nanog mailing list archives

Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1


From: "Alexei Roudnev" <alex () relcom net>
Date: Thu, 5 Feb 2004 09:30:01 -0800


Checkpoint is a very strange brand. On the one hand, it is a _well known
brand_, _many awards_, _editors choice_, etc etc. I know a network consultant
who installed a few hundred of them, and they work.

On the other hand, every time I have to deal with these beasts (we do
not use them, but some of our customers do), I have the impression that it is
the worst firewall in the world:
- for HA, you need a very expensive Solaris cluster (compare with PIX-es) /I
may be wrong, but it is the overall opinion/;
- to change the VPN, you must reapply all policy, causing service disruption (I
saw a 1 day outage due to an unsuccessful Checkpoint reconfiguration);
- the VPN has numerous bugs (it is not 100% compatible with Cisco's by default;
of course, I can blame Cisco, but Checkpoint is _the only_ one of my peers
which has this problem);
- the configuration is not packed in 1 single file, making change control
difficult, etc etc...

All this is _very_ subjective, of course; but - those customers who use
Checkpoints are the only ones who had problems with firewalls. If I
compare it with the plain, reliable and _very simple_ PIX (PIX is not state of
the art, of course) and some others... I begin to think about Checkpoint as
one more _brand bubble_. At least, I always advise _against_ it.

PS. Security for dummies... interesting idea. Unfortunately, this book
should start with _100% secure computer = dead computer_ -:)
Why not? People really need such a book!

----- Original Message ----- 
From: "Suresh Ramasubramanian" <suresh () outblaze com>
To: <nanog () merit edu>
Sent: Thursday, February 05, 2004 8:56 AM
Subject: Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1



"Dan" == Ingevaldson, Dan (ISS Atlanta) <dsi () iss net> writes:

    Dan> http://xforce.iss.net/xforce/alerts/id/162
    Dan> http://xforce.iss.net/xforce/alerts/id/163

You know, I'm quite allergic to that word "checkpoint".  Perhaps I'm
completely wrong here, but ..

Might be a good idea to deploy openbsd firewalls instead of expensive
and buggy stuff like Checkpoint :)

Anything which reduces "security" to point and click on a cute web or
other GUI interface is dangerous... allows untrained and completely
dumb people to brand themselves "firewall admins".  Like the "admin"
at a now defunct Indian ISP where my former employer had several
machines colocated.

That idiot basically saw lots of inbound traffic to port 22 on our
machines, didn't know what the hell that was, and firewalled port 22
across the ISP's network.

Getting locked out of all my ssh sessions, having to drive 20 km to
the datacenter, and then having to reset the block myself while my
boss was still arguing with the "admin" was kind of an interesting
experience, I must say.

Yes, his checkpoint management console, running on an unpatched hp/ux
10.2 machine, was up and running, and we just walked right into the NOC
to argue with him.  That made it quite easy to click the right buttons
while the guy stood up to call his supervisor in to try to convince us (me
and my boss) that yes, he knew what he was doing, he had an MCSE and a
CCNA after all, etc.

Is there some really good "network security for dummies" book that I
can point such people at?  Telling them to google doesn't do much
good, I fear :(

        srs

-- 
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
