Cooperative Enforcement
Cooperative Enforcement works with Check Point Endpoint Security servers. The feature uses the Endpoint Security server's compliance capability to verify that hosts on the internal network whose connections pass through the gateway meet the defined compliance policy.
Endpoint Security server is a centrally managed, multi-layered Endpoint Security solution that employs policy-based security enforcement for internal and remote PCs. Easily deployed and managed, the Endpoint Security server mitigates the risk of hackers, worms, spyware, and other security threats.
Features such as predefined policy templates, an intuitive Web-based management interface, and PC firewall and application privilege controls enable administrators to develop, manage, and enforce security policies quickly and easily.
Using Cooperative Enforcement, any host initiating a connection through a gateway is tested for compliance. This increases the integrity of the network because hosts that fail the compliance check (for example, hosts running malicious software or lacking required security components) are prevented from accessing the network through the gateway.
The gateway acts as an intermediary between the hosts managed by an Endpoint Security server and the server itself. It relies on the server's compliance feature, which determines whether a host is secure; the gateway can then block connections from hosts that do not meet the defined software-component prerequisites.
The following is a typical Cooperative Enforcement workflow:
- A host opens a connection through the firewall gateway. The first packet from the client to the server is allowed; Cooperative Enforcement acts only when the server's first reply to the client arrives. This means the initial client packet reaches the server even if the host is later found to be non-compliant.
- The gateway looks up the host's compliance status in its own tables and queries the Endpoint Security server if the host is not found there.
- When the reply arrives, connections from compliant hosts are allowed and connections from non-compliant hosts are blocked (in Enforcement Mode; see Monitor Only Deployment Mode below).
When Cooperative Enforcement is activated on a gateway, the following implied rules are enabled automatically:
- Allow all firewall GUI clients to connect to the Endpoint Security server via HTTP or HTTPS (port 80 or 443).
- Allow all internal clients to access the Endpoint Security server via the firewall for heartbeats.
- Allow the firewall to communicate with the Endpoint Security server on port 5054.
If additional access permissions are required (such as allowing external clients to connect to the Endpoint Security server, or allowing other machines to reach the administration interface of the Endpoint Security server), define explicit rules for them.
Enforcement Mode
In Enforcement Mode, connections from non-compliant hosts are blocked by the gateway. For HTTP connections, the host is notified that it is non-compliant, and the user can then take the appropriate action to achieve compliance, for example by upgrading the Endpoint Security client to the required version.
NAT Environments
Cooperative Enforcement is not supported in all NAT configurations.
For Cooperative Enforcement to work in a NAT environment, the gateway and the Endpoint Security Server must see the same IP address for a given client, because the gateway queries the server using the client address it observed. If NAT causes the client IP seen by the gateway to differ from the client IP seen by the Endpoint Security Server (for example, when the client's address is translated on the path to one of them but not the other), Cooperative Enforcement will not work properly.
Monitor Only Deployment Mode
In Monitor Only deployment mode, the gateway still requests authorization statuses from the Endpoint Security server, but connections are not dropped regardless of the status received. If the administrator has configured tracking, Cooperative Enforcement generates logs in either deployment mode, so Monitor Only can be used to see which connections would be dropped before switching to Enforcement Mode.
Configuring Cooperative Enforcement
To configure Cooperative Enforcement:
From the gateway's Cooperative Enforcement page, select Authorize clients using Endpoint Security Server to enable Cooperative Enforcement.
- Select Monitor Only to let all traffic pass and only track the connections that would otherwise have been dropped.
- Track unauthorized client status allows you to set the appropriate track or alert option. The default setting is Log.
- In the Endpoint Security Server Selection section, select which Endpoint Security server will be used:
- To use this machine, select Use Endpoint Security Server installed on this machine.
- To use another machine, select a server from the Select Endpoint Security Server drop down menu. Click New to create a new server.
- In the Client Authorization section, select one of the following methods:
- Check authorization of all clients: Inspects all clients.
- Bypass authorization of the following clients: Permits clients in the groups selected from the drop-down list to pass without inspection; all other clients are checked.
- Check authorization only of the following clients: Verifies the authorization only of clients in the groups selected from the drop-down list; all other clients pass without inspection.
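The following is an added example, written for this page and not Check Point's own code, that models the gateway-side decision path described in the workflow above (first client packet allowed, check on the server's first reply, local compliance table consulted before querying the server), together with Monitor Only mode, the three Client Authorization scopes, and the NAT caveat. The Endpoint Security server is replaced by a hypothetical lookup table keyed by the client address the server saw; every address, class name and the query callback are constructed for illustration.

```python
"""Model of the Cooperative Enforcement decision path (added example, not
Check Point code). Class names, the query callback and all addresses are
constructed for this illustration."""
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, List


class Status(Enum):
    COMPLIANT = "compliant"
    NON_COMPLIANT = "non-compliant"
    UNKNOWN = "unknown"          # server holds no record for that address


class AuthScope(Enum):
    ALL = "all"                  # Check authorization of all clients
    BYPASS_GROUPS = "bypass"     # Bypass authorization of the following clients
    ONLY_GROUPS = "only"         # Check authorization only of the following clients


# Constructed view of the Endpoint Security server: compliance status per
# client address *as the server sees it* (the source address of its heartbeats).
ES_SERVER_VIEW = {
    "10.1.1.10": Status.COMPLIANT,
    "10.1.1.11": Status.NON_COMPLIANT,
    "203.0.113.7": Status.COMPLIANT,   # a compliant host behind NAT, post-NAT address
}


def query_endpoint_security_server(client_ip: str) -> Status:
    """Hypothetical stand-in for the gateway's query to the Endpoint Security server."""
    return ES_SERVER_VIEW.get(client_ip, Status.UNKNOWN)


@dataclass
class Gateway:
    query: Callable[[str], Status]
    monitor_only: bool = False
    scope: AuthScope = AuthScope.ALL
    groups: List[IPv4Network] = field(default_factory=list)
    table: Dict[str, Status] = field(default_factory=dict)   # cached compliance table
    queries: int = 0
    log: List[str] = field(default_factory=list)

    def _in_groups(self, ip: str) -> bool:
        addr = IPv4Address(ip)
        return any(addr in net for net in self.groups)

    def _must_check(self, ip: str) -> bool:
        if self.scope is AuthScope.ALL:
            return True
        if self.scope is AuthScope.BYPASS_GROUPS:
            return not self._in_groups(ip)
        return self._in_groups(ip)            # ONLY_GROUPS

    def _status(self, ip: str) -> Status:
        # Consult the local table first; query the server only on a miss.
        if ip not in self.table:
            self.table[ip] = self.query(ip)
            self.queries += 1
        return self.table[ip]

    def first_client_packet(self, client_ip: str) -> str:
        # The first packet from client to server is always allowed.
        return "accept"

    def first_server_reply(self, client_ip: str) -> str:
        # Enforcement starts on the server's first reply to the client.
        if not self._must_check(client_ip):
            return "accept"
        status = self._status(client_ip)
        if status is Status.COMPLIANT:
            return "accept"
        # Assumption: an address the server has no record for (e.g. a NAT
        # mismatch) is treated as unauthorized, like a non-compliant host.
        self.log.append(f"unauthorized client {client_ip}: {status.value}")
        return "accept" if self.monitor_only else "drop"


def run_demo() -> Dict[str, str]:
    """Exercise the modes described on the page and return each verdict."""
    out: Dict[str, str] = {}
    gw = Gateway(query_endpoint_security_server)            # Enforcement Mode, all clients
    out["first_packet"] = gw.first_client_packet("10.1.1.11")
    out["enf_compliant"] = gw.first_server_reply("10.1.1.10")
    out["enf_noncompliant"] = gw.first_server_reply("10.1.1.11")
    gw.first_server_reply("10.1.1.11")                       # second connection: table hit
    out["queries_after_repeat"] = str(gw.queries)
    # NAT mismatch: the gateway sees the pre-NAT address 10.2.2.20 while the
    # server recorded 203.0.113.7, so the lookup by the gateway's address fails.
    out["enf_nat_mismatch"] = gw.first_server_reply("10.2.2.20")
    mon = Gateway(query_endpoint_security_server, monitor_only=True)
    out["monitor_noncompliant"] = mon.first_server_reply("10.1.1.11")
    out["monitor_logged"] = str(len(mon.log))
    byp = Gateway(query_endpoint_security_server, scope=AuthScope.BYPASS_GROUPS,
                  groups=[IPv4Network("10.1.1.0/24")])
    out["bypass_noncompliant"] = byp.first_server_reply("10.1.1.11")
    out["bypass_queries"] = str(byp.queries)
    only = Gateway(query_endpoint_security_server, scope=AuthScope.ONLY_GROUPS,
                   groups=[IPv4Network("10.1.1.0/24")])
    out["only_outside_group"] = only.first_server_reply("10.2.2.20")
    return out


if __name__ == "__main__":
    for key, verdict in run_demo().items():
        print(f"{key:22} {verdict}")
```

The NAT case is the one to watch in a real deployment: a compliant host is dropped not because it failed compliance but because the gateway asked about an address the server never saw. Monitor Only surfaces such cases in the logs without blocking anything, which is why it is the sensible first step before enabling Enforcement Mode.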