Educause Security Discussion mailing list archives

Re: Checkpoint 13500 Next Generation Firewall/Security


From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Mon, 8 Dec 2014 15:21:41 +0000

No experience with checkpoint but I'll share some observations.

 

When we first attempted to install a network IPS system around 2002-2003, the
product crashed immediately when we put traffic through it. The vendor was
unable to get it to work in our environment even though it was used in
corporate environments.

 

A year or two later, we tried again and were successful with the stability
of several products including the original one we tested.  It appeared,
however, that the products were impacted in our environment more by the
number and type of sessions than throughput. Lots of in-house servers. Lots
of in-house clients with unrestricted outbound traffic.

 

In the late 2000's, it became increasingly important to inspect traffic
from servers to clients as client attacks became more common. In our case,
inspection of this traffic had detrimental effects on the performance of our
product.  I'm not sure why but I suspect it is because a lot more state has
to be maintained. On top of that, the number and variety of client
components and associated attacks against their vulnerabilities needing
inspection is probably higher than the number of server components. This
probably made the number of attack signatures traffic had to traverse for
client attacks higher than those for server attacks.

 

In recent years, Netflix and other streaming traffic also adversely affected
the already burdened server to client inspection processes. Depending on
your priorities, you can deal with this by altering inspection based on
traffic source/destination (e.g. Netflix), file type, and/or content-type
and adjusting inspection order, depth of inspection, and/or exemption lists
accordingly.
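
The inspection-tuning approach described in the reply above (exempting by
destination, content-type and file type, and ordering checks from cheap to
expensive) is sketched here as an added example; it is not Check Point code and
not part of either message in the thread. The network prefixes, sample flows
and byte counts are constructed for illustration, not real Netflix or CDN
ranges, and the "bypass / headers / full" tiers are a hypothetical simplification
of what a real IPS exposes.

```python
"""Toy inspection-policy evaluator.

Decides how deeply an IPS / application-control engine should inspect a flow,
applying exemptions in cheap-to-expensive order: destination lookup first
(available before any payload is seen), then file type / content-type (needs
header parsing), then a default.  Executable and archive downloads are never
exempted, even from an otherwise-bypassed destination, because those are the
flows carrying client-side attacks.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    nbytes: int
    content_type: str = ""   # from the HTTP response, if known
    filename: str = ""       # from the URL path / Content-Disposition, if known


# Inspection tiers, cheapest to most expensive for the engine (hypothetical).
BYPASS = "bypass"            # stateful firewall only, no deep inspection
HEADERS_ONLY = "headers"     # application identification / headers, no payload
FULL = "full"                # full payload inspection including file scanning

# Constructed exemption list: documentation prefixes, NOT real streaming ranges.
STREAMING_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
STREAMING_CONTENT = ("video/", "audio/")

# Content/file types that always get full inspection, whatever the source.
RISKY_CONTENT = ("application/x-msdownload", "application/x-dosexec",
                 "application/octet-stream", "application/zip", "application/x-msi")
RISKY_EXT = (".exe", ".msi", ".dll", ".zip", ".jar", ".ps1", ".scr")


def is_risky(flow: Flow) -> bool:
    """True if the flow looks like an executable/archive download."""
    return (flow.filename.lower().endswith(RISKY_EXT)
            or flow.content_type.lower().startswith(RISKY_CONTENT))


def dst_exempt(dst: str) -> bool:
    """Cheap check: is the destination in a known streaming prefix?"""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in STREAMING_NETS)


def decide(flow: Flow) -> str:
    # 1. Destination exemption (cheapest), but never for risky file types.
    if dst_exempt(flow.dst) and flow.dst_port in (80, 443) and not is_risky(flow):
        return BYPASS
    # 2. Executable/archive downloads: full inspection regardless of source.
    if is_risky(flow):
        return FULL
    # 3. Streaming content from an unlisted host: identify it, skip the payload.
    if flow.content_type.lower().startswith(STREAMING_CONTENT):
        return HEADERS_ONLY
    # 4. Everything else gets the full pipeline.
    return FULL


def summarize(flows) -> dict:
    """Bytes per inspection tier, so the operator can see how much traffic the
    exemption lists actually remove from the full-inspection path."""
    by_bytes = Counter()
    for f in flows:
        by_bytes[decide(f)] += f.nbytes
    return dict(by_bytes)


# Constructed sample flows (client addresses and sizes are made up).
SAMPLE_FLOWS = [
    Flow("10.20.1.5", "203.0.113.7", 443, 900_000_000, "video/mp4"),                         # streaming CDN
    Flow("10.20.1.9", "198.51.100.3", 443, 400_000_000, "video/mp2t"),                       # streaming CDN
    Flow("10.20.2.1", "192.0.2.10", 443, 300_000_000, "application/octet-stream", "update.exe"),  # software update
    Flow("10.20.2.2", "192.0.2.11", 80, 50_000_000, "video/webm"),                           # video, unlisted host
    Flow("10.20.3.3", "203.0.113.9", 443, 2_000_000, "application/octet-stream", "player.exe"),   # exe from exempt prefix
    Flow("10.20.3.4", "192.0.2.12", 443, 1_000_000, "text/html"),                            # ordinary web page
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.dst:>14}:{f.dst_port:<4} {f.content_type:<26} {f.filename:<12} -> {decide(f)}")
    print(summarize(SAMPLE_FLOWS))
```

Run as-is to see which tier each sample flow lands in and the byte split per
tier. The point of the ordering is that the destination check costs a prefix
lookup and runs before any payload is buffered, whereas content-type and file
name checks require the engine to have already parsed the HTTP exchange; the
risky-type override is what keeps an executable served from an exempted prefix
from slipping past inspection.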

 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Timothy Pierson
Sent: Friday, December 05, 2014 3:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Checkpoint 13500 Next Generation Firewall/Security

 

Greetings,

 

I am not sure if this is the place to post this query, however it seems the
likely place to start.  We have purchased Checkpoint's Next Generation
Firewall/Security Appliance. The model is 13500 and we have the 11 software
blade suite with application and DLP services.  

 

Early September we turned the application security blade service on and it
took our internet connection out, dropping the overall throughput from 750
Mbps to less than 50 Mbps.  Naturally this had us turning the application
service off and engaging Checkpoint.  After a couple of months the issue,
albeit somewhat improved, is not resolved: it continues to significantly
throttle our throughput, with massive packet drop and an overall inferior end
user experience.

 

We are not performing any blocking; we have merely turned on the software
blade feature.  Checkpoint has not been able to resolve the issue, spent a
couple of months not even knowing what the problem was, and is sure it is
because of the unusual traffic patterns from our RESNET.

 

One of the things I asked was if there were any institutions with 14,000 or
more students, with a significant residence hall presence, that were using
the Checkpoint 13500, with the 11 security feature suite,
with application and DLP services.  Their response was that they did in fact
have customers, however none of them would care to share their experience
with this product and feature set.  Knowing our constituencies, I am a
little skeptical of this, as I have never had a circumstance where there was
an unwillingness to share common experiences.

 

I would like to ask if anyone is using this product, configured similarly to
above, and what your experience was in hopes of hearing of a work around or
fix.  The feeling is that the resnet traffic, which is 29% Netflix and 24%
software download (gaming, MS, Apple or other updates), and other student
behavior is at the root of the Checkpoint system going "belly up" under
minimal load.

 

I would appreciate hearing within this forum or privately, from anyone who
might have some experience with this product.

 

Thank You,

 

Tim Pierson

DCIO

Tenn Tech University

 
