Check Point FireWall-1 HTTP Security Server performance tuning

Transcription

1 PROFESSIONAL SECURITY SYSTEMS Check Point FireWall-1 HTTP Security Server performance tuning by Mariusz Stawowski CCSA/CCSE (4.1x, NG) Check Point FireWall-1 security system has been designed as a means for performing a detailed control of HTTP protocol, among others: commands correctness and data format control, reliable authentication of Web users identity (e.g. RADIUS, SecurID), verification of real name and IP address of a Web server (Reverse DNS) in the HTTP Proxy configuration (i.e. Firewall is set up as a Proxy in Web browsers), detection of dangerous URL construction e.g. Content Disposition, enforcing restrictions protecting Web server against Buffer Overflow attacks e.g. maximum URL size, blocking of typical HTTP Worm attacks e.g. Nimda, CodeRed, control of a proper data transfer mode in HTTP protocol, control of allowed URL address schema, blocking of prohibited attachments in HTML pages e.g. ActiveX, blocking of prohibited files copied through HTTP e.g. VisualBasic, blocking of URLs containing prohibited keywords, etc. HTTP protocol control is performed in the basic scope by the SMLI (Stateful Multi- Layer Inspection) on the operating system kernel level (2-3 OSI layer) and in the full scope by the HTTP Security Server on the application level. HTTP Security Server is the implementation of the technology known as Application Gateway or Firewall Proxy. Check Point FireWall-1 is a very efficient security system. However, we must realize that when performing detailed network traffic control, Firewall performance decrease is inevitable. From the operating system of the Firewall platform point of view, HTTP Security Server is an usual process in which limitations of this system environment are in force (e.g. maximum number of file descriptors for each process). In Firewall installations conducting detailed control of HTTP protocol for large number of users it is recommended that the configuration be appropriately prepared and tuned. Recommendations for the Firewall platform: 1. An efficient operating system (e.g. SecurePlatform). 2. Fast processor or multiprocessor machine (at least CPU 1 GHz). 3. Large size of RAM memory (min. 512 MB RAM). Note: It is recommended to utilize hardware-software solutions, so called Firewall Appliance, but only those solutions where the manufacturer gives a detailed description of their hardware parameters (especially type and power of CPU) and which can be updated during operation (e.g. replacement of the CPU, hard disk, etc.). Only such devices can assure suitable Firewall performance and continuos development of application security means. Details on devices performance announced by their manufacturers are not reliable (e.g. performance tests done on specially selected UDP packets). CLICO Ltd. Al. 3-go Maja 7, Kraków, Poland; Tel: ; Fax: ; support@clico.pl, orders@clico.pl; Ftp.clico.pl;

2 Recommendation for the Firewall configuration: 1. Running multiple HTTP Security Server processes. Each instance of the HTTP Security Server has good performance for about simultaneous, unproxied connections. For the proxied connections (i.e. Firewall is set as a Proxy in Web browser), each HTTP Security Server can handle sessions before performance problems can be expected. In the Firewall systems running more simultaneous HTTP connections, it is suggested increasing the number of Security Server processes. HTTP Security Server processes are activated when the FireWall-1 security policy requires application control of HTTP protocol. The number of running processes and the port on which SMTP Security Server listens to should be configured on the Firewall machine in the $FWDIR/conf/fwauthd.conf file (see the product documentation): 80 fwssd in.ahttpd wait -4 In case of problems to run HTTP Security Server control, the settings in the fwauthd.conf file should be examined. Note: HTTP traffic is balanced between multiple HTTP Security Server processes. But only those HTTP connections are being balanced which are initiated from different IP addresses. In case of using HTTP Proxy server in the network protected by Firewall (e.g. SQUID) HTTP traffic is handled only by one HTTP Security Server process. In such configurations, the Firewall cluster working in a load balancing configuration should be deployed (e.g. StoneBeat FullCluster) or HTTP Proxy server should be moved to the other location in the network. Increasing a maximum number of file descriptors available for one operating system process is risky. Instead, we should increase the number of HTTP Security Servers. 2. Increasing of the HTTP buffers size to :http_buffers_size (32768) HTTP buffers size can be adjusted on the Check Point Management server using dbedit or GUIdbedit applications in NG version, and by editing objects.c file in the 4.1 version CLICO LTD. ALL RIGHTS RESERVED 2

3 3. In the configurations with local users authentication, it is recommended to use Client Authentication Partially Automatic method instead of User Authentication method. 4. Increase operating system resources available for the FireWall-1 module (e.g. memory pool size, maximum concurrent connections, hash table size, etc.). In the 4.1 version these settings are performed in configuration files and depend on the operating system type. In the NG version it is performed in GUI (see the figure). Note: In case of a significant system load, first and foremost we should check if FireWall-1 module has been assigned suitable RAM memory size. It is performed on the Firewall machine using fw ctl pstat command CLICO LTD. ALL RIGHTS RESERVED 3

4 5. Using external HTTP Proxy server. From the performance point of view for HTTP control, it is recommended that FireWall-1 machine be configured in Web browsers as HTTP Proxy and external Proxy server be used (e.g. SQUID). By setting FireWall-1 address in Web browsers (port 80) as a Proxy, HTTP Security Server can better perform HTTP traffic control. On the other hand, external HTTP Proxy server delivers Web pages to the FireWall-1 much faster than the pages downloaded on-line from the Internet. 6. The Firewall machine should have properly configured DNS and use efficient DNS servers. This is especially important in configurations where the Firewall is set up as the HTTP Proxy in Web browsers. 7. In case of using dedicated CVP server for HTTP protocol content control (e.g. esafe, VirusWall), the FireWall-1 configurations settings suitable for CVP control should be used as well as specific setting for CVP product used. Typical settings for CVP configuration in the FireWall-1 version 4.1 are configured in the objects.c file on the Check Point Management server: :http_disable_content_enc (true) :http_disable_content_type (true) :http_use_host_h_as_dst (true) :http_force_down_to_10 (true) :http_sup_continue (true) :http_avoid_keep_alive (true) 2002 CLICO LTD. ALL RIGHTS RESERVED 4

5 :http_max_header_length (8000) :http_max_url_length (8000) :http_check_request_validity (false) :http_check_response_validity (false) :http_cvp_allow_chunked (true) :http_weeding_allow_chunked (true) :http_block_java_allow_chunked (true) :http_allow_ranges (true) :http_allow_content_disposition (true) Typical settings for CVP configuration in the FireWall-1 version NG are configured using dbedit or GUIdbedit file on the Check Point Management server: http_disable_content_enc true http_disable_content_type true http_use_host_h_as_dst true http_force_down_to_10 true http_avoid_keep_alive true http_max_header_length 8000 http_max_url_length 8000 http_check_request_validity false http_check_response_validity false http_cvp_allow_chunked true http_weeding_allow_chunked true http_block_java_allow_chunked true http_allow_ranges true http_allow_content_disposition true http_enable_uri_queries false Note: Many anti-virus server solutions are equipped with implementation of the CVP protocol version 4.1. In such a case, in the URI Resource configuration the control options set up in the CVP NG version should not be enabled (see figure). 8. Security policy optimization. The increase in performance of the FireWall-1 can be achieved by the security policy optimization. HTTP and DNS control rules should be moved to the beginning of the set of rules. When possible, the number of all the rules should be reduced (e.g. by grouping rules, removing of unnecessary control rules and NAT rules). In the security policy objects of Domain type should be avoided (e.g. objects defined as DNS names) CLICO LTD. ALL RIGHTS RESERVED 5