From cpwiki.net
Latest revision as of 17:16, 6 June 2014

SecureXL Mechanism

Solution ID: sk32578

Product: SecureXL

Version: All

Platform / Model: All

Date Created: 15-Feb-2007

Last Modified: 26-Mar-2014

Traffic acceleration:

When SecureXL is enabled, all traffic should be accelerated, except traffic that matches the following conditions:

  • The first packets of any new TCP session, unless a "template" exists.
  • The first packet of any new UDP session.
  • All traffic that matches a service that uses a Resource.
  • Certain traffic that matches a service that is inspected by a SmartDefense/IPS or Web Intelligence feature. For example, traffic on which SSH protections are activated is not accelerated. For more details, refer to sk42401 (Factors that adversely affect performance in SecureXL).
  • All traffic that is supposed to be dropped or rejected, according to the rule base.
  • All traffic that matches a rule, whose source or destination is the Security Gateway itself.
  • All traffic that matches a rule with a Security Server (e.g., Authentication, Anti-Virus, URL Filtering, Anti-Spam).
  • All traffic that matches a rule with User Authentication or Session Authentication.
  • Non-TCP/UDP/GRE/ESP traffic (including ICMP traffic).
  • CIFS traffic.
  • IPv6 traffic.
  • All multicast traffic.
  • All fragmented traffic.
  • All traffic with IP options.
  • Connections that will be matched for ISP Redundancy (inbound/outbound interface is one of the interfaces configured for ISP Redundancy).
  • TCP RST packets, when the "Spoofed Reset Protection" feature is activated.
  • When using ClusterXL in Load Sharing mode with 'Sticky Decision Function'.
  • Traffic that violates the stateful inspection paradigm, or that is suspected to be spoofed.

Connection establishment acceleration ("templates" mechanism):

In order to enhance connection establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the Source Port. This type of "grouping" enables even the very first packets of a TCP handshake to be accelerated. This is very useful on short connections, in which the percentage of TCP handshake traffic is very high. The very first packets of the first connection on the same service will be forwarded to the Security Gateway's kernel, which will then create a "template" of the connection and notify the SecureXL device. Any subsequent TCP connections established on the same service (where only the source port is different) will already be accelerated (as well as any other traffic, of course).

There are several conditions that will prevent a template from being created:

  • Connections that cannot be discriminated ONLY by the source port cannot be templated.
  • NATed traffic cannot be templated.
  • VPN traffic cannot be templated.
  • Complex connections (FTP, H323, SQL, etc.) cannot be templated.
  • Non-TCP/Non-UDP traffic (including ICMP traffic) cannot be templated.
  • The following rules will prevent a Connection Template from being created.
  • All subsequent rules below such rules will not be templated either, regardless of their content. It is advised that all rules that can be templated be placed at the top of the rule base (unless, of course, this violates other optimization considerations):
      • Rule with service 'Any' (resolved in R75.40 and above)
      • Rule with a service that has a 'handler' (a specific protocol is chosen in the 'Protocol Type' field instead of 'None'; go to the service object - right-click - Edit... - Advanced... - Protocol Type:).
      • Rules with the following objects:
          • Time object
          • Port range object (resolved in R75.40 and above)
          • Dynamic object
          • Domain object
      • Rules with "complex" services (i.e., services that have anything specified in the "Match" field, or "Enable reply from any port" in their "Advanced" section, or a Source Port defined).
      • Rules with RPC/DCOM/DCE-RPC services.
      • Rules with Client Authentication or Session Authentication.
      • When SYN Attack (SYN Defender) or Small PMTU features are activated in SmartDefense/IPS.
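The following is an added toy model of the template mechanism and of the rule-base ordering effect described in the two sections above. It is not Check Point code, and the rule and connection attributes (nat, vpn, time_object, complex_service and so on) are constructed to stand in for the objects the article names. It shows the behaviour the article states: the first connection of a new template key takes the slow path through the firewall kernel, which then creates the template; later connections that differ only in source port are accelerated from their first packet; and a rule that prevents templates also prevents them for every rule placed below it.

```python
"""Toy model of the SecureXL connection "template" mechanism.

Added illustration only; not Check Point code. Rule and connection
attributes below are constructed for the model.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                      # "tcp", "udp" or "any"
    dst_port: int | None = None     # None models a service of 'Any'
    time_object: bool = False
    port_range: bool = False
    complex_service: bool = False   # "Match" field, reply from any port, or Source Port set
    rpc_service: bool = False
    client_or_session_auth: bool = False


@dataclass(frozen=True)
class Connection:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nat: bool = False
    vpn: bool = False
    complex_protocol: bool = False  # FTP, H323, SQL and the like


def template_key(c: Connection) -> tuple:
    """Everything that identifies the connection except the source port."""
    return (c.src_ip, c.dst_ip, c.dst_port, c.proto)


def rule_blocks_templates(rule: Rule, release: tuple[int, int]) -> bool:
    """Rules the article lists as preventing a template for themselves and all rules below."""
    before_r7540 = release < (75, 40)
    if before_r7540 and (rule.dst_port is None or rule.port_range):
        return True    # 'Any' service / port range objects: resolved in R75.40 and above
    return (rule.time_object or rule.complex_service
            or rule.rpc_service or rule.client_or_session_auth)


def rule_matches(rule: Rule, c: Connection) -> bool:
    return rule.proto in ("any", c.proto) and rule.dst_port in (None, c.dst_port)


class Gateway:
    def __init__(self, rules: list[Rule], release: tuple[int, int] = (75, 40)):
        self.rules = list(rules)
        self.release = release
        self.templates: set[tuple] = set()

    def templatable(self, c: Connection) -> bool:
        if c.proto not in ("tcp", "udp") or c.nat or c.vpn or c.complex_protocol:
            return False
        for rule in self.rules:            # walk the rule base top to bottom
            if rule_blocks_templates(rule, self.release):
                return False               # this rule and everything below it: no templates
            if rule_matches(rule, c):
                return True
        return False                       # no rule matched: dropped, never accelerated

    def new_connection(self, c: Connection) -> str:
        """Path taken by the first packets of a new connection."""
        if not self.templatable(c):
            return "slow-path"
        key = template_key(c)
        if key in self.templates:
            return "accelerated"           # handshake never reaches the kernel
        self.templates.add(key)            # kernel creates the template, notifies SecureXL
        return "slow-path, template created"


def demo() -> list[str]:
    """Three HTTPS connections differing only in source port, then a NATed one."""
    gw = Gateway([Rule("web", "tcp", 443)])
    flows = [Connection("10.1.1.5", p, "192.0.2.10", 443, "tcp") for p in (40000, 40001, 40002)]
    flows.append(Connection("10.1.1.5", 40003, "192.0.2.20", 443, "tcp", nat=True))
    return [gw.new_connection(c) for c in flows]


def ordering_matters() -> tuple[str, str]:
    """Same rules, same SMTP connection; only the position of the Time-object rule differs."""
    time_rule = Rule("after-hours", "tcp", 8080, time_object=True)
    smtp_rule = Rule("smtp", "tcp", 25)
    conn = Connection("10.1.1.6", 41000, "192.0.2.25", 25, "tcp")
    below = Gateway([time_rule, smtp_rule]).new_connection(conn)   # smtp below the blocking rule
    above = Gateway([smtp_rule, time_rule]).new_connection(conn)   # smtp placed above it
    return below, above


if __name__ == "__main__":
    print(demo())
    print(ordering_matters())
```

`demo()` shows the first HTTPS connection creating the template and the next two being accelerated from their SYN onward, while the NATed connection always takes the slow path. `ordering_matters()` is the practical point of the "place templatable rules at the top" advice: the SMTP rule is identical in both gateways, and only its position relative to the Time-object rule decides whether its connections ever get a template.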