Friday, December 16, 2011

Check Point - SecureXL

When SecureXL is enabled, all traffic that matches any of the following conditions will not be accelerated:

* The first packets of any new TCP session, unless a "template" exists.
* The first packet of any new UDP session.
* All traffic that matches a service that uses a resource.
* All traffic that matches a service that is inspected by a SmartDefense or Web Intelligence feature.
* All traffic that is supposed to be dropped or rejected, according to the rule base.
* All traffic that matches a rule, whose source or destination is the gateway itself.
* All traffic that matches a rule with a security server.
* All traffic that matches a rule with user authentication or session authentication.
* Non-TCP/UDP/GRE/ESP traffic (e.g. ICMP, IGRP, etc.).
* All multicast traffic (prior to IPSO-3.9; IPSO-3.9 adds multicast PIM acceleration for the IP225x, and IPSO-4.2 supports multicast PIM acceleration on all Nokia platforms).
* All fragmented traffic.
* All traffic with IP options.
* RST packets, when the "Spoofed Reset Protection" feature is activated.
* Traffic that violates stateful inspection paradigm or that is suspected to be spoofed.
* Rules where the service has an INSPECT handler (e.g. the FTP control connection).
* Rules with action "encrypt" when no VPN H/W Accelerator card is present.
* All VoIP traffic.
* All VPN traffic with IP Compression enabled.
* All directed broadcast traffic.

Connection establishment acceleration ("templates" mechanism)

In order to enhance connection establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the source port. This type of "grouping" enables even the very first packets of a TCP handshake to be accelerated. This is very useful on short connections, in which the percentage of TCP handshake traffic is very high.

The very first packets of the first connection on the same service will be forwarded to the security gateway, which will then create a "template" of the connection and notify the SecureXL device. Any subsequent TCP establishments on the same service (where only the source port is different) will already be accelerated (as well as any other traffic, of course).

Conditions that will prevent a template from being created:

* All connections that cannot be discriminated by the source port ONLY.
* Traffic subject to NAT.
* VPN traffic.
* Non-trivial TCP/UDP connections (FTP, H323, etc.).
* Non-TCP/UDP traffic.
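To make the "templates" behaviour concrete, here is a small simulation of the mechanism described above. It is an added example written for this page, not Check Point code, and it models only what the text states: the first packet of the first connection to a service goes to the firewall, which records a template keyed on everything except the source port; later connections that differ only in source port are accelerated from their first packet; and connections that are NATed, go through a VPN, use a non-trivial service (FTP, H.323) or are not TCP/UDP never get a template. The `Packet` fields, the `TemplateSimulator` class and the sample connection list are all constructed for this example, and the path strings it returns are a labelling of my own, not anything a gateway prints.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """First packet of a new connection (constructed model): the 5-tuple plus
    the attributes the template conditions on this page depend on."""
    proto: str            # "tcp", "udp", "icmp", ...
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nat: bool = False     # connection is subject to NAT
    vpn: bool = False     # connection is carried inside a VPN tunnel
    service: str = "plain"  # "plain", or a non-trivial service such as "ftp"/"h323"

# Services with an INSPECT handler / secondary connections (non-trivial on this page).
NON_TRIVIAL_SERVICES = {"ftp", "h323"}

def template_allowed(pkt):
    """Return None if a template may be created for this connection,
    otherwise the condition (from the list above) that prevents it."""
    if pkt.proto not in ("tcp", "udp"):
        return "non-TCP/UDP traffic"
    if pkt.nat:
        return "traffic subject to NAT"
    if pkt.vpn:
        return "VPN traffic"
    if pkt.service in NON_TRIVIAL_SERVICES:
        return "non-trivial connection (%s)" % pkt.service
    return None

def template_key(pkt):
    """A template groups connections whose only differing element is the
    source port, so the key is every other part of the tuple."""
    return (pkt.proto, pkt.src_ip, pkt.dst_ip, pkt.dst_port)

class TemplateSimulator:
    """Tracks the templates the (simulated) gateway has notified SecureXL of
    and reports which path each connection's first packet takes."""

    def __init__(self):
        self.templates = set()
        self.log = []

    def first_packet(self, pkt):
        reason = template_allowed(pkt)
        if reason is not None:
            # Template mechanism does not apply: every such connection hits the firewall.
            path = "firewall (no template: %s)" % reason
        elif template_key(pkt) in self.templates:
            # Matching template exists: accelerated from the very first packet.
            path = "accelerated (template match)"
        else:
            # First connection of its kind: goes to the firewall, which creates the template.
            self.templates.add(template_key(pkt))
            path = "firewall (template created)"
        self.log.append((pkt, path))
        return path

    def summary(self):
        """(accelerated first packets, total first packets) seen so far."""
        total = len(self.log)
        accel = sum(1 for _, path in self.log if path.startswith("accelerated"))
        return accel, total

def run_demo():
    """Feed a constructed burst of new connections through the simulator."""
    client, web, dns, ftp, ext = "10.0.0.5", "192.0.2.10", "192.0.2.53", "192.0.2.21", "203.0.113.7"
    connections = (
        # Four short HTTP connections: same service, only the source port differs.
        [Packet("tcp", client, 40000 + i, web, 80) for i in range(4)]
        # Two DNS lookups: UDP, again differing only by source port.
        + [Packet("udp", client, 50000 + i, dns, 53) for i in range(2)]
        # FTP control connection: non-trivial service, no template.
        + [Packet("tcp", client, 40100, ftp, 21, service="ftp")]
        # A ping: not TCP/UDP, no template.
        + [Packet("icmp", client, 0, web, 0)]
        # Three HTTPS connections that are NATed: never templated, each one hits the firewall.
        + [Packet("tcp", client, 40200 + i, ext, 443, nat=True) for i in range(3)]
    )
    sim = TemplateSimulator()
    for pkt in connections:
        path = sim.first_packet(pkt)
        print("%-4s %s:%-5d -> %s:%-3d  %s" % (pkt.proto, pkt.src_ip, pkt.src_port,
                                              pkt.dst_ip, pkt.dst_port, path))
    return sim.summary()

if __name__ == "__main__":
    accelerated, total = run_demo()
    print("accelerated %d of %d first packets" % (accelerated, total))
```

Running it shows why the text calls templates "very useful on short connections": of the four HTTP connections only the first pays the trip to the firewall, while the NATed, FTP and ICMP connections are sent to the firewall every time regardless of how many of them arrive.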
