Security Zero

Alessandro Perilli on Enterprise Security

The frightening return of Check Point CVP

Few Check Point customers remember or even know what Content Vectoring Protocol (CVP) is.

CVP, together with URL Filtering Protocol (UFP), is the foundation of a very old technology embedded in Check Point VPN-1 and generally called Content Security.
Content Security was the company's first attempt at application inspection, securing the 3 protocols most critical to today's business over the Internet: HTTP, FTP and SMTP.

Content Security was already present when Check Point won big market shares with its Firewall-1 4.1 (aka 2000), more than 6 years ago, and can be considered the pioneer of modern application inspection. Or, if you prefer, the ancestor of today's Check Point Application Intelligence (AI) / Web Intelligence (WI).

This ancient technology, still present in recent VPN-1 versions, lets administrators intercept and inspect application traffic through user-mode daemons and vectoring protocols (CVP and UFP, precisely).
Depending on the required analysis, HTTP, FTP and SMTP can be analyzed on the VPN-1 machine itself by the user-mode daemons, or handed to a 3rd party Security Server through the vectoring protocols.

Around Content Security, Check Point built a whole consortium called OPSEC (Open Platform for Security), which allowed partners to develop new Security Servers and integrate them with FW-1 through a freely available SDK.

The capabilities of the user-mode daemons are very limited, and Check Point itself suggests using a 3rd party Security Server.

At the beginning the number of partners offering UFP/CVP-compliant solutions was notable, including the biggest security players like Websense, TrendMicro, Symantec, etc.
But over the years several factors concurred to reduce support for the OPSEC program and, one after another, pushed the existing solutions out of the market.

First of all, it was too early: the market wasn't really ready to embrace application inspection, being still busy with the mass adoption of antivirus and firewalls as the first line of defense.
Secondly, and mostly, the performance of UFP/CVP solutions was simply indecent.

The way Content Security works with a 3rd party Security Server forces the inspected application session to travel back and forth through VPN-1, which acts like a proxy:

  • Content Security is configured to do antivirus inspection of ongoing traffic with the help of a 3rd party antivirus Security Server

  • a new FTP session starts from a client on the Internet and wants to reach a protected FTP server

  • the client's request to send a new file triggers the Security Server daemon on VPN-1

  • the incoming file is intercepted by the user-mode daemon, encapsulated in CVP and sent to the 3rd party antivirus (meanwhile the FTP session is on hold)

  • the 3rd party antivirus checks and possibly disinfects the received file

  • the 3rd party antivirus sends back to the firewall the disinfected file through CVP

  • the disinfected file is decapsulated from CVP and finally sent to the FTP server

This scheme has a lot of problems and the most critical is obviously speed.

Since the birth of Content Security, a large number of customers have lamented session time-outs, missing or corrupted files, congestion of network segments, etc.
And if you consider that it works not only with FTP but also with SMTP, you can understand the risks of adopting it.
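To make the hold-and-forward path concrete, here is an added simulation (not code from the post, from Check Point or from any OPSEC partner) of the flow listed above: the firewall daemon holds the client session, ships the whole file to a Security Server, waits for the verdict and only then forwards it. The message fields, the per-kilobyte latencies, the 30 s client timeout and the "signature" marker are all assumptions constructed for the example, not the real CVP wire format or a real antivirus engine; the fail-closed/fail-open switch is likewise a hypothetical knob added to show what happens when the Security Server is unreachable.

```python
"""Simulation of the CVP hold-and-forward path described in the post.

Everything here is constructed for illustration: the message fields, the
per-kilobyte latencies and the toy signature are assumptions, not the real
CVP wire format or a real antivirus engine.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed marker the toy scanner treats as "infected"; not a real signature.
MARKER = b"<<CONSTRUCTED-SIGNATURE>>"


@dataclass
class CvpRequest:
    """What the firewall daemon ships to the Security Server (constructed fields)."""
    session_id: int
    filename: str
    payload: bytes


@dataclass
class CvpReply:
    """What the Security Server returns: verdict, (possibly cleaned) file, scan time."""
    session_id: int
    verdict: str        # "clean" or "disinfected"
    payload: bytes
    scan_ms: int


class ToySecurityServer:
    """Stands in for the 3rd party antivirus reached over CVP."""

    def __init__(self, ms_per_kb: int) -> None:
        self.ms_per_kb = ms_per_kb  # assumed scan cost, proportional to file size

    def scan(self, req: CvpRequest) -> CvpReply:
        kb = max(1, len(req.payload) // 1024)
        scan_ms = kb * self.ms_per_kb
        if MARKER in req.payload:
            # "Possibly disinfects": the marker is stripped and the rest is returned.
            return CvpReply(req.session_id, "disinfected",
                            req.payload.replace(MARKER, b""), scan_ms)
        return CvpReply(req.session_id, "clean", req.payload, scan_ms)


@dataclass
class ProxyOutcome:
    delivered: bool     # did the file reach the protected FTP/SMTP server?
    verdict: str
    held_ms: int        # how long the client session sat on hold
    reason: str
    payload: bytes = b""


class VectoringProxy:
    """Models the VPN-1 user-mode daemon: it holds the session, sends the whole
    file out over CVP, waits for the reply, and only then forwards the file."""

    def __init__(self, server: Optional[ToySecurityServer], link_ms_per_kb: int,
                 client_timeout_ms: int, fail_closed: bool = True) -> None:
        self.server = server            # None models an unreachable Security Server
        self.link_ms_per_kb = link_ms_per_kb
        self.client_timeout_ms = client_timeout_ms
        self.fail_closed = fail_closed  # hypothetical knob, not a documented setting

    def transfer(self, session_id: int, filename: str, payload: bytes) -> ProxyOutcome:
        if self.server is None:
            if self.fail_closed:
                return ProxyOutcome(False, "unscanned", 0,
                                    "security server unreachable; blocked")
            # Fail-open forwards unscanned content: the configuration to avoid.
            return ProxyOutcome(True, "unscanned", 0,
                                "security server unreachable; forwarded unscanned", payload)

        kb = max(1, len(payload) // 1024)
        # The file crosses the CVP link twice: to the scanner and back.
        link_ms = 2 * kb * self.link_ms_per_kb
        reply = self.server.scan(CvpRequest(session_id, filename, payload))
        held_ms = link_ms + reply.scan_ms

        if held_ms > self.client_timeout_ms:
            # The client's FTP/SMTP session expired while the file was on hold.
            return ProxyOutcome(False, reply.verdict, held_ms,
                                "client timed out while the file was held")
        return ProxyOutcome(True, reply.verdict, held_ms, "forwarded", reply.payload)


if __name__ == "__main__":
    proxy = VectoringProxy(ToySecurityServer(ms_per_kb=10), link_ms_per_kb=5,
                           client_timeout_ms=30_000)
    for name, data in [("1mb.bin", b"x" * (1024 * 1024)),
                       ("2mb.bin", b"x" * (2 * 1024 * 1024)),
                       ("note.txt", b"hello " + MARKER + b" world")]:
        out = proxy.transfer(1, name, data)
        print(f"{name}: delivered={out.delivered} verdict={out.verdict} "
              f"held={out.held_ms} ms ({out.reason})")
```

The point the simulation makes is structural rather than numeric: because nothing is forwarded until the whole file has gone out and come back, the time the client sits on hold grows linearly with file size, and once it crosses the client's own timeout the transfer fails regardless of the verdict. The two "unreachable server" branches show the other operational trap: a fail-open setting keeps sessions flowing but silently delivers unscanned content, so an outage of the Security Server should be treated as a blocking incident, not a performance blip.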

I won't go any further exploring Content Security problems, since you can figure them out yourself. I will just say that, because of this performance, few customers in the world adopted the technology, preventing OPSEC partners from recovering the investment of producing a dedicated UFP/CVP solution.
So, simply put, while Content Security still exists, it cannot be used anymore.

Until today.

Kaspersky, which is having big success these days with the inclusion of its engine in the new AOL offering, has just launched a version of its Anti-Virus 5.5 for Check Point VPN-1 (still called Firewall-1, which is a deprecated name), interacting through CVP.

The funny thing is that the official announcement states:
The advanced scalability of the solution makes it eminently suitable for use in the largest organizations that see heavy traffic loads. The system administrator can choose to run multiple copies of the antivirus engine and multiple CVP servers for processing requests from the firewall to meet peaks in traffic volumes. Moreover, the solution is optimized for use on the Intel Xeon platform.

If you really decide to adopt this solution, insist on a very extensive and assisted pilot on real-world traffic. Otherwise you'll discover the performance of Content Security too late.
1 Comment:
  • Very aptly presented. In fact, in a very recent nasty experience of attempting to integrate Websense with Check Point R54, our customer was taken for a long arduous ride! He was advised a hw upgrade which he obediently did - investing, read- in(wasting) - huge funds w/o realizing even a bit of improvement in performance. To rule out any battle over what is impacting performance, CP daemons or Websense, we simply took 'Websense' off the plate and enabled a plain vanilla security server w/ minimal inspections on a Nokia's IP740 platform and enabled every single performance enhancement tweak recommended by CP or Nokia without of course an iota of improvement - as soon as the firewall module saw security server connections touching 3000, CP security server would start to spike CPU to 90% and above - bring firewall to a halt! We had Nokia/CP run tests on a bigger and better platform - IP1260 with exact same results - mind you, we had also disabled SmartDefense.
    CP had no answer than to make an effort to hide these performance numbers under the carpet!
    CP is now trying to shim in the security servers to kernel - not sure if that would lead to any performance enhancements w/o going through the multithread route and if it would not lead to some serious security concerns??!

    Thanks for presenting the issue
    By Rajeev, at 18:51  
