Essential Check Point Firewall-1 NG 149
| Essential Check Point Firewall-1 NG - An Installation, Configuration, and Troubleshooting Guide | |
| author | Dameon D. Welch-Abernathy |
| pages | 647 |
| publisher | Addison-Wesley |
| rating | 9/10 |
| reviewer | Raymond Lodato (rlodato AT yahoo DOT com) |
| ISBN | 0321180615 |
| summary | An excellent guide to the ins and outs of configuring Check Point's FireWall-1 NG product, with a guide to the foundations of a good security policy. A 'must read' for any Check Point firewall administrator. |
Phoneboy (nee Dameon Welch-Abernathy) has proven himself to be extremely knowledgeable about Check Point's FireWall-1 product. In October of 2001, he produced a book (Essential Check Point FireWall-1, Addison-Wesley, 2001) that helped to clarify the vast amount of information collected over the years through the mailing list and the website. Shortly after the book was published, Check Point saw fit to render it almost obsolete by releasing FireWall-1 NG. The new version of Check Point's flagship product was so different, you almost had to start from scratch to understand it. Dameon has taken the necessary next step and updated his original book. The new book, Essential Check Point FireWall-1 NG, (Addison-Wesley, 2004) now covers all existing versions of NG, up to and including NG with Application Intelligence (NGAI).
When you first open the book and look at the Contents pages, two things will strike you. The first is that the Contents page starts with "Frequently Asked Questions." Anyone who has spent any time on technical websites knows that Frequently Asked Questions (or FAQs) are the first place to look to gather the nugget(s) of wisdom you need. The fact that Dameon has included a large list of FAQs in the book makes it valuable for quickly addressing the typical problems and questions an administrator faces. The second thing you will note is that he does not start describing anything about FireWall-1 itself until late into Chapter 2. He takes the time to lay the foundation of what a firewall is, as well as what a good security policy is, and why it's so important to get one and get it right.
As I read through the book, I was pleased to see that Dameon followed one of the cardinal principles of good presentation: tell them what you're going to say, say it, then tell them what you said. Each chapter outlines what you will know by the end, teaches you what you need to know, then summarizes it. Dameon writes in a style I would call clear but not condescending. It takes someone who not only knows his subject well, but understands his audience well, to walk the fine line between the two. Dameon shows his chops by treading that line like a tightrope walker.
Each chapter contains carefully organized information with numerous figures and screen shots interspersed, to keep the text understandable. Starting in Chapter 4, Dameon also includes selected FAQs culled from the many available on his website. I found this much more valuable than collecting them at the end of the book in one gigantic haystack that you needed to search for that one precious needle. Later chapters include sample configurations to clarify the concepts just described. This makes Essential Check Point FireWall-1 NG useful as a teaching resource, as well as a general reference to the product.
While the chapters in the book follow a logical progression, each building on the prior information, Dameon made sure that most chapters (and even sections within the chapters) could stand alone. This means you can pick and choose what you want to read. For example, if you needed to focus on FireWall-1 on IPSO, you don't necessarily have to worry about what was written about Solaris. The information on IPSO would repeat enough information that you wouldn't have to refer to previous pages. Even so, Dameon provides back references when repeating the information would be too cumbersome.
I did notice that Dameon varied the amount of detail used throughout the book. Sometimes he uses a high-level approach, and sometimes he goes into excruciating detail. Unfortunately there were a number of places I wanted him to provide more detail, only to have him skim over the treetops. While he does explain up front that this book was supposed to cover the essential information, covering some areas in detail just whets your appetite for that same amount of detail in all areas.
One other quibble I have revolves around the figures used in his examples. It becomes obvious that this book evolved over a period of time (I believe he took around a year to get this edition put together). Some figures apparently came from an earlier version of the book, as the text referred to something else. One example occurs in Chapter 8 (User Authentication). Dameon's sample configurations are written in a "follow-me" style. One sample configuration has the text "Next, create the group WebAdmins and add bob and dan to this group." If you followed his directions and then referred to the sample rule base in the figure on the next page, you would see that the group is named DMZAdmins instead of WebAdmins. (And the specs given for the same sample configuration specify that S/Key will be used, yet the figure showing the Authentication tab clearly has S/Key un-checked.) Little inconsistencies like this should have been picked up on the proofreading. Their existence mars an otherwise excellent book.
Overall, Essential Check Point FireWall-1 NG is aptly named: essential. If you are responsible for the care and feeding of Check Point's FireWall-1 software on any platform, you need to get and read this book. It's definitely going to stay within arm's reach on my desk.
You can purchase Essential Check Point Firewall-1 NG from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Well written. (Score:1)
Arms reach on the desk? (Score:4, Insightful)
Excellent Question!!! (Score:4, Insightful)
The answer is NO! As security techs change the way they handle threats, from the borders and internally FW config and management is currently changing rapidly. Infact CheckPoint is now offering in-line IPS. This better layerd/mesh approach to security does chage what you need to do on your borders and how you do it. Coupled with node/desktop firewalls, current stratergies will change.
Re:Excellent Question!!! (Score:1, Troll)
Every time the VP rekeys this stupid box blocks out half my laptop's screen for five fucking minutes and does nothing. For some reason the jerk off who designed the piece of utter shit client decided to lock that area of the screen while the client does nothing.
Eventually the box asks me to select a certificate to log in to the VPN. Well guess what? Its the same one as I used last time the piec of turd asked the same quest
Re: (Score:3, Informative)
Slashdotted already (Score:4, Funny)
Given the Slashdotting, the past tense used in the article is actually very appropriate.
Re:Slashdotted already (Score:1)
Props, but... (Score:2, Insightful)
How about an OpenBSD firewall guide book, eh?
Re:Props, but... (Score:3, Insightful)
Third-party books are frequently better than the documentation provided by the company, as the third-party is more apt to give you tips and tricks and hacks to get the job done, rather than going on about how great a product it is.
Re:Props, but... (Score:2)
Third-party books are frequently better than the documentation provided by the company
I've yet to find a book, which is as good as the OpenBSD man pages.
Leave the commercial World behind, read the PF man page [openbsd.org] and discover what you've been missing out on.
Re:Props, but... (Score:1)
Not to mention the fact that, however good OpenBSD may be, there simply aren't enough commercial authors on the subject to really promote competition and encourage authors to put out *QUALITY* books.
But there are some companies that provide great man pages...Legato, for example.
Again, this is mainly documentation, such as "this command does this and has these options", whereas commercial books generally have that and ways to hack apart the product to get the j
Re:Props, but... (Score:2)
That's why I said, "Leave the commercial World behind".
Not to mention the fact that, however good OpenBSD may be, there simply aren't enough commercial authors on the subject to really promote competition and encourage authors to put out *QUALITY* books.
Have you read any of the books?
I have almost all of them.
One of them is very high quality, as far as grammar goes and all of them are very high quality as far as technical details go.
But, who needs books,
Re:Props, but... (Score:1)
regardless, it sounds like you're contradicting yourself a bit. we both seem to agree that some man pages rock (like books, some more than others). and you say yourself you've got great openbsd books.
You said, "who needs books, when you have such fantastic man pages!?" Apparently you did.
If the manpages have all that you need, why would you consider the books that you own great, rather than just a rehash of the manpages? Clearly yo
Re:Props, but... (Score:2)
; ) No, I just love OpenBSD. I like all the big free BSD's.
regardless, it sounds like you're contradicting yourself a bit. we both seem to agree that some man pages rock (like books, some more than others). and you say yourself you've got great openbsd books.
You said, "who needs books, when you have such fantastic man pages!?" Apparently you did.
I purchase BSD related books when they come out, to encourage the publishing of fur
Re:Props, but... (Score:5, Insightful)
You're shelling out $50k for the software but complain about a $40 book? Personally I would rather buy a 3rd party book than one from the software maker as they have to compete to explain the topic to the user.
Re:Props, but... (Score:1, Offtopic)
I really hate buying hardware and then guys like LinuxAnt being the only ones selling drivers for it. I know these guys gotta eat, but I'd hate to pay $20 on drivers for a $50 piece of hardware!!
Re:Props, but... (Score:2)
Uh, if I were shelling out $50,000 for any software, I would complain that the software didn't include so much as a $40 book. If I were a Checkpoint customer I would seriously wonder why they don't include Phoneboy's book with the software, and/or why they aren't paying him for his book.
Re:Props, but... (Score:2)
I hope you bought some consultant time as well. Commercial FWs are nothing to play with for the inexperienced. Pay the consultant (and buy the freakin $40 book) and pay extremely close attention to the consultant, and pump for info (that's what you're paying him for) Odds are, he'll do it wrong, but you won't be 100% vulnerable. (Now there's a confidence statement!)
(FYI - current external access from my node is pure port 80
Re:Props, but... (Score:3, Funny)
Don't worry, if you get stuck or locked out of your firewall you can call up the Mossad for tech support. *ducks away from the ensuing firewall geek flamewar*
Re:Props, but... (Score:3, Insightful)
There is a difference in "how" to use something, i.e. what the levers and dials do, and the art, craft, and wisdom is in applying those dials and levers.
My table saw manufacturer is obliged to provide me with a manual explaining the proper and safe use of the device. He is not obliged to tell how to apply the device specifically to the making a grandfather clock and a Shaker trestle t
Re:Props, but... (Score:3)
Well, this sort of sounds better than saying:
if I'm paying $$$ for software, I don't wanna have read a book to tell me how to use it
Which is not what you said, but it is what it reminded me of
Re:Props, but... (Score:2, Informative)
I'll give you three. And a website to cap them.
"Building Linux and Openbsd Firewalls", by Wes Sonnenreich and Tom Yates. Published in February, 2000. Dated, both Linux and OpenBSD have gone through too many changes for this to be an "in the trenches" reference. It's a decent view from 30,000 feet.
"Absolute OpenBSD", by Michael Lucas. Published in June, 2003. Its ISBN is 1886411999. Covers OpenBSD 3.2, so it's relevance to 3.4 is high. Has a few typos which do not seriously mar the content.
Re:Props, but... (Score:2)
I work for an MSSP and regularly deal with Checkpoint. It is also good to get an independant source for tips about Checkpoint. To put it simply, Checkpoint support is sometimes less than helpful.
Re:Props, but... (Score:1)
Re:Props, but... (Score:2)
Some books. [openbsd.org] The first two are appropriate, however Building Linux and OpenBSD Firewalls is really out of date.
The FAQ. [openbsd.org] Is very nice.
Or the best reference there is! [openbsd.org] Constantly up to date. Print it out, read it, use PF, never ever look back.
Especially on your fully state synced [openbsd.org] redundant PF firewalls. [openbsd.org]
Shorewall (Score:1, Offtopic)
i must say that i really like the idea of phoneboy.com being TWiki....just allows for such a broader range of information from people.
Since i can't read the Ma Bell site from the previous article, i'll go check this out for the afternoon.
Re:Shorewall (Score:2, Offtopic)
Then I'm sure you'll enjoy reading the PF Example : Firewall for Home or Small Office [openbsd.org] from the very good PF FAQ [openbsd.org].
One of the reasons for using OpenBSD to replace my Linux firwall, was the very readable PF firewall rules. To be honest, IPtables rule syntax sucks, and projects like Shorewall is a testament to that.
Re:Shorewall (Score:2)
"pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state"
How is this syntax -more- readable? Unless you know what your doing, both will look like absolute garbage! If you know what you're doing, you shouldn't be worrying about syntax. Choose the product that performs what you need, whatever it is.
I personally like netfilter/iptables because of its excellent extensions. They make Linux a very powerf
Re:Shorewall (Score:2)
You mean that "same" IPtable rule
"iptables -A INPUT -i $ext_if -p tcp --tcp-flags SYN,ACK SYN -s $any_addr -d $ext_if_addr -dport $tcp_services -m state --state NEW -j ACCEPT"
is more readable?
Re:Shorewall (Score:2)
iptables -A INPUT -p tcp -s $any_addr -d $ext_if_addr -dport $tcp_services -m state --state NEW -j ACCEPT
iptables -A INPUT -m state ESTABLISHED,RELATED -j ACCEPT
What I am saying is that both systems look intimidating to those who don't know about firewalls, and those that know about firewalls shouldn't care about syntax anyways.
Re:Shorewall (Score:2)
If you know what you're doing, you shouldn't be worrying about syntax. Choose the product that performs what you need, whatever it is.
You mean that "same" IPtable rule
"iptables -A INPUT -i $ext_if -p tcp --tcp-flags SYN,ACK SYN -s $any_addr -d $ext_if_addr -dport $tcp_services -m state --state NEW -j ACCEPT"
is more readable?
Wow, I knew iptables rules were terse, but that's just ridiculous compared to
Re:Shorewall (Score:2)
How is this syntax -more- readable? Unless you know what your doing, both will look like absolute garbage!
Actually, it is English.
Pass packets coming in on the external interface as long as they are tcp protocol, from any IP specifically sent to our external interface (not just subnet noise) and as long as they are tcp services (ports) that we want, when the SYN flag in the tcp flags is ON (S/SA) and allow
NG? (Score:4, Funny)
My experience (Score:3, Interesting)
Anyways, I was astounded at the fine level of detail that one could control the packets in that FW product. We immediatelly proceeded to deploy Checkpoint in our production Solaris 3 environment. We found the network configuration to be easy and the core install of Solaris 3 satisfied all the requirements.
Little did I know that the product was not yet mature and optimized to deal with the large traffic in our organization. FTP and Gopher services crashed around our ears as we ran around like headless chickens. We deduced right away that it was checkpoint and went back to our original configuration.
Oh, how we laughed after that incident. It sometimes still makes me snicker.
Which is nice.
With a name like Dameon... (Score:1)
Re:With a name like Dameon... (Score:3, Interesting)
Here is my explanation on the name PhoneBoy. Since I'm not interested in increasing the slashdot effect on my site, I'll post the relevant bit here:
For those who care, the name PhoneBoy was given to me by one of the hosts of Radionet Talk Radio [archive.org], a radio show I used to work on in 1996. I used to screen calls for the show. The host forgot my name one day and called me PhoneBoy jus
Thank you for the slashdotting of my webserver (Score:5, Funny)
Re:Thank you for the slashdotting of my webserver (Score:1)
Re:Thank you for the slashdotting of my webserver (Score:1)
sorry about that
Buy the book!!!! (Score:4, Funny)
Re:Buy the book!!!! (Score:5, Funny)
-- PhoneBoy
Re:Buy the book!!!! (Score:2)
Re:do checkpoint customers even use the fancy feat (Score:1, Insightful)
> One has to wonder how many check point firewalls could be
> reaplced with a freebsd box, two nics, and ipfw with dummynet.
Probably a lot of them, if you were willing to dedicate an administrator per firewall to configure, monitor, and maintain it. That person would need to go through a bunch of Unix/BSD training beforehand. And, if that person ever left that job, you would need to replicate that process.
The key to commercial firewalls, like Netscreen and Check Point, is the easy graphical interfa
Re:do checkpoint customers even use the fancy feat (Score:2, Informative)
Replacing them with just a box and a few NIC's is a lot different than having a full fledged router in place with Checkpoint loaded on it. Once you've tried both, you'll know what I mean...
--Gr@ve_Rose
Re:do checkpoint customers even use the fancy feat (Score:1)
Sorry Checkpoint, but some machines are go
Re:do checkpoint customers even use the fancy feat (Score:1)
Re:do checkpoint customers even use the fancy feat (Score:1)
Also I am currently running checkpoint NG with AI and ClusterXL on 2 Linux fround ends with fiber GIG-E cards in them. They run either in a load-balenced setup or HA.
VPN is easy to setup and very standard, much better that it used to be.
There is actully tons of
Essential text and web site for FW-1 admins (Score:4, Insightful)
Shorter Essential Checkpoint Administration (Score:5, Funny)
Step two: load CheckPoint onto trebuchet.
Step three: launch CheckPoint into Low Earth Orbit, or at least into the neighbor's hedges.
Step four: install an OpenBSD box with two ethernet interfaces and configure PF.
(Step four can alternatively be replaced with Linux/Netfilter, FreeBSD/IPF or Solaris/IPF -- whatever your poison is.)
But I'm only bitter because I was stupid enough to buy into CheckPoint's snake oil. Fool me once, shame on me, etc -- that goddamn thing cost me close to six months of time that could have been productively spent doing just about anything else. Never, ever again.
(Okay, just for kicks, here's an actual tidbit of useful Checkpoint info: There's a Rule Zero. It doesn't appear in the rules screen. It's probably not doing what you think it's doing.)
Re:Shorter Essential Checkpoint Administration (Score:2)
Can someone fill me in to why checkpoint is technically inferior to the likes of iptables?
Re:Shorter Essential Checkpoint Administration (Score:1, Informative)
I'll buy that.
That netfilter/iptables+variousoOSSadded stuff can't do a 10th of what checkpoint can do, that I dispute.
Name some?!! There are a few integrations that checkpoint has already handled radius authentication etc, but often those integrations are erratic and can be integrated into a linux or openbsd firewall.
Also tieing your firewall device and your VPN device together on a checkpoint is problematic as well, case in point the recent isakmp vulnerability.
Re:Shorter Essential Checkpoint Administration (Score:2, Interesting)
But... Checkpoint is a huge pain, I agree. It is arguably the most bloated software product in history. That's why I recommend Netscreen -- the nice management of Checkpoint with rock-solid
Re:Shorter Essential Checkpoint Administration (Score:2)
I can tell you, with authority, that I know that the two largest banks in my country, have at least used OpenBSD on some of their perimeters.
I say "at least" because I haven't seen all the perimeter firewalls and I say "used" because my info is about 2 years old. My guess, is that they use them on all, to this day, but I can't say for certain, I can only go off what internal software developers I still know have told
Re:Shorter Essential Checkpoint Administration (Score:1)
I do not disagree. Often though, companies discourage such homegrown solutions because:
What's realistic for one admin, might be unrealistic for another.
So what happens when the admin with the homegrown solution leaves the company? Hopefully they trained others on
Re:Shorter Essential Checkpoint Administration (Score:2)
What's realistic for one admin, might be unrealistic for another.
They must not have much faith in admin candidates then or the current admins documentation skills or willingness. I know there are a lot of bad admins, but a company who typically goes to trouble to find a good admin, is willing to get one that provides real solutions (that work until someone pulls the plug) and documentation.
I have worked for companies,
Re:Shorter Essential Checkpoint Administration (Score:1)
Cisco. At least a couple years ago; I haven't dealt with them much lately. But their TAC (Technical Assistance Center) was outstanding.
You are describing crappy admins and crappy managers.
Precisely. I wish everyone did their jobs competently. I also wish for world peace. I don't expect either to happen any time soon.
I don't work for companies managed by such people.
Not everyone has that luxury.
From
Re:Shorter Essential Checkpoint Administration (Score:2)
Fair enough.
Precisely. I wish everyone did their jobs competently. I also wish for world peace.
Me too. [sigh] I was looking at that pic of Earth from Mars and thinking, what the hell are we doing to ourselves and our planet. We are mostly blessed by our natural luck and yet completely cursed by ourselves.
From names like Novell, Microsoft and CA.
Aren't these companie
Re:Shorter Essential Checkpoint Administration (Score:2)
I'm not a great fan of FW-1, but it's a shame that whoever plunked down the cash for the software didn't also pay for some training for you; that snippet would have been covered in the basic course.
--
Re:Shorter Essential Checkpoint Administration (Score:2)
No, I tried to make SecuRemote work as advertised. (Or, really, at all.) Silly me.
(The rule zero comment was a throwaway line to appease the moderators; you may safely assume that I did in fact read the documentation and knew what I was doing.)
I'll happily concede that there are situations in which a commercially supported firewall with central management and deployment capability are a better choice than a unix box with a bolt
Re:Shorter Essential Checkpoint Administration (Score:2)
I find comments like this, about Unix, hilarious. In Unix, the limit is YOU and your knowledge, intelligence and immagination.
PF is welded (very carefully) into the OpenBSD kernel. It is not "bolted on". A good packet filter is one of the most important parts of OpenBSD, and PF and the rest of the ker
Re:Shorter Essential Checkpoint Administration (Score:2)
Wow, there are certainly [cvshome.org] no [samba.org] tools [cfengine.org] at [openssh.com] all [perl.org] that I could think of that would help me do that...
To quote one of my favorite legendary assholes: "This is unix. Stop acting so helpless."
(In all seriousness: yes, there are probably plenty of cases where there's no business case to be made for rolling your own system, and where Checkpoint's management console or a similar tool is probably a good choice.)
What i
Quality product. (Score:1, Interesting)
A Checkpoint story (Score:5, Interesting)
We purchased hardware and software through a reseller. My predecessor placed the order, so I came in knowing very little about what we had purchased. I was given the server and an activation code for the software.
I activated it, and found that I was unable to download anything. We had no support contract. I sent off some nasty e-mails to the vendor, and we had an installation CD a couple of days later.
Well, it turns out that the installation CD was old. Shouldn't be a big deal, right? Well, it was. Although we could install the software, we couldn't use any of the management tools. The Windows-based management tools, I should add. For a Linux product.
Conference calls with Checkpoint, more nasty e-mails, we find out that our support contract was never entered. I blame this solely on the vendor, not Checkpoint. Once that went through, we were able to download the needed software from Checkpoint.
Sounds like the problem is resolved, right? I hope so, but I won't know for a few days, as we had to reschedule a network shutdown because of this incompetence. While I blame most of this on the vendor, you have to wonder what sort of approval process the vendors have to go through to become resellers, and why Checkpoint would ever allow such idiots to resell their product.
While I'm pointing fingers, here are some other things to think about:
Checkpoint could easily have allowed us to download a product which we had already purchased, and is available to customers with a support contract.
Tech support could have answered our questions very quickly, if they would have talked to us.
They could have FAQs with this information on their web site.
The FAQs that they do have could have been in a format that is readable from a console (everything is PDF).
Red Hat 7.3 is the latest version of Linux they support. With a kernel that doesn't come standard.
I admin many older Checkpoint boxes, which unfortunately run on Windows NT 4. I inherited them. After the crap I have been through dealing with Checkpoint, I am considering staying with them until I find a better solution. Why should we have to pay thousands of dollars a year just to be able to patch these things? Why are the FAQs useless? Why can't these people get a clue?
Just FYI, I've been using Linux since before it was 1.0, and I have no problem with configuring firewalls and the like. And I also know that Cisco pulls stupid crap like this, too. Now for the fun part - I have a hell of a lot of purchasing power at a very large consulting firm, and as far as I am concerned, we are done with Checkpoint.
You hear that, Checkpoint? Over 70,000 employees, and I can't count how many support contracts. I'm going to do what I can to make sure we never send you another dime.
Re:A Checkpoint story (Score:2)
Re:A Checkpoint story (Score:2)
Re:A Checkpoint story (Score:2)
One note -- the version of Redhat that they last supported _is_ 7.3, but it's far more convienient to run SecurePlatform. That's Checkpoint's own Linux distribution -- a pretty slick little toy, IMHO. It should install nicely on most modern
Re:A Checkpoint story (Score:2)
As to your comment about not discounting Checkpoint becuase of the reseller - I had many conference calls with Checkpoint, and they were all useless. As far as I am concerned, most of the company is useless. 90% Of this problem would be solved with good FAQs on their website.
Re:A Checkpoint story (Score:2)
I wholeheartedly agree with you there -- and with your point about Tech Support. Do yourself a favor, though, and find out who your region's Sales Engineer is... They can answer questions frontline support can't. Plus, for a 70,000 employee company, they would agree to sit in your front pocket and print up fresh $20 bills for you if they thought it would sell more product, trust me.
Re:A Checkpoint story (Score:2)
Re:A Checkpoint story (Score:2)
I don't care who the region's sales engineer is. Checkpoint is gone.
If you have to get into bed with the region's sales engineer to get the the service you need, you need to jump ship because when you really need it, he's gonna be long gone.
Re:A Checkpoint story (Score:1)
You think it's bad now, you should have seen the early days of FW-1, like when they first started supporting "non Sun" platforms; NT, HP/UX, AIX. I don't know if they still support those "other" *IXes, but it sounds like business as usual with their half-ass tech support.
"NG" does n
Re:A Checkpoint story (Score:3, Insightful)
I have several issues with FW-1, however the main one must surely be the crappy "support" and the "buy now, pay forever" attitude to it that many companies now adhere to, namely that no support = no software updates. Quite frankly for a firewall company to deny you patches for their product if someone discovered a vulnerability ("TEST="
Re:A Checkpoint story (Score:2)
Have you got any more information on that? That appears to be a serious vulnerability that I hadn't previously heard about... Securityfocus.com's vulndb doesn't seem to know about it, either.
--
Re:A Checkpoint story (Score:2)
That's probably the biggest reason why support is lacking for RedHat 8 and 9. (Of course, the security frameworks that have been provided don't seem to be in use as alternative methods. Not sure what the deal with that is.)
go here (Score:4, Informative)
Re:go here (Score:3, Insightful)
PF: The OpenBSD Packet Filter [openbsd.org] shows that it is possible to have a very powerful packet filter with easily understandable and readable filter rules. Smoothwall has a following because the IPtables firewall scripts quickly becomes unreadable and hard to understand with it's sucky syntax.
Re:go here (Score:3, Insightful)
Oh yeah, and how do you efficiently manage your smoothwall firewalls after you deploy 50 of them?
It's just the same ugly packet filter with more makeup.
Re:go here (Score:2)
Smoothwall was never intended to be an enterprise type of firewall. But yes, it's still the same ugly packet filter at the bottom.
Re:go here (Score:2)
If you need more then by all means, do more...
Firewall-1 has its place (Score:4, Insightful)
Not everyone needs Firewall-1. But as the number of firewalls you manage goes up, the management features of Firewall-1 really come into their own.
Firewall-1 also assists in reaching the desired level of abstraction where your ruleset stops describing your network topology and starts describing your network policy.
The difference is hard to appreciate until you have worked with both for a while.
Mostly Okay (Score:4, Insightful)
- High Availability of management stations
- Coverage of Provider-1, SiteManager-1 installations and the differences between them and the traditional management method
- More detail on Checkpoint log servers (specifically CLMs and what they can and cannot do, including where they should typically be deployed and in what sitations)
- Handling, munging, searching, and maintaining log files for Checkpoint products (there are scads of logfiles available, and some are quite hidden)
- Steps to take to verify proper operation of a Firewall-1 node, including performance tuning ("fw ctl pstat" and how to read it, basically)
- Using Checkpoint State Synchronization with AND without Checkpoint Clustering, and how to troubleshoot it
- More information about tuning and maintenance of SmartDefense (the IPS features of Firewall-1) paying attention to "protocol gotchas" that can be eliminated through altering its configuration
- A tutorial for the new Checkpoint administrator about all the different types of licenses with which one can and will deploy as part of a standard installation
- The mentions of SecureRemote (the Client-to-LAN VPN built in to Checkpoint Firewall-1) are lacking in many respects -- for example, there is little mention of Secure Configuration Verification, Visitor Mode/Office Mode, IP address assignment mechanisms (there are many), etc.
- More detail in the following areas: CIFS blocking, Exchange/Windows RPC custom handling, integration with URL filtering via UFP, differences between the FTP/FTP_BASIC methods, etc.
Of course, I suppose 80% of the administrators that would buy this book don't care one bit about these details if they're only running a couple of standalone Firewall-1 boxes. The funny thing, though, about companies that buy a product as expensive as Checkpoint Firewall-1 is that they tend to expand their investment in the product fairly rapidly -- if they buy enough of it up front to be a serious investment. For those administrators, it's the type of information like the above that is really missing. What's a shame is that it's also generally missing in Checkpoint's own documentation.Checkpoint, but Wow Phoneboy (Score:2, Interesting)
"PhoneBoy" was our light in the dark and only good source of info indeed. So:
- If you don't have CP, don't buy it. If only because Israeli security software named "Checkpoint" is rather cynical given the way they treat Palestinians.. also because technically it's a monstrum.
but..
- If you *do* have CP: buy *any* and all new books PhoneBoy publishes on the subject!
Oy (Score:1, Interesting)
Unfortunately, mgmnt decided to run them on NT 4 Server instead of Solaris or even Linux (this is from 2000 - 2002). (CheckPoint was originally a Solaris product ported to Linux and eventually Windows).
It sucked HARD on NT - in particular because NT 4 had no native ability to limit file size, and the Checkpoint logs grew exponentially if you happened to be a few co
I dumped CP for iptables. (Score:1, Offtopic)
The shitty documentation didn't help Checkpoint. And the remote admin tools were pants too.
Re:I dumped CP for iptables. (Score:1)
Nice review (Score:2, Funny)
An oasis for someone drowning in the sea of...? (Score:3, Informative)
Sincerely, /. style nazi
Why is this book being reviewed anyway? (Score:1)
Sigh...
Anyone care to comment on... (Score:1)
Phoneboy (Score:2)
Stors spews forth:
- Check out phoneboy's stuff for details on FTP configuration. You used to write/patch in some custom inspect to get it to work right in some configurations. i.e. the Policy Editor is not enough.
- During testing, tcpdump/ethereal are your friends. Also if you're new to all this and you're doing static translations, you might need to get used to futzing with the translations configuration stuff (sr
Yuck (Score:1)
My take on CP (Score:1)
When I'd peddle CheckPoint, several of our clients would just laugh and say, "For that price, I'll buy hardware and load OpenBSD's pf." Can't say I blamed them.
There are times, however, in which CheckPoint can really make your life easier. For example, youc can easily (for better or worse) push a policy to multiple endpoints. The graphical logs are cool also.
Sales re
Re:My take on CP (Score:2)
OpenBSD, PF, pfsync and carp.
Don't know whether it is easier or not, but it's bound to be cheaper. Especially if you read the doco and understand it.
OpenBSD does not need sales reps. It gets by on merit alone. So why not go check out why this is! [openbsd.org]
My beefs with Checkpoint (Score:2)
This book is needed by so many out there.. (Score:1)
you do need to make sure you have a support contract, and companies like Nokia are perfect.
(I'm tooting my own horn, since anyone who deals with Nokia support directly in the States and Canada, will have spoken with me at least once)
There are lots of good resellers out there to help implement the solutions that Checkpoint provides, and there are others out there I would like to squash and remove their access contracts, but I just work there.
Everyone who complain
Re:This book is needed by so many out there.. (Score:1)
The latest versions of Checkpoint _finally_ have a logical GUI, it's actually quite remarkable. Addresses the age-old monster problem of finding out host->group->hosts relations. Trust me here, I spent literally months of time doing analysis of legacy Checkpoint installs to clean up and optimize ru
Re:Get a real firewall! (Score:1)
The company I work for first built a stateful iptables based firewall with TCP/UDP session offl