Embedded NGX 6.0 Release Notes

November 2005 – Document Revision 10
Contents
Introduction (page 2)
  Supported Platforms (page 2)
  Availability (page 2)
  Copyright (page 2)
New Platforms (page 3)
  Safe@Office 500 and 500W (page 3)
New Features (page 8)
  New Security Features (page 8)
  New Networking Features (page 11)
  New Wireless Related Features (page 17)
  New VPN Features (page 20)
  New Management & Maintenance Features (page 23)
Introduction
This document contains a summary of new features in Embedded NGX 6.0 and
describes the differences between Embedded NGX 6.0 and previous versions.
Supported Platforms
Embedded NGX 6.0 supports the following hardware platforms:
• Check Point Safe@Office 100B series, 200 series, 400W series
• Check Point Safe@Office 500, 500W
• Check Point VPN-1 Edge X series,
• Check Point VPN-1 Edge W series
• NEC SecureBlade 300
• Nokia IP40 *
Important: Embedded NGX 6.0 does not support the following hardware platforms:
• Check Point Safe@Office 100 series
• Check Point VPN-1 Edge S Series
• Nokia IP30
• SofaWare S-box
• NEC SecureBlade 100
Availability
• Embedded NGX 6.0 is available to existing Embedded NG customers with a valid
software subscription contract.
• For information regarding availability on Nokia IP40, contact Nokia support.
Copyright
© Copyright 2005 SofaWare Technologies Ltd.
SofaWare is a registered trademark of SofaWare Technologies Ltd.
Check Point is a registered trademark of Check Point Software Technologies Ltd.
New Platforms
Safe@Office 500 and 500W
Introduction
Safe@Office 500 and 500W are the latest addition to the Check Point Unified
Threat Management product line for small businesses. The new products are
security appliances that deliver an all-in-one Internet security solution right out
of the box. The Safe@Office 500W series features Check Point’s market-leading
firewall and VPN technology integrated with a top-of-the-line WiFi access point,
offering a simple, affordable and reliable solution designed to keep small
business networks protected and running.
Safe@Office 500 is a complete unified threat management (UTM) appliance,
addressing all security needs of a typical small business including: firewall, VPN,
wireless security, antivirus, fraud prevention, anti-spam, web content filtering and
more.
Safe@Office 500 is available in two models: the standard model, Safe@Office
500, and the wireless-enabled model, Safe@Office 500W. Safe@Office 500W
features a built-in 802.11b/g/Super G access point that is tightly integrated with
the firewall and hardware-accelerated VPN, as well as a print server function that
allows USB-based printers to be connected to the appliance and easily shared
across the network.
Safe@Office 500 can be upgraded by installing the ‘Safe@Office 500 Power
Pack’, enabling advanced capabilities. Adding the Safe@Office 500 Power Pack
can be performed at any time, and does not require hardware replacement.
Technical Specifications

Model | 500 | 500 with Power Pack

Size
Total Users | 5/25/No Limit | 5/25/No Limit
Firewall Throughput | 100 Mbps | 150 Mbps
VPN Throughput | 20 Mbps | 30 Mbps

Interfaces
Integrated switch | 4-port 10/100 Mbps Full Duplex LAN switch with automatic crossover (MDI-X) detection.
10/100 WAN port | ✓ | ✓
10/100 DMZ/WAN2 port | ✓ | ✓
Serial port | ✓ | ✓

Firewall & Security Features
Concurrent connections | 8000 | 8000
Firewall | Check Point Stateful Inspection with Application Intelligence
Reporting and Logging | ✓ | ✓
SmartDefense (IDS/IPS) | ✓ | ✓
Instant Messenger Blocking / Monitoring | ✓ | ✓
P2P File Sharing Blocking / Monitoring | ✓ | ✓
Centralized Web Filtering* | ✓ | ✓
Port-based and Tag-based VLAN | - | ✓
Secure HotSpot (Guest Access) | - | ✓

Antivirus
VStream Embedded Antivirus | ✓ | ✓
VStream Supported Protocols | HTTP, FTP, NBT, POP3, IMAP, SMTP, User-defined TCP and UDP ports.
On the fly decompression | ✓
Centralized Email Antivirus and Antispam* | ✓ (POP3, SMTP)

VPN
Site-to-Site VPN | 2 tunnels | 15 tunnels
Site-to-Site VPN (Managed)* | 10 tunnels | 100 tunnels
Remote Access VPN client | ✓ | ✓
Remote Access VPN server | ✓ | ✓
Included VPN-1 SecuRemote client Licenses | 5 users | 25 users
OfficeMode | ✓ | ✓
IPSEC Features | Hardware accelerated DES, 3DES, AES, MD5, SHA-1, Hardware Random Number Generator (RNG), Internet Key Exchange (IKE), Perfect Forward Secrecy (PFS), IPSEC Compression, IPSEC NAT Traversal (NAT-T)
Route Based VPN | ✓ | ✓

VPN User and Gateway Authentication Methods
Site-to-site | Check Point Internal Certification Authority (Diffie-Hellman 1024-bit PKI) digital certificates, X.509 digital certificates or pre-shared secret
Remote access (to VPN-1 Pro) | RADIUS, RSA (SecureID), LDAP, Active Directory, TACACS, XAUTH
Remote access (to VPN-1 Edge) | RADIUS or pre-shared secret

Networking
WAN access protocols | Static IP, DHCP, PPPoE, PPTP, Telstra
Network Address Translation | ✓ | ✓
DHCP server, client and relay | ✓ | ✓
Dead Internet Connection Detection (DCD) | ✓ | ✓
Source Routing | ✓ | ✓
OSPF Dynamic Routing | - | ✓
Backup VPN gateways (MEP) | ✓ | ✓
Backup ISP | ✓ | ✓
Dialup Backup (Requires External Modem) | ✓ | ✓

High Availability
Automatic Gateway Failover (HA) | - | ✓

Traffic Management
Traffic Shaper (QoS) | Basic | Advanced
Traffic Monitoring | ✓ | ✓
DiffServ Tagging | - | ✓

Centralized Management Support
Management software | SMP

Local Web-based Management
Friendly, Wizard based setup | Internet connection wizard, Firewall rule wizard, VPN wizard, Certificate wizard and more.
Local Diagnostics Tools | Ping, WHOIS, Packet Sniffer, VPN Tunnel Monitor, Connection Table Monitor, Wireless Monitor, Active Computers Display, Local Logs
HTTPS remote access | ✓ | ✓

Other Management Methods
Command Line Interface (CLI) | SSH, Serial Port
NTP Automatic Time Setting | ✓ | ✓
Syslog logging | ✓ | ✓
TFTP Rapid Deployment | ✓ | ✓
SNMP monitoring | ✓ | ✓

Other Hardware Specifications
Physical Dimensions (W x H x D) | (500) 20.32 x 3.05 x 12.19 cm (8 x 1.2 x 4.8 inches); (500W) 20 x 3.1 x 15.5 cm (7.9 x 1.2 x 6.1 inches)
Weight | 0.7 kg (1.56 lbs)
Power | 100-240 VAC, 50-60 Hz (Depending on Country)
Regulatory Compliance | FCC Part 15 Class B, CE
Warranty | One-Year Hardware

* Requires SMP (Security Management Portal) management software
Safe@Office 500W adds the following features:

Model | 500W

Hardware Features
USB 2.0 Print Server | ✓
Wall Mounting Kit | ✓
Anti-Theft Slot | ✓

Wireless Features
Wireless Protocols | IEEE 802.11b (11 Mbps), 802.11g (54 Mbps), Super-G (108 Mbps)*
Wireless Security | VPN (IPSec) over Wireless, WEP, WPA, WPA2 (802.11i), WPA-PSK, 802.1x, MAC address filtering, Firewall WLAN network
Wireless Range (regular mode) | Up to 109 yards (100 m) indoors and 328 yards (300 m) outdoors*
Wireless Range (extended range mode) | Up to 328 yards (300 m) indoors and 1094 yards (1 km) outdoors*
Dual Diversity Antennas | ✓
Wireless QoS (WMM) | ✓

* Super-G and XR modes require Super-G and XR enabled wireless network
adapters. Environmental factors may reduce actual range and throughput.
New Features
New Security Features
SmartDefense & Application Intelligence
Since the popularization of the Internet, enterprise firewalls have proven an
effective defense against security exploits aimed at the network and transport
levels. Firewalls with a defined security policy foil a full 90 percent of these
attacks. However, 21st century hackers do more than look for exposed
vulnerabilities in the network and transport layers; nowadays, these technically
talented rogues actively attack the application level.
To help network administrators deal with application-level attacks, Check Point
Application Intelligence technology provides a potent combination of attack
safeguards and attack blocking tools. Embedded NGX now supports Check Point
SmartDefense Services, which use Application Intelligence to prevent and block
attacks in the following ways:
• Validating compliance to standards
• Validating expected usage of protocols (Protocol Anomaly Detection)
• Limiting application ability to carry malicious data
• Controlling application-layer operations
These mechanisms enforce proper usage of Internet resources such as instant
messaging, Peer-to-Peer (P2P) file sharing, file-sharing operations, and File
Transfer Protocol (FTP) uploading, among others.
In addition, Embedded NGX continues to offer protection against network and
transport-level attacks with strategies countering IP fragmentation, smurfing,
Non-TCP Denial of Service (Non-TCP DOS), and port scans.
Embedded NGX currently supports a wide array of attack safeguards, including:
Denial of Service
• Teardrop
• Ping of death
• LAND
• Non-TCP flooding
• SYN attack
IP and ICMP
• Packet sanity
• Maximum ping size
• IP fragments control
• Network Quota
• Welchia worm blocking
• Cisco IOS DoS attack blocking
• Null payload ICMP blocking
TCP
• Strict TCP checking
• Minimum PMTU enforcement
FTP
• FTP bounce
• Blocked FTP commands
• FTP Block Known Ports
• FTP Block Port Overflow
P2P Instant Messenger Blocking
• Skype
• ICQ
• Yahoo
P2P File Sharing Blocking
• FastTrack
• Gnutella
• E-donkey
• Bit-Torrent
Microsoft File Sharing
• CIFS Worm Catcher
Port Scan
• Host Port Scan
• Sweep Scan
VStream Embedded Antivirus
Embedded NGX includes VStream, a new embedded stream-based antivirus
engine that supports efficient antivirus scanning at the kernel level.
By offering a gateway-based antivirus solution, Embedded NGX blocks security
threats before they ever reach your network. The antivirus signatures are
automatically updated, keeping the security up-to-date with no need for user or
network administrator intervention.
Although it can be used alone, VStream is especially suitable as a second layer of
antivirus, complementing the capabilities and addressing the weaknesses of
desktop antivirus software.
In addition to blocking computer viruses and Trojan Horses, VStream also
includes Anti-Phishing, blocking fraudulent emails that try to entice users to fake
web sites in an attempt to steal sensitive data, such as passwords or credit card
details.
Based on Check Point Stateful Inspection and Application Intelligence
technologies, VStream offers several advantages over traditional proxy-based
network antivirus solutions:
Lightweight Streaming: VStream scans files for malicious content on the fly,
without downloading them into intermediate storage. This means minimal added
latency and support for unlimited file sizes. By taking great care to store only
minimal state information per connection, VStream can scan thousands of
concurrent connections.
Comprehensive Protocol Support: VStream offers comprehensive protocol
support, including HTTP, FTP, NBT, file sharing, POP3, SMTP, and IMAP, as
well as arbitrary, user-defined TCP and UDP ports.
Granular Scanning Policy: A customizable scanning policy allows specifying
with very fine granularity exactly which connections should be scanned for
viruses.
On-the-fly Decompression: VStream supports on-the-fly, real-time
decompression and scanning of ZIP, TAR, and GZ archive files. Archive files can
be scanned with no file size limitation and with support for nested archive files.
New Networking Features
Dynamic Routing
Embedded NGX supports the Open Shortest Path First Routing (OSPF) version 2
dynamic routing protocol, for standard dynamic routing, as well as for route-based
VPN (see “Route-based VPN,” page 20).
OSPF is a shortest-path-first or link-state protocol. This widely used interior
gateway protocol distributes routing information between routers in a single
autonomous system (AS). OSPF chooses the least-cost path as the best path. It is
suitable for complex networks with a large number of routers because it provides
equal-cost, multi-path routing, where packets to a single destination can be sent
via more than one interface simultaneously.
In a link-state protocol, each participating router maintains a database describing
the entire AS topology, which it builds out of the collected link state
advertisements of all routers. Each router distributes its local state (that is, the
router’s usable interfaces and reachable neighbors) throughout the AS by
flooding.
Each multi-access network with at least two attached routers has a designated
router and a backup designated router. The designated router floods a link state
advertisement for the multi-access network and has other special responsibilities.
Using a designated router reduces the number of adjacencies required on a
multi-access network.
The great advantages of using dynamic routing are automatic distribution of
routing tables across the enterprise and automatic rerouting of traffic around
failures for high resiliency.
Since OSPF is fully integrated with VPN, all of OSPF’s advantages can be
enjoyed for VPN links, allowing for a fully dynamic, resilient, multi-hop VPN
network. It is even possible to use OSPF in a mixed VPN and leased line
environment, allowing automatic failover between VPN links and leased lines.
The Embedded NGX OSPF implementation is fully interoperable with the Check
Point Advanced Routing Suite, as well as with any other RFC compliant OSPF
implementation.
Embedded NGX OSPF capabilities can be configured through the gateway’s
command line interface.
Dynamic Routing is supported in the following models: Safe@Office 225, 225U,
425W, 425UW, 500 with Power Pack, VPN-1 Edge X and W series.
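The least-cost-path and equal-cost multi-path behaviour described above can be seen in a few lines of shortest-path-first code. The block below is an added example written for these notes, not code from Embedded NGX or from SofaWare; the five-router topology and its link costs are constructed for illustration, and a "link" can equally be read as a leased line or a VPN virtual tunnel interface, which is how the mixed VPN/leased-line failover the text mentions works out in practice.

```python
import heapq
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, Tuple

# Constructed link-state database: (router A, router B, cost). In OSPF this is what
# each router assembles from the flooded link state advertisements of all routers.
SAMPLE_LINKS = [
    ("R1", "R2", 10),
    ("R1", "R3", 10),
    ("R2", "R4", 10),   # R1 -> R2 -> R4 costs 20
    ("R3", "R4", 10),   # R1 -> R3 -> R4 also costs 20: equal-cost multi-path
    ("R1", "R4", 30),   # direct but more expensive link (e.g. a backup VPN tunnel)
]


def build_lsdb(links: Iterable[Tuple[str, str, int]]) -> Dict[str, Dict[str, int]]:
    """Turn a list of bidirectional links into an adjacency map {router: {neighbor: cost}}."""
    lsdb: Dict[str, Dict[str, int]] = defaultdict(dict)
    for a, b, cost in links:
        if cost <= 0:
            raise ValueError("OSPF link costs must be positive")
        lsdb[a][b] = cost
        lsdb[b][a] = cost
    return lsdb


def spf(lsdb: Dict[str, Dict[str, int]], root: str) -> Dict[str, Tuple[int, FrozenSet[str]]]:
    """Dijkstra shortest-path-first from `root`.

    Returns {destination: (total cost, next hops)}. Every neighbor that lies on
    an equal-cost shortest path is kept as a next hop, so the caller can forward
    packets to one destination over more than one interface simultaneously.
    """
    dist: Dict[str, int] = {root: 0}
    next_hops: Dict[str, FrozenSet[str]] = {root: frozenset()}
    heap = [(0, root)]
    visited = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in visited:
            continue
        visited.add(u)
        for v, cost in lsdb[u].items():
            nd = d + cost
            # Directly attached neighbors are their own next hop; anything further
            # away inherits the next hops of the router it is reached through.
            hops = frozenset({v}) if u == root else next_hops[u]
            if v not in dist or nd < dist[v]:
                dist[v] = nd
                next_hops[v] = hops
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                next_hops[v] = next_hops[v] | hops  # equal-cost alternative
    return {n: (dist[n], next_hops[n]) for n in dist}


def routes_after_failure(links, failed: Tuple[str, str], root: str):
    """Recompute SPF with one link removed: the automatic rerouting the notes describe."""
    remaining = [l for l in links if {l[0], l[1]} != set(failed)]
    return spf(build_lsdb(remaining), root)


if __name__ == "__main__":
    table = spf(build_lsdb(SAMPLE_LINKS), "R1")
    for dest, (cost, hops) in sorted(table.items()):
        print(f"{dest}: cost {cost} via {sorted(hops)}")
```

Running the block prints the routing table from R1; R4 is reached at cost 20 over both R2 and R3, and if the R2-R4 link is removed the next SPF run keeps the same cost with R3 as the only next hop.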
Custom DHCP Options
The Embedded NGX DHCP server allows the administrator to manually customize
the DHCP options passed to the clients, including:
• Domain name
• DNS servers (2)
• WINS servers (2)
• NTP servers (2)
• VoIP call managers (2)
• TFTP server & boot filename
RADIUS Enhancements
Vendor-Specific Attribute (VSA) Support
Remote Authentication Dial-In User Service (RADIUS) is an external
authentication scheme that provides security and scalability by separating the
authentication function from the access server.
When employing RADIUS as an authentication scheme, Embedded NGX
forwards remote users’ authentication requests to the RADIUS server. The
RADIUS specification defines a list of attributes that can be sent in RADIUS
replies. These attributes can contain authorization information for a specific user.
Embedded NGX now accepts the Vendor Specific Attribute (VSA) (26) in
RADIUS responses with the SofaWare vendor code (6983). The RADIUS server
can use the VSA to pass the Embedded NGX gateway a specific set of
permissions to grant the authenticated user. Multiple permissions can be specified
in a single response, and any permission sent by the RADIUS server overrides the
permission configured locally on the gateway.
The syntax of the VSA is as follows:

Permission | Type ID | Allowed Values (String)
Administrator | 1 | “none” / “readonly” / “readwrite”
VPN | 2 | “true” / “false”
HotSpot | 3 | “true” / “false”
Filter Override | 4 | “true” / “false”
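The following is an added example, not code from the release notes or from SofaWare, showing how a RADIUS server would lay out the Vendor-Specific Attribute from the table above and how a gateway would parse it without trusting the lengths in the reply. It assumes the standard RFC 2865 Vendor-Specific layout (attribute type 26, a 4-byte Vendor-Id, then Vendor-Type / Vendor-Length / value sub-attributes) with the string values encoded as ASCII; the vendor code 6983, the type IDs 1 to 4 and the allowed values come from the notes, everything else is an assumption of the example.

```python
import struct
from typing import Dict

ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type
SOFAWARE_VENDOR_ID = 6983      # vendor code given in the release notes

# Vendor-Type ID -> (permission name, allowed string values), as tabulated in the notes
VSA_PERMISSIONS = {
    1: ("Administrator", frozenset({"none", "readonly", "readwrite"})),
    2: ("VPN", frozenset({"true", "false"})),
    3: ("HotSpot", frozenset({"true", "false"})),
    4: ("Filter Override", frozenset({"true", "false"})),
}


def encode_vsa(vendor_type: int, value: str) -> bytes:
    """Build one Vendor-Specific attribute carrying a single SofaWare permission.

    Layout (assumed RFC 2865 form): type=26 | length | vendor-id (4 bytes) |
    vendor-type | vendor-length | value. Rejects values the table does not allow.
    """
    name, allowed = VSA_PERMISSIONS[vendor_type]
    if value not in allowed:
        raise ValueError(f"{name}: {value!r} is not one of {sorted(allowed)}")
    data = value.encode("ascii")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", SOFAWARE_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(blob: bytes) -> Dict[str, str]:
    """Walk a RADIUS attribute list and collect SofaWare permissions.

    Other attributes and other vendors' VSAs are skipped. A length field that
    points past the end of the buffer stops parsing instead of reading beyond it,
    and values outside the allowed set are ignored rather than applied.
    """
    perms: Dict[str, str] = {}
    i = 0
    while i + 2 <= len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            break  # malformed length: do not trust the rest of the reply
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", blob[i + 2:i + 6])[0]
            if vendor_id == SOFAWARE_VENDOR_ID:
                j = i + 6
                end = i + alen
                while j + 2 <= end:
                    vtype, vlen = blob[j], blob[j + 1]
                    if vlen < 2 or j + vlen > end:
                        break
                    value = blob[j + 2:j + vlen].decode("ascii", "replace")
                    if vtype in VSA_PERMISSIONS and value in VSA_PERMISSIONS[vtype][1]:
                        perms[VSA_PERMISSIONS[vtype][0]] = value  # later entries win
                    j += vlen
        i += alen
    return perms


def effective_permissions(local: Dict[str, str], from_radius: Dict[str, str]) -> Dict[str, str]:
    """Any permission sent by the RADIUS server overrides the one configured locally."""
    return {**local, **from_radius}
```

A reply that grants read-only administration and VPN access is `encode_vsa(1, "readonly") + encode_vsa(2, "true")`; parsing it and merging with the gateway's local settings via `effective_permissions` shows the override rule from the text, while a truncated or over-long attribute yields no permissions at all.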
RADIUS Realm Appending
If your organization uses RADIUS realms, you can now append a specific realm to
RADIUS requests. For example, setting the RADIUS realm to “myrealm” would
make Embedded NGX append “@myrealm” to the end of the username before
sending it to the RADIUS server.
RADIUS Timeout and Retries Settings
The timeout and maximum retries settings for RADIUS authentication are now
user-configurable.
Dead Connection Detection (DCD)
Embedded NGX now supports several methods for detecting Internet connection
failures:
• Probing the default gateway for availability. In LAN modes this is done
by sending ARP requests to the default gateway, while in PPP modes
(PPTP, PPPoE, and Dialup) this is done by sending PPP echo reply (LCP)
messages to the PPP peer. If the default gateway does not respond, the
Internet connection is considered to be down.
• Probing up to three servers for availability, using ICMP Ping. If all the
defined servers do not respond to pinging for 45 seconds, the Internet
connection is considered to be down.
• Probing up to three Check Point VPN gateways for availability, using
RDP echo reply messages. If all the defined gateways do not respond to
RDP echo requests for 45 seconds, the Internet connection is considered to
be down.
• Probing the currently defined DNS servers for availability, by sending
DNS requests. If both the primary and secondary DNS servers do not
respond for 45 seconds, the Internet connection is considered to be down.
If two Internet connections are defined, and the primary Internet connection is
considered to be down, a failover will be performed to the secondary Internet
connection, ensuring continuous Internet connectivity.
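The decision logic of the four DCD methods and the failover rule above, as an added example that is not part of the release notes or of the Embedded NGX code. It models the two rules the text states: a single missed reply from the default gateway marks the link down, while a group of probe targets (ping servers, VPN gateways, DNS servers) marks it down only after all of them have failed continuously for 45 seconds. The probe rounds, target addresses (RFC 5737 documentation ranges) and timings are constructed; how the real appliance schedules its probes is not described on the page and is not assumed here.

```python
from typing import Dict, Iterable, Optional, Sequence, Tuple

FAIL_WINDOW_SECONDS = 45  # all targets unanswered for this long => connection down


class DefaultGatewayProbe:
    """ARP (LAN modes) or LCP echo (PPP modes): one missed reply means down."""

    def update(self, gateway_replied: bool) -> bool:
        return not gateway_replied


class ProbeGroup:
    """One DCD method that probes several targets (up to three ping servers, up to
    three VPN gateways, or the primary and secondary DNS servers).

    The connection is reported down only when *every* target has gone
    unanswered for FAIL_WINDOW_SECONDS; a single reply from any target resets
    the clock, so one unreachable server never triggers a failover on its own.
    """

    def __init__(self, targets: Sequence[str]):
        self.targets = tuple(targets)
        self.failing_since: Optional[float] = None  # start of the current all-failed streak

    def update(self, now: float, replies: Dict[str, bool]) -> bool:
        """`replies` maps target -> True if it answered in this probe round."""
        if any(replies.get(t, False) for t in self.targets):
            self.failing_since = None
            return False
        if self.failing_since is None:
            self.failing_since = now
        return now - self.failing_since >= FAIL_WINDOW_SECONDS


def time_declared_down(targets: Sequence[str],
                       rounds: Iterable[Tuple[float, Dict[str, bool]]]) -> Optional[float]:
    """Replay a sequence of (timestamp, replies) probe rounds; return the timestamp at
    which the group first declares the connection down, or None if it never does."""
    group = ProbeGroup(targets)
    for now, replies in rounds:
        if group.update(now, replies):
            return now
    return None


def select_connection(primary_down: bool, secondary_defined: bool) -> str:
    """Failover rule: use the secondary Internet connection only if one is defined."""
    return "secondary" if primary_down and secondary_defined else "primary"


# Constructed sample: three ping targets, probed every 15 seconds, none answering.
PING_TARGETS = ("192.0.2.10", "198.51.100.10", "203.0.113.10")
ALL_SILENT = [(0, {}), (15, {}), (30, {}), (45, {})]

if __name__ == "__main__":
    t = time_declared_down(PING_TARGETS, ALL_SILENT)
    print("ping group declared down at", t, "->", select_connection(t is not None, True))
```

Replaying `ALL_SILENT` declares the connection down at t=45 and selects the secondary connection; a single reply from any one target at t=30 pushes the decision out to t=90, and with no secondary connection defined the primary stays selected even when it is down.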
MAC Cloning for WAN2
Some ISPs require the use of a specific MAC address for connecting to their
services. Previous versions of Embedded NG supported MAC cloning only for the
WAN port. In Embedded NGX, MAC cloning is supported for both WAN1 and
DMZ/WAN2 ports.
Note: If the DMZ/WAN2 port is configured to act as a DMZ port, this setting is
disabled for the secondary Internet connection.
NTP Automatic Time Setting
Embedded NGX supports Network Time Protocol (NTP), a widely used protocol
for accurately synchronizing the system clock to a set of well-known time sources
(NTP servers).
Gateway High Availability (HA) Enhancements
Group ID
Embedded NGX now allows multiple high availability groups (clusters) to co-exist
on the same network segment. To allow this, each group should be assigned a
unique Group ID.
Enhanced Interface Tracking
Embedded NGX allows tracking the link status of the gateway’s Ethernet ports as
part of the high availability priority calculation. If a tracked port’s Ethernet link is
lost, the gateway’s HA priority is reduced by the user-specified amount.
HA VPN Effect
Embedded NGX allows the user to specify whether all the VPN links should be
disabled automatically when the HA gateway is in Passive state.
Note: The Safe@Office 100B, 200, and 500 appliances support tracking of the
WAN and DMZ/WAN2 ports. Safe@Office 400W series appliances support
tracking of the WAN, DMZ/WAN2, and LAN ports.
Manual Ethernet Port Settings
By default, the link speed and duplex settings are automatically detected for all
the ports in the gateway. In addition to autodetection, Embedded NGX now offers
the ability to manually restrict each Ethernet port to a specific link speed (10 or
100 Mbps) and duplex setting (Full Duplex or Half Duplex).
Note: The Safe@Office 100B, 200, and 500 appliances support setting the link
speed and duplex settings of the WAN and DMZ/WAN2 ports. Safe@Office 400W
and 500W series appliances support setting the link speed and duplex settings of
the WAN, DMZ/WAN2, and LAN ports.
Source Routing
Embedded NGX includes a new Static Route Wizard with support for source
routes. In traditional routing, the next hop route is selected according to the
destination IP address. Source routing is a technique that allows the selected
destination route to depend upon both the destination IP address and source IP
address.
Source routing allows, for example, the LAN network to use the primary Internet
connection, while the DMZ network uses the secondary Internet connection, thus
balancing the load between the two Internet connections.
Traffic Shaper (QoS) Enhancements
Traffic Shaper is a bandwidth management solution for Internet and Intranet
gateways that enables network administrators to set bandwidth policies, so as to
alleviate bandwidth congestion at network access points. The overall mix of
traffic is dynamically controlled by managing bandwidth usage for entire classes
of traffic.
Embedded NGX Traffic Shaper supports the shaping of inbound traffic when
multiple internal networks are defined on the gateway. Previous versions
supported inbound traffic shaping for a single internal network.
New Wireless Related Features
Secure HotSpot
Public Internet access hotspots are now rapidly being deployed in airports, hotels,
retail outlets, and educational institutions. To facilitate easy creation of guest
access networks, Embedded NGX includes the new and innovative Secure
HotSpot system.
The Embedded NGX Secure HotSpot is enabled as a HotSpot network by
selecting a single check box. On HotSpot networks, each user is required to sign
in to the HotSpot before gaining access to the network. Signing in can be done
either by surfing to the page http://my.hotspot, or by surfing to any other Web
page, in which case a user who has not signed in will automatically be redirected
to http://my.hotspot. On the Secure HotSpot page, the user is prompted to accept
the terms of use for the network. If the HotSpot is configured to be password
protected, the user is prompted to enter a username and password before gaining
access to the network.
In contrast, SecuRemote VPN software users who are authenticated by the
Internal VPN Server are exempt from HotSpot authentication. This allows, for
example, authenticated employees to gain full access to the corporate LAN, while
guest users are permitted to access the Internet only.
Secure HotSpot also includes support for Quick Guest, which allows an
administrator to grant access to a new HotSpot guest user with a single mouse
click.
The Secure HotSpot feature is not restricted for use in wireless environments. It
can be used successfully in any environment in which Web-based user
authentication or terms-of-use approval is required prior to gaining access to the
network. For example, HotSpot access can be enabled in public computer labs,
educational institutions, libraries, Internet cafés, and so on.
Secure HotSpot is supported in the following models: Safe@Office models
225/225U/425W/425UW/500 with Power Pack, as well as on the VPN-1 Edge X
series and W series appliances.
IEEE 802.11i (WPA2) support
IEEE 802.11i (also known as WPA2) is an amendment to the 802.11 standard
specifying security mechanisms for wireless networks. It is a replacement for the
WPA and WEP security specifications, both of which were discovered to have
severe security weaknesses.
WPA2 makes use of the Advanced Encryption Standard (AES) cipher, instead of
the RC4 cipher used by WPA and WEP.
Embedded NGX wireless appliances now offer full support for the WPA2
standard, in addition to continued support for the older WPA and WEP standards.
Wireless Multimedia QoS (WMM)
With the rising use of real time multimedia services over wireless networks, the
need for quality of service enforcement on the wireless network is becoming
evident.
Wireless Multimedia (WMM) is based on the IEEE 802.11e draft standard,
providing basic Quality of Service (QoS) features to IEEE 802.11 wireless
networks. WMM prioritizes traffic according to four access categories (Voice,
Video, Best Effort, and Background).
Embedded NGX wireless appliances now offer full support for WMM.
Manual Diversity Control
Multipath distortion is caused by the reflection of Radio Frequency (RF) signals
traveling from the transmitter to the receiver along more than one path. Signals
that were reflected by some surface reach the receiver after non-reflected signals
and distort them. Embedded NGX Wireless Security Appliances avoid the
problems of multipath distortion by using an antenna diversity system. To
provide antenna diversity, each wireless security appliance has two antennas.
In automatic diversity control mode, the signal is received through both antennas,
and the best antenna to use for communicating with each station is selected by
comparing the distortion ratio. The antenna that receives the lowest distortion
signal is automatically selected as the best antenna.
Manual diversity control means that the administrator can select a single antenna
that will be used permanently, disabling the automatic diversity control system.
Manual diversity control should be used if there is only one antenna connected to
the appliance.
Manual Extended Range (XR) Control
Embedded NGX wireless security appliances support a special extended range
(XR) mode that allows up to three times the range of a regular 802.11g access
point. XR dramatically stretches the performance of a wireless LAN, by enabling
long-range connections. The architecture delivers receive sensitivities of up to
105dBm, over 20 dB more than the 802.11 specification. This allows ranges of up
to 300 meters indoors, and over 1 km (3200 ft) outdoors, with XR-enabled clients.
(Actual range depends on environment.)
Normally, support for XR is automatically negotiated with the wireless stations
and used as needed. However, Embedded NGX now allows for manually
disabling support for XR mode.
New VPN Features
Route-based VPN
Embedded NGX is designed to extend company resources to remote locations, no
matter how complex the environment is. Embedded NGX supports VPN domains,
the traditional method of defining VPN boundaries with a static group of IP
addresses.
In addition, Embedded NGX supports route-based VPNs, in which the VPN
topology is delegated to network routing decisions. Such flexibility gives
enterprises a powerful mechanism for providing connectivity in complex and
dynamic networks. Route-based VPNs allow administrators to extend dynamic
routing protocols from headquarters to remote locations over the VPN tunnel,
improving network and VPN management efficiency for a large network. For
constantly changing networks, route-based VPNs combined with OSPF dynamic
routing can be a good solution.
Every VPN tunnel is represented as a virtual tunnel interface (VTI) and assigned
an IP address, enabling encapsulation of OSPF traffic. These virtual adapters can
be used to establish integrated dynamic routing configurations with the routing
domains in the protected networks. By combining OSPF and route-based VPNs,
organizations can make frequent changes to the network topology, such as adding
an internal network, without having to repeatedly reconfigure static VPN
domains. In effect, this new technology enables unification of all the
VPN-protected networks into a unified, dynamically adaptable network.
Advanced VPN Configuration
Embedded NGX allows the manual configuration of several advanced IPSEC
VPN options, including:
• Phase-1 and Phase-2 security methods
• Phase-2 Perfect Forward Secrecy
• Diffie Hellman (DH) groups
• SA lifetime values
As in previous versions, the administrator can configure any of these settings to
‘Automatic’ (the default and recommended value), in which case the gateway will
attempt to automatically negotiate the best settings which are supported by the
VPN peer.
IP Compression (IPCOMP)
Embedded NGX supports IP Payload Compression (RFC 2394) for Site to Site
VPN. Using IP compression can improve VPN performance over slow Internet
links.
Enhanced Active Tunnels display
The Active Tunnels report has now been improved to show both the currently
active Phase-1 (IKE) and their associated established Phase-2 (IPSEC) VPN
tunnels. For each tunnel, the source and destination IP addresses or address ranges
are shown, as well as the selected security methods and tunnel establishment time.
Certificate Fingerprint Display
A unique certificate fingerprint text, used to identify the certificate, is displayed on
the Certificate page. This fingerprint will match the fingerprint displayed in the
SecuRemote VPN Client upon the first connection to this gateway.
If the system administrator sends the SecuRemote user a fingerprint, the user
should verify that the root CA fingerprint displayed in SecuRemote is identical to
the fingerprint sent to him/her.
Office Mode Support
Remote access to organizations’ internal networks has become widespread,
making it essential that remote users be able to access as many of the
organization’s internal resources as possible.
Typically, when remote access is implemented, the client connects using an
Internet IP address locally assigned by an ISP. This may lead to the following
problems:
• When two clients on the same network (for example, the WLAN) use the
Internal VPN server, they will not be able to communicate with each other
over the secure VPN link. This is because their IP addresses are on the
same subnet, and they therefore will attempt to communicate directly over
the local network, instead of routing through the gateway.
• Some networking protocols or resources may require the client’s IP
address to be an internal one.
Office Mode enables an Embedded NGX Gateway to assign a remote client a
unique local IP address, thus solving the abovementioned problems. The
assignment takes place when the user connects and authenticates. The address is
taken from the predefined OfficeMode network.
By default, Office Mode is disabled. Office Mode is enabled in the Embedded
NGX configuration portal’s My Network page.
Note: Office Mode requires Check Point SecureClient to be installed on the VPN
clients. Check Point SecuRemote does not support Office Mode. When Office
Mode is not supported by the client, traditional mode will be selected instead.
New Management & Maintenance Features
Built-in Packet Sniffer Tool
Embedded NGX includes a built-in packet sniffer tool, allowing the user to capture
packets for troubleshooting purposes. A filter expression can be specified to
capture only packets matching certain conditions. If no expression is given, all
packets on the selected interface will be saved.
The packet sniffer tool saves capture results to a file on the user’s computer, in a
format that is easily readable by free protocol analyzers, such as Ethereal.
Ethereal runs on all popular computing platforms, including UNIX, Linux, and
Windows, and can be readily downloaded from http://www.ethereal.com.
Traffic Monitor
Embedded NGX includes Traffic Monitor, a built-in traffic-monitoring and
graphing system that allows the administrator to quickly visualize the network
traffic patterns and easily identify trends and anomalies.
Traffic monitor allows reporting on blocked, allowed, and encrypted traffic rates
per network interface and per incoming/outgoing direction. In addition, Traffic
Monitor is fully integrated with Traffic Shaper to allow graphical reporting on
Quality of Service (QoS) classes. The administrator can use Traffic Monitor to
identify bottlenecks and fine tune Traffic Shaper QoS class assignments.
Traffic monitor can be used to answer questions such as: Is the Internet
connection underutilized or congested? How much of the Internet connection
bandwidth is being used by Voice over IP (VoIP) traffic? How much is being
used for bulk traffic such as SMTP or FTP?
The data collected by Traffic Monitor can be exported to CSV (Comma Separated
Values) format, allowing further manipulation and analysis of the data using
familiar tools such as Microsoft Excel.
Enhanced Serial Console
The initial appliance password can now be set through the serial (RS232) console,
allowing full initialization of the appliance through the serial port. This is
especially useful in bulk deployments, where it is desirable to prepare each
appliance very quickly in an operations center prior to shipment.
Enhanced CLI Editing
The Embedded NGX Command Line Interface (CLI) can be accessed via the
serial console or Secure Shell Protocol (SSH) and has been enhanced to support
command line completions and command line history.
At any point when typing a command, you can press the TAB key to either
complete the current command, or show a list of possible completions.
All commands entered during a CLI session are saved in a command history. You
can browse through the command history by using the UP and DOWN arrow
keys.
User Account Expiration
The Embedded NGX local user database now supports the definition of users with
a preset expiration date and time. When the user account expires, it is locked, and
the user can no longer log on to the appliance.