Check Point FireWall-1 HTTP Security Server performance tuning




PROFESSIONAL SECURITY SYSTEMS

by Mariusz Stawowski, CCSA/CCSE (4.1x, NG)

The Check Point FireWall-1 security system has been designed, among other things, as a means of performing detailed control of the HTTP protocol:

- checking the correctness of commands and the data format,
- reliable authentication of Web users' identity (e.g. RADIUS, SecurID),
- verification of the real name and IP address of a Web server (Reverse DNS) in the HTTP Proxy configuration (i.e. the Firewall is set up as a Proxy in Web browsers),
- detection of dangerous URL constructions, e.g. Content-Disposition,
- enforcing restrictions that protect the Web server against buffer overflow attacks, e.g. a maximum URL size,
- blocking of typical HTTP worm attacks, e.g. Nimda, CodeRed,
- control of the proper data transfer mode in the HTTP protocol,
- control of the allowed URL address schemes,
- blocking of prohibited attachments in HTML pages, e.g. ActiveX,
- blocking of prohibited files copied through HTTP, e.g. VisualBasic,
- blocking of URLs containing prohibited keywords, etc.

HTTP protocol control is performed in its basic scope by SMLI (Stateful Multi-Layer Inspection) at the operating system kernel level (OSI layers 2-3), and in its full scope by the HTTP Security Server at the application level. The HTTP Security Server is an implementation of the technology known as an Application Gateway or Firewall Proxy.

Check Point FireWall-1 is a very efficient security system. However, we must realize that when detailed network traffic control is performed, a decrease in Firewall performance is inevitable. From the point of view of the Firewall platform's operating system, the HTTP Security Server is an ordinary process, subject to the limitations of that environment (e.g. the maximum number of file descriptors per process). In Firewall installations that perform detailed control of the HTTP protocol for a large number of users, it is recommended that the configuration be appropriately prepared and tuned.
Recommendations for the Firewall platform:

1. An efficient operating system (e.g. SecurePlatform).
2. A fast processor or a multiprocessor machine (at least a 1 GHz CPU).
3. A large amount of RAM (min. 512 MB).

Note: It is recommended to use hardware-software solutions, so-called Firewall Appliances, but only those where the manufacturer gives a detailed description of the hardware parameters (especially the type and power of the CPU) and which can be upgraded during operation (e.g. replacement of the CPU, hard disk, etc.). Only such devices can assure suitable Firewall performance and continuous development of application security measures. Performance figures announced by device manufacturers are not reliable (e.g. performance tests done on specially selected UDP packets).

CLICO Ltd. Al. 3-go Maja 7, 30-063 Kraków, Poland; Tel: +48 12 6325166; +48 12 2927525; Fax: +48 12 6323698; E-mail: support@clico.pl, orders@clico.pl; ftp.clico.pl; http://www.clico.pl

Recommendations for the Firewall configuration:

1. Running multiple HTTP Security Server processes. Each instance of the HTTP Security Server performs well for about 400-500 simultaneous unproxied connections. For proxied connections (i.e. the Firewall is set as a Proxy in the Web browser), each HTTP Security Server can handle 200-250 sessions before performance problems can be expected. In Firewall systems running more simultaneous HTTP connections, it is suggested to increase the number of Security Server processes. HTTP Security Server processes are activated when the FireWall-1 security policy requires application-level control of the HTTP protocol. The number of running processes and the port on which the HTTP Security Server listens are configured on the Firewall machine in the $FWDIR/conf/fwauthd.conf file (see the product documentation):

80 fwssd in.ahttpd wait -4

If there are problems running the HTTP Security Server control, the settings in the fwauthd.conf file should be examined.

Note: HTTP traffic is balanced between multiple HTTP Security Server processes, but only connections initiated from different IP addresses are balanced. When an HTTP Proxy server (e.g. SQUID) is used in the network protected by the Firewall, HTTP traffic is handled by only one HTTP Security Server process. In such configurations, a Firewall cluster working in a load-balancing configuration should be deployed (e.g. StoneBeat FullCluster), or the HTTP Proxy server should be moved to another location in the network. Increasing the maximum number of file descriptors available to one operating system process is risky; instead, the number of HTTP Security Servers should be increased.

2. Increasing the HTTP buffer size to 32768:

:http_buffers_size (32768)

The HTTP buffer size can be adjusted on the Check Point Management server using the dbedit or GUIdbedit applications in the NG version, and by editing the objects.c file in the 4.1 version.

2002 CLICO LTD. ALL RIGHTS RESERVED
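As an added example (not CLICO's or Check Point's code), the following Python script parses the security-server lines of fwauthd.conf and compares the configured number of in.ahttpd instances with the number implied by the per-instance figures in item 1 for an expected connection load. It assumes that the last field of a line gives the instance count as a negative number (the -4 in the line above) with 0 meaning a single instance, and the sample file content is constructed.

```python
"""Size and check HTTP Security Server instances in fwauthd.conf.

Added example, not CLICO's or Check Point's code. Assumptions: the last
field of an fwauthd.conf line gives the instance count as a negative
number (the paper's line `80 fwssd in.ahttpd wait -4`), with 0 meaning a
single instance; per-instance capacities are the paper's lower bounds.
"""
import re

# Per-instance comfortable load from the paper (lower bound of each range).
CAPACITY = {"unproxied": 400, "proxied": 200}

# Constructed sample of the fwauthd.conf lines relevant here.
SAMPLE_FWAUTHD = """\
# port  server  daemon      mode  instances
21      fwssd   in.aftpd    wait  0
80      fwssd   in.ahttpd   wait  -4
25      fwssd   in.asmtpd   wait  0
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(wait|nowait)\s+(-?\d+)\s*$")


def parse_fwauthd(text):
    """Return {daemon: (port, instances)} for each security-server line."""
    servers = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable fwauthd.conf line: %r" % line)
        port, _, daemon, _, count = m.groups()
        count = int(count)
        # 0 => one instance; -n => n instances (assumption stated above)
        instances = 1 if count == 0 else abs(count)
        servers[daemon] = (int(port), instances)
    return servers


def required_instances(concurrent, proxied=False):
    """Instances needed so no instance exceeds the paper's comfortable load."""
    cap = CAPACITY["proxied" if proxied else "unproxied"]
    return max(1, -(-concurrent // cap))  # ceiling division


def check_http_capacity(text, concurrent, proxied=False):
    """Compare configured in.ahttpd instances with the required count."""
    port, have = parse_fwauthd(text)["in.ahttpd"]
    need = required_instances(concurrent, proxied)
    return {"port": port, "have": have, "need": need, "ok": have >= need}


if __name__ == "__main__":
    # 1500 browsers using the firewall as a proxy: 200 each -> 8 instances
    print(check_http_capacity(SAMPLE_FWAUTHD, 1500, proxied=True))
```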

3. In configurations with local user authentication, it is recommended to use the Client Authentication Partially Automatic method instead of the User Authentication method.

4. Increase the operating system resources available to the FireWall-1 module (e.g. memory pool size, maximum concurrent connections, hash table size, etc.). In the 4.1 version these settings are made in configuration files and depend on the operating system type. In the NG version this is done in the GUI (see the figure).

Note: In case of significant system load, first and foremost we should check whether the FireWall-1 module has been assigned a suitable amount of RAM. This is checked on the Firewall machine with the fw ctl pstat command.

5. Using an external HTTP Proxy server. From the performance point of view of HTTP control, it is recommended that the FireWall-1 machine be configured in Web browsers as the HTTP Proxy and that an external Proxy server be used (e.g. SQUID). By setting the FireWall-1 address (port 80) as the Proxy in Web browsers, the HTTP Security Server can perform HTTP traffic control better. On the other hand, an external HTTP Proxy server delivers Web pages to the FireWall-1 much faster than pages downloaded on-line from the Internet.

6. The Firewall machine should have properly configured DNS and use efficient DNS servers. This is especially important in configurations where the Firewall is set up as the HTTP Proxy in Web browsers.

7. When a dedicated CVP server is used for HTTP content control (e.g. eSafe, VirusWall), the FireWall-1 configuration settings suitable for CVP control should be used, as well as the settings specific to the CVP product in use. Typical settings for a CVP configuration in FireWall-1 version 4.1 are configured in the objects.c file on the Check Point Management server:

:http_disable_content_enc (true)
:http_disable_content_type (true)
:http_use_host_h_as_dst (true)
:http_force_down_to_10 (true)
:http_sup_continue (true)
:http_avoid_keep_alive (true)
:http_max_header_length (8000)
:http_max_url_length (8000)
:http_check_request_validity (false)
:http_check_response_validity (false)
:http_cvp_allow_chunked (true)
:http_weeding_allow_chunked (true)
:http_block_java_allow_chunked (true)
:http_allow_ranges (true)
:http_allow_content_disposition (true)

Typical settings for a CVP configuration in FireWall-1 version NG are configured using the dbedit or GUIdbedit application on the Check Point Management server:

http_disable_content_enc true
http_disable_content_type true
http_use_host_h_as_dst true
http_force_down_to_10 true
http_avoid_keep_alive true
http_max_header_length 8000
http_max_url_length 8000
http_check_request_validity false
http_check_response_validity false
http_cvp_allow_chunked true
http_weeding_allow_chunked true
http_block_java_allow_chunked true
http_allow_ranges true
http_allow_content_disposition true
http_enable_uri_queries false

Note: Many anti-virus server solutions implement version 4.1 of the CVP protocol. In such a case, the control options introduced in the CVP NG version should not be enabled in the URI Resource configuration (see figure).

8. Security policy optimization. An increase in FireWall-1 performance can be achieved by optimizing the security policy. HTTP and DNS control rules should be moved to the beginning of the rule base. When possible, the total number of rules should be reduced (e.g. by grouping rules and removing unnecessary control rules and NAT rules). Objects of the Domain type (e.g. objects defined as DNS names) should be avoided in the security policy.
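As an added example (not CLICO's or Check Point's code), the following Python script parses HTTP settings in either the 4.1 objects.c form or the NG dbedit form listed in item 7 and reports where a firewall's values deviate from the NG CVP baseline above, so that a configuration can be checked against the recommendation before CVP is put into service. The fragment it audits is constructed.

```python
"""Parse FireWall-1 HTTP/CVP settings in either the 4.1 objects.c or the NG
dbedit form and report deviations from the paper's CVP baseline.
Added example, not CLICO's or Check Point's code; the sample is constructed."""
import re

OBJECTS_C_RE = re.compile(r"^\s*:(\w+)\s*\(([^)]*)\)\s*$")  # 4.1: :name (value)
DBEDIT_RE = re.compile(r"^\s*(\w+)\s+(\S+)\s*$")             # NG:  name value
# The paper's NG baseline for CVP content control (bools and ints as typed).
CVP_BASELINE = {
    "http_disable_content_enc": True, "http_disable_content_type": True,
    "http_use_host_h_as_dst": True, "http_force_down_to_10": True,
    "http_avoid_keep_alive": True, "http_max_header_length": 8000,
    "http_max_url_length": 8000, "http_check_request_validity": False,
    "http_check_response_validity": False, "http_cvp_allow_chunked": True,
    "http_weeding_allow_chunked": True, "http_block_java_allow_chunked": True,
    "http_allow_ranges": True, "http_allow_content_disposition": True,
    "http_enable_uri_queries": False,
}

def _coerce(raw):
    # true/false -> bool, digits -> int, anything else stays a string
    raw = raw.strip()
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    return int(raw) if raw.isdigit() else raw

def parse_settings(text):
    """Accept objects.c (4.1) or dbedit (NG) lines; return {name: value}."""
    out = {}
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        m = OBJECTS_C_RE.match(line) or DBEDIT_RE.match(line)
        if not m:
            raise ValueError("unrecognised setting line: %r" % line)
        out[m.group(1)] = _coerce(m.group(2))
    return out

def audit(text, baseline=CVP_BASELINE):
    """Return baseline settings absent from text and those whose value differs."""
    have = parse_settings(text)
    missing = sorted(k for k in baseline if k not in have)
    differs = {k: (have[k], want) for k, want in baseline.items()
               if k in have and have[k] != want}
    return {"missing": missing, "differs": differs}

# Constructed 4.1-style fragment: shorter URL limit and response checking on.
SAMPLE_41 = """\
:http_disable_content_enc (true)
:http_max_url_length (4000)
:http_check_response_validity (true)
"""
```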