North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1

  • From: Crist Clark
  • Date: Thu Feb 05 14:06:57 2004

Martin Hepworth wrote:

Alexei Roudnev wrote:

Checkpoint is a very strange brand. On the one hand, it is _well known
brand_, _many awards_, _editors choice_, etc etc. I know network consultant,
who installed few hundred of them, and it works.

On the other hand, every time, when I have a deal with this beasts (we do
not use them, but some our customers use), I have an impression, that it is
the worst firewall in the world:
- for HA, you need very expansive Solaris cluster (compare with PIX-es) /I
can be wrong, but it is overall opinion/.
- to change VPN, you must reapply all policy, causing service disruption (I
saw 1 day outage due to unsuccesfull Checkpoint reconfiguration);
- VPN have numerous bugs (it is not 100% compatible with Cisco's by default;
of couse, I can blame Cisco, but Checkpoint is _the only_ one of my peers
which have this problem);
- Configuration is not packed in 1 single file, so making difficult change
control, etc etc...

All this is _very_ subjective, of course; but - those customers, who uses
Checkpoints, are the only ones who had a problems with firewalls. If I
compare it with plain, reliable and _very simple_ PIX (PIX is not state of
art, of course) and some others... I begin to think about checkpoint as
about one more _brand bubble_. At least, I always advice _against_ it.

PS. Security for dummies... interesting idea. Unfortunately, this book
should start with _100% secure computer = dead computer_ -:)
Why not? People really need such book!

Of course 'back in days' when Firewall-1 started and [email protected] was *the* network security ML, PIX was an utter pile of poo and F-1 was very nice thankyou.

Now PIX is quite good,
Is it still very counter intuitive to set up a PIX to _not_
do the eevul NAT? Is the PIX no longer PeeCee hardware underneath
(I know they got rid of the HDD) so not as to bring NOs down to the
level of the great unwashed throngs of desktop users?

and Firewall-1 has become the Microsoft of firewalls - ie everywhere and not particularly well administratored.

Interesting how things change isn't it?
At least Checkpoint had the sense to kill the FWZ VPN protocol
early and go with IPsec. More than I can say for M$. Not that
IPsec interoperability is fully realized. Checkpoint has its own
proprietary icky tricks to try to sneak IPsec through NAT just
like every other commercial vendor. But Checkpoint admins are
worst part, "I check the box to use IKE VPN but someone said that
uses the ESP service. Which port number is that? I read port 50
somewhere, but should I make it a TCP or UDP service?"

The Checkpoint feature/bug that frustrates me is at the GUI
level there is no association between a rule and an interface.
To cover up this problem, there is the automatic "anti-spoofing"
feature which is a bitch, if not impossible, to properly configure
for a complicated topology.
Crist J. Clark                               [email protected]
Globalstar Communications                                (408) 933-4387