North American Network Operators Group


Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1

  • From: Scott McGrath
  • Date: Thu Feb 05 14:39:49 2004

On PIXen and FWSM it is very easy to disable the evil NAT; all you
need is to enter the "nat 0" command in global configuration mode. This
allows the PIX to pass addresses untranslated.

The PIXen are still based on Intel hardware, but to the best of my
knowledge they have never had a HDD. I have worked with them since the
original PIX and PIX 10000; I attended the initial product announcement
seminar when they first came out.



                            Scott C. McGrath

On Thu, 5 Feb 2004, Crist Clark wrote:

>
> Martin Hepworth wrote:
>
> >
> > Alexei Roudnev wrote:
> >
> >> Checkpoint is a very strange brand. On the one hand, it is a _well known
> >> brand_, _many awards_, _editors' choice_, etc. etc. I know a network
> >> consultant who installed a few hundred of them, and it works.
> >>
> >> On the other hand, every time I have to deal with these beasts (we do
> >> not use them, but some of our customers do), I have the impression that
> >> it is the worst firewall in the world:
> >> - for HA, you need a very expensive Solaris cluster (compare with
> >> PIX-es) /I can be wrong, but it is the overall opinion/.
> >> - to change the VPN, you must reapply all policy, causing service
> >> disruption (I saw a 1 day outage due to an unsuccessful Checkpoint
> >> reconfiguration);
> >> - the VPN has numerous bugs (it is not 100% compatible with Cisco's by
> >> default; of course, I can blame Cisco, but Checkpoint is _the only_ one
> >> of my peers which has this problem);
> >> - the configuration is not packed in 1 single file, making change
> >> control difficult, etc. etc...
> >>
> >> All this is _very_ subjective, of course; but those customers who use
> >> Checkpoints are the only ones who had problems with firewalls. If I
> >> compare it with the plain, reliable and _very simple_ PIX (PIX is not
> >> state of the art, of course) and some others... I begin to think about
> >> Checkpoint as one more _brand bubble_. At least, I always advise
> >> _against_ it.
> >>
> >> PS. Security for dummies... interesting idea. Unfortunately, this book
> >> should start with _100% secure computer = dead computer_ -:)
> >> Why not? People really need such a book!
> >
> >
> > Of course 'back in the day' when Firewall-1 started and
> > [email protected] was *the* network security ML, PIX was an
> > utter pile of poo and F-1 was very nice, thank you.
> >
> > Now PIX is quite good,
>
> Is it still very counter-intuitive to set up a PIX to _not_
> do the eevul NAT? Is the PIX no longer PeeCee hardware underneath
> (I know they got rid of the HDD) so as not to bring NOs down to the
> level of the great unwashed throngs of desktop users?
>
> > and Firewall-1 has become the Microsoft of
> > firewalls - ie everywhere and not particularly well administered.
> >
> > Interesting how things change isn't it?
>
> At least Checkpoint had the sense to kill the FWZ VPN protocol
> early and go with IPsec. More than I can say for M$. Not that
> IPsec interoperability is fully realized. Checkpoint has its own
> proprietary icky tricks to try to sneak IPsec through NAT just
> like every other commercial vendor. But Checkpoint admins are the
> worst part: "I check the box to use IKE VPN but someone said that
> uses the ESP service. Which port number is that? I read port 50
> somewhere, but should I make it a TCP or UDP service?"
>
> The Checkpoint feature/bug that frustrates me is at the GUI
> level there is no association between a rule and an interface.
> To cover up this problem, there is the automatic "anti-spoofing"
> feature which is a bitch, if not impossible, to properly configure
> for a complicated topology.
> --
> Crist J. Clark                               [email protected]
> Globalstar Communications                                (408) 933-4387
>
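The two points raised in this exchange, passing traffic through a PIX untranslated ("nat 0") and the fact that ESP is an IP protocol rather than a port, look like this in PIX 6.x configuration. This is an added example, not configuration posted by anyone in the thread. On PIX 6.x the "nat 0" command takes the interface name in parentheses, and it has two forms: plain identity NAT (the inside hosts keep their addresses, but only inside-initiated connections are allowed) and NAT exemption via an access-list (matching traffic passes untranslated in either direction, which is what a site-to-site IPsec tunnel needs). The networks 10.1.1.0/24, 192.168.2.0/24, the peer 203.0.113.1, the outside address 198.51.100.1 and the ACL names NO_NAT and OUTSIDE_IN are placeholders chosen for this example.

```cisco
! Added example, not from the thread. PIX 6.x syntax; addresses and ACL
! names are placeholders.

! Default PIX behaviour: everything leaving "inside" gets translated.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Form 1: identity NAT. 10.1.1.0/24 keeps its addresses, but connections
! must still be initiated from the inside (higher-security) interface.
! Use either Form 1 or Form 2 for a given subnet, not both.
nat (inside) 0 10.1.1.0 255.255.255.0

! Form 2: NAT exemption. Traffic between the two sites matching NO_NAT is
! never translated, in either direction. "nat 0" entries are checked
! before the numbered "nat 1" rule above, so the exemption wins.
access-list NO_NAT permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! IKE is UDP port 500 (port literal "isakmp" on the PIX). ESP is IP
! protocol 50, not a port: it is matched by the protocol keyword "esp",
! never by "eq 50" on a tcp or udp line.
access-list OUTSIDE_IN permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
access-list OUTSIDE_IN permit esp host 203.0.113.1 host 198.51.100.1
access-group OUTSIDE_IN in interface outside
```

If the PIX itself terminates the tunnel, "sysopt connection permit-ipsec" lets decrypted IPsec traffic bypass the interface ACL, so the two OUTSIDE_IN lines are only needed when the ESP endpoint is a host behind the PIX or when that sysopt is deliberately left off.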