Figure 4.8 illustrates the URI Resource Properties dialog box where you’ll set up properties for resources, connection methods, exception track, and URI match specification types. To access the URI Resource Properties window, go to Manage Resources and click on New URI.
F I G U R E 4 . 8 URI Resource Properties window
General Tab Options
Under the General tab, you can define a URI resource three ways: Wild Cards, File, or UFP. All three options can include interaction with a CVP server but only UFP can include interaction with a UFP server. Regardless of which URI Match Specification Type you use, all URI resources (for that matter, all resource objects) have commonalities—they all define the object’s name and methodology under the General tab. The option you select under URI Match Specification Type on the General tab affects what appears under the Match tab. Under the Match tab for each resource object, you specify what you’re looking for. Under the Action tab, you define what you want to do if you find what you’re looking for. Each resource object also has a CVP tab, where you define whether you want to send this connection on to a CVP server for virus scanning. We’ll discuss the General tab, Action tab, CVP tab, and SOAP tab (specific to URI resource objects) first. After we look at these tabs we’ll examine the Match tab and URI Match Specification Type options in greater detail.
LOGGING OPTIONS
Let’s talk about the specific URI resource options available under the General tab. Two options appear under Use This Resource To, as described here:
Optimize URL Logging If this option is selected, all other options for the URI resource are grayed out. The Security Policy is enforced when URL logging is integrated with UFP caching. URL logging uses Check Point’s TCP streaming technology, which enables the firewall module to take over some of the Security Server functions. Basically, this option gives you more detailed logging of web traffic.
Enforce URI Capabilities If this option is selected, all other options are available. Everything you define will be checked by the Security Server. We’ll discuss this option in great detail later in this section.
Optimize URL Blocking This option was new in NG FP2 and was moved to SmartDefense in FP3 (see Chapter 2 for more information on SmartDefense). The purpose of Optimize URL Blocking (as it was called in FP2) or General HTTP Worm Catcher (as it is referred to in FP3) is to look for patterns of HTTP attacks such as Code Red. There is no automatic migration of the pattern blocking configuration if you used this feature in FP2 and then upgrade to FP3. You should remove any rules configured in FP2 for pattern blocking and configure them through the SmartDefense settings in FP3.
CONNECTION METHODS
In the URI Resource Properties dialog box (Figure 4.8), you can choose from three Connection Methods:
Transparent Matches all connections that are not in proxy mode and is relevant only if a proxy to the web browser is not defined.
Proxy Matches connections in proxy mode and is relevant only if a proxy to the web browser is defined.
Tunneling Matches connections using the HTTP CONNECT method and is relevant only if the HTTP Security Server is defined as the proxy to the web browser.
As of FP2, the HTTP Security Server handles Transparent and Proxy connections differently. If a connection matches a rule whose Action is a plain Accept, proxied or tunneled connections are not allowed; they are allowed only if the matching rule is an Authentication or Resource rule. The functionality was changed to prevent the CONNECT method from looping through the HTTP Security Server and on to another destination.
FP2 also allowed FTP over HTTP proxied connections with User Authentication even if a resource rule wasn’t defined. FP3 locked this down so that FTP over HTTP proxied connections are not allowed unless there is an explicit URI resource rule with an Action of Accept.
The CONNECT method only specifies the hostname and port number to connect to. When the Tunneling option is specified, the firewall doesn’t examine the content of the request or even the URL—it only checks the hostname and port number. Therefore, if Tunneling is specified, all Content Security options under the Match tab (with the exception of the Host field) are grayed out.
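The three connection methods line up with the three request-line forms HTTP itself defines: a browser talking directly to the server sends an origin-form target (`GET /path`) and names the host in the Host header; a browser configured with a proxy sends an absolute-form target (`GET http://host/path`); and a CONNECT request carries only `host:port`. The following classifier is an added illustration written for this page, not Check Point code, and the mapping of those three forms onto Transparent, Proxy and Tunneling is my reading of the text above. The sample requests are constructed, not captured traffic. It shows why, for a tunneled connection, the only thing left to match is the Host field:

```python
"""Classify raw HTTP requests by URI resource Connection Method.

Added illustration, not FireWall-1 code. Maps the HTTP request-line forms
(origin-form, absolute-form, authority-form) onto the Transparent, Proxy
and Tunneling connection methods and reports what a content filter could
still inspect for each.
"""
import re
from urllib.parse import urlsplit

# HTTP/1.x request line: METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def parse_request(raw: str) -> dict:
    """Split a raw request into method, target and a lowercase header dict."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "target": m.group(2), "headers": headers}


def classify(raw: str) -> dict:
    """Return the connection method plus what the firewall can see.

    Tunneling: CONNECT host:port. No URL, no path, and the bytes that follow
    the CONNECT are opaque to the firewall (normally TLS), so only the host
    and port are inspectable.
    Proxy: absolute-form target, which is what a browser sends when a proxy
    is configured for it.
    Transparent: origin-form target; the host comes from the Host header.
    """
    req = parse_request(raw)
    method, target, headers = req["method"], req["target"], req["headers"]

    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return {"connection_method": "Tunneling", "host": host,
                "port": int(port), "path": None, "content_inspectable": False}

    if target.startswith(("http://", "https://")):
        u = urlsplit(target)
        return {"connection_method": "Proxy", "host": u.hostname,
                "port": u.port or (443 if u.scheme == "https" else 80),
                "path": u.path or "/", "content_inspectable": True}

    if target.startswith("/"):
        host, _, port = headers.get("host", "").partition(":")
        return {"connection_method": "Transparent", "host": host,
                "port": int(port) if port.isdigit() else 80,
                "path": target, "content_inspectable": True}

    raise ValueError(f"unrecognised request target: {target!r}")


# Constructed sample requests (not captured traffic); the host name is an assumption.
SAMPLES = {
    "transparent": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "proxy": "GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "tunnel": "CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} {classify(raw)}")
```

Run it and note that the tunnel sample yields no path and `content_inspectable` false: there is simply nothing beyond host and port for the Match tab's other fields to operate on, which is the reason those fields are greyed out.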
EXCEPTION TRACK
The Exception Track area at the bottom of the URI Resource Properties dialog box defines what to log. We always turn on logging because it gives detailed information, such as which link in the web site the user visited or tried to visit. We don’t recommend turning on Alert, because too many alerts will be generated due to the amount of web surfing that takes place on corporate networks.
Action Tab Options
In the Action tab of the URI Resource dialog box, shown in Figure 4.9, you define what happens to the traffic if it matches your specifications. The Replacement URI field is our favorite feature for HTTP scanning. If this value is defined and the Action of the rule that incorporates this resource is Drop or Reject, then this URI is given to the user instead of the URI they requested. For example, if a user tried to visit pornographic sites during work hours, you could redirect them to a custom web page that outlines the Human Resources policies that prohibit this kind of activity.
F I G U R E 4 . 9 URI resource Action tab
If a UFP server, defined on this URI resource, sends a URL for redirection, it will override this replacement URI.
HTML Weeding options allow you to strip specified code from an HTML page. The user will not be aware that the code has been stripped (Java applets already in the cache are not affected by this option).
The truth is, the code is not really stripped from the web page; as you can see in Figure 4.10, the code is still there. The firewall takes the HTML header information and modifies it so the browser doesn’t run the code (note the highlighted changes in Figure 4.10).
F I G U R E 4 . 1 0 Source code that results from HTML weeding
CVP Tab Options
In the CVP tab of the URI Resource dialog box, shown in Figure 4.11, you define what happens if you want the traffic sent to a CVP server.
F I G U R E 4 . 1 1 CVP tab
First you must select the Use CVP (Content Vectoring Protocol) check box; otherwise all other options are grayed out. The CVP Server Is Allowed To Modify Content option lets the CVP server know whether it can modify the content if necessary (for example, to clean out a virus). HTTP headers and requests can also be sent to the CVP server for content checking. Reply Order options determine how the content will be filtered. If Return Data After Content Is Approved is selected, no data is sent back to the firewall until the entire data stream is filtered. If Return Data Before Content Is Approved is selected, the data is scanned packet by packet.
SOAP Tab Options
In the SOAP tab (new to FP3 and unique to the URI resource object), shown in Figure 4.12, you define how you want Simple Object Access Protocol (SOAP) traffic handled.
F I G U R E 4 . 1 2 SOAP tab
SOAP is an XML-based protocol, carried over HTTP, for exchanging data between applications in a platform-independent way. SOAP encodes the information to be shared in XML and then adds HTTP headers. This new FP3 feature allows a URI resource to parse SOAP traffic and validate its integrity according to a user-defined scheme.
SOAP is a call-response protocol. The client calls the server across the Internet, passing commands called methods. The server then provides a response. Both calls and responses are XML documents. FireWall-1 detects these SOAP packets and then decides to accept them all if Allow All SOAP Requests is selected, or to accept them only if a user-defined scheme is met (if Allow SOAP Requests As Specified In The Following File is selected). This option will not block non-SOAP traffic.
The SOAP file must have one of 10 predefined names: scheme1, scheme2, scheme3, and so on. These files already exist in the $FWDIR/conf/XML directory but are blank by default. The file contents are defined very specifically, one entry per line, with the namespace and method separated by a space. If the syntax is not correct, the SOAP packets are dropped; so, it’s a good idea to copy and paste the namespace and method information directly from your logs. Here is an example of two lines from a user-defined scheme:
http://test.org/text/ GetScript
http://test.org/text/ Total
If you’re using Management High Availability, these files must be duplicated on all SmartCenter Servers.
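To make the scheme check concrete, here is an added example written for this page (not Check Point’s implementation) that does what the SOAP tab is described as doing: it parses a scheme file of "namespace method" lines, pulls the namespace and method name out of the first element inside the SOAP Body, and accepts or drops the request. It assumes the behaviour stated above: a syntactically bad scheme file causes SOAP requests to be dropped, and non-SOAP traffic is passed through untouched. Treating a blank scheme file as allowing nothing, and recognising the SOAP 1.2 envelope alongside SOAP 1.1, are my additions, not something the text states. The scheme lines are the two from the example above; the SOAP request is constructed.

```python
"""Check a SOAP request against a FireWall-1-style scheme file.

Added illustration, not Check Point's code. Emulates the SOAP tab: each
scheme line is "namespace method"; a malformed scheme drops SOAP requests;
non-SOAP bodies are not affected by the check at all.
"""
import xml.etree.ElementTree as ET

SOAP11_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SOAP12_ENV = "http://www.w3.org/2003/05/soap-envelope"     # SOAP 1.2 envelope namespace (my addition)


class SchemeSyntaxError(ValueError):
    """Raised when a scheme line is not exactly 'namespace method'."""


def load_scheme(text: str) -> set:
    """Parse scheme file contents into a set of (namespace, method) pairs."""
    allowed = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue   # assumption: blank lines (and the default blank file) allow nothing
        parts = line.split()
        if len(parts) != 2:
            raise SchemeSyntaxError(f"line {lineno}: expected 'namespace method', got {line!r}")
        allowed.add((parts[0], parts[1]))
    return allowed


def soap_method(body: bytes):
    """Return (namespace, method) of a SOAP request, or None if the body is not SOAP."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag not in (f"{{{SOAP11_ENV}}}Envelope", f"{{{SOAP12_ENV}}}Envelope"):
        return None
    env_ns = root.tag[1:root.tag.index("}")]
    soap_body = root.find(f"{{{env_ns}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return None
    call = soap_body[0]                      # first child of Body is the method element
    if call.tag.startswith("{"):             # ElementTree encodes namespaces as "{ns}local"
        ns, _, method = call.tag[1:].partition("}")
    else:
        ns, method = "", call.tag
    return ns, method


def decide(body: bytes, scheme_text: str, allow_all: bool = False) -> str:
    """Return 'pass' (not SOAP, untouched), 'accept' or 'drop'."""
    call = soap_method(body)
    if call is None:
        return "pass"                        # the option does not block non-SOAP traffic
    if allow_all:
        return "accept"                      # Allow All SOAP Requests
    try:
        allowed = load_scheme(scheme_text)
    except SchemeSyntaxError:
        return "drop"                        # bad scheme syntax: SOAP packets are dropped
    return "accept" if call in allowed else "drop"


# The two scheme lines from the example above.
SCHEME = "http://test.org/text/ GetScript\nhttp://test.org/text/ Total\n"

# Constructed SOAP 1.1 request; the namespace matches the scheme, the Id element is made up.
SAMPLE_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <m:GetScript xmlns:m="http://test.org/text/"><m:Id>7</m:Id></m:GetScript>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print("GetScript  :", decide(SAMPLE_REQUEST, SCHEME))
    print("Delete     :", decide(SAMPLE_REQUEST.replace(b"GetScript", b"Delete"), SCHEME))
    print("plain HTML :", decide(b"<html><body>hi</body></html>", SCHEME))
    print("bad scheme :", decide(SAMPLE_REQUEST, "http://test.org/text/GetScript"))
```

The last case is the one the text warns about: a single missing space turns a valid entry into a one-token line, and every SOAP request is then dropped rather than merely the unlisted ones, which is why pasting namespace and method straight from the logs is good advice.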
Now that we’ve looked at the common options shared by all URI resources, let’s backtrack and visit the URI Match Specification Type option; this option distinguishes the three different ways the firewall can filter web traffic. We’ll begin with filtering by wildcards.