Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Books Media Book Reviews Technology

Essential Check Point Firewall-1 NG 149

Raymond Lodato writes "For the past six years, I've been responsible for the installation, configuration, and maintenance of the firewalls at my company. I was surprised and annoyed at the caliber of documentation supplied by Check Point. Six years ago, you really needed a reseller with the appropriate expertise to teach you how to design and implement a firewall. A year or so later, I found Phoneboy's website (phoneboy.com). It was an oasis for someone drowning in the sea of confusing literature and advice. In the time since, I have frequently referred to Phoneboy's site, as well as his fw1-gurus mailing list, as an unsurpassed source of information." Read below for Lodato's review of Phoneboy's recently updated book on the subject.
Essential Check Point Firewall-1 NG - An Installation, Configuration, and Troubleshooting Guide
author Dameon D. Welch-Abernathy
pages 647
publisher Addison-Wesley
rating 9/10
reviewer Raymond Lodato (rlodato AT yahoo DOT com)
ISBN 0321180615
summary An excellent guide to the ins and outs of configuring Check Point's FireWall-1 NG product, with a guide to the foundations of a good security policy. A 'must read' for any Check Point firewall administrator.

Phoneboy (nee Dameon Welch-Abernathy) has proven himself to be extremely knowledgeable about Check Point's FireWall-1 product. In October of 2001, he produced a book (Essential Check Point FireWall-1, Addison-Wesley, 2001) that helped to clarify the vast amount of information collected over the years through the mailing list and the website. Shortly after the book was published, Check Point saw fit to render it almost obsolete by releasing FireWall-1 NG. The new version of Check Point's flagship product was so different, you almost had to start from scratch to understand it. Dameon has taken the necessary next step and updated his original book. The new book, Essential Check Point FireWall-1 NG, (Addison-Wesley, 2004) now covers all existing versions of NG, up to and including NG with Application Intelligence (NGAI).

When you first open the book and look at the Contents pages, two things will strike you. The first is that the Contents page starts with "Frequently Asked Questions." Anyone who has spent any time on technical websites knows that Frequently Asked Questions (or FAQs) are the first place to look to gather the nugget(s) of wisdom you need. The fact that Dameon has included a large list of FAQs in the book makes it valuable for quickly addressing the typical problems and questions an administrator faces. The second thing you will note is that he does not start describing anything about FireWall-1 itself until late into Chapter 2. He takes the time to lay the foundation of what a firewall is, as well as what a good security policy is, and why it's so important to get one and get it right.

As I read through the book, I was pleased to see that Dameon followed one of the cardinal principles of good presentation: tell them what you're going to say, say it, then tell them what you said. Each chapter outlines what you will know by the end, teaches you what you need to know, then summarizes it. Dameon writes in a style I would call clear but not condescending. It takes someone who not only knows his subject well, but understands his audience well, to walk the fine line between the two. Dameon shows his chops by treading that line like a tightrope walker.

Each chapter contains carefully organized information with numerous figures and screen shots interspersed, to keep the text understandable. Starting in Chapter 4, Dameon also includes selected FAQs culled from the many available on his website. I found this much more valuable than collecting them at the end of the book in one gigantic haystack that you needed to search for that one precious needle. Later chapters include sample configurations to clarify the concepts just described. This makes Essential Check Point FireWall-1 NG useful as a teaching resource, as well as a general reference to the product.

While the chapters in the book follow a logical progression, each building on the prior information, Dameon made sure that most chapters (and even sections within the chapters) could stand alone. This means you can pick and choose what you want to read. For example, if you needed to focus on FireWall-1 on IPSO, you don't necessarily have to worry about what was written about Solaris. The information on IPSO would repeat enough information that you wouldn't have to refer to previous pages. Even so, Dameon provides back references when repeating the information would be too cumbersome.

I did notice that Dameon varied the amount of detail used throughout the book. Sometimes he uses a high-level approach, and sometimes he goes into excruciating detail. Unfortunately there were a number of places I wanted him to provide more detail, only to have him skim over the treetops. While he does explain up front that this book was supposed to cover the essential information, covering some areas in detail just whets your appetite for that same amount of detail in all areas.

One other quibble I have revolves around the figures used in his examples. It becomes obvious that this book evolved over a period of time (I believe he took around a year to get this edition put together). Some figures apparently came from an earlier version of the book, as the text referred to something else. One example occurs in Chapter 8 (User Authentication). Dameon's sample configurations are written in a "follow-me" style. One sample configuration has the text "Next, create the group WebAdmins and add bob and dan to this group." If you followed his directions and then referred to the sample rule base in the figure on the next page, you would see that the group is named DMZAdmins instead of WebAdmins. (And the specs given for the same sample configuration specify that S/Key will be used, yet the figure showing the Authentication tab clearly has S/Key un-checked.) Little inconsistencies like this should have been picked up on the proofreading. Their existence mars an otherwise excellent book.

Overall, Essential Check Point FireWall-1 NG is aptly named: essential. If you are responsible for the care and feeding of Check Point's FireWall-1 software on any platform, you need to get and read this book. It's definitely going to stay within arm's reach on my desk.


You can purchase Essential Check Point Firewall-1 NG from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

This discussion has been archived. No new comments can be posted.

Essential Check Point Firewall-1 NG

Comments Filter:
  • Phoneboy sounds like something else I like to read. On the other hand, I too read this book, and I enjoyed the detail and also the easy way it was presented. Thanks for the review!
  • by stuffduff ( 681819 ) on Friday March 12, 2004 @05:35PM (#8547962) Journal
    IMHO, while the book is argueably excellent in its own right; and exactly the kind of thing to build a through working understanding of what is going on: I wonder if the problems covered therein will remain on the cutting edge of firewall management. So, if I were using Checkpoint, I'd probably sleep with the damn thing for the first few weeks, but eventually it would find it's way off the desk and up on the shelf, where it (more than likely) is on its way to the next booksale.
    • by Chris_Stankowitz ( 612232 ) on Friday March 12, 2004 @06:06PM (#8548216)
      wonder if the problems covered therein will remain on the cutting edge of firewall management.

      The answer is NO! As security techs change the way they handle threats, from the borders and internally FW config and management is currently changing rapidly. Infact CheckPoint is now offering in-line IPS. This better layerd/mesh approach to security does chage what you need to do on your borders and how you do it. Coupled with node/desktop firewalls, current stratergies will change.

      • I loathe Checkpoint. There VPN client is utterly absymal. Totaly and utterly crap.

        Every time the VP rekeys this stupid box blocks out half my laptop's screen for five fucking minutes and does nothing. For some reason the jerk off who designed the piece of utter shit client decided to lock that area of the screen while the client does nothing.

        Eventually the box asks me to select a certificate to log in to the VPN. Well guess what? Its the same one as I used last time the piec of turd asked the same quest

    • Re: (Score:3, Informative)

      Comment removed based on user account deletion
  • by October_30th ( 531777 ) on Friday March 12, 2004 @05:36PM (#8547969) Homepage Journal
    It was an oasis for someone drowning in the sea of confusing literature and advice.

    Given the Slashdotting, the past tense used in the article is actually very appropriate.

  • Props, but... (Score:2, Insightful)

    by Anonymous Coward
    If I'm paying $$$ for Check Point 1 software, I don't wanna have to buy aftermarket book to tell me how to use it.

    How about an OpenBSD firewall guide book, eh?
    • Re:Props, but... (Score:3, Insightful)

      by mgoodman ( 250332 )
      But you would buy a book on a commercial Unix variant? Or Microsoft training? Etc.

      Third-party books are frequently better than the documentation provided by the company, as the third-party is more apt to give you tips and tricks and hacks to get the job done, rather than going on about how great a product it is.
      • But you would buy a book on a commercial Unix variant?

        Third-party books are frequently better than the documentation provided by the company


        I've yet to find a book, which is as good as the OpenBSD man pages.

        Leave the commercial World behind, read the PF man page [openbsd.org] and discover what you've been missing out on.
        • OpenBSD is freeware, not commercial software.

          Not to mention the fact that, however good OpenBSD may be, there simply aren't enough commercial authors on the subject to really promote competition and encourage authors to put out *QUALITY* books.

          But there are some companies that provide great man pages...Legato, for example.

          Again, this is mainly documentation, such as "this command does this and has these options", whereas commercial books generally have that and ways to hack apart the product to get the j
          • OpenBSD is freeware, not commercial software.

            That's why I said, "Leave the commercial World behind".

            Not to mention the fact that, however good OpenBSD may be, there simply aren't enough commercial authors on the subject to really promote competition and encourage authors to put out *QUALITY* books.

            Have you read any of the books?

            I have almost all of them.

            One of them is very high quality, as far as grammar goes and all of them are very high quality as far as technical details go.

            But, who needs books,
            • lol what are you a man-page writer for the openbsd project or something :P

              regardless, it sounds like you're contradicting yourself a bit. we both seem to agree that some man pages rock (like books, some more than others). and you say yourself you've got great openbsd books.

              You said, "who needs books, when you have such fantastic man pages!?" Apparently you did.

              If the manpages have all that you need, why would you consider the books that you own great, rather than just a rehash of the manpages? Clearly yo
              • lol what are you a man-page writer for the openbsd project or something :P

                ; ) No, I just love OpenBSD. I like all the big free BSD's.

                regardless, it sounds like you're contradicting yourself a bit. we both seem to agree that some man pages rock (like books, some more than others). and you say yourself you've got great openbsd books.

                You said, "who needs books, when you have such fantastic man pages!?" Apparently you did.


                I purchase BSD related books when they come out, to encourage the publishing of fur
    • Re:Props, but... (Score:5, Insightful)

      by Anonymous Coward on Friday March 12, 2004 @05:45PM (#8548046)
      If I'm paying $$$ for Check Point 1 software, I don't wanna have to buy aftermarket book to tell me how to use it.

      You're shelling out $50k for the software but complain about a $40 book? Personally I would rather buy a 3rd party book than one from the software maker as they have to compete to explain the topic to the user.
      • by ADRA ( 37398 )
        OT, but that reminds me of another rant.

        I really hate buying hardware and then guys like LinuxAnt being the only ones selling drivers for it. I know these guys gotta eat, but I'd hate to pay $20 on drivers for a $50 piece of hardware!!
      • You're shelling out $50k for the software but complain about a $40 book?

        Uh, if I were shelling out $50,000 for any software, I would complain that the software didn't include so much as a $40 book. If I were a Checkpoint customer I would seriously wonder why they don't include Phoneboy's book with the software, and/or why they aren't paying him for his book.

      • If you're buying a 50K product, and you know absolutely nothing about using it.....

        I hope you bought some consultant time as well. Commercial FWs are nothing to play with for the inexperienced. Pay the consultant (and buy the freakin $40 book) and pay extremely close attention to the consultant, and pump for info (that's what you're paying him for) Odds are, he'll do it wrong, but you won't be 100% vulnerable. (Now there's a confidence statement!)

        (FYI - current external access from my node is pure port 80
    • If I'm paying $$$ for Check Point 1 software, I don't wanna have to buy aftermarket book to tell me how to use it.

      Don't worry, if you get stuck or locked out of your firewall you can call up the Mossad for tech support. *ducks away from the ensuing firewall geek flamewar*

    • Re:Props, but... (Score:3, Insightful)

      by kfg ( 145172 )
      If I'm paying $$$ for a commercial grade table saw, I don't wanna have to buy an aftermarket book to tell me how to use it?

      There is a difference in "how" to use something, i.e. what the levers and dials do, and the art, craft, and wisdom is in applying those dials and levers.

      My table saw manufacturer is obliged to provide me with a manual explaining the proper and safe use of the device. He is not obliged to tell how to apply the device specifically to the making a grandfather clock and a Shaker trestle t
    • if I'm paying $$$ for Check Point 1 software, I don't wanna have to buy aftermarket book to tell me how to use it.

      Well, this sort of sounds better than saying:

      if I'm paying $$$ for software, I don't wanna have read a book to tell me how to use it

      Which is not what you said, but it is what it reminded me of

    • Heh.

      I'll give you three. And a website to cap them. :)

      "Building Linux and Openbsd Firewalls", by Wes Sonnenreich and Tom Yates. Published in February, 2000. Dated, both Linux and OpenBSD have gone through too many changes for this to be an "in the trenches" reference. It's a decent view from 30,000 feet.

      "Absolute OpenBSD", by Michael Lucas. Published in June, 2003. Its ISBN is 1886411999. Covers OpenBSD 3.2, so it's relevance to 3.4 is high. Has a few typos which do not seriously mar the content.
    • I guess that you have never had the luxury of dealing with Checkpoint support.

      I work for an MSSP and regularly deal with Checkpoint. It is also good to get an independant source for tips about Checkpoint. To put it simply, Checkpoint support is sometimes less than helpful.

    • Or no firewall at all. Besides playing anonymous on the web, there is really no point in having them. They can be bypassed so easily...
    • How about an OpenBSD firewall guide book, eh?

      Some books. [openbsd.org] The first two are appropriate, however Building Linux and OpenBSD Firewalls is really out of date.

      The FAQ. [openbsd.org] Is very nice.

      Or the best reference there is! [openbsd.org] Constantly up to date. Print it out, read it, use PF, never ever look back.

      Especially on your fully state synced [openbsd.org] redundant PF firewalls. [openbsd.org]
  • For my simple home firewall/nat i use Shorewall [sourceforge.net] (use IPfilter on Solaris at work), but damn, i love a good read on other firewalls and their setups.

    i must say that i really like the idea of phoneboy.com being TWiki....just allows for such a broader range of information from people.

    Since i can't read the Ma Bell site from the previous article, i'll go check this out for the afternoon.
    • Re:Shorewall (Score:2, Offtopic)

      by Homology ( 639438 )

      For my simple home firewall/nat i use Shorewall (use IPfilter on Solaris at work), but damn, i love a good read on other firewalls and their setups.

      Then I'm sure you'll enjoy reading the PF Example : Firewall for Home or Small Office [openbsd.org] from the very good PF FAQ [openbsd.org].

      One of the reasons for using OpenBSD to replace my Linux firwall, was the very readable PF firewall rules. To be honest, IPtables rule syntax sucks, and projects like Shorewall is a testament to that.

      • IMHO iptables lower level interfaces are terse because its modular.

        "pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state"

        How is this syntax -more- readable? Unless you know what your doing, both will look like absolute garbage! If you know what you're doing, you shouldn't be worrying about syntax. Choose the product that performs what you need, whatever it is.

        I personally like netfilter/iptables because of its excellent extensions. They make Linux a very powerf
        • "pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state"

          How is this syntax -more- readable?

          You mean that "same" IPtable rule

          "iptables -A INPUT -i $ext_if -p tcp --tcp-flags SYN,ACK SYN -s $any_addr -d $ext_if_addr -dport $tcp_services -m state --state NEW -j ACCEPT"

          is more readable?

          • you mean:

            iptables -A INPUT -p tcp -s $any_addr -d $ext_if_addr -dport $tcp_services -m state --state NEW -j ACCEPT
            iptables -A INPUT -m state ESTABLISHED,RELATED -j ACCEPT

            What I am saying is that both systems look intimidating to those who don't know about firewalls, and those that know about firewalls shouldn't care about syntax anyways.
          • "pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state"

            If you know what you're doing, you shouldn't be worrying about syntax. Choose the product that performs what you need, whatever it is.

            You mean that "same" IPtable rule

            "iptables -A INPUT -i $ext_if -p tcp --tcp-flags SYN,ACK SYN -s $any_addr -d $ext_if_addr -dport $tcp_services -m state --state NEW -j ACCEPT"

            is more readable?

            Wow, I knew iptables rules were terse, but that's just ridiculous compared to
        • "pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state"

          How is this syntax -more- readable? Unless you know what your doing, both will look like absolute garbage!


          Actually, it is English.

          Pass packets coming in on the external interface as long as they are tcp protocol, from any IP specifically sent to our external interface (not just subnet noise) and as long as they are tcp services (ports) that we want, when the SYN flag in the tcp flags is ON (S/SA) and allow
  • NG? (Score:4, Funny)

    by sulli ( 195030 ) * on Friday March 12, 2004 @05:43PM (#8548025) Journal
    I would have said it was OK
  • My experience (Score:3, Interesting)

    by Anonymous Coward on Friday March 12, 2004 @05:43PM (#8548028)
    I was a young impressionable admin when I was first introduced to Checkpoint. At the time, they had barely stepped out of their domestic Israeli market and we had a copy thanks to a co-worker who worked in a kibutz for two years.

    Anyways, I was astounded at the fine level of detail that one could control the packets in that FW product. We immediatelly proceeded to deploy Checkpoint in our production Solaris 3 environment. We found the network configuration to be easy and the core install of Solaris 3 satisfied all the requirements.

    Little did I know that the product was not yet mature and optimized to deal with the large traffic in our organization. FTP and Gopher services crashed around our ears as we ran around like headless chickens. We deduced right away that it was checkpoint and went back to our original configuration.

    Oh, how we laughed after that incident. It sometimes still makes me snicker.

    Which is nice.
  • I want to know why someone named Dameon feels compelled to get a nick name...
    • One of my college professors, a Chinese fellow whose command of the english language was not perfect, often called me "Demon." :)

      Here is my explanation on the name PhoneBoy. Since I'm not interested in increasing the slashdot effect on my site, I'll post the relevant bit here:

      For those who care, the name PhoneBoy was given to me by one of the hosts of Radionet Talk Radio [archive.org], a radio show I used to work on in 1996. I used to screen calls for the show. The host forgot my name one day and called me PhoneBoy jus
  • 2:47PM up 1 day, 19:07, 24 users, load averages: 138.60, 97.23, 61.14
  • by octaene ( 171858 ) <.bswilson. .at. .gmail.com.> on Friday March 12, 2004 @05:50PM (#8548077)
    I have been administering Check Point systems for about 4 years now, and I must say I'm not even close to surprised by this reviewers comments. Phoneboy's book and site have been essential for FW-1 admins for long before I began working on this software. I've owned 3 revisions of his textbook, and it IS the best text ever written about Check Point products, bar none.
  • by Doktor Memory ( 237313 ) on Friday March 12, 2004 @05:51PM (#8548079) Journal
    Step one: remove power cord from CheckPoint box.

    Step two: load CheckPoint onto trebuchet.

    Step three: launch CheckPoint into Low Earth Orbit, or at least into the neighbor's hedges.

    Step four: install an OpenBSD box with two ethernet interfaces and configure PF.

    (Step four can alternatively be replaced with Linux/Netfilter, FreeBSD/IPF or Solaris/IPF -- whatever your poison is.)

    But I'm only bitter because I was stupid enough to buy into CheckPoint's snake oil. Fool me once, shame on me, etc -- that goddamn thing cost me close to six months of time that could have been productively spent doing just about anything else. Never, ever again.

    (Okay, just for kicks, here's an actual tidbit of useful Checkpoint info: There's a Rule Zero. It doesn't appear in the rules screen. It's probably not doing what you think it's doing.)
    • I think of myself as a decent iptables admin, and I've always heard decent repute from checkpoint (besides the price).

      Can someone fill me in to why checkpoint is technically inferior to the likes of iptables?

    • OpenBSD does make sense in small business situations, but for the enterprise it does not. Dealing with 25 different openbsd machines with a text-based PF config on each does not sound fun to me. Yeah I'm sure you could script some pretty cool central management out of it all, but that's not realistic for most places.

      But... Checkpoint is a huge pain, I agree. It is arguably the most bloated software product in history. That's why I recommend Netscreen -- the nice management of Checkpoint with rock-solid
      • OpenBSD does make sense in small business situations, but for the enterprise it does not.

        I can tell you, with authority, that I know that the two largest banks in my country, have at least used OpenBSD on some of their perimeters.

        I say "at least" because I haven't seen all the perimeter firewalls and I say "used" because my info is about 2 years old. My guess, is that they use them on all, to this day, but I can't say for certain, I can only go off what internal software developers I still know have told
        • It all comes down to the admin. Many a time, I have achieved things that OEM's, vendors and previous "admins" have claimed to be "impossible". Often figuring out how to do it within minutes, which can be pretty embarassing for the ex admin.

          I do not disagree. Often though, companies discourage such homegrown solutions because:

          What's realistic for one admin, might be unrealistic for another.

          So what happens when the admin with the homegrown solution leaves the company? Hopefully they trained others on

          • I do not disagree. Often though, companies discourage such homegrown solutions because:

            What's realistic for one admin, might be unrealistic for another.


            They must not have much faith in admin candidates then or the current admins documentation skills or willingness. I know there are a lot of bad admins, but a company who typically goes to trouble to find a good admin, is willing to get one that provides real solutions (that work until someone pulls the plug) and documentation.

            I have worked for companies,
            • Can you name a good company helpdesk? One that is as good as say a BSD or Debian mailing list?

              Cisco. At least a couple years ago; I haven't dealt with them much lately. But their TAC (Technical Assistance Center) was outstanding.

              You are describing crappy admins and crappy managers.

              Precisely. I wish everyone did their jobs competently. I also wish for world peace. I don't expect either to happen any time soon.

              I don't work for companies managed by such people.

              Not everyone has that luxury.

              From

              • Cisco. At least a couple years ago; I haven't dealt with them much lately. But their TAC (Technical Assistance Center) was outstanding.

                Fair enough.

                Precisely. I wish everyone did their jobs competently. I also wish for world peace.

                Me too. [sigh] I was looking at that pic of Earth from Mars and thinking, what the hell are we doing to ourselves and our planet. We are mostly blessed by our natural luck and yet completely cursed by ourselves.

                From names like Novell, Microsoft and CA.

                Aren't these companie
    • (Okay, just for kicks, here's an actual tidbit of useful Checkpoint info: There's a Rule Zero. It doesn't appear in the rules screen. It's probably not doing what you think it's doing.)

      I'm not a great fan of FW-1, but it's a shame that whoever plunked down the cash for the software didn't also pay for some training for you; that snippet would have been covered in the basic course.

      --

  • I must say that the Checkpoint Firewalls are excellent pieces of equipment. We use them all throughout our company's WAN. (20+ office across the whole continental United States) I think that anyone interested in a little bit more than just a Do-it-yourself firewall, or a Cisco PIX solution should definitely get this book, and research the Checkpoint.
  • A Checkpoint story (Score:5, Interesting)

    by billh ( 85947 ) on Friday March 12, 2004 @05:59PM (#8548156)
    I could go on for many pages, detailing all of the issues I've had to deal with in the last few weeks. But I've wasted enough time dealing with Checkpoint, and I don't want to waste too much time bitching about them.

    We purchased hardware and software through a reseller. My predecessor placed the order, so I came in knowing very little about what we had purchased. I was given the server and an activation code for the software.

    I activated it, and found that I was unable to download anything. We had no support contract. I sent off some nasty e-mails to the vendor, and we had an installation CD a couple of days later.

    Well, it turns out that the installation CD was old. Shouldn't be a big deal, right? Well, it was. Although we could install the software, we couldn't use any of the management tools. The Windows-based management tools, I should add. For a Linux product.

    Conference calls with Checkpoint, more nasty e-mails, we find out that our support contract was never entered. I blame this solely on the vendor, not Checkpoint. Once that went through, we were able to download the needed software from Checkpoint.

    Sounds like the problem is resolved, right? I hope so, but I won't know for a few days, as we had to reschedule a network shutdown because of this incompetence. While I blame most of this on the vendor, you have to wonder what sort of approval process the vendors have to go through to become resellers, and why Checkpoint would ever allow such idiots to resell their product.

    While I'm pointing fingers, here are some other things to think about:

    Checkpoint could easily have allowed us to download a product which we had already purchased, and is available to customers with a support contract.

    Tech support could have answered our questions very quickly, if they would have talked to us.

    They could have FAQs with this information on their web site.

    The FAQs that they do have could have been in a format that is readable from a console (everything is PDF).

    Red Hat 7.3 is the latest version of Linux they support. With a kernel that doesn't come standard.

    I admin many older Checkpoint boxes, which unfortunately run on Windows NT 4. I inherited them. After the crap I have been through dealing with Checkpoint, I am considering staying with them until I find a better solution. Why should we have to pay thousands of dollars a year just to be able to patch these things? Why are the FAQs useless? Why can't these people get a clue?

    Just FYI, I've been using Linux since before it was 1.0, and I have no problem with configuring firewalls and the like. And I also know that Cisco pulls stupid crap like this, too. Now for the fun part - I have a hell of a lot of purchasing power at a very large consulting firm, and as far as I am concerned, we are done with Checkpoint.

    You hear that, Checkpoint? Over 70,000 employees, and I can't count how many support contracts. I'm going to do what I can to make sure we never send you another dime.
    • What's the name of the vendor?
      • I'm not interested in a lawsuit. But they are going to lose quite a bit of business, and it isn't all Checkpoint related. In fact, most of it isn't. Three cheers for Darwinism.
    • Your experience with Checkpoint's support policies aren't all that strange -- they just recently started offering an "Enterprise Support" model that allows you to not _have_ to attach a support contract to a particular license. Made things a hell of a lot easier for us.

      One note -- the version of Redhat that they last supported _is_ 7.3, but it's far more convienient to run SecurePlatform. That's Checkpoint's own Linux distribution -- a pretty slick little toy, IMHO. It should install nicely on most modern
      • SecurePlatform was an easy install. Except we were not licensed to admin the firewall. I'm sure there is an easy solution to that, but that is another issue I have with Checkpoint.

        As to your comment about not discounting Checkpoint becuase of the reseller - I had many conference calls with Checkpoint, and they were all useless. As far as I am concerned, most of the company is useless. 90% Of this problem would be solved with good FAQs on their website.
        • 90% Of this problem would be solved with good FAQs on their website.

          I wholeheartedly agree with you there -- and with your point about Tech Support. Do yourself a favor, though, and find out who your region's Sales Engineer is... They can answer questions frontline support can't. Plus, for a 70,000 employee company, they would agree to sit in your front pocket and print up fresh $20 bills for you if they thought it would sell more product, trust me. :>
          • I don't care who the region's sales engineer is. Checkpoint is gone. They had their chance, they blew it. Reminds me of the ISP consolidation 6-7 years ago. They failed to realize that many of the shell customers were the decision makers at large companies.
            • Rule#1 of business is "Don't piss of your customers."

              I don't care who the region's sales engineer is. Checkpoint is gone.

              If you have to get into bed with the region's sales engineer to get the the service you need, you need to jump ship because when you really need it, he's gonna be long gone.
    • I used to be a CCSI on 3.x/4.x. "Phoneboy" was in my 3.x training course at Netrex, he was basically heckling (competing with?) the instructor the whole time. I thought it was quite amusing. (yes, the course, and the phoneboy).

      You think it's bad now, you should have seen the early days of FW-1, like when they first started supporting "non Sun" platforms; NT, HP/UX, AIX. I don't know if they still support those "other" *IXes, but it sounds like business as usual with their half-ass tech support.

      "NG" does n
    • Hear Hear. I've dealt with two FW-1 installations at our main site - one on Solaris and one on NT4 which were both installed by consultants before security became my job.

      I have several issues with FW-1, however the main one must surely be the crappy "support" and the "buy now, pay forever" attitude to it that many companies now adhere to, namely that no support = no software updates. Quite frankly for a firewall company to deny you patches for their product if someone discovered a vulnerability ("TEST="
      • ("TEST=" in packets traversing all versions of FW-1 unblocked up until around 2 years ago anyone?)

        /me doubletakes.

        Have you got any more information on that? That appears to be a serious vulnerability that I hadn't previously heard about... Securityfocus.com's vulndb doesn't seem to know about it, either.

        --

  • go here (Score:4, Informative)

    by pair-a-noyd ( 594371 ) on Friday March 12, 2004 @06:01PM (#8548173)
    http://smoothwall.org/ [smoothwall.org] rocks like none other
    • Re:go here (Score:3, Insightful)

      by Homology ( 639438 )
      http://smoothwall.org/ rocks like none other

      PF: The OpenBSD Packet Filter [openbsd.org] shows that it is possible to have a very powerful packet filter with easily understandable and readable filter rules. Smoothwall has a following because the IPtables firewall scripts quickly becomes unreadable and hard to understand with it's sucky syntax.

    • Re:go here (Score:3, Insightful)

      by dlb ( 17444 )
      Yeah, its great -- but smoothwall doesn't address issues like high availability, or any sort of application inspection.

      Oh yeah, and how do you efficiently manage your smoothwall firewalls after you deploy 50 of them?

      It's just the same ugly packet filter with more makeup.
      • Yeah, its great -- but smoothwall doesn't address issues like high availability, or any sort of application inspection.

        Oh yeah, and how do you efficiently manage your smoothwall firewalls after you deploy 50 of them?

        It's just the same ugly packet filter with more makeup.

        Smoothwall was never intended to be an enterprise type of firewall. But yes, it's still the same ugly packet filter at the bottom.

  • by Chomp ( 27607 ) on Friday March 12, 2004 @06:05PM (#8548207) Homepage
    Equating ipf/iptables with Firewall-1 etc is like confusing a Hertz rental truck with DHL.

    Not everyone needs Firewall-1. But as the number of firewalls you manage goes up, the management features of Firewall-1 really come into their own.

    Firewall-1 also assists in reaching the desired level of abstraction where your ruleset stops describing your network topology and starts describing your network policy.

    The difference is hard to appreciate until you have worked with both for a while.

  • Mostly Okay (Score:4, Insightful)

    by irregular_hero ( 444800 ) on Friday March 12, 2004 @06:15PM (#8548274)
    The book is good in many areas, especially dealing with Site-to-Site VPN configuration, but is seriously lacking in other areas. Some of the things missing are:
    • High Availability of management stations
    • Coverage of Provider-1, SiteManager-1 installations and the differences between them and the traditional management method
    • More detail on Checkpoint log servers (specifically CLMs and what they can and cannot do, including where they should typically be deployed and in what sitations)
    • Handling, munging, searching, and maintaining log files for Checkpoint products (there are scads of logfiles available, and some are quite hidden)
    • Steps to take to verify proper operation of a Firewall-1 node, including performance tuning ("fw ctl pstat" and how to read it, basically)
    • Using Checkpoint State Synchronization with AND without Checkpoint Clustering, and how to troubleshoot it
    • More information about tuning and maintenance of SmartDefense (the IPS features of Firewall-1) paying attention to "protocol gotchas" that can be eliminated through altering its configuration
    • A tutorial for the new Checkpoint administrator about all the different types of licenses with which one can and will deploy as part of a standard installation
    • The mentions of SecureRemote (the Client-to-LAN VPN built in to Checkpoint Firewall-1) are lacking in many respects -- for example, there is little mention of Secure Configuration Verification, Visitor Mode/Office Mode, IP address assignment mechanisms (there are many), etc.
    • More detail in the following areas: CIFS blocking, Exchange/Windows RPC custom handling, integration with URL filtering via UFP, differences between the FTP/FTP_BASIC methods, etc.
    Of course, I suppose 80% of the administrators that would buy this book don't care one bit about these details if they're only running a couple of standalone Firewall-1 boxes. The funny thing, though, about companies that buy a product as expensive as Checkpoint Firewall-1 is that they tend to expand their investment in the product fairly rapidly -- if they buy enough of it up front to be a serious investment. For those administrators, it's the type of information like the above that is really missing. What's a shame is that it's also generally missing in Checkpoint's own documentation. :>
  • I'm a CCSA.. I used to come into daily contact with CheckPoint NG.. Can't say I really enjoyed the experience. And the doc.. I really hated it..
    "PhoneBoy" was our light in the dark and only good source of info indeed. So:

    - If you don't have CP, don't buy it. If only because Israeli security software named "Checkpoint" is rather cynical given the way they treat Palestinians.. also because technically it's a monstrum.

    but..

    - If you *do* have CP: buy *any* and all new books PhoneBoy publishes on the subject!
  • Oy (Score:1, Interesting)

    by Anonymous Coward
    The company I used to work for used multiple CheckPoint FW-1 firewalls, which eventually I happened to administer (the version previous to NG).

    Unfortunately, mgmnt decided to run them on NT 4 Server instead of Solaris or even Linux (this is from 2000 - 2002). (CheckPoint was originally a Solaris product ported to Linux and eventually Windows).

    It sucked HARD on NT - in particular because NT 4 had no native ability to limit file size, and the Checkpoint logs grew exponentially if you happened to be a few co
  • I ripped out the Checkpoint f/w on Solaris where I am, and replaced it with some carefully crafted iptables scripts on an Gentoo+grsec x86 box. People immediately noticed it was more responsive. Oh, and no stupid 100 client licence restriction.
    The shitty documentation didn't help Checkpoint. And the remote admin tools were pants too.
    • Another nice tool is ipkungfu - decent tool for home networking and small businesses. For those that say you need a behemoth product to run larger businesses - hire a decent admin who understands bash scripting and whatever ip filtering script supported on his OS of choice - a *bsd is a good choice if only for security by obscurity.
  • Domo origato, Mr Lodato.
  • by greppling ( 601175 ) on Friday March 12, 2004 @07:08PM (#8548676)
    Lesson 1: If you really feel like putting two metaphors into one sentence, check for a moment whether the result might sound like utter non-sense.

    Sincerely, /. style nazi

  • This is a proprietary product, why is it being reviewed on Slashdot? I read a good book on Active Directory, can I post my review?

    Sigh...
  • fwbuilder [fwbuilder.org]? I think it's a smart product but still, I've never played with "enterprise" stuff. Anyway, I do get the feeling that the program is geared towards managing large arrays of machines inside a single interface.
  • Anyone who has ever had to manage a CheckPoint box for a period of time knows about Phoneboy.

    Stors spews forth:
    - Check out phoneboy's stuff for details on FTP configuration. You used to write/patch in some custom inspect to get it to work right in some configurations. i.e. the Policy Editor is not enough.
    - During testing, tcpdump/ethereal are your friends. Also if you're new to all this and you're doing static translations, you might need to get used to futzing with the translations configuration stuff (sr
  • Ugh, checkpoint. Gag me with a spoon. I'd rather use a cisco pix.
  • I'm certified on CheckPoint's NG. I used to work for a rather well-known security integrator in San Diego that sold CheckPoint solutions.

    When I'd peddle CheckPoint, several of our clients would just laugh and say, "For that price, I'll buy hardware and load OpenBSD's pf." Can't say I blamed them.

    There are times, however, in which CheckPoint can really make your life easier. For example, youc can easily (for better or worse) push a policy to multiple endpoints. The graphical logs are cool also.

    Sales re
    • Sales reps (may) try to sell you on the seemless failover crap. Bottom line: lots of hoops, and I don't know that it's any easier than PIX's failover solution.

      OpenBSD, PF, pfsync and carp.

      Don't know whether it is easier or not, but it's bound to be cheaper. Especially if you read the doco and understand it.

      OpenBSD does not need sales reps. It gets by on merit alone. So why not go check out why this is! [openbsd.org]
  • My day job is managing firewalls, specifically Checkpoint FW-1 NG on IPSO. Here's my impressions:
    • Upgrade cycle: Too short. We've taken a year to migrate all our firewalls to FP3/Provider-1 from a combination of 4.1 and FP1/FP2. Now we are being pushed to move to AI. Checkpoints firewall rule migration "tools" to move to Provider-1 were self-admittedly broken, and we ended up hiring a temp to do the mind-numbing job of copying and pasting hundreds of objects and nat rules across!
    • The GUI (smartdashboard
  • Well, as a current CCSE+ certified engineer,
    you do need to make sure you have a support contract, and companies like Nokia are perfect.
    (I'm tooting my own horn, since anyone who deals with Nokia support directly in the States and Canada, will have spoken with me at least once)

    There are lots of good resellers out there to help implement the solutions that Checkpoint provides, and there are others out there I would like to squash and remove their access contracts, but I just work there.

    Everyone who complain
    • I agree with this. I deploy whenever I have the choice, Checkpoint on Nokia. The reason is that I never make that recommendation without also pushing towards Nokia as the single source support contract.

      The latest versions of Checkpoint _finally_ have a logical GUI, it's actually quite remarkable. Addresses the age-old monster problem of finding out host->group->hosts relations. Trust me here, I spent literally months of time doing analysis of legacy Checkpoint installs to clean up and optimize ru

There is nothing so easy but that it becomes difficult when you do it reluctantly. -- Publius Terentius Afer (Terence)

Working...