Intranet links.
Also part of the Enterprise Traffic Management product line, ConnectControl™ allows
`network administrators to replace a single server with a logical server pool to improve user
`response times and utilize existing hardware investments.
`
`Copyright © 1997 Check Point Software Technologies Ltd.
`
`Feedback to webmaster@checkpoint.com
`
`web.archive.org/web/19980212233416/http://www.checkpoint.com/products/index.html
`
`
`Check Point's Enterprise Security Management Product Line
`
`Internet technology has changed not only the way organizations do
`business, but also the way they approach network security.
`Corporate networks are no longer defined by physical boundaries,
`but instead by enterprise-wide security policies. To be effective,
`these policies must include a broad range of security services that
`govern access to network information resources while protecting the
`privacy and integrity of network communications across the
`Internet, intranet and extranet.
`Check Point Software Technologies offers a comprehensive solution
`to meet these new and expanding security requirements. Check
`Point FireWall-1 is an enterprise security suite which combines
`Internet, intranet/extranet and remote user access control with
`authentication, encryption, network address translation (NAT) and
`content screening services to deliver an integrated solution that
`scales to meet the demands of organizations large and small. The
`product suite is unified by Check Point's OPSEC [Open Platform for
`Secure Enterprise Connectivity] policy management framework
`which provides central integration, configuration and management
`for Check Point FireWall-1 as well as other third-party security
`applications. Only FireWall-1 provides organizations with the
`ability to define a single, integrated security policy that can be
`distributed across multiple firewall gateways and managed remotely
`from anywhere on the enterprise network. Additional capabilities
`such as router security management, traffic load balancing and high
availability are also available and can be fully integrated into the
overall enterprise security policy. Check Point FireWall-1 is
`transparent to network users and delivers the highest possible
`performance across multiple protocols and high-speed networking
`technologies. With installations at thousands of customer sites
`worldwide, Check Point FireWall-1 is the most widely tested
`firewall available.
`Based on Stateful inspection technology, the new generation of
`firewall technology invented and patented by Check Point Software
`Technologies, Check Point FireWall-1 provides the highest level of
`security possible. Stateful inspection incorporates communication-
`and application-derived state and context information which is
`stored and updated dynamically. This innovative approach provides
`full application-layer awareness without requiring a separate proxy
`for every service to be secured. Customers benefit through improved
`performance, scalability, and the ability to secure new and custom
`applications much more quickly. Check Point FireWall-1 supports
`hundreds of pre-defined services, applications and protocols out-of-
`the-box. The programmable INSPECT virtual machine, at the core
`of the FireWall-1 technology, allows Check Point to add support for
`new and custom applications quickly and easily.
`Check Point FireWall-1 employs a distributed, client/server
`architecture, providing scalability and centralized management for
`multiple firewall gateways located anywhere on the enterprise
`network. Cross-platform support for Windows 95, Windows NT,
`UNIX and internetworking equipment (routers, switches, remote
`access devices) from one of Check Point's OPSEC partners provides
`the highest degree of deployment flexibility in the industry.
`What to consider?
`Check Point Software Technologies provides a suite of applications
`scalable to small, medium and large businesses, providing complete
`enterprise-wide security, regardless of how customers define their
`network boundaries. To learn more about specific areas to consider
`when building an enterprise-wide security policy, follow the links
`listed below:
`Access Control
`Authentication
`Encryption/Virtual Private Networks
`Router Security Management
`High Availability
`Network Address Translation
`Content Security
`Connection Control
`Auditing, Logging, Alerting
`What about hackers?
`Many well known and documented types of hacker attacks exist
`today and new forms of attack are appearing every day. This makes
`it very difficult for an organization using a home-grown security
`system to keep up. Check Point Software Technologies is dedicated
`to monitoring and analyzing new methods developed to breach
`network security and to incorporate new defenses against these
`attacks into FireWall-1. With its unsurpassed flexibility and
`extensibility, Stateful inspection technology is a key differentiator in
`this area, allowing Check Point FireWall-1 customers to benefit
`from the incorporation of defenses against new security threats as
`soon as they appear. Some common attacks and defenses are
`described below.
`SYN Flooding attack
`Ping of Death attack
`IP spoofing attack
`Stealthing Defense
`What is Stateful Inspection?
`Stateful inspection is the new generation of firewall technology,
`invented and patented by Check Point Software Technologies.
`Stateful inspection provides full application-layer awareness without
`requiring a separate proxy for every service to be secured. This
`results in multiple benefits to customers including excellent
`performance, scalability and the ability to support new and custom
`applications and services quickly and easily. Giga Information
`Group reported in its March 17, 1997 issue of Gigawire, "We
`believe that stateful inspection will be adopted by a broad segment
`of the computer industry as the standard way to provide gateway
`security in the future". The evolution in the industry has been from
`packet filters to application-layer proxies, to stateful inspection. This
`evolution has taken place based upon the advantages introduced
`with each new generation of firewall technology. Stateful inspection
`architecture is unique in that it understands the state of any
`communication through the firewall machine, including packet,
`connection and application information. Packet filters do not track
`application or connection state, which are integral to a
`comprehensive security decision. Application proxies track only
`application state, not packet or connection state, which may
`introduce security vulnerabilities.
`Check Point FireWall-1's patented stateful inspection
`implementation provides the highest possible level of security.
`FireWall-1 inspects communications at layers 3-7 of the OSI model,
`whereas application gateways can only check layers 5-7. This
`provides Check Point FireWall-1 with the unique triad of packet-,
`connection-, and application-awareness. Cumulative data from
`communication states, application states, network configuration and
`security rules are used to enforce the enterprise security policy. For
`added protection, FireWall-1 intercepts, analyzes, and takes action
`on all communications before they enter the operating system of the
`gateway machine, ensuring that the operating system is protected
`from exposure to untrusted communications.
`Check Point's stateful inspection implementation is a high
`performance solution, experiencing no degradation even at high
`networking transmission speeds. Driven by its patented INSPECT
`Virtual Machine, Check Point FireWall-1 offers much better
`performance than the leading application gateway firewall systems,
`as validated by independent performance tests (see Data
`Communications, March 21, 1997;
`http://www.data.com/lab_tests/firewalls97.html).
`Check Point's stateful inspection implementation uses the
`information in dynamic state tables to its advantage by checking this
`information first when evaluating communication attempts. This
`provides excellent performance and ensures that communications
`are being assessed according to the very latest state information.
`State tables are kept in the operating system kernel memory and
`cannot become corrupted like disk files. If the system fails due to a
`hardware or software error, new tables are allocated and no
`old/corrupted data is valid anymore. Furthermore, the data in the
`state tables represents active connections, so if a hardware or
`software error were to occur, the connections would no longer be
`active and therefore disabled, preserving the security of the
`network.
`What is OPSEC?
`Check Point's Open Platform for Secure Enterprise Connectivity
`[OPSEC] is a revolutionary concept in enterprise-wide security - a
`single platform that integrates and manages all aspects of network
`security through an open, extensible management framework. Third
`party security applications can plug into the OPSEC framework via
`published application programming interfaces (APIs), industry-
`standard protocols and INSPECT, a high-level scripting language.
`Once integrated into the OPSEC framework, all applications can be
`configured and managed from a central point, utilizing a single
`policy editor.
`How do I define a single security policy across multiple
`platforms?
Check Point FireWall-1 uses a state-of-the-art distributed
client/server architecture that allows you to define the security policy in a
`central location, and then distribute the security policy to all
`enforcement points. In addition, multiple user access control allows
`different people across the organization to manage the security
`policy, based upon their authorization levels, through the intuitive,
`point and click graphical user interface. Once the security policy is
`defined, the system converts the rule base into an INSPECT applet
`which is sent to all appropriate enforcement points throughout the
`network. Since the INSPECT applet is platform independent,
`virtually any system can be supported using Check Point's stateful
`inspection technology.
`What is the best platform to use?
`This is a frequently asked question to which there is no one correct
`answer. The right platform depends upon the specific network
`configuration, the number of network nodes to be secured, the
`required performance and the skill set of the security administrators
`within the organization. At Check Point Software Technologies, we
`believe that all points of network access should be secured,
`regardless of platform technology. It is not reasonable to require
`special hardware or software to provide secure connectivity. This is
`why Check Point FireWall-1 can be supported across multiple
`platforms, including NT and UNIX servers, routers, switches and
`many other internetworking devices. The important factor is that all
`of these platforms are running the same software and can be
`managed with the same graphical user interface from a central
`management console. An important consideration when evaluating a
`platform is the number of interfaces it supports. Platforms limited to
`two network interfaces cannot support a DMZ (De-Militarized
`Zone) which may be crucial for your security implementation.
`Should I consider a DMZ?
A DMZ (De-Militarized Zone) is a secure network attached directly
`to the secure point of access. This is typically a third interface on the
`gateway or device running the security application. Implementing a
`DMZ ensures all traffic goes through the secure access point which
`provides the highest level of protection against hacker threats.
`Without a DMZ implementation, all resources are located behind
`the firewall in a secure network. In this scenario, once a connection
`attempt is allowed through the firewall to communicate with a
`resource, it is already inside the perimeter defense. If there was a
`malfunction at the resource, the security of the entire network could
`be compromised at that point.
`
`In the diagram above, if network resources were located behind the
`firewall, instead of being in the DMZ, any malicious attacks that
`reached those resources would have already broken through the
`secure access point - without any further security measures.
`However, if network resources are located in the DMZ, all traffic to
`and from network resources must pass through the access point,
`which is secured with the same security policy. This is the most
`secure configuration possible.
`
`Copyright © 1998 Check Point Software Technologies Ltd.
`
`Feedback to webmaster@checkpoint.com
`
`https://web.archive.org/web/19980212233607/http://www.checkpoint.com/products/firewall-1/descriptions/products.html
`
`
`Access Control
`
`Internet technology provides a cost effective, global
`communications infrastructure that enables world-wide access for
`employees, customers, vendors, suppliers and key business partners.
`This is a critical enhancement to collaborative information sharing,
`but it also exposes an organization's network to new risks and
`threats. How can an organization keep its resources and information
`protected from unauthorized network access, from both inside and
`outside the organization? Access control, a fundamental building
`block in any security policy, addresses this issue.
`What Goes In and Out of The Network
`Access control protects an organization from security threats by
`specifying and enforcing what can go in and out of an organization's
`network. A key element of access control is an awareness of all
`underlying services and applications. First generation packet filters
`were not aware of applications, nor could they handle UDP or
`dynamic protocols. Second generation application proxies required a
`tremendous amount of CPU overhead, and were slow to provide
`support for new services appearing regularly on the Internet, such as
`multimedia services. Check Point FireWall-1's stateful inspection
`technology, combined with a powerful object oriented approach,
`provides full application-layer awareness as well as quick and easy
`support of new Internet services. FireWall-1 provides
`comprehensive access control with over 160 pre-defined
`applications, services and protocols as well as the flexibility to
`specify and define custom services.
`
In addition to understanding the full state and context of a communication,
FireWall-1 includes the ability for rules within a security policy to
`be enforced using a time parameter. This provides extensive
`granularity in access control allowing rules to be valid for specific
`hours, days, months or years. For example, an organization may
`decide to limit HTML or web traffic to the Internet during working
`hours, allowing access only during lunch time, after normal working
`hours and on weekends. Another example is to disallow access to
`critical servers while system backups are being performed.
`Defining a Security Policy
Implementing access control parameters is simple and
straightforward with a well-defined graphical user interface such as that
`provided by Check Point FireWall-1. In fact, all aspects of an
`organization's security policy can be specified using FireWall-1's
`award winning user interface. All elements are specified using an
`object oriented approach. Once defined, these objects are used to
`define the security policy within the Rule-Base Editor. Each rule can
`be comprised of any combination of network objects, services,
`actions, and tracking mechanisms. Once a rule is defined, FireWall-
`1 provides the ability to define which network enforcement points it
`should be distributed to across the network. Supported platforms
`include UNIX and NT servers, and internetworking equipment
`(routers, switches, edge devices) from Check Point's many OPSEC
`Alliance partners. A distinct advantage of Check Point FireWall-1 is
`the ability to define an enterprise security policy once, distribute it
`to multiple access points throughout the network, and manage it
locally and remotely from a single centralized console.
`
`Distributed Access
`FireWall-1's architecture is fully scalable so that it grows as an
`organization's security requirements grow. The system is capable of
`providing multi-level concurrent user access. This allows the
`assignment of different access privilege levels to FireWall-1
`administrators. Upon authentication, each FireWall-1 administrator
inherits the access rights assigned by the security manager, which are
indicated within the Rule-Base Editor. This feature also provides the
`ability for a single desktop to connect to multiple management
`modules concurrently.
Supported access levels are defined as follows:
Read/Write: access to all functionality of FireWall-1 management tools
User Edit: the ability to modify user information only; access to all other functionality is read-only
Read Only: read-only access to the Security Policy Editor
Monitor Only: read-only access limited to the Log Viewer and the System Status tools
`Secure Access
`IP Spoofing - A technique where an intruder attempts to gain
`unauthorized access by altering a packet's IP address to make it
`appear as though the packet originated in a part of the network with
`higher access privileges. For example, a packet originating on the
`Internet may be disguised as a local packet. FireWall-1 has
`integrated protection and logging against this type of attack.
`Denial of Service Attack - A TCP connection is initiated with a
`client issuing a request to a server with the SYN flag set in the TCP
`header. Normally the server will issue a SYN/ACK back to the
`client identified by the 32-bit source address in the IP header. The
`client will then send an ACK to the server and data transfer can
`commence. When the client IP address is spoofed (changed) to be
`that of an unreachable host, however, the targeted TCP cannot
`complete the three-way hand-shake and will keep trying until it
`times out. This is the basis for the attack.
`Application gateway based solutions by themselves are not able to
`defend against SYN flooding attacks. In fact, the firewall itself may
`be attacked to create a denial of service condition. Packet filtering
`based solutions are also not able to guard against SYN flooding
`attacks since they lack the necessary capability to perform Stateful
`Inspection of connections. FireWall-1 with Stateful Inspection can
`protect against this attack using SYNDefender.
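The handshake bookkeeping described above, as an added example (not Check Point's code and not a description of how SYNDefender works): a connection table that counts half-open handshakes per server port, next to a stateless port rule that accepts every SYN. The class and function names, the timeout and the limit are assumptions, and the packet events are constructed.

```python
"""Half-open TCP handshake tracking over constructed packet events."""

HALF_OPEN_TIMEOUT = 10.0  # assumed: seconds a SYN may wait for the client's ACK
HALF_OPEN_LIMIT = 3       # assumed: pending handshakes tolerated per server port
SERVER = "198.51.100.5"   # constructed address (documentation range)


def packet_filter_verdict(dport, allowed_ports=(80,)):
    """Stateless rule: sees only the destination port, so every SYN passes."""
    return "accept" if dport in allowed_ports else "drop"


class HandshakeTable:
    """Tracks each three-way handshake from SYN to the final ACK."""

    def __init__(self, timeout=HALF_OPEN_TIMEOUT, limit=HALF_OPEN_LIMIT):
        self.timeout = timeout
        self.limit = limit
        self.half_open = {}      # (client, cport, server, sport) -> time of SYN
        self.established = set()
        self.alerts = []         # (time, server, port) each time the limit is hit

    def _expire(self, now):
        # Forget handshakes whose final ACK never arrived in time.
        for key in [k for k, t in self.half_open.items() if now - t > self.timeout]:
            del self.half_open[key]

    def pending_for(self, server, port):
        return sum(1 for k in self.half_open if k[2:] == (server, port))

    def observe(self, ts, src, sport, dst, dport, flags):
        """Return a verdict for one TCP segment, updating the table."""
        self._expire(ts)
        flags = frozenset(flags)
        forward = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        if flags == {"SYN"}:
            if forward in self.half_open:          # retransmitted SYN
                return "half-open"
            if self.pending_for(dst, dport) >= self.limit:
                self.alerts.append((ts, dst, dport))
                return "flood"                     # refuse to add more state
            self.half_open[forward] = ts
            return "half-open"
        if flags == {"SYN", "ACK"}:
            # Only valid as the server's answer to a SYN we have seen.
            return "half-open" if reverse in self.half_open else "no-state"
        if flags == {"ACK"}:
            if forward in self.half_open:          # handshake completes
                del self.half_open[forward]
                self.established.add(forward)
                return "established"
            known = forward in self.established or reverse in self.established
            return "established" if known else "no-state"
        if "RST" in flags:
            for key in (forward, reverse):
                self.half_open.pop(key, None)
                self.established.discard(key)
            return "closed"
        return "no-state"


def run_sample():
    """Replay constructed events: one real client, then SYNs that never complete."""
    table = HandshakeTable()
    events = [
        (0.0, "192.0.2.10", 40000, SERVER, 80, {"SYN"}),
        (0.1, SERVER, 80, "192.0.2.10", 40000, {"SYN", "ACK"}),
        (0.2, "192.0.2.10", 40000, SERVER, 80, {"ACK"}),
        (1.0, "203.0.113.1", 1025, SERVER, 80, {"SYN"}),
        (1.1, "203.0.113.2", 1026, SERVER, 80, {"SYN"}),
        (1.2, "203.0.113.3", 1027, SERVER, 80, {"SYN"}),
        (1.3, "203.0.113.4", 1028, SERVER, 80, {"SYN"}),
        (12.0, "192.0.2.11", 40001, SERVER, 80, {"SYN"}),   # after the timeout
        (12.5, "203.0.113.9", 5555, SERVER, 80, {"ACK"}),   # ACK with no handshake
    ]
    return [table.observe(*event) for event in events], table


if __name__ == "__main__":
    verdicts, table = run_sample()
    for verdict in verdicts:
        print(verdict)
    print("alerts:", table.alerts)
```

The stateless rule returns the same answer for all four unanswered SYNs, while the table sees the pending count reach the limit and stops allocating state for that server port.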
Ping of Death - On almost every OS, including some routers, PING
(ICMP) packets larger than 65508 bytes become larger than 64K (because
of the header additions of 28 bytes) and are therefore not handled
well by kernels, making some systems crash or reboot. FireWall-1
`with Stateful Inspection can protect against this attack by defining a
`service object and adding a rule to the security policy that prevents
`packets larger than 64K from passing.
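An added example of the size check behind such a rule (not FireWall-1 configuration or INSPECT code): an oversized ping arrives as IP fragments, so the check computes where each fragment would end in the reassembled datagram and rejects any that passes 65535 bytes, the largest value the IPv4 total-length field can hold. The function names are hypothetical and the packets are constructed.

```python
"""Reject IPv4 fragments that would reassemble past the 64K datagram limit."""
import struct

IP_MAX_DATAGRAM = 65535   # largest value of the 16-bit IPv4 total-length field
PROTO_ICMP = 1


def build_fragment(offset_units, payload_len, more_fragments, proto=PROTO_ICMP):
    """Constructed test input: 20-byte IPv4 header plus zero-filled payload.

    offset_units is the 13-bit fragment offset, counted in 8-byte units.
    """
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len,      # version/IHL, TOS, total length
        0x1234, flags_frag,             # identification, flags + offset
        64, proto, 0,                   # TTL, protocol, checksum (unused here)
        bytes([192, 0, 2, 1]),          # constructed source address
        bytes([198, 51, 100, 7]),       # constructed destination address
    )
    return header + bytes(payload_len)


def reassembled_size(packet):
    """Size the datagram would reach once this fragment is put in place."""
    if len(packet) < 20:
        raise ValueError("shorter than an IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", packet[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    header_len = (ver_ihl & 0x0F) * 4
    if header_len < 20 or total_len < header_len:
        raise ValueError("inconsistent length fields")
    offset = (flags_frag & 0x1FFF) * 8          # byte offset of this fragment
    # Assumes the reassembled header is as long as this fragment's header.
    return header_len + offset + (total_len - header_len)


def verdict(packet):
    try:
        size = reassembled_size(packet)
    except ValueError:
        return "drop-malformed"
    return "drop-oversize" if size > IP_MAX_DATAGRAM else "accept"


def sample_verdicts():
    """Constructed cases around the 65535-byte boundary."""
    return {
        "ordinary ping": verdict(build_fragment(0, 64, False)),
        "last fragment, exactly 65535": verdict(build_fragment(8189, 3, False)),
        "last fragment, 65536": verdict(build_fragment(8189, 4, False)),
        "last fragment, full size": verdict(build_fragment(8189, 1480, False)),
        "truncated header": verdict(b"\x45\x00"),
    }


if __name__ == "__main__":
    for name, result in sample_verdicts().items():
        print(f"{name}: {result}")
```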
`Defenses
`Stealth the Firewall - Under normal situations, anyone on the
`corporate network could potentially access the firewall gateway or
`security access point. This can be prevented by stealthing the
`firewall or hiding its access point. Check Point FireWall-1 provides
`this capability with the addition of one simple rule in the security
`policy. Protecting the gateway in this manner makes it inaccessible
`to any user or application, except for management and configuration
`purposes, effectively making the device invisible.
Network Address Translation can conceal or hide the internal
`network addresses from the Internet, avoiding their disclosure as
`public information.
`Advanced Logging and Alerting
`Connection Accounting - FireWall-1 allows the security manager
`to monitor accounting data on selected connections. For each
`connection handled by the rule an accounting log entry is then
`generated which includes the usual fields as well as the connection's
`duration, the number of bytes and the number of packets transferred.
`The accounting log records are generated when the monitored
`connection ends, so they can be viewed in the Log Viewer. In
`addition, when running the Log Viewer to show the live connections
`(see below), the Active Connections View can be used to monitor
`ongoing connections.
`Active Connections - With FireWall-1, the security manager can
`use the Log Viewer in active connection mode to view in real time
`all connections currently active through the Firewall Modules. The
`live connections are stored and handled in the same way as ordinary
`log records, but are kept in a special file that is continuously updated
`as connections start and end. In this way, all the standard Log
`Viewer features, such as selection, search engine, etc., can be used
`to monitor current network activity.
`When using the accounting option, the connection accounting data
`(time elapsed, bytes and packets transferred) is continuously
`updated, so the security manager can monitor not only the fact of
`the connection but also its activity.
`Multiple Alerting Capabilities - FireWall-1 provides integration of
`multiple alert options including email notification and SNMP traps
`for integration with SNMP-based network management systems
`such as HP OpenView, SunNet Manager, or IBM's NetView 6000. A
`User Defined alerting mechanism is also available to integrate with
`paging, trouble-ticketing and help desk systems providing a great
`deal of flexibility in how security alerts are integrated into current
`management systems.
`
`Copyright © 1998 Check Point Software Technologies Ltd.
`
`Feedback to webmaster@checkpoint.com
`
`https://web.archive.org/web/19980212234325/http://www.checkpoint.com/products/firewall-1/descriptions/acontrol.html
`
`
`FireWall-1 Product Functional Areas: Authentication
`
`Check Point FireWall-1 provides customers, including remote users
`and telecommuters, with secure, authenticated access to enterprise
`resources using multiple authentication schemes. FireWall-1
`authentication services securely validate that the users attempting to
`make a connection are who they say they are before the
`communication is allowed to proceed. Modifications to local servers
`or client applications are not required. Authentication services are
`fully integrated into the enterprise-wide security policy and can be
`centrally managed through FireWall-1's graphical user interface. All
`authentication sessions can be monitored and tracked through the
`Log Viewer.
`FireWall-1 provides three authentication methods:
`1. User Authentication
`2. Client Authentication
`3. Transparent Session Authentication
`User Authentication
`FireWall-1's transparent User Authentication provides access
`privileges on a per user basis for FTP, TELNET, HTTP, and
`RLOGIN, regardless of the user's IP address. If a local user is
`temporarily away from the office and logging in on a different host,
`the security administrator may define a rule that allows that user to
`work on the local network without extending access to all users on
`the same host.
`
`https://web.archive.org/web/19980212234337/http://www.checkpoint.com/products/firewall-1/descriptions/authentication.html
`
`The FireWall-1 Security Servers implement user authentication on
`the gateway. FireWall-1 intercepts a user's attempt to start an
`authenticated session on the requested server and directs the
`connection to the appropriate Security Server. After the user is
`authenticated, the FireWall-1 Security Server opens a second
`connection to the host. All subsequent packets of the session are
`intercepted and inspected by FireWall-1 on the gateway.
`Client Authentication
`Client Authentication enables an administrator to grant access
`privileges to a specific user at a specific IP address. In contrast to
`User Authentication, Client Authentication is not restricted to
`specific services, but provides a mechanism for authenticating any
`application, standard or custom. FireWall-1 Client Authentication is
`not transparent, but it does not require any additional software or
`modifications on either the client or server. The administrator can
`determine how each individual is authenticated, which servers and
`applications are accessible, at what times and days, and how many
`sessions are permitted.
`Transparent Session Authentication
`Transparent Session Authentication can be used to authenticate any
`service on a per-session basis. After the user initiates a connection
`directly to the server, the FireWall-1 gateway, located between the
`user and the destination, intercepts the connection, recognizes that it
`requires user-level authentication, and initiates a connection with a
`Session Authentication Agent. The Agent performs the required
`authentication, after which FireWall-1 allows the connection to
`continue to the requested server if permitted.
`1. Authentication Schemes
`FireWall-1 supports the following authentication schemes:
`1. SecurID — The user is challenged to enter the number
`displayed on the Security Dynamics SecurID card.
`2. S/Key — The user is challenged to enter the value of
`requested S/Key it