North American Network Operators Group
Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1
Checkpoint is a very strange brand. On the one hand, it is a _well known brand_, _many awards_, _editors choice_, etc etc. I know a network consultant who installed a few hundred of them, and it works. On the other hand, every time I have to deal with these beasts (we do not use them, but some of our customers do), I have the impression that it is the worst firewall in the world:

- for HA, you need a very expensive Solaris cluster (compare with PIX-es) /I can be wrong, but it is the overall opinion/;
- to change VPN, you must reapply all policy, causing service disruption (I saw a 1 day outage due to an unsuccessful Checkpoint reconfiguration);
- VPN has numerous bugs (it is not 100% compatible with Cisco's by default; of course, I can blame Cisco, but Checkpoint is _the only_ one of my peers which has this problem);
- configuration is not packed in 1 single file, which makes change control difficult, etc etc...

All this is _very_ subjective, of course; but those customers who use Checkpoints are the only ones who have had problems with firewalls. If I compare it with the plain, reliable and _very simple_ PIX (PIX is not state of the art, of course) and some others... I begin to think about Checkpoint as one more _brand bubble_. At least, I always advise _against_ it.

PS. Security for dummies... interesting idea. Unfortunately, this book should start with _100% secure computer = dead computer_ -:) Why not? People really need such a book!

----- Original Message -----
From: "Suresh Ramasubramanian" <[email protected]>
To: <[email protected]>
Sent: Thursday, February 05, 2004 8:56 AM
Subject: Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1

> >>>>> "Dan" == Ingevaldson, Dan (ISS Atlanta) <[email protected]> writes:
>
> Dan> http://xforce.iss.net/xforce/alerts/id/162
> Dan> http://xforce.iss.net/xforce/alerts/id/163
>
> You know, I'm quite allergic to that word "checkpoint". Perhaps I'm
> completely wrong here, but ..
>
> Might be a good idea to deploy openbsd firewalls instead of expensive
> and buggy stuff like Checkpoint :)
>
> Anything which reduces "security" to point and click on a cute web or
> other GUI interface is dangerous... allows untrained and completely
> dumb people to brand themselves "firewall admins". Like the "admin"
> at a now defunct Indian ISP where my former employer had several
> machines colocated.
>
> That idiot basically saw lots of inbound traffic to port 22 on our
> machines, didn't know what the hell that was, and firewalled port 22
> across the ISP's network.
>
> Getting locked out of all my ssh sessions, having to drive 20 km to
> the datacenter, and then having to reset the block myself while my
> boss was still arguing with the "admin" was kind of an interesting
> experience, I must say.
>
> Yes, his checkpoint management console, running on an unpatched hp/ux
> 10.2 machine, was up and running, and we just walked right into the NOC
> to argue with him. That made it quite easy to click the right buttons
> while the guy stood up to call his supervisor in to try to convince us (me
> and my boss) that yes, he knew what he was doing, he had an MCSE and a
> CCNA after all, etc.
>
> Is there some really good "network security for dummies" book that I
> can point such people at? Telling them to google doesn't do much
> good, I fear :(
>
> srs
>
> --
> srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
> manager, outblaze.com security and antispam operations