
Appendix A - OPSEC™ Interoperability

About This Appendix

This appendix explains how Check Point™'s VPN-1®/FireWall-1® SecureClient™ (referred to from here on as SecureClient) interacts with SafeGuard PortProtector Client to enhance your network's security. It contains the following sections:

What is OPSEC™ describes Check Point's OPSEC™ and its benefits.

OPSEC™ and SafeGuard PortProtector describes how Sophos interfaces with OPSEC™.

Preparing SafeGuard PortProtector Client describes the preparations you need to make on the SafeGuard PortProtector side in order to apply OPSEC™.

Configuring your SCV Policy describes the preparations you need to make on the VPN-1®/FireWall-1® side in order to apply OPSEC™.

Installing Updated SCV Policy to SecureClients explains how to install the updated SCV Policy to SecureClient.

SafeGuard PortProtector SCV Check Parameters describes the checks that can be performed on SafeGuard PortProtector Client and provides examples.

Note: The instructions in this appendix assume that SecureClient is already installed on the required endpoints in your organization.

6.1 What is OPSEC™

Check Point's OPSEC™ (Open Platform for Security) integrates and manages all aspects of network security through an open, extensible management framework. SafeGuard PortProtector can plug into this framework to provide you with a comprehensive security solution.

Using this solution, an SCV Check (a DLL) queries the security-relevant configuration of a client and reports to SecureClient whether the configuration is "Verified" or "Not Verified". When the configuration is not verified, SecureClient prohibits access to the organizational network.

6.2 OPSEC™ and SafeGuard PortProtector

Sophos provides a DLL which can perform several checks of SafeGuard PortProtector Client, the results of which are reported to SecureClient. In addition to checking for the existence of SafeGuard PortProtector Client, these checks may include one or more of the following parameters:

Policy ID

Policy update date/time

Version number

Protection Status

Server ID

An explanation of these parameters appears in SafeGuard PortProtector SCV Check Parameters, page 92.

When one or more of the checks fail, the computer configuration is not verified, and SecureClient blocks the endpoint from accessing the organizational network.

6.3 Preparing SafeGuard PortProtector Client

Sophos provides a DLL that interfaces with SecureClient, specifically with its SCV Policy, which you should install to the required endpoints:

1 If you haven't done so, install SafeGuard PortProtector Client as explained in Installing SafeGuard PortProtector Client, page 54.

2 Install SafeGuardPortProtectorScv to the required computers using GPO or manually (SafeGuardPortProtectorScv.msi can be found on your SafeGuard PortProtector installation CD). This installs a DLL that can perform your choice of one or more of the checks described

Important: SecureClient must already be installed on target computers before you install the SafeGuardPortProtectorScv DLL.

Note: If you install SafeGuardPortProtectorScv manually and SecureClient is active, the latter will stop/start the service. In this case, reconnect it.

6.4 Configuring your SCV Policy

The SCV Policy is SecureClient's security policy, into which third party applications such as SafeGuard PortProtector can plug in. An SCV Policy may include one or more SCV Checks, each relating to a different application. SafeGuard PortProtector's SCV Check, namely SafeGuardPortProtectorScv, must be added to the SCV Policy and then installed to the required SecureClients. This process includes three steps:

Step 1: Adding the SafeGuard PortProtector SCV Check to your SCV Policy

Step 2: Adding SafeGuard PortProtector parameters to your SafeGuard PortProtector SCV Check

Step 3: Installing your SCV Policy to the required SecureClients

Steps 1 and 2 may be performed using SCVEditor™ (recommended), explained immediately below, or using any text editor.

6.5 Configuring SCV Policy using SCVEditor™

As mentioned above, it is recommended that you configure your SCV Policy using SCVEditor™, as explained immediately below. If you wish to configure the SCV Policy using a text editor, refer to Configuring SCV Policy using a Text Editor on page 86.

6.5.1.1 Adding SafeGuard PortProtector SCV Check to SCV Policy

The SafeGuard PortProtector SCV Check – SafeGuardPortProtectorScv – must be added to your SCV Policy (local.scv), located in the $FW1conf directory of the VPN-1®/FireWall-1® Management Server.

The SafeGuard PortProtector SCV Check can be added to your SCV Policy using SCVEditor™.

To add the SCV Check using SCVEditor™:

1 From SCVEditor™'s main window, open local.scv:

2 From the left-hand pane of the SCVEditor™ main window, right-click Products, and select Add. The following window opens:

3 Enter SafeGuardPortProtectorScv and click OK. SafeGuardPortProtectorScv now appears in the left-hand pane under Products, along with any products you may have added previously.

4 From the left-hand pane, right-click SafeGuardPortProtectorScv and select Enforce.

SafeGuardPortProtectorScv now appears in the bottom half of the right-hand pane of the main window:

5 In the Global SCV Parameters section of the main window, set Block connection on SCV unverified on/off and Expiration Time value as desired.

6 Click Save from the toolbar or from the File menu to save the updated SCV Policy.

6.5.1.2 Adding SafeGuard PortProtector Parameters to the SCV Check

The SCV Check may include several parameters whose value you wish to check in order to verify SecureClient's connection. Refer to SafeGuard PortProtector SCV Check Parameters, page 92, for a list of available parameters including explanations and examples of how to define and use them.

1 To add parameters, right click in the blank workspace on the right-hand side and select New.

The following window opens:

2 Enter the parameter Name and its Value.

In the figure above you can see how to add the MinimumVersion parameter and its value. In this example, if the SCV Check determines that the SafeGuard PortProtector Client version is not equal to or greater than 3.0.12444, the Client will not be verified and will not be allowed to connect to the organizational network.

3 Click OK. The parameter is now added to SafeGuardPortProtectorScv.

4 Perform steps 1 and 2 for each parameter you wish to add. Each parameter you have added is shown in the workspace as follows:

5 Click Save from the toolbar or from the File menu to save the updated SCV Policy.

6.5.2 Configuring SCV Policy using a Text Editor

Another way to configure your SCV Policy is by editing local.scv directly using a text editor.

Two examples are provided below.

Example 1 is a general SCV Policy example which describes the file syntax.

Example 2 is an example of an SCV Policy that includes a SafeGuard PortProtector SCV Check with no parameters.

Example 3 is an example of an SCV Policy that includes a SafeGuard PortProtector SCV Check with several parameters.

6.5.2.1 Example 1

The following is a general SCV Policy Example:

(SCVObject
  :SCVPolicy(
    :(SCVGroup1)
  )
)

SCV Policy Description

The SCVPolicy set contains the groups of SCV checks that should be used. In SCVGroup1 there are two SCV checks defined (samplescv and samplescv1). The first SCV check from SCVGroup1 that is registered correctly will be used by SecureClient. samplescv and samplescv1 are similar SCV checks in this example, and at least one of them should be used to report SCV status. Since samplescv1 is not defined properly, samplescv will be used instead. The SCVPolicy does not contain the emptyscv SCV check, therefore it will not be used at all. samplescv contains three parameters which will be passed in the Start function.

6.5.2.2 Example 2

The following is an example of an SCV Policy that contains the SafeGuardPortProtectorScv SCV Check. This SCV Check does not include any parameters and will only check for the existence of SafeGuard PortProtector Client on the endpoint in order to determine whether it is verified to connect to the organizational network.

(SCVObject

6.5.2.3 Example 3

The following example is of an SCV Policy that contains the SafeGuardPortProtectorScv SCV Check. The SCV Check includes four parameters which should be checked in order to verify the Client and allow connection to the organizational network (refer to SafeGuard PortProtector SCV Check Parameters on page 92 for a list of available parameters including explanations and examples of how to define and use them).

:PolicyId ("Policy1 0 / 1$$Sophos Initial Policy ")
:ProtectionStatus ("STATUS_PROTECTED")

6.6 Installing Updated SCV Policy to SecureClients

Once you have added SafeGuardPortProtectorScv to your SCV Policy and saved it, either through SCVEditor™ or using a text editor, you can install it to your SecureClients as explained below.

To install the updated SCV Policy:

1 Open Check Point SmartDashboard™:

2 From the Policy menu, select Install, as shown in the previous figure. The Install Policy window opens:

3 Select the desired settings and click OK. The installation begins and the Installation Process window opens, displaying installation progress. Once the installation is completed successfully, the following window is displayed:

4 Your SCV Policy is now installed to the selected gateways.

When SecureClients perform their next logon to Policy Server, the updated SCV Policy will be installed to them. Once the policy is installed, SecureClients can communicate with the SafeGuard PortProtector DLL described above and block connection to the organizational network when the SafeGuard PortProtector configuration is not verified.

In the case where a configuration is not verified, an error message appears on the endpoint.

The following figure shows an example of the message the end user will receive when a configuration is not verified due to a parameter value mismatch:

The following figure shows an example of the message the end user will receive when a

6.7 SafeGuard PortProtector SCV Check Parameters

Following is a description of the parameters which you may use to perform checks of SafeGuard PortProtector Client, in addition to checking its existence on the endpoint. Syntax and examples are provided for each parameter.

6.7.1 General

There are 5 parameters you can use to check the status of SafeGuard PortProtector. All the parameters are optional.

The parameters are compared with the current SafeGuard PortProtector information which is displayed in the SafeGuard PortProtector Client Options window.

6.7.2 Parameter Format and Description

6.7.2.1 MinimumVersion

Description: "Verified" for versions with the number greater than or equal to MinimumVersion.

Format: 0-255.0-255.0-65535

Examples: 3.0.12444

3.1.0

6.7.2.2 PolicyUpdatedSinceDate

Description: "Verified" if the last policy update was performed on or after PolicyUpdatedSinceDate. Date is mandatory, time is optional.

Format: DD.MM.YYYY HH:MM:SS

Examples: 24.08.2006 12:32:00

12.06.2005

6.7.2.3 PolicyID

Description: "Verified" if the current policy is equal to one of the PolicyIDs described by the parameter.

Format: PolicyID1$$PolicyID2$$PolicyID3 …

Notes: Policy version and ID should be added to the policy name. For example, if the policy name is “Policy1”, its version is 0 and its ID is 1, it should be “Policy1 0 / 1”.

6.7.2.4 ProtectionStatus

Description: "Verified" if the current protection status is one of the defined statuses. Currently there are three statuses: STATUS_PROTECTED, STATUS_ERROR and STATUS_SUSPENDED.

Format: Status1$$Status2$$Status3 …

Examples: STATUS_PROTECTED

STATUS_SUSPENDED$$STATUS_PROTECTED$$STATUS_ERROR

6.7.2.5 ServerID

Description: "Verified" if the Server Name is equal to one of the ServerIDs described by the parameter. This parameter is applicable to versions 3.1 and later.

Format: ServerID1$$ServerID2$$ServerID3 …

Examples: Unknown

Unknown$$ABC$$ServerID
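
The parameter semantics described in this section, modelled as an added Python example (not Sophos or Check Point code): it evaluates a set of SCV Check parameters against a client state and lints the `$$` lists before a policy is installed. The function names, the client dictionary keys and the exact, untrimmed comparison of list items are assumptions; the page does not say how the DLL treats whitespace inside a list item.

```python
import re
from datetime import datetime

def parse_version(text):                       # page format: 0-255.0-255.0-65535
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    v = tuple(map(int, m.groups())) if m else None
    if v is None or v[0] > 255 or v[1] > 255 or v[2] > 65535:
        raise ValueError(f"bad version {text!r}")
    return v

def parse_date(text):                          # page format: DD.MM.YYYY [HH:MM:SS]
    for fmt in ("%d.%m.%Y %H:%M:%S", "%d.%m.%Y"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"bad date {text!r}")

# (parameter name, hypothetical client key, parser); client value must be >= parameter
SCALARS = (("MinimumVersion", "version", parse_version),
           ("PolicyUpdatedSinceDate", "policy_updated", parse_date))
LISTS = (("PolicyID", "policy_id"), ("ProtectionStatus", "status"), ("ServerID", "server_id"))

def items(params, name):                       # '$$'-separated list; absent -> []
    return params[name].split("$$") if name in params else []

def lint(params):
    """Warnings for list values that are padded or that weaken the check."""
    out = []
    for name, _ in LISTS:
        out += [f"{name}: empty or padded item {i!r}"
                for i in items(params, name) if not i or i != i.strip()]
    out += [f"ProtectionStatus: lists {s!r}, not only STATUS_PROTECTED"
            for s in items(params, "ProtectionStatus") if s != "STATUS_PROTECTED"]
    return out

def evaluate(params, client):
    """Names of the checks that fail; an empty list models 'Verified'."""
    failed = [n for n, key, parse in SCALARS
              if n in params and parse(client[key]) < parse(params[n])]
    failed += [n for n, key in LISTS
               if n in params and client[key] not in items(params, n)]
    return failed

# Constructed sample: policy values are the page's examples, the client state is invented
POLICY = {"MinimumVersion": "3.0.12444", "PolicyUpdatedSinceDate": "24.08.2006 12:32:00",
          "PolicyID": "Policy1 0 / 1$$Sophos Initial Policy ",
          "ProtectionStatus": "STATUS_PROTECTED"}
CLIENT = {"version": "3.1.0", "policy_updated": "12.06.2005", "status": "STATUS_SUSPENDED",
          "policy_id": "Sophos Initial Policy", "server_id": "Unknown"}
```

Parameters that are absent from the policy are skipped, matching the statement that all parameters are optional; under the exact-match assumption the trailing space in the second PolicyID item keeps it from matching the client's policy name.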
