`;- .,.
`
`~
`
`13:47
`
`QUALIX GROUP
`
`P.02
`
CheckPoint FireWall-1 Technical White Paper

CHECKPOINT

CheckPoint FireWall-1™
Technical White Paper

info@CheckPoint.COM
`
Executive Summary
Setting up a "firewall" system that controls access from the Internet to a private network, stopping break-in attempts, is the single most important security measure to be taken when connecting to the Internet. This document describes the architecture and unique characteristics of CheckPoint's FireWall-1 Internet gateway security system. It outlines the major technology characteristics that enable CheckPoint FireWall-1 to establish full, transparent and true Internet connectivity using the entire range of Internet protocols while ensuring network security.
Two mainstream methods are currently used to establish Internet firewalls:
• Application level and circuit gateways
• Packet filtering gateways
`
`01994 Ci.cd:.PointSot\wan:TC¢hnolopes 1.14.
`
`INV0012112
`
`Page 1 of 14
`
`Implicit Exhibit 2010
`Juniper v. Implicit
`
`
`
`
Internet Firewalls Technology

When connecting a network to the Internet or to other networks, the most important security issue is to control access from the other networks to the private one. Securing the Internet link involves more than that, but stopping the "fire" from reaching into the private network is the first thing to do.
Two major techniques apply when building an Internet firewall:
• Application level and circuit gateways
• Packet filtering gateways
The major difference between the two techniques (which are commonly used in conjunction) lies in the way packets are handled. When using application and circuit gateways, all packets are addressed to a user-level application on the gateway that links between the two communication points by relaying the data. A typical configuration includes two routers with a "bastion host" in the middle that acts as the application gateway.
Application Level and Circuit Gateways
For each application relayed, application level gateways use specific, special purpose code. Application gateways can provide a high level of security, though they suffer from a number of deficits: only a limited number (usually only a small basic subset) of the applications and services are supported. In order to use the application gateways, users have to log into the gateway machine or to install a specific client application that uses the application gateway for each application they intend to use. Each such application is a different piece of software and requires its own proprietary management. Circuit gateways provide a more general way to implement application gateways.
Network performance is also affected by both application gateways and circuit gateways: each packet must be processed twice by all communication layers, and requires user-level processing and context switching. It should also be noted that the application gateway computer itself ("bastion host" or "dual-homed gateway") remains exposed to the network, and additional means should be implemented to protect it (packet filtering). This typically results in limiting the available services and also in additional hardware.
`
`2
`Cl 1994 Oicick:Point Software Tedmologle8 Ltd.
`
`INV0012113
`
`Page 2 of 14
`
`Implicit Exhibit 2010
`Juniper v. Implicit
`
`
`
`· JUL-18-1994
`
`13: 48
`
`QUALIX GROUP
`
`P.04
`
`CheckPoint Fire Wall-I Teconical ·White Paper
`
Packet Filtering Gateways

With packet filtering gateways the entire network traffic is processed and forwarded or blocked from a single point. Previous packet filtering technologies did not address all security requirements: only basic, insufficient information was available for filtering (e.g. only source and destination addresses and port numbers), the number of rules was limited, and a high performance penalty was paid for filtering. Previous packet filtering technologies also suffered from poor management interfaces: implementing them requires a high level of understanding of the communication internals and writing low-level bit-and-byte code, making them very hard to change and maintain.
Most existing Internet firewalls use a combination of packet filter screening computers or hardware and application gateways.
`
CheckPoint FireWall-1
CheckPoint FireWall-1 combines the efficiency of implementing a general purpose solution for all network protocols with application level savvy. As part of the interface, a comprehensive installation procedure and logging and alerting mechanisms are included. On top of this unique protocol independent technology, a simple, intuitive, object-oriented user interface enables an easy, flexible and uniform way of implementing the organization's global security policy. The following sections detail the functions of FireWall-1.
`
`3
`01994 Oical'oint Software Tcchnologlca Ud.
`
`INV0012114
`
`Page 3 of 14
`
`Implicit Exhibit 2010
`Juniper v. Implicit
`
`
`
`· JUL~18-1994
`
`13:49
`
`QUAUX GROUP
`
`P.05
`
`CheckPoint FtreWall-1 Technical White Paper
`
FireWall-1 Overview
The CheckPoint FireWall-1 Internet Gateway acts as a router between the organization's internal networks and the Internet. All the network traffic between the organization's internal network, Internet sites, and the application gateways between them is routed through the gateway. This ensures that each and every packet is screened and verified to comply with the organization's security policy, giving full security coverage of the entire spectrum of Internet protocols and services.

CheckPoint FireWall-1 is composed of two major components:
• Packet Filter Modules
• Control Module
The Control Module can control and monitor multiple Packet Filter Modules. The Packet Filter Module operates autonomously of the Control Module, providing on-going, simple, powerful and reliable packet filtering. Packet Filter Modules can operate on additional Internet gateways as well as inter-departmental gateways and on critical servers, thus providing peripheral defense as well as in-depth security and compartmentalization.
The control workstation and packet filter module can reside either on the same gateway machine or on two different hosts. In the latter case, communication between the two is authenticated, using a password-based authentication scheme.

[Figure: Control Module managing FW-1 Packet Filter Modules and Router Access Lists]
`
`4
`(119')4 ~ S<!Ctwan: Tcchnotogics Ltd.
`
`INV0012115
`
`Page 4 of 14
`
`Implicit Exhibit 2010
`Juniper v. Implicit
`
`
`
`; · JUL":-18-1994
`
`13: 51
`
`QUALIX GROUP
`
`P.06
`
`CheckPointF'treWall-1 Tee~~ White Paper
`
CheckPoint's Packet Filter Module Architecture
The CheckPoint FireWall-1 packet filter module resides on the gateway host, acting as a security router between the protected networks. The packet filter module is plugged between the Data Link and the Network layers (layers 2 and 3), the Data Link layer being the actual network interface card (NIC) and the Network layer being the first layer of the protocol stack (e.g. IP). Inbound and outbound packets are intercepted at this point and inspected by the module before being processed by the various protocol stack layers. Filtering at this layer ensures that no packet passes through the higher stack layers before being verified to comply with the security policy. Packets that are not explicitly to be accepted by the security policy are simply dropped ("That which is not expressly permitted is prohibited").

[Figure: Communication Layers, showing the FireWall-1 Packet Filter Module between the Data Link and Network layers]
`
`
Data Access
Full packet context is available for screening, from the lower layers (like interface and address data) up to the higher application layers (layers 2 to 7 data in the ISO model).
Programmable Filter Module
Security rules, application knowledge, context information, and packet data are combined into a powerful machine that can implement any security policy based on all needed parameters and logical expressions.
Protocol Independence
The generic and flexible underlying Packet Filter Module is capable of learning and understanding any protocol, as well as adapting to newly defined protocols and applications. This is achieved by using high level definitions and requires no code changes.
Status Reporting
The FireWall-1 Packet Filter Module also includes robust status, auditing, and alerting capabilities. A summary of status information and network traffic is available in the System Status Monitor and can also be obtained using SNMP for incorporation into any network management platform.
Auditing and Alerting
Every communication attempt can be subject to logging and alerting. Log and alert format and actions are open and configurable. The standard formats contain the source and destination of the communication, the service attempted, protocol used, time and date, source port, action carried out (communication accepted, rejected), log and alert type, as well as the packet filter module originating the log. Any information about any communication attempt can be logged or used to trigger an alert (e.g. pop-up window, send a mail message, activate a user-defined action program, or activate a trap).
Simple and Efficient
The CheckPoint FireWall-1 packet filter module is implemented as an autonomous compact code module. It resides inside the operating system kernel as a loadable kernel module. Operating inside the operating system kernel makes it efficient, introducing no additional memory requirements or context switch overheads, and makes it harder to tamper with or bypass.
Benefits and Examples
Utilizing and combining all these technological advantages enables CheckPoint FireWall-1 to handle all Internet protocols securely. Following are a few examples of common Internet protocols and applications and their handling by CheckPoint's filtering technology. It should be noted that none of these protocols can be secured properly using traditional packet filtering systems.
UDP applications
Problem: The User Datagram Protocol (UDP) is a packet-based, connection-less protocol. Unlike connection based protocols (like TCP), there is no distinction between the originator of the request and the response. UDP-based applications (like WAIS, Archie, Domain Name Services) were therefore difficult to filter. Old packet filtering techniques simply eliminated UDP connections or opened a large portion of the UDP range to bi-directional communication, exposing the internal network to attacks.
`
Solution: FireWall-1 solves the problem by keeping a "virtual connection" on top of UDP communications. This is done by keeping state information for each UDP connection on the gateway. Every UDP request packet permitted to cross the firewall is recorded. When an incoming UDP packet is received, it is looked up in the list of pending connections. Only if the packet is a response to a request is it delivered. This assures that all attacks are blocked while UDP applications can be used securely.
`
[Figure: UDP "virtual connection" between Client and Server, kept as state on the gateway]
`
Outbound FTP connection
Problem: Though being a TCP-based protocol, FTP (File Transfer Protocol), one of the most basic and common Internet protocols, involves a level of complexity difficult for existing packet filtering implementations to handle. After the client opens the control connection, the server opens a second, "back" connection to the client for the data transfer, on a port number chosen by the client. Since this port number is not known in advance, and these connections open and close frequently, old packet filter implementations open the entire range of high-numbered ports (>1023) for incoming connections. This is done to allow the back-FTP connections, but it enables numerous ways of attack throughout most of the application spectrum.

Solution: FireWall-1 tracks the FTP session, looking at the FTP application-level data. When the client requests the server to generate the back-connection (an FTP "PORT" command), FireWall-1 records this request. Then, when the back-connection is attempted, it is matched against the pending requests and allowed only as specified. The list of pending requests is maintained dynamically, so that only the required connection is allowed, and only during the FTP session and at no other time.
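The UDP "virtual connection" and the FTP back-connection tracking described above, as an added example that is not CheckPoint's code: a small Python inspector that records outbound UDP requests and delivers only their replies, and that opens an inbound TCP pinhole only for the client port announced in an FTP PORT command, only while that FTP session exists. The Packet class, the Inspector and its state tables, the 10.1.x.x internal address convention, the 40-second UDP timeout and the sample packets are all constructed for this example; FireWall-1's own data structures and timeouts are not described on this page.

```python
import re

INTERNAL_NET = "10.1."   # assumption for this example: internal hosts are 10.1.x.x
UDP_TIMEOUT = 40.0       # assumption: seconds a recorded UDP request stays answerable
# FTP "PORT h1,h2,h3,h4,p1,p2": the client address and the port it will listen on
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class Packet:
    """A packet as the filter sees it (fields only; constructed inline for the example)."""
    def __init__(self, proto, src, sport, dst, dport, syn=False, payload=b""):
        self.proto, self.src, self.sport = proto, src, sport
        self.dst, self.dport, self.syn, self.payload = dst, dport, syn, payload


class Inspector:
    """Gateway state: UDP virtual connections, accepted TCP connections,
    open FTP control sessions and the back-connection pinholes they announced."""

    def __init__(self):
        self.pending_udp = {}      # (src, sport, dst, dport) -> expiry time
        self.tcp_conns = set()     # (initiator, port, responder, port) accepted so far
        self.ftp_sessions = set()  # (client, client_port, server) control connections
        self.pinholes = {}         # (server, client, client_port) -> owning ftp session

    @staticmethod
    def internal(ip):
        return ip.startswith(INTERNAL_NET)

    def filter(self, pkt, now=0.0):
        """Return "accept" or "drop" for one packet, updating state as a side effect."""
        return self._udp(pkt, now) if pkt.proto == "udp" else self._tcp(pkt)

    def _udp(self, pkt, now):
        self.pending_udp = {k: t for k, t in self.pending_udp.items() if t > now}
        if self.internal(pkt.src) and not self.internal(pkt.dst):
            # outbound request: open a virtual connection for its reply only
            self.pending_udp[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + UDP_TIMEOUT
            return "accept"
        # inbound: deliver only a reply to a recorded request (reversed 4-tuple)
        return "accept" if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.pending_udp else "drop"

    def _tcp(self, pkt):
        conn = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self.internal(pkt.src) and not self.internal(pkt.dst):
            if pkt.syn:
                self.tcp_conns.add(conn)
                if pkt.dport == 21:
                    self.ftp_sessions.add((pkt.src, pkt.sport, pkt.dst))
            elif pkt.dport == 21 and (pkt.src, pkt.sport, pkt.dst) in self.ftp_sessions:
                self._track_port(pkt)      # client announces where the server may connect back
            return "accept"                # "diode" policy: outbound is free
        if pkt.syn:
            # inbound connection attempt: allowed only through a pinhole an FTP
            # session opened; the pinhole is consumed by its first use
            if conn in self.tcp_conns:
                return "accept"            # retransmitted SYN of an accepted connection
            session = self.pinholes.pop((pkt.src, pkt.dst, pkt.dport), None)
            if session in self.ftp_sessions:
                self.tcp_conns.add(conn)
                return "accept"
            return "drop"
        # other inbound segments must belong to an accepted connection
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "accept" if conn in self.tcp_conns or rev in self.tcp_conns else "drop"

    def _track_port(self, pkt):
        m = PORT_RE.search(pkt.payload)
        if not m:
            return
        h = [int(x) for x in m.groups()]
        client, port = ".".join(map(str, h[:4])), h[4] * 256 + h[5]
        # refuse a PORT naming another host or a privileged port: that is the
        # "FTP bounce" pattern, not a legitimate back-connection request
        if client == pkt.src and port > 1023:
            self.pinholes[(pkt.dst, client, port)] = (pkt.src, pkt.sport, pkt.dst)

    def end_ftp_session(self, client, client_port, server):
        """Closing the control connection withdraws any pinhole it announced."""
        key = (client, client_port, server)
        self.ftp_sessions.discard(key)
        self.pinholes = {k: v for k, v in self.pinholes.items() if v != key}
```

Unsolicited inbound UDP is dropped even when it is aimed at a port the client used, because the lookup is on the full reversed 4-tuple, and a reply arriving after the timeout is dropped as well. The PORT check refuses a command naming a host other than the client or a privileged port, so the tracked session cannot be turned into a way to open connections to arbitrary internal hosts; ending the control session withdraws any pinhole it announced.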
RPC based protocols
Problem: RPC-based services do not use pre-defined port numbers; they mainly utilize dynamically allocated ports and have no fixed packet structure. This makes them impossible to identify or control by traditional packet filters; application gateways usually fail to handle them as well.
`
Solution: FireWall-1 utilizes a combination of the previous techniques. First, RPC port numbers are tracked dynamically and transparently from the various port mappers in the system. Second, the application information is extracted from the packet in order to identify the program used, overcoming the packet's varying structure. Third, a track of UDP connections is maintained, as described earlier.
Mosaic, World Wide Web and Gopher
The World Wide Web project and the Mosaic front-end exhibit a new level of connectivity in cyber-space, by enabling users to explore Internet resources using simple windows-based applications from any desktop.
Problem: Mosaic is difficult to control because it combines many underlying protocols (HTTP, FTP, WAIS, Archie, Gopher, and others) and it has a broad range of client implementations for any windows-based desktop. It exposes the network security to the risks of each of the underlying protocols (UDP, FTP, etc.) because it requires all of the services to be accessed from each and every desktop on the network.
Solution: The standard handling of all these protocols by the FireWall-1 Packet Filter Module (as demonstrated previously) allows simple, transparent, and secure utilization of Mosaic by any client desktop on the network, without any additional effort.
Trojan Horses and Viruses
Problem: A common way of attacking a computer system is by planting a "Trojan horse" or a virus in the computer system. This program accepts communication from the outside world, enabling system break-ins, or creates communication to the outside world, exporting classified information. Trojan horses are planted either through bugs in server applications or by importing software packages from the net or using magnetic media. While there are good ways to minimize the problem, there is no way to eliminate it completely.
Solution: CheckPoint FireWall-1 seals all the communication channels and logs all communication attempts, both incoming and outgoing. This enables blocking and identifying such attempts promptly, tracking the source of the problem and eliminating it.
The above examples provide only a quick look into the difficulties of handling various Internet protocols by a firewall system, and how CheckPoint FireWall-1 ensures reliable operation and system security. This is only a partial list of protocols currently supported. Other protocols are handled in a similar way, along the guidelines of top-level network security together with correct protocol handling and user transparency. As new protocols and applications are introduced, they are added regularly to the system without requiring additional programming or new software modules.
`
Performance
CheckPoint FireWall-1 was designed to be simple and effective; various optimization techniques are used to achieve high performance:
• Operating inside the operating system kernel imposes negligible processing overhead and no context switching is required, thus achieving low-latency operation.
• Advanced memory management techniques such as caching and hash tables are used to unify multiple instances of objects and to access data effectively.
• A generic and simple filtering mechanism combined with a packet filter optimizer ensures getting the maximum out of today's RISC processors.
Network performance degradation was unmeasurable when operating at full LAN speed (10Mb/sec) on the lowest-end SPARCstation machine; that included communication latency and network bandwidth. Performance impact on the filtering gateway host was also immeasurable. Judging by these test results we deduce the performance hit to be negligible and practically non-existent for current Internet speeds (usually 56kb to T1 - 1.5Mb/sec).
`
`9
`C 1994 <licda'olnt Softwa.rc Te.chnolo~ Lui.
`
`INV0012120
`
`Page 9 of 14
`
`Implicit Exhibit 2010
`Juniper v. Implicit
`
`
`
`l>!UHL L /\
`
`L:IKUUr
`
`t"'. 11
`
`Q.eckPoint FireWall-1 Tecu.nical White Paper
`
CheckPoint FireWall-1 Control Model
The CheckPoint FireWall-1 control workstation is used to define the enterprise-wide security policy, control the communication gateways (Packet Filter Modules), and to view logging and alerting information. The Control Workstation runs an OPEN LOOK X11R5 graphical user interface supporting the full operation and verification of system operation. A set of command line utilities enable operation from a standard TTY. The GUI is composed of the following modules:

Network Objects Manager
Defines the network objects participating directly in the security policy:
• Networks and Sub-networks
• Servers and Workstations
• FireWall-1 Hosts and Gateways
• Routers
• Internet Domains
Every object has a set of attributes that defines its characteristics, like network address, subnet-mask etc. Object attributes are extracted from the network databases, like the hosts and networks files, NIS (Yellow Pages) network databases and the Internet Domain Service. SNMP agents are used for extracting additional information, including the interface and network configuration of hosts, routers and gateways. Objects can be combined together into groups, creating higher level hierarchies.
Services Manager
The Services Manager defines the services known to the system and addressed specifically in the security policy. It should be noted that all communication is screened and controlled, not only the services named explicitly in the policy. The system comes pre-loaded with a comprehensive set of TCP/IP and Internet services, including the following:
• Standard arpa-services: telnet, FTP, SMTP, etc.
• Berkeley r-services: rlogin, rsh, etc.
• Sun RPC services: NIS/Yellow pages, NFS, etc.
• Advanced Internet protocols like HTTP, Gopher, Archie and many more
• IP services: ICMP, RIP, SNMP, etc.
Defining a new service is done by selecting the service type and setting the service's attributes in the proper form. Service types include:
• TCP
• UDP
• RPC
• Other
Services are defined using simple expressions and macros. Services can be grouped to create service families and hierarchies. Examples: NFS (the mount program, NFS server, lock manager), NIS/Yellow-pages (ypserv/ypbind), and Mosaic (HTTP, FTP, Archie, gopher, etc.).
`
Rule-base manager
After defining the network objects and browsing through the network services, it's time to put them together and enter the security policy. Rules expressed under the FireWall-1 rule-base use high level definitions and objects, truly representing the security policy.
Every rule is composed of four parts:
• Match - specifies which communication attempts are included in this rule. It includes the source of the communication, the destination, and the services attempted. A match might say: all communication initiated from the internal network going to the Internet. Another match can be: Internet mail delivery (SMTP) going to the mail servers.
• Action - specifies the handling of this communication attempt. Communication attempts can be accepted (passing the packets transparently), or blocked (rejecting the attempt and generating a negative-acknowledgment connection-refused message, or simply dropping the packet).
• Track - the tracking mechanism specifies the type of auditing or alerting required:
  • No logging
  • Short format log record
  • Long format log record
  • Alert generation, e.g. pop-up window at the system manager's workstation
  • Sending a mail message
  • Generating a network management trap
  • Activating any user-defined procedure
• Target - incorporates the enterprise-wide security rules by enforcing each rule in its appropriate Packet Filter Module or router location. Rules can be enforced on all the gateways, on the destination servers and gateways, or on the source gateways and hosts. Multiple selections and exact specification are supported.
Each communication attempt is matched against the rule-base. Rules are matched in the order specified, top to bottom, enabling predictable behavior of the system. A default last rule always drops communication attempts, leaving no place for communication leaks to slip in, thus implementing the phrase: "That which is not expressly permitted is prohibited".
A verification mechanism checks the consistency of the rule base. It includes:
• Heuristic tests
• Definition inconsistencies
• Redundancy and order checking
From the complete rule-base a Filter Script is generated. The Filter Script describes the objects and rules using CheckPoint's filter definition language. The script definition is easy to understand and mirrors the structure of the rule-base. Using the scripts, more sophisticated security policies can be implemented.
`::a-arn
`
Example: A true "diode" Internet Security Policy
A security policy that allows free and secure outbound connection from the organization's internal network to the Internet, yet prevents any attacks and communication attempts from the Internet, providing only incoming mail, will look like this:

[Figure: Rule-Base Manager screenshot (menus: File, Filter, Routers, Utilities, Properties, Help) showing the three-rule diode policy; the last rule, rule 3, matches Source Any and Destination Any]
`
Routers Access List
Router access lists are generated in the same way: the rule-base is verified, and an access list is generated for each router specified. The access list is then distributed to the routers. The tracking mechanism is ignored, due to the lack of logging and alerting mechanisms in Cisco routers.
Note: Routers do not implement many of the essential capabilities required to provide secure packet filtering (e.g. they look only at TCP/UDP port numbers; see previous sections for details). The limited capabilities of router access lists prevent many rules from being implemented, and make other rules insecure or insufficient (UDP, FTP, RPC, and others).
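The rule-base matching and the router access-list generation described above, as an added example that is not CheckPoint's filter language or code: a Python rule-base in the four-part form (Match, Action, Track, Target), evaluated top to bottom with the implicit final drop rule, a shadowing check of the kind the "Redundancy and order checking" step would perform, and an export to vendor-neutral router access-list lines that discards Track and refuses rules on services that need connection state. The network objects, services, addresses, the DIODE policy encoding and the line format of the export are assumptions made for this example.

```python
from ipaddress import ip_address, ip_network

# Network objects and services, constructed for this example (RFC 1918 / 5737 addresses).
OBJECTS = {
    "internal-net": [ip_network("10.1.0.0/16")],
    "mail-server": [ip_network("10.1.0.25/32")],
    "Any": [ip_network("0.0.0.0/0")],
}
SERVICES = {  # name -> (protocol, server port); None means "any"
    "Any": (None, None), "smtp": ("tcp", 25), "telnet": ("tcp", 23),
    "ftp": ("tcp", 21), "dns": ("udp", 53), "nfs": ("rpc", None),
}
NEEDS_STATE = {"ftp", "dns", "nfs"}  # services a stateless router list cannot secure


class Rule:
    """One rule: Match (src, dst, service), Action, Track and Target."""

    def __init__(self, src, dst, service, action, track="short", target="all"):
        self.src, self.dst, self.service = src, dst, service
        self.action, self.track, self.target = action, track, target

    def matches(self, src_ip, dst_ip, proto, port):
        proto_ok = SERVICES[self.service][0] in (None, proto)
        port_ok = SERVICES[self.service][1] in (None, port)
        return (proto_ok and port_ok
                and any(ip_address(src_ip) in n for n in OBJECTS[self.src])
                and any(ip_address(dst_ip) in n for n in OBJECTS[self.dst]))


def evaluate(rules, src_ip, dst_ip, proto, port):
    """First matching rule wins, top to bottom. No match means the implicit last
    rule applies: drop (its tracking is left unspecified here, hence None)."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.action, rule.track, number
    return "drop", None, None


def _covers(obj_a, obj_b):
    """True if every network of object B lies inside some network of object A."""
    return all(any(b.subnet_of(a) for a in OBJECTS[obj_a]) for b in OBJECTS[obj_b])


def shadowed_rules(rules):
    """Order/redundancy check: rule j can never fire if an earlier rule i matches a
    superset of its traffic. Returns (shadowed rule, shadowing rule) number pairs."""
    found = []
    for j, later in enumerate(rules, start=1):
        for i, earlier in enumerate(rules[: j - 1], start=1):
            if (earlier.service in ("Any", later.service)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)):
                found.append((j, i))
                break
    return found


def router_access_list(rules):
    """Export rules targeted at routers as vendor-neutral permit/deny lines.
    Track is dropped (routers do not log or alert) and rules on services that
    need connection state are refused with a warning rather than approximated."""
    lines, warnings = [], []
    for number, rule in enumerate(rules, start=1):
        if rule.target not in ("all", "router"):
            continue
        if rule.service in NEEDS_STATE:
            warnings.append(f"rule {number}: {rule.service} cannot be expressed safely "
                            "in a stateless router access list")
            continue
        proto, port = SERVICES[rule.service]
        verb = "permit" if rule.action == "accept" else "deny"
        src = " ".join(str(n) for n in OBJECTS[rule.src])
        dst = " ".join(str(n) for n in OBJECTS[rule.dst])
        lines.append(f"{verb} {proto or 'ip'} {src} {dst}" + (f" eq {port}" if port else ""))
    lines.append("deny ip 0.0.0.0/0 0.0.0.0/0")  # the implicit last rule, made explicit
    return lines, warnings


# The paper's "diode" policy: free outbound, only SMTP inbound to the mail server.
DIODE = [
    Rule("internal-net", "Any", "Any", "accept"),
    Rule("Any", "mail-server", "smtp", "accept", track="long"),
]
```

With the DIODE rules, an inbound telnet attempt at the mail server matches neither rule and falls through to the implicit drop, and a third rule placed below rule 1 that restricts internal telnet is reported as shadowed, since rule 1 already accepts everything outbound. The export keeps the deny-all line at the end so the router's list has the same closed default as the rule-base.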
System Status
The System Status window displays a snapshot of all the FireWall-1 Filter Modules at any time interval. Status contains Filter Module status as well as packet statistics through it (accepted, blocked, logged, etc.). An SNMP agent is also supported by the packet filter modules, exporting information and integrating with other network management platforms.

Log Viewer
The Log Viewer displays every logged event, including communication attempts, filter installations, system shutdowns, etc. For every event, the relevant information is displayed, including the date and time, originating machine, source and destination of communication, services attempted, action taken, log and alert types, and other specific information. Fields can be displayed or hidden. Color and icons are attached to events and fields, yielding rapid visual perception.
Searching capabilities enable locating events of interest and tracking communication events. Reports are generated by applying selection criteria to chosen fields, providing compound and comprehensive views. Reports can be viewed, exported in ASCII format or printed in PostScript. Log file management capabilities are integrated.
On-line viewing features enable real-time monitoring of communication activities and alerts. Nodes that appear in the log can be probed instantly from within the Log Viewer for SNMP information.
`
Conclusions
CheckPoint FireWall-1 provides a comprehensive system for controlling and securing the organization's inter-network. CheckPoint's innovative packet filtering technology brings application level security capabilities into an efficient packet filtering engine. CheckPoint FireWall-1 delivers both application and network level security advantages in a single comprehensive scheme. Enterprise-wide management tools enable the organization to utilize CheckPoint's advanced technology in a simple and effective way, creating an unmatched security framework for today's and future network security needs.
`
`13
`
`INV0012124
`
`Page 13 of 14
`
`Implicit Exhibit 2010
`Juniper v. Implicit
`
`
`
`P.15
`
`-------
`
`·--. -·--- ir·----
`1, .
`
`QUALIX GROUP
`
`CheckPoint F1reW all-1 Ti;wIUcal Wbite Paper
`
Specifications
Platforms           Sun SPARC-based systems
Operating System    SunOS 4.1.3 or Solaris 2.3
Window System       X11R5/OPEN LOOK (OpenWindows 3)
Diskspace           5 Mbytes
Memory              16MB (Control Module); no special requirements for Packet Filter Module
Network Interface   All standard Sun Network Interfaces
Routers             Cisco release 9.1
Media               3.5" diskette
`
`14
`Cl994 Oioc:tPoln1 Softwtn: 'l'calmologies IJd.
`
`TOTAL P.15
`
`INV0012125
`
`Page 14 of 14
`
`Implicit Exhibit 2010
`Juniper v. Implicit
`
`