Checkpoint® - User Guide

Checkpoint Applications

Author: Will Dickson, CCS
Version: 1.0.1
Date: 06 July 2007

As well as Checkpoint Commander (Plus) and the Checkpoint Command Centre, there are various other applications which use the Checkpoint Architecture.

Chainmail, the Checkpoint mail service

Summary

Chainmail is a complete Mail Transport Agent (MTA, or "Mail Server") solution featuring integrated spam and malware (malicious software - viruses etc.) filtering. It's specifically designed to be easy to install and configure, even by an inexperienced system administrator. It's targeted towards smaller organisations and individuals who nevertheless need a full-strength solution.

Features and highlights

  • Chainmail uses standard protocols (SMTP, POP3) and is therefore compatible with all Mail User Agent (MUA - "mail client" or just "mail program") applications which use these standard protocols, which is most of them. This includes Outlook Express (we do not recommend this product), Eudora, Opera, Mozilla Thunderbird and many others.
  • Chainmail can be deployed in several different configurations, ranging from a full SME or departmental mail service to a filtering local POP3 proxy for home users.
  • Chainmail provides a webmail service for users who are temporarily off-site, or who don't have a desktop computer of their own.
  • Chainmail offers a "one-stop shop" which replaces any OS-specific MTA / malware scanner / spam-filter combination. This is much easier to configure than the traditional "glued-together modules" approach seen in unix mail systems.
  • Chainmail filters spam using (inter alia) a configurable set of publicly-available databases, which stay up to date without local tuning. Typically these block about 90% of incoming spam. (We recommend MUA-based Bayesian filtering to ditch the final 10%.) Blocked spam never even enters the system, reducing bandwidth costs. Chainmail supports RFC 2505 conformant (and legal!) DoS counterattacking against confirmed spammers (this works by clogging the spammers' MTAs with undeliverable mail).
  • Chainmail's malware filtering is a "behaviour blocker". This does not require "signature file" updates, and is effective even against completely new malware that has never been seen before - modern email worms often spread extremely quickly, so this is important.
  • Chainmail is written in Java, and is therefore inherently immune to the predominant category of security flaws (buffer overruns). This also allows it to sit on top of most operating systems equally, including Linux and Windows. (Solaris and OS X are not yet supported, but we intend to fix this as soon as resources permit.)
  • Although Chainmail is not formally "fault-tolerant" - such systems are usually highly expensive and generally only needed in safety-critical applications - its database engine is optimised for robustness rather than ultimate performance. When combined with a modern, journalling filesystem such as ReiserFS, ext3, or NTFS (we recommend such a combination) messages should not be lost even if power fails during a transaction.

Chameleon, the Checkpoint collaboration system

Summary

Chameleon started life as our in-house issue (i.e. bug report or feature request) tracking system - Checkpoint Reporting and Issue Tracking System, or CRAITS. From the very first, it was used to manage its own development, and was so much better than our previous system (based on private newsgroups) that it rapidly took over managing the rest of our development as well.

It has subsequently shown itself to be highly flexible, and is now used for applications which are a long way from its origins.

Applications of Chameleon

Chameleon is customisable enough to be used for a range of applications, such as:

  • Managing software development. The original use, and still indispensable in-house! We've been using it for this purpose internally for over five years now; it's stable.
  • Developing documents. Similar beneath the skin, but this isn't always recognised.
  • Discussion server. A more structured alternative to newsgroups, email lists or web fora. Keeps the discussion on-track and makes it easier to search.
  • Secure web-server. If you just want controlled access to some resources, using the Chameleon filestore (and ignoring the actual issues) may be easier to set up and manage than setting up security on a conventional webserver such as Apache.
  • Cataloguing resources. Chameleon can store externally-sourced documents and / or multimedia objects such that, with some input from you, you may be able to find them again.

Features and Highlights

  • Uses standard web protocols and features: works with any standards-compliant browser.
  • Designed to be easy to install and configure, even by an inexperienced system administrator.
  • Integrated system. Chameleon is installed from the Checkpoint Command Centre and is configured from within itself. [OK, nearly: there's a separate tool to create the first user, otherwise you can't get in.] No separate database back-end to configure.
  • Integrated user authentication. Chameleon uses Checkpoint's user authentication repository.
  • Built-in user access-control. Each Chameleon has its own set of users, each of which may be assigned different capabilities / privileges.
  • Email updates. Users can set themselves to be notified when issues they care about are updated. [Chameleon has been carefully designed so that it cannot be subverted for mailbombing or other network abuse.]
  • User digests. Each user can maintain their own "clipboard" of issues they're interested in.
  • Automatic notification of new issues. Users can set themselves to be notified whenever a new issue comes in on a subject they're interested in.
  • Remote filestore upload. Any user (who has been given the privilege) can upload arbitrary folder structures to the Chameleon filestore in a single operation.
  • Optional TLS support. [Recent versions only.]
  • Issue import / export coming soon.

Dumper

Summary

Dumper is Checkpoint's automated backup system. It's still in beta, but has been in use internally for some time.

Features and highlights

  • Dumps files or CDBs.
  • Application-aware locking. Checkpoint application databases can safely be dumped while the application is running, even if the application is heavily loaded. No risk of deadlock.
  • Scripting support allows use of near-line backup devices. The backup device can be automatically mounted and unmounted as required.
  • Networked backup coming soon.

COBRA

Summary

COBRA (Certificate Origination for Back-office Registration Authorities) is Checkpoint's X.509 certificate signing tool.

Features and highlights

  • Integrates with Checkpoint's built-in X.509 management facilities.
  • Easy to use with minimal training. Designed for use by local, devolved registration authorities within organisations (e.g. departmental secretaries), not by centralised specialists.
  • Uses standard formats. Interoperates with any X.509 certificate management solution which uses the same formats, not just with other Checkpoint installations.
  • Requests and responses are signed and tamper-evident. No secure channels needed.
  • Loose coupling works easily with existing email or other messaging systems.
 
Authored in CXD using Checkpoint Information Engineering Workbench   Copyright © Caversham Computer Services Ltd.