nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1

From: Scott McGrath <mcgrath () fas harvard edu>
Date: Thu, 5 Feb 2004 14:32:49 -0500 (EST)


On  PIX'en and FWSM it is very easy to disable the evil NAT all you
need is to enter the "nat 0" command in global configuration mode.  This
allows the PIX to pass addresses untranslated.

The Pixen are still based on intel hardware but to the best of my
knowledge they have never had a HDD and I have worked with them since the
original PIX and PIX 10000 I attended the initial product announcement
seminar they first came out.



                            Scott C. McGrath

On Thu, 5 Feb 2004, Crist Clark wrote:



Martin Hepworth wrote:



Alexei Roudnev wrote:


Checkpoint is a very strange brand. On the one hand, it is _well known
brand_, _many awards_, _editors choice_, etc etc. I know network
consultant,
who installed few hundred of them, and it works.

On the other hand, every time, when I have a deal with this beasts (we do
not use them, but some our customers use), I have an impression, that
it is
the worst firewall in the world:
- for HA, you need very expansive Solaris cluster (compare with
PIX-es) /I
can be wrong, but it is overall opinion/.
- to change VPN, you must reapply all policy, causing service
disruption (I
saw  1 day outage due to unsuccesfull Checkpoint reconfiguration);
- VPN have numerous bugs (it is not 100% compatible with Cisco's by
default;
of couse, I can blame Cisco, but Checkpoint is _the only_ one of my peers
which have this problem);
- Configuration is not packed in 1 single file, so making difficult
change
control, etc etc...

All this is _very_ subjective, of course; but - those customers, who uses
Checkpoints, are the only ones who had a problems with firewalls. If I
compare it with plain, reliable and _very simple_ PIX (PIX is not
state of
art, of course) and some others... I begin to think about checkpoint as
about one more _brand bubble_. At least, I always advice _against_ it.

PS. Security for dummies... interesting idea. Unfortunately, this book
should start with _100% secure computer = dead computer_ -:)
Why not? People really need such book!



Of course 'back in days' when Firewall-1 started and
firewalls () greatcircle com was *the* network security ML, PIX was an
utter pile of poo and F-1 was very nice thankyou.

Now PIX is quite good,


Is it still very counter intuitive to set up a PIX to _not_
do the eevul NAT? Is the PIX no longer PeeCee hardware underneath
(I know they got rid of the HDD) so not as to bring NOs down to the
level of the great unwashed throngs of desktop users?


and Firewall-1 has become the Microsoft of
firewalls - ie everywhere and not particularly well administratored.

Interesting how things change isn't it?


At least Checkpoint had the sense to kill the FWZ VPN protocol
early and go with IPsec. More than I can say for M$. Not that
IPsec interoperability is fully realized. Checkpoint has its own
proprietary icky tricks to try to sneak IPsec through NAT just
like every other commercial vendor. But Checkpoint admins are
worst part, "I check the box to use IKE VPN but someone said that
uses the ESP service. Which port number is that? I read port 50
somewhere, but should I make it a TCP or UDP service?"

The Checkpoint feature/bug that frustrates me is at the GUI
level there is no association between a rule and an interface.
To cover up this problem, there is the automatic "anti-spoofing"
feature which is a bitch, if not impossible, to properly configure
for a complicated topology.
--
Crist J. Clark                               crist.clark () globalstar com
Globalstar Communications                                (408) 933-4387
Previous By Date Next
Previous By Thread Next

Current thread: