Enhanced 3-Way TCP Handshake Enforcement
The standard enforcement of the 3-way handshake that initiates a TCP connection provides adequate security by guaranteeing one-directional stickiness: it ensures that the SYN-ACK always arrives after the SYN. However, it does not guarantee that the ACK always arrives after the SYN-ACK, or that the first data packet arrives after the ACK.
If you want a stricter policy that denies all out-of-state packets, you can configure the synchronization mechanism so that all TCP connection initiation packets must arrive in the correct sequence (SYN, SYN-ACK, ACK, followed by the data).
Warning - The price for this extra security is a considerable delay in TCP connection establishment.

- Close all SmartConsole windows connected to the Management Server.
- Connect with Database Tool (GuiDBEdit Tool) (see sk13009) to the Security Management Server or Domain Management Server that manages this cluster.
- In the left upper pane, go to Table > Network Objects > network_objects.
- In the right upper pane, select the cluster object (the Class Name column shows gateway_cluster).
- Press the CTRL+F keys (or go to Search menu > Find).
- In the Find window, paste this string and click Find Next: sync_tcp_handshake_mode
- In the lower pane, right-click on the sync_tcp_handshake_mode property and select Edit.
- Choose complete_sync and click OK. For more information, see the section "Synchronization modes for TCP 3-way handshake" below.
- To save the changes, from the File menu select Save All.
- Close Database Tool (GuiDBEdit Tool).
- Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this cluster.
- In SmartConsole, install the Access Control Policy onto the Cluster object.

Synchronization modes for TCP 3-way handshake

| Mode | Description |
|---|---|
| Minimal sync | This is the default 3-way handshake synchronization mode. The 3-way handshake is not enforced. This mode offers the best connectivity for users who are willing to compromise on security in this case. |
| Complete sync | All 3-way handshake packets are Sync-and-ACK'ed, and the 3-way handshake is enforced. This mode slows down connection establishment. It may be used when there is no way to know where the next packet goes (for example, in 3rd party clusters). |
| Smart sync | In most cases, we can assume that if the SYN and SYN-ACK were encountered by the same cluster member, the third packet (ACK) will also arrive at that member. ClusterXL tracks this with a per-connection flag in each member's Connections Table. When a SYN packet arrives, the member that encountered it records the connection and turns off its flag. All other members are synchronized, and by using a post-sync handler, their flag is turned on (in their Connections Tables). If the same member encounters the SYN-ACK packet, the connection is sticky, so the other cluster members are not informed. Otherwise, the member that encountered the SYN-ACK informs all other members (since its flag is turned on). The original member (that encountered the SYN) now turns on its flag, so all members have their flag on, and in this case the third packet of the 3-way handshake is also synchronized. If our assumption does not hold (i.e., one cluster member encountered both the SYN and SYN-ACK packets, and another member encountered the third ACK), then the "third" ACK is dropped by that other member, and we rely on the periodic sync and TCP retransmission to complete the 3-way handshake. This mode is a good solution for ClusterXL Load Sharing and is also recommended for ClusterXL High Availability. |
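The Smart sync flag logic described above, modelled as an added Python simulation (this is not Check Point code; the Member and Cluster classes, the flag field and the sample connection key are constructed for illustration). It shows why a sticky handshake costs only the initial SYN sync, and why an ACK landing on a different member is dropped until periodic sync catches up.

```python
class Member:
    """One cluster member with its own Connections Table (constructed model)."""
    def __init__(self, name):
        self.name = name
        self.table = {}  # connection key -> {"state": str, "flag": bool}


class Cluster:
    def __init__(self, names):
        self.members = {n: Member(n) for n in names}
        self.sync_updates = 0  # per-member sync deliveries, to compare modes

    def _sync(self, src, key, state):
        # Push the connection to every other member; the post-sync handler
        # turns that member's flag on (it did not own this step itself).
        for m in self.members.values():
            if m is not src:
                m.table[key] = {"state": state, "flag": True}
                self.sync_updates += 1

    def packet(self, member, key, kind):
        """Apply a handshake packet seen by `member`; return accept/drop."""
        m = self.members[member]
        entry = m.table.get(key)
        if kind == "SYN":
            # Owner records the connection with its flag off, then syncs it.
            m.table[key] = {"state": "SYN", "flag": False}
            self._sync(m, key, "SYN")
            return "accept"
        expected = {"SYN-ACK": "SYN", "ACK": "SYN-ACK"}[kind]
        if entry is None or entry["state"] != expected:
            return "drop"  # out-of-state: wait for periodic sync + retransmit
        entry["state"] = {"SYN-ACK": "SYN-ACK", "ACK": "ESTABLISHED"}[kind]
        if entry["flag"]:
            # Flag on: this member is not the sticky owner, so inform everyone;
            # afterwards all members (including the SYN owner) have flag on.
            self._sync(m, key, entry["state"])
        return "accept"

    def periodic_sync(self, key):
        # Fallback: replicate the most advanced known state to all members.
        order = ["SYN", "SYN-ACK", "ESTABLISHED"]
        best = max((m.table[key]["state"] for m in self.members.values()
                    if key in m.table), key=order.index)
        for m in self.members.values():
            m.table.setdefault(key, {"flag": True})["state"] = best
```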