Embedded NGX 6.0 Release Notes
November 2005 – Document Revision 10

Contents

Introduction
  Supported Platforms
  Availability
  Copyright
New Platforms
  Safe@Office 500 and 500W
New Features
  New Security Features
  New Networking Features
  New Wireless Related Features
  New VPN Features
  New Management & Maintenance Features

Introduction

This document contains a summary of the new features in Embedded NGX 6.0 and describes the differences between Embedded NGX 6.0 and previous versions.
Supported Platforms

Embedded NGX 6.0 supports the following hardware platforms:
• Check Point Safe@Office 100B series, 200 series, 400W series
• Check Point Safe@Office 500, 500W
• Check Point VPN-1 Edge X series
• Check Point VPN-1 Edge W series
• NEC SecureBlade 300
• Nokia IP40 *

Important: Embedded NGX 6.0 does not support the following hardware platforms:
• Check Point Safe@Office 100 series
• Check Point VPN-1 Edge S series
• Nokia IP30
• SofaWare S-box
• NEC SecureBlade 100

Availability

• Embedded NGX 6.0 is available to existing Embedded NG customers with a valid software subscription contract.
• * For information regarding availability on Nokia IP40, contact Nokia support.

Copyright

© Copyright 2005 SofaWare Technologies Ltd. SofaWare is a registered trademark of SofaWare Technologies Ltd. Check Point is a registered trademark of Check Point Software Technologies Ltd.

New Platforms

Safe@Office 500 and 500W

Introduction

Safe@Office 500 and 500W are the latest addition to the Check Point Unified Threat Management product line for small businesses. The new products are security appliances that deliver an all-in-one Internet security solution right out of the box. The Safe@Office 500W features Check Point's firewall and VPN technology integrated with a WiFi access point, offering a simple, affordable and reliable solution designed to keep small business networks protected and running. Safe@Office 500 is a complete unified threat management (UTM) appliance, addressing the security needs of a typical small business, including firewall, VPN, wireless security, antivirus, fraud prevention, anti-spam, web content filtering and more. Safe@Office 500 is available in two models: the standard model, Safe@Office 500, and the wireless-enabled model, Safe@Office 500W.
Safe@Office 500W features a built-in 802.11b/g/Super G access point that is tightly integrated with the firewall and hardware-accelerated VPN, as well as a print server function that allows connecting USB-based printers to the appliance and sharing them across the network. Safe@Office 500 can be upgraded by installing the 'Safe@Office 500 Power Pack', enabling advanced capabilities. The Safe@Office 500 Power Pack can be added at any time and does not require hardware replacement.

Technical Specifications

Feature                                      500                    500 with Power Pack
Size
  Total Users                                5/25/No Limit          5/25/No Limit
  Firewall Throughput                        100 Mbps               150 Mbps
  VPN Throughput                             20 Mbps                30 Mbps
Interfaces
  Integrated switch                          4-port 10/100 Mbps full duplex LAN switch with automatic crossover (MDI-X) detection
  10/100 WAN port                            ✓                      ✓
  10/100 DMZ/WAN2 port                       ✓                      ✓
  Serial port                                ✓                      ✓
Firewall & Security Features
  Concurrent connections                     8000                   8000
  Firewall                                   Check Point Stateful Inspection with Application Intelligence
  Reporting and Logging                      ✓                      ✓
  SmartDefense (IDS/IPS)                     ✓                      ✓
  Instant Messenger Blocking/Monitoring      ✓                      ✓
  P2P File Sharing Blocking/Monitoring       ✓                      ✓
  Centralized Web Filtering *                ✓                      ✓
  Port-based and Tag-based VLAN              -                      ✓
  Secure HotSpot (Guest Access)              -                      ✓
Antivirus
  VStream Embedded Antivirus                 ✓                      ✓
  VStream Supported Protocols                HTTP, FTP, NBT, POP3, IMAP, SMTP, user-defined TCP and UDP ports
  On-the-fly decompression                   ✓                      ✓
  Centralized Email Antivirus and Antispam * ✓ (POP3, SMTP)         ✓ (POP3, SMTP)
VPN
  Site-to-Site VPN                           2 tunnels              15 tunnels
  Site-to-Site VPN (Managed) *               10 tunnels             100 tunnels
  Remote Access VPN client                   ✓                      ✓
  Remote Access VPN server                   ✓                      ✓
  Included VPN-1 SecuRemote client licenses  5 users                25 users
  OfficeMode                                 ✓                      ✓
  Route Based VPN                            ✓                      ✓
  IPSEC Features                             Hardware accelerated DES, 3DES, AES, MD5, SHA-1; Hardware Random Number Generator (RNG); Internet Key Exchange (IKE); Perfect Forward Secrecy (PFS); IPSEC Compression; IPSEC NAT Traversal (NAT-T)
VPN User and Gateway Authentication Methods
  Site-to-site                               Check Point Internal Certification Authority (Diffie-Hellman 1024-bit PKI) digital certificates, X.509 digital certificates or pre-shared secret
  Remote access (to VPN-1 Pro)               RADIUS, RSA SecurID, LDAP, Active Directory, TACACS, XAUTH
  Remote access (to VPN-1 Edge)              RADIUS or pre-shared secret
Networking
  WAN access protocols                       Static IP, DHCP, PPPoE, PPTP, Telstra
  Network Address Translation                ✓                      ✓
  DHCP server, client and relay              ✓                      ✓
  Dead Internet Connection Detection (DCD)   ✓                      ✓
  Source Routing                             ✓                      ✓
  OSPF Dynamic Routing                       -                      ✓
  Backup VPN gateways (MEP)                  ✓                      ✓
  Backup ISP                                 ✓                      ✓
  Dialup Backup (requires external modem)    ✓                      ✓
High Availability
  Automatic Gateway Failover (HA)            -                      ✓
Traffic Management
  Traffic Shaper (QoS)                       Basic                  Advanced
  Traffic Monitoring                         ✓                      ✓
  DiffServ Tagging                           -                      ✓
Management
  Centralized Management Support             SMP management software
  Local Web-based Management                 Friendly, wizard-based setup: Internet connection wizard, Firewall rule wizard, VPN wizard, Certificate wizard and more
  Local Diagnostics Tools                    Ping, WHOIS, Packet Sniffer, VPN Tunnel Monitor, Connection Table Monitor, Wireless Monitor, Active Computers Display, Local Logs
  HTTPS remote access                        ✓                      ✓
  Other Management Methods                   Command Line Interface (CLI) over SSH or the serial port
  NTP Automatic Time Setting                 ✓                      ✓
  Syslog logging                             ✓                      ✓
  TFTP Rapid Deployment                      ✓                      ✓
  SNMP monitoring                            ✓                      ✓
Other Hardware Specifications
  Physical Dimensions (W x H x D)            500: 20.32 x 3.05 x 12.19 cm (8 x 1.2 x 4.8 inches); 500W: 20 x 3.1 x 15.5 cm (7.9 x 1.2 x 6.1 inches)
  Weight                                     0.7 kg (1.56 lbs)
  Power                                      100-240 VAC, 50-60 Hz (depending on country)
  Regulatory Compliance                      FCC Part 15 Class B, CE
  Warranty                                   One-year hardware

* Requires SMP (Security Management Portal) management software.

Safe@Office 500W adds the following features:

Feature                                      500W
Hardware Features
  USB 2.0 Print Server                       ✓
  Wall Mounting Kit                          ✓
  Anti-Theft Slot                            ✓
Wireless Features
  Wireless Protocols                         IEEE 802.11b (11 Mbps), 802.11g (54 Mbps), Super-G (108 Mbps) *
  Wireless Security                          VPN (IPSec) over Wireless, WEP, WPA, WPA2 (802.11i), WPA-PSK, 802.1x, MAC address filtering, firewall-protected WLAN network
  Wireless Range (regular mode)              Up to 109 yards (100 m) indoors and 328 yards (300 m) outdoors *
  Wireless Range (extended range mode)       Up to 328 yards (300 m) indoors and 1094 yards (1 km) outdoors *
  Dual Diversity Antennas                    ✓
  Wireless QoS (WMM)                         ✓

* Super-G and XR modes require Super-G and XR enabled wireless network adapters. Environmental factors may reduce actual range and throughput.

New Features

New Security Features

SmartDefense & Application Intelligence

Since the popularization of the Internet, enterprise firewalls have proven an effective defense against security exploits aimed at the network and transport levels. Firewalls with a defined security policy foil a full 90 percent of these attacks.
However, attackers no longer look only for exposed vulnerabilities in the network and transport layers; they actively attack the application level. To help network administrators deal with application-level attacks, Check Point Application Intelligence technology provides a combination of attack safeguards and attack-blocking tools. Embedded NGX now supports Check Point SmartDefense Services, which use Application Intelligence to prevent and block attacks in the following ways:
• Validating compliance with standards
• Validating expected usage of protocols (protocol anomaly detection)
• Limiting the ability of applications to carry malicious data
• Controlling application-layer operations

These mechanisms enforce proper usage of Internet resources such as instant messaging, peer-to-peer (P2P) file sharing, Microsoft file-sharing operations, and FTP uploads, among others. In addition, Embedded NGX continues to offer protection against network and transport-level attacks, with strategies countering IP fragmentation, smurfing, non-TCP denial of service (non-TCP DoS), and port scans.
Embedded NGX currently supports a wide array of attack safeguards, including:

Denial of Service
• Teardrop
• Ping of Death
• LAND
• Non-TCP flooding
• SYN attack

IP and ICMP
• Packet sanity
• Maximum ping size
• IP fragments control
• Network Quota
• Welchia worm blocking
• Cisco IOS DoS attack blocking
• Null payload ICMP blocking

TCP
• Strict TCP checking
• Minimum PMTU enforcement

FTP
• FTP bounce
• Blocked FTP commands
• FTP Block Known Ports
• FTP Block Port Overflow

Instant Messenger Blocking
• Skype
• ICQ
• Yahoo

P2P File Sharing Blocking
• FastTrack
• Gnutella
• E-donkey
• Bit-Torrent

Microsoft File Sharing
• CIFS Worm Catcher

Port Scan
• Host Port Scan
• Sweep Scan

VStream Embedded Antivirus

Embedded NGX includes VStream, a new embedded stream-based antivirus engine that supports efficient antivirus scanning at the kernel level. By offering a gateway-based antivirus solution, Embedded NGX blocks security threats before they reach your network. The antivirus signatures are updated automatically, keeping the protection up to date with no need for user or network administrator intervention. Although it can be used alone, VStream is especially suitable as a second layer of antivirus, complementing the capabilities and addressing the weaknesses of desktop antivirus software. In addition to blocking computer viruses and Trojan horses, VStream also includes anti-phishing, blocking fraudulent emails that try to entice users to fake web sites in an attempt to steal sensitive data such as passwords or credit card details.

Based on Check Point Stateful Inspection and Application Intelligence technologies, VStream offers several advantages over traditional proxy-based network antivirus solutions:

Lightweight Streaming
VStream scans files for malicious content on the fly, without downloading them into intermediate storage. This means minimal added latency and support for unlimited file sizes.
By storing only minimal state information per connection, VStream can scan thousands of concurrent connections.

Comprehensive Protocol Support
VStream offers comprehensive protocol support, including HTTP, FTP, NBT (Microsoft file sharing), POP3, SMTP, and IMAP, as well as arbitrary, user-defined TCP and UDP ports.

Granular Scanning Policy
A customizable scanning policy allows specifying with very fine granularity exactly which connections should be scanned for viruses.

On-the-fly Decompression
VStream supports on-the-fly, real-time decompression and scanning of ZIP, TAR, and GZ archive files. Archive files can be scanned with no file size limitation and with support for nested archive files.

New Networking Features

Dynamic Routing

Embedded NGX supports the Open Shortest Path First (OSPF) version 2 dynamic routing protocol, both for standard dynamic routing and for route-based VPN (see "Route-based VPN" under New VPN Features). OSPF is a shortest-path-first, or link-state, protocol. This widely used interior gateway protocol distributes routing information between routers in a single autonomous system (AS). OSPF chooses the least-cost path as the best path. It is suitable for complex networks with a large number of routers because it provides equal-cost multi-path routing, where packets to a single destination can be sent via more than one interface simultaneously. In a link-state protocol, each participating router maintains a database describing the entire AS topology, which it builds from the collected link state advertisements of all routers. Each router distributes its local state (that is, the router's usable interfaces and reachable neighbors) throughout the AS by flooding. Each multi-access network with at least two attached routers has a designated router and a backup designated router. The designated router floods a link state advertisement for the multi-access network and has other special responsibilities.
Using a designated router reduces the number of adjacencies required on a multi-access network. The great advantages of dynamic routing are automatic distribution of routing tables across the enterprise and automatic rerouting of traffic around failures for high resiliency. Since OSPF is fully integrated with VPN, all of OSPF's advantages apply to VPN links as well, allowing for a fully dynamic, resilient, multi-hop VPN network. It is even possible to use OSPF in a mixed VPN and leased line environment, allowing automatic failover between VPN links and leased lines. The Embedded NGX OSPF implementation is fully interoperable with the Check Point Advanced Routing Suite, as well as with any other RFC-compliant OSPF implementation. Embedded NGX OSPF capabilities are configured through the gateway's command line interface.

Dynamic Routing is supported in the following models: Safe@Office 225, 225U, 425W, 425UW, 500 with Power Pack, and the VPN-1 Edge X and W series.

Custom DHCP Options

The Embedded NGX DHCP server allows the administrator to manually customize the DHCP options passed to clients, including:
• Domain name
• DNS servers (2)
• WINS servers (2)
• NTP servers (2)
• VoIP call managers (2)
• TFTP server and boot filename

RADIUS Enhancements

Vendor-Specific Attribute (VSA) Support

Remote Authentication Dial-In User Service (RADIUS) is an external authentication scheme that provides security and scalability by separating the authentication function from the access server. When employing RADIUS as an authentication scheme, Embedded NGX forwards remote users' authentication requests to the RADIUS server. The RADIUS specification defines a list of attributes that can be sent in RADIUS replies. These attributes can contain authorization information for a specific user. Embedded NGX now accepts the Vendor-Specific Attribute (type 26) in RADIUS responses with the SofaWare vendor code (6983).
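As an added example (not code from these release notes or from SofaWare), the following Python builds and parses a RADIUS Vendor-Specific Attribute (type 26) carrying the SofaWare vendor code 6983, using the four permission sub-attributes (type IDs 1 to 4) and the allowed string values listed in the VSA syntax table below; it then merges the decoded permissions over locally configured ones, as the notes describe, and applies the "@realm" suffix described under RADIUS Realm Appending. The outer attribute layout is RFC 2865's; the assumption that each permission is encoded as a vendor-type / vendor-length / string sub-attribute (the RFC 2865 recommended form) is ours, and a real gateway should be checked against a packet capture.

```python
import struct

SOFAWARE_VENDOR_ID = 6983   # vendor code stated in the release notes
VENDOR_SPECIFIC = 26        # RFC 2865 attribute type for Vendor-Specific

# Permission type IDs and allowed string values from the VSA syntax table.
PERMISSIONS = {
    1: ("administrator", {"none", "readonly", "readwrite"}),
    2: ("vpn", {"true", "false"}),
    3: ("hotspot", {"true", "false"}),
    4: ("filter_override", {"true", "false"}),
}
NAME_TO_ID = {name: pid for pid, (name, _) in PERMISSIONS.items()}


def encode_sofaware_vsa(permission: str, value: str) -> bytes:
    """Build one Vendor-Specific attribute holding a single permission.
    Layout (assumed): type 26, length, 4-byte vendor id, vendor-type,
    vendor-length, ASCII value."""
    pid = NAME_TO_ID[permission]
    if value not in PERMISSIONS[pid][1]:
        raise ValueError(f"{value!r} is not an allowed value for {permission}")
    data = value.encode("ascii")
    sub = struct.pack("!BB", pid, 2 + len(data)) + data
    body = struct.pack("!I", SOFAWARE_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_permissions(attributes: bytes) -> dict:
    """Walk a RADIUS attribute list and collect SofaWare permissions.
    Other vendors, other attribute types, malformed lengths and values
    outside the allowed set are ignored rather than trusted."""
    perms = {}
    i = 0
    while i + 2 <= len(attributes):
        atype, alen = attributes[i], attributes[i + 1]
        if alen < 2 or i + alen > len(attributes):
            break                                   # bad length: stop, do not guess
        if atype == VENDOR_SPECIFIC and alen >= 8:  # room for vendor id + one sub-attr header
            vendor = struct.unpack("!I", attributes[i + 2:i + 6])[0]
            if vendor == SOFAWARE_VENDOR_ID:
                perms.update(_decode_subattrs(attributes[i + 6:i + alen]))
        i += alen
    return perms


def _decode_subattrs(payload: bytes) -> dict:
    out = {}
    j = 0
    while j + 2 <= len(payload):
        stype, slen = payload[j], payload[j + 1]
        if slen < 2 or j + slen > len(payload):
            break
        if stype in PERMISSIONS:
            name, allowed = PERMISSIONS[stype]
            value = payload[j + 2:j + slen].decode("ascii", "replace")
            if value in allowed:
                out[name] = value
        j += slen
    return out


def effective_permissions(local: dict, radius: dict) -> dict:
    """Any permission sent by the RADIUS server overrides the locally
    configured one; permissions it did not send keep their local value."""
    merged = dict(local)
    merged.update(radius)
    return merged


def realm_username(username: str, realm: str = "") -> str:
    """Append '@realm' to the user name before it is sent to the RADIUS server."""
    return f"{username}@{realm}" if realm else username
```

Rejecting values outside the documented set, rather than storing whatever string arrives, keeps a misconfigured or compromised RADIUS server from injecting permission strings the gateway would have to interpret.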
The RADIUS server can use the VSA to pass the Embedded NGX gateway a specific set of permissions to grant the authenticated user. Multiple permissions can be specified in a single response, and any permission sent by the RADIUS server overrides the permission configured locally on the gateway.

The syntax of the VSA is as follows:

  Permission        Type ID   Allowed Values (String)
  Administrator     1         "none" / "readonly" / "readwrite"
  VPN               2         "true" / "false"
  HotSpot           3         "true" / "false"
  Filter Override   4         "true" / "false"

RADIUS Realm Appending

If your organization uses RADIUS realms, you can now append a specific realm to RADIUS requests. For example, setting the RADIUS realm to "myrealm" makes Embedded NGX append "@myrealm" to the end of the username before sending it to the RADIUS server.

RADIUS Timeout and Retries Settings

The timeout and maximum retries settings for RADIUS authentication are now user-configurable.

Dead Connection Detection (DCD)

Embedded NGX now supports several methods for detecting Internet connection failures:
• Probing the default gateway for availability. In LAN modes this is done by sending ARP requests to the default gateway; in PPP modes (PPTP, PPPoE, and Dialup) it is done by sending LCP echo requests to the PPP peer. If the default gateway does not respond, the Internet connection is considered to be down.
• Probing up to three servers for availability, using ICMP ping. If none of the defined servers responds to pings for 45 seconds, the Internet connection is considered to be down.
• Probing up to three Check Point VPN gateways for availability, using RDP echo requests. If none of the defined gateways responds to RDP echo requests for 45 seconds, the Internet connection is considered to be down.
• Probing the currently defined DNS servers for availability, by sending DNS requests. If neither the primary nor the secondary DNS server responds for 45 seconds, the Internet connection is considered to be down.
If two Internet connections are defined and the primary Internet connection is considered to be down, a failover is performed to the secondary Internet connection, ensuring continuous Internet connectivity.

MAC Cloning for WAN2

Some ISPs require the use of a specific MAC address for connecting to their services. Previous versions of Embedded NG supported MAC cloning only for the WAN port. In Embedded NGX, MAC cloning is supported for both the WAN1 and DMZ/WAN2 ports.

Note: If the DMZ/WAN2 port is configured to act as a DMZ port, this setting is disabled for the secondary Internet connection.

NTP Automatic Time Setting

Embedded NGX supports the Network Time Protocol (NTP), a widely used protocol for accurately synchronizing the system clock to a set of well-known time sources (NTP servers).

Gateway High Availability (HA) Enhancements

Group ID

Embedded NGX now allows multiple high availability groups (clusters) to co-exist on the same network segment. To allow this, each group should be assigned a unique Group ID.

Enhanced Interface Tracking

Embedded NGX allows tracking the link status of the gateway's Ethernet ports as part of the high availability priority calculation. If a tracked port's Ethernet link is lost, the gateway's HA priority is reduced by the user-specified amount.

HA VPN Effect

Embedded NGX allows the user to specify whether all VPN links should be disabled automatically when the HA gateway is in the Passive state.

Note: The Safe@Office 100B, 200, and 500 appliances support tracking of the WAN and DMZ/WAN2 ports. Safe@Office 400W series appliances support tracking of the WAN, DMZ/WAN2, and LAN ports.

Manual Ethernet Port Settings

By default, the link speed and duplex settings are automatically detected for all the ports in the gateway. In addition to autodetection, Embedded NGX now offers the ability to manually restrict each Ethernet port to a specific link speed (10 or 100 Mbps) and duplex setting (full duplex or half duplex).
Note: The Safe@Office 100B, 200, and 500 appliances support setting the link speed and duplex settings of the WAN and DMZ/WAN2 ports. Safe@Office 400W and 500W series appliances support setting the link speed and duplex settings of the WAN, DMZ/WAN2, and LAN ports.

Source Routing

Embedded NGX includes a new Static Route Wizard with support for source routes. In traditional routing, the next hop is selected according to the destination IP address only. Source routing allows the selected route to depend on both the destination IP address and the source IP address. Source routing allows, for example, the LAN network to use the primary Internet connection while the DMZ network uses the secondary Internet connection, thus balancing the load between the two Internet connections.

Traffic Shaper (QoS) Enhancements

Traffic Shaper is a bandwidth management solution for Internet and intranet gateways that enables network administrators to set bandwidth policies so as to alleviate bandwidth congestion at network access points. The overall mix of traffic is dynamically controlled by managing bandwidth usage for entire classes of traffic. Embedded NGX Traffic Shaper supports the shaping of inbound traffic when multiple internal networks are defined on the gateway. Previous versions supported inbound traffic shaping for a single internal network only.

New Wireless Related Features

Secure HotSpot

Public Internet access hotspots are now rapidly being deployed in airports, hotels, retail outlets, and educational institutions. To facilitate easy creation of guest access networks, Embedded NGX includes the new Secure HotSpot system. A network is enabled as a HotSpot network by selecting a single check box. On HotSpot networks, each user is required to sign in to the HotSpot before gaining access to the network.
Signing in can be done either by browsing to the page http://my.hotspot, or by browsing to any other Web page, in which case a user who has not signed in is automatically redirected to http://my.hotspot. On the Secure HotSpot page, the user is prompted to accept the terms of use for the network. If the HotSpot is configured to be password protected, the user is also prompted to enter a username and password before gaining access to the network. In contrast, SecuRemote VPN software users who are authenticated by the Internal VPN Server are exempt from HotSpot authentication. This allows, for example, authenticated employees to gain full access to the corporate LAN, while guest users are permitted to access the Internet only. Secure HotSpot also includes support for Quick Guest, which allows an administrator to grant access to a new HotSpot guest user with a single mouse click.

The Secure HotSpot feature is not restricted to wireless environments. It can be used in any environment in which Web-based user authentication or terms-of-use approval is required before gaining access to the network, for example public computer labs, educational institutions, libraries, and Internet cafés.

Secure HotSpot is supported in the following models: Safe@Office 225/225U/425W/425UW/500 with Power Pack, as well as the VPN-1 Edge X series and W series appliances.

IEEE 802.11i (WPA2) Support

IEEE 802.11i (also known as WPA2) is an amendment to the 802.11 standard specifying security mechanisms for wireless networks. It is a replacement for the WPA and WEP security specifications, both of which have known security weaknesses (WEP's being severe). WPA2 makes use of the Advanced Encryption Standard (AES) cipher instead of the RC4 cipher used by WPA and WEP. Embedded NGX wireless appliances now offer full support for the WPA2 standard, in addition to continued support for the older WPA and WEP standards.
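Returning to the Secure HotSpot behaviour described above, the following Python is an added example (not code from these release notes or from SofaWare) of the decision logic a captive portal of this kind needs: unsigned-in web traffic is redirected to http://my.hotspot, the portal itself stays reachable, other traffic waits, terms of use must be accepted, credentials are checked only when the HotSpot is password protected, SecuRemote users authenticated by the Internal VPN Server are exempt, and Quick Guest mints a throw-away account. The client addresses, the corporate LAN range used to restrict guests to the Internet (the notes give that as an example policy), the guest naming scheme and the plain-text user store are all constructed for this example.

```python
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

HOTSPOT_HOST = "my.hotspot"            # sign-in page named in the release notes
HOTSPOT_URL = "http://" + HOTSPOT_HOST


@dataclass
class SecureHotSpot:
    """Decision logic for one HotSpot network. The LAN range, addresses and
    user store are constructed for this example, not taken from the product."""
    password_protected: bool = False
    corporate_lan: ipaddress.IPv4Network = field(
        default_factory=lambda: ipaddress.ip_network("192.168.10.0/24"))
    users: dict = field(default_factory=dict)            # username -> password
    signed_in: set = field(default_factory=set)          # client IPs past the sign-in page
    vpn_authenticated: set = field(default_factory=set)  # SecuRemote users, exempt from sign-in

    def decide(self, client_ip: str, dst: str, dst_port: int) -> str:
        """Return 'allow', 'redirect' (to the sign-in page) or 'drop' for a new
        connection; dst is the HotSpot host name or a destination IP address."""
        if client_ip in self.vpn_authenticated:
            return "allow"                      # employees: full access, LAN included
        if client_ip in self.signed_in:
            # guests: Internet only (assumed policy, the notes' own example)
            return "drop" if self._is_corporate(dst) else "allow"
        if dst == HOTSPOT_HOST:
            return "allow"                      # the portal must be reachable before sign-in
        if dst_port == 80:
            return "redirect"                   # any other web page -> http://my.hotspot
        return "drop"                           # non-web traffic waits for sign-in

    def redirect_target(self) -> str:
        return HOTSPOT_URL

    def sign_in(self, client_ip: str, accepted_terms: bool,
                username: str = "", password: str = "") -> bool:
        """Terms of use must be accepted; credentials are checked only when the
        HotSpot is password protected, with a constant-time comparison."""
        if not accepted_terms:
            return False
        if self.password_protected:
            expected = self.users.get(username)
            if expected is None or not hmac.compare_digest(
                    expected.encode(), password.encode()):
                return False
        self.signed_in.add(client_ip)
        return True

    def quick_guest(self) -> tuple:
        """Quick Guest: create a one-off guest account with a random password.
        The naming scheme is an assumption of this example."""
        name = "guest-" + secrets.token_hex(2)
        pw = secrets.token_urlsafe(9)
        self.users[name] = pw
        return name, pw

    def _is_corporate(self, dst: str) -> bool:
        try:
            return ipaddress.ip_address(dst) in self.corporate_lan
        except ValueError:                      # a host name, not an address
            return False
```

The sign-in state is keyed by client IP, which is all a web sign-in can bind to; that is why the notes treat VPN-authenticated users differently, since their identity is bound cryptographically rather than to an address on a shared wireless segment.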
Wireless Multimedia QoS (WMM)

With the rising use of real-time multimedia services over wireless networks, the need for quality of service enforcement on the wireless network is becoming evident. Wireless Multimedia (WMM) is based on the IEEE 802.11e draft standard, providing basic Quality of Service (QoS) features to IEEE 802.11 wireless networks. WMM prioritizes traffic according to four access categories (Voice, Video, Best Effort, and Background). Embedded NGX wireless appliances now offer full support for WMM.

Manual Diversity Control

Multipath distortion is caused by the reflection of radio frequency (RF) signals traveling from the transmitter to the receiver along more than one path. Signals reflected by a surface reach the receiver after the non-reflected signals and distort them. Embedded NGX wireless security appliances avoid the problems of multipath distortion by using an antenna diversity system. To provide antenna diversity, each wireless security appliance has two antennas. In automatic diversity control mode, the signal is received through both antennas, and the best antenna to use for communicating with each station is selected by comparing the distortion ratio: the antenna that receives the least distorted signal is selected automatically. Manual diversity control means that the administrator selects a single antenna that is used permanently, disabling the automatic diversity control system. Manual diversity control should be used if only one antenna is connected to the appliance.

Manual Extended Range (XR) Control

Embedded NGX wireless security appliances support a special extended range (XR) mode that allows up to three times the range of a regular 802.11g access point. XR dramatically stretches the reach of a wireless LAN by enabling long-range connections. The architecture delivers receive sensitivities down to -105 dBm, over 20 dB better than the 802.11 specification requires.
This allows ranges of up to 300 meters indoors and over 1 km (3200 ft) outdoors with XR-enabled clients (actual range depends on the environment). Normally, support for XR is automatically negotiated with the wireless stations and used as needed. Embedded NGX now allows support for XR mode to be disabled manually.

New VPN Features

Route-based VPN

Embedded NGX is designed to extend company resources to remote locations, no matter how complex the environment is. Embedded NGX supports VPN domains, the traditional method of defining VPN boundaries with a static group of IP addresses. In addition, Embedded NGX supports route-based VPNs, in which the VPN topology is delegated to network routing decisions. Such flexibility gives enterprises a powerful mechanism for providing connectivity in complex and dynamic networks. Route-based VPNs allow administrators to extend dynamic routing protocols from headquarters to remote locations over the VPN tunnel, improving network and VPN management efficiency for a large network. For constantly changing networks, route-based VPNs combined with OSPF dynamic routing can be a good solution. Every VPN tunnel is represented as a virtual tunnel interface (VTI) and assigned an IP address, enabling encapsulation of OSPF traffic. These virtual adapters can be used to establish integrated dynamic routing configurations with the routing domains in the protected networks. By combining OSPF and route-based VPNs, organizations can make frequent changes to the network topology, such as adding an internal network, without having to repeatedly reconfigure static VPN domains. In effect, this new technology unifies all the VPN-protected networks into a single, dynamically adaptable network.
Advanced VPN Configuration

Embedded NGX allows the manual configuration of several advanced IPSEC VPN options, including:
• Phase-1 and Phase-2 security methods
• Phase-2 Perfect Forward Secrecy
• Diffie-Hellman (DH) groups
• SA lifetime values

As in previous versions, the administrator can set any of these to 'Automatic' (the default and recommended value), in which case the gateway attempts to negotiate the best settings supported by the VPN peer.

IP Compression (IPCOMP)

Embedded NGX supports IP Payload Compression (RFC 2394) for Site-to-Site VPN. Using IP compression can improve VPN performance over slow Internet links.

Enhanced Active Tunnels Display

The Active Tunnels report now shows both the currently active Phase-1 (IKE) SAs and their associated established Phase-2 (IPSEC) VPN tunnels. For each tunnel, the source and destination IP addresses or address ranges are shown, as well as the selected security methods and the tunnel establishment time.

Certificate Fingerprint Display

A unique certificate fingerprint text, used to identify the certificate, is displayed on the Certificate page. This fingerprint matches the fingerprint displayed in the SecuRemote VPN client upon the first connection to this gateway. If the system administrator sends the SecuRemote user a fingerprint, the user should verify that the root CA fingerprint displayed in SecuRemote is identical to the fingerprint received before accepting it.

Office Mode Support

Remote access to organizations' internal networks has become widespread, making it essential that remote users be able to access as many of the organization's internal resources as possible. Typically, when remote access is implemented, the client connects using an Internet IP address locally assigned by an ISP.
This may lead to the following problems:
• When two clients on the same network (for example, the WLAN) use the Internal VPN Server, they cannot communicate with each other over the secure VPN link. Because their IP addresses are on the same subnet, they attempt to communicate directly over the local network instead of routing through the gateway.
• Some networking protocols or resources may require the client's IP address to be an internal one.

Office Mode enables an Embedded NGX gateway to assign a remote client a unique local IP address, solving the problems above. The assignment takes place when the user connects and authenticates. The address is taken from the predefined OfficeMode network. By default, Office Mode is disabled. Office Mode is enabled in the Embedded NGX configuration portal's My Network page.

Note: Office Mode requires Check Point SecureClient to be installed on the VPN clients. Check Point SecuRemote does not support Office Mode. When Office Mode is not supported by the client, traditional mode is selected instead.

New Management & Maintenance Features

Built-in Packet Sniffer Tool

Embedded NGX includes a built-in packet sniffer tool, allowing the user to capture packets for troubleshooting purposes. A filter expression can be specified to capture only packets matching certain conditions. If no expression is given, all packets on the selected interface are saved. The packet sniffer tool saves capture results to a file on the user's computer, in a format that is easily readable by free protocol analyzers such as Ethereal (since renamed Wireshark). Ethereal runs on all popular computing platforms, including UNIX, Linux, and Windows, and can be downloaded from http://www.ethereal.com.
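As an added example (not code from these release notes or from SofaWare), the following Python shows what "a format easily readable by Ethereal" means in practice: it serializes captured frames as a libpcap file (24-byte global header, 16-byte per-record headers, little-endian, link type Ethernet), reads such a file back, and applies a small host/port/protocol filter in the spirit of the sniffer's filter expression, capturing everything when no filter is given. The Ethernet/IPv4/TCP/UDP frames, addresses and timestamps are constructed for the example (checksums are left zero, so a real analyzer will flag them), and the keyword filter is a stand-in, not the appliance's expression language.

```python
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame used as sample input.
    Checksums are left zero and the MAC addresses are placeholders."""
    if proto == PROTO_TCP:   # 20-byte header: seq/ack 0, data offset 5, SYN, window 8192
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    elif proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP and UDP frames are built here")
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def parse_frame(frame):
    """Extract what a simple filter needs; returns None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = str(ipaddress.ip_address(frame[26:30]))
    dst = str(ipaddress.ip_address(frame[30:34]))
    l4 = frame[14 + ihl:]
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def matches(frame, host=None, port=None, proto=None):
    """Stand-in filter ('host X and port N and proto P'): every condition given
    must hold; host and port match either direction."""
    info = parse_frame(frame)
    if info is None:
        return False
    if host is not None and host not in (info["src"], info["dst"]):
        return False
    if port is not None and port not in (info["sport"], info["dport"]):
        return False
    if proto is not None and info["proto"] != proto:
        return False
    return True


def pcap_bytes(records, snaplen=65535):
    """Serialize (timestamp, frame) pairs as a libpcap 2.4 file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        captured = frame[:snaplen]                   # incl_len may be < orig_len
        out.append(struct.pack("<IIII", sec, usec, len(captured), len(frame)) + captured)
    return b"".join(out)


def read_pcap(data):
    """Parse a libpcap byte string back into (timestamp, frame) pairs."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    records, pos = [], 24
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[pos:pos + 16])
        records.append((sec + usec / 1_000_000, data[pos + 16:pos + 16 + incl]))
        pos += 16 + incl
    return records


def capture(frames, out_path=None, **filt):
    """Keep frames matching the filter (all frames if none is given), stamp
    them with synthetic times, and optionally write the pcap to out_path."""
    kept = [(1131000000.0 + i * 0.001, f) for i, f in enumerate(frames)
            if not filt or matches(f, **filt)]
    data = pcap_bytes(kept)
    if out_path:
        with open(out_path, "wb") as fh:
            fh.write(data)
    return kept, data
```

Writing the file with a snaplen and recording both incl_len and orig_len is what lets an analyzer tell a truncated frame from a short one; a sniffer that silently drops the tail of large packets without saying so makes troubleshooting harder, not easier.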
Traffic Monitor

Embedded NGX includes Traffic Monitor, a built-in traffic-monitoring and graphing system that allows the administrator to quickly visualize network traffic patterns and easily identify trends and anomalies. Traffic Monitor reports blocked, allowed, and encrypted traffic rates per network interface and per incoming/outgoing direction. In addition, Traffic Monitor is fully integrated with Traffic Shaper to allow graphical reporting on Quality of Service (QoS) classes. The administrator can use Traffic Monitor to identify bottlenecks and fine-tune Traffic Shaper QoS class assignments. Traffic Monitor can be used to answer questions such as: Is the Internet connection underutilized or congested? How much of the Internet connection bandwidth is being used by Voice over IP (VoIP) traffic? How much is being used for bulk traffic such as SMTP or FTP? The data collected by Traffic Monitor can be exported to CSV (Comma Separated Values) format, allowing further manipulation and analysis of the data using familiar tools such as Microsoft Excel.

Enhanced Serial Console

The initial appliance password can now be set through the serial (RS232) console, allowing full initialization of the appliance through the serial port. This is especially useful in bulk deployments, where it is desirable to prepare each appliance very quickly in an operations center prior to shipment.

Enhanced CLI Editing

The Embedded NGX Command Line Interface (CLI) can be accessed via the serial console or Secure Shell (SSH) and has been enhanced to support command line completion and command line history. At any point when typing a command, you can press the TAB key to either complete the current command or show a list of possible completions. All commands entered during a CLI session are saved in a command history. You can browse through the command history by using the UP and DOWN arrow keys.
User Account Expiration

The Embedded NGX local user database now supports the definition of users with a preset expiration date and time. When the user account expires, it is locked, and the user can no longer log on to the appliance.