Educause Security Discussion mailing list archives

Re: Checkpoint 13500 Next Generation Firewall/Security


From: Timothy Pierson <Timothy.Pierson () LIVE COM>
Date: Mon, 8 Dec 2014 08:34:09 -0600

Ian,

 

The vendor has alluded to the traffic characteristics; however, after over two
months of their engineers and developers troubleshooting, they clearly
didn't have a clue, and the traffic explanation was not definitive at all.

 

I am trying to determine if others have experienced this problem and may
have input into what was done at their institution.  

 

I am being told by Checkpoint that no one in higher education is willing to
have the discussion and therefore cannot facilitate the contact.  This in
itself seems at odds with the way our community has historically worked.

 

Tim

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ian McDonald
Sent: Saturday, December 6, 2014 3:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Checkpoint 13500 Next Generation Firewall/Security

 

I've heard various excuses from various manufacturers where they claim that
our traffic, or our networks, are somehow 'different' from what they see
'anywhere' else. 

It isn't. It's streams of packets. Probably more concurrent streams than
their product was designed to handle, but nevertheless not unusual in
networks the world over, in academia and ISP land.

I suspect that in many cases we're taking products designed for super locked
down enterprise networks, with 'single mission' policies in place (which
contain consequences for many activities we actively encourage) and trying
to apply them to our 'multi-mission' open environments. There one finds that
we're walking a line, where we need enterprise features at ISP-like
performance levels (and vendors' products which probably normally play in ISP
land).

Has the vendor in question actually indicated what particular features of
the flows or patterns in your traffic are causing the product to become
impaired?

Best Regards, 

--
ian

Sent from my phone, please excuse brevity and/or misspelling.

  _____  

From: Timothy Pierson <mailto:Timothy.Pierson () LIVE COM> 
Sent: 05/12/2014 20:14
To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> 
Subject: [SECURITY] Checkpoint 13500 Next Generation Firewall/Security

Greetings,

 

I am not sure if this is the place to post this query, however it seems the
likely place to start.  We have purchased Checkpoint’s Next Generation
Firewall/Security Appliance. The model is 13500 and we have the 11 software
blade suite with application and DLP services.  

 

In early September we turned the application security blade service on and it
took our internet connection out, dropping the overall throughput from 750
Mbps to less than 50 Mbps.  Naturally this had us turning the application
service off and engaging Checkpoint.  After a couple of months, the issue,
albeit somewhat improved, is not resolved: it continues to
significantly throttle our throughput, with massive packet drop and an overall
inferior end user experience.

 

We are not performing any blocking; we have merely turned the software blade
feature on.  Checkpoint has not been able to resolve the issue, spent a
couple of months not even knowing what the problem was, and was sure it is
because of the unusual traffic patterns from our RESNET.

 

One of the things I asked was if there were any institutions with 14,000 or
more students, with a significant residence hall presence,
that were using the Checkpoint 13500, with the 11 security feature suite,
with application and DLP services.  Their response was that they did in fact
have customers; however, none of them would care to share their experience
with this product and feature set.  Knowing our constituencies, I am a
little skeptical of this, as I have never had a circumstance where there was
an unwillingness to share common experiences.

 

I would like to ask if anyone is using this product, configured similarly to
the above, and what your experience was, in hopes of hearing of a workaround or
fix.  The feeling is that the resnet traffic, which is 29% Netflix and 24%
software downloads (gaming, MS, Apple or other updates), and other student
behavior is at the root of the Checkpoint system going "belly up" under
minimal load.

 

I would appreciate hearing within this forum or privately, from anyone who
might have some experience with this product.

 

Thank You,

 

Tim Pierson

DCIO

Tenn Tech University

 
