Evaluated Product - Details


Check Point Firewall-1 Version: 4.0 (SP 5)

Product type: Network and Network Related Devices and Systems
Product Status: Archived
Assurance Level: EAL2

Version: 4.0 (SP 5)

Product Details

Product Description

Certification Country: UNITED STATES (1999)
Certificate Details: Certified 29 October 1999 USA Scheme
Certification Method: CC
Evaluation Facility: CSC
Manufacturer/Vendor/Distributor: Check Point Software Technologies Inc.


Certification Report
Security Target

The evaluated Check Point Firewall-1 Version 4.0 is referred to as the Target of Evaluation (TOE).  The TOE configuration consists of one physical component executing:

  • One Firewall Module, which implements the Security Policy, logs events, and communicates with the Management Module;
  • One Management Module, which manages the Firewall-1 database: the Rules Base, network objects, services, users, etc.;
  • The Windows NT Server 4.0 operating system with service pack 4 installed; and
  • Two network interfaces, with one designated as internal and the other as external.

The Firewall-1 is a firewall employing a hybrid of application-level gateway and packet filtering technology called Stateful Multilayer Inspection.  The technology utilises packet filtering's performance and scalability and the security of an application gateway.

As an Application-level Firewall, the Firewall-1 mediates flows between clients and servers located on internal and external networks governed by the firewall.  An application-level firewall may employ security servers to screen information flows.  Security servers on the Firewall-1 for FTP and Telnet require authentication at the firewall by client users before requests for such services can be authorised.  Only valid requests are relayed to the actual server on either an internal or external network.

As a Traffic-filter Firewall, the Firewall-1 selectively routes information flows between an internal and an external network according to a site's security policy rules, the default policy being deny all.  Only an authorised administrator has the authority to change the security policy rules.  Traffic filtering decisions are made on the source address, destination address, transport level protocol, source port, destination port, and are based on the interface on which the packet arrives or goes out.  The Firewall-1 Inspection Engine applies full application-level security but doesn't permit packets to reach the operating system of the machine the firewall sits on.  Additionally, the firewall imposes traffic-filtering controls on information flows mediated by the firewall.