Chapter 7 - Firewall and DMZ Design: Check Point

Abstract

Check Point Software Technologies' firewalls are full-featured firewalls that run on a variety of platforms. These platforms include open systems and dedicated appliances manufactured by Nokia as well as a dozen other companies such as Crossbeam, Sun, and IBM. Key features of Check Point firewalls are stateful inspection, network address translation, multiple types of authentication mechanisms, SmartDefense, Web intelligence, and content inspection; they provide malicious activity detection, antivirus, and other high-level application protections against activities such as port scanning, FTP bounce attacks, URL worms, spyware, and adware. Check Point firewalls also have significant VPN capabilities for both site-to-site and remote access configurations. Check Point's site-to-site VPN is interoperable with products from all other major firewall vendors that implement the IKE and IPSec standards. Because the nature of a demilitarized zone (DMZ) is to allow access from the Internet to hosts on your network, it is important to maintain a complete security policy surrounding access to these hosts. Building a secure DMZ with Check Point involves many aspects of the firewall's feature set. Check Point firewalls can be used in any conceivable DMZ configuration, including the traditional “three-legged” design, a multi-DMZ setup, and the dual-firewall “sandwich” or “back-to-back” configuration, where separate firewalls protect the external and internal networks from each other.