Checkpoint is a very strange brand. On the one hand, it is a _well known brand_, _many awards_, _editors choice_, etc etc. I know a network consultant who installed a few hundred of them, and it works. On the other hand, every time I have to deal with these beasts (we do not use them, but some of our customers do), I have the impression that it is the worst firewall in the world:

- for HA, you need a very expensive Solaris cluster (compare with PIX-es) /I can be wrong, but it is the overall opinion/.
- to change VPN, you must reapply all policy, causing service disruption (I saw a 1 day outage due to an unsuccessful Checkpoint reconfiguration);
- VPN has numerous bugs (it is not 100% compatible with Cisco's by default; of course, I can blame Cisco, but Checkpoint is _the only_ one of my peers which has this problem);
- Configuration is not packed in 1 single file, so making change control difficult, etc etc...

All this is _very_ subjective, of course; but those customers who use Checkpoints are the only ones who had problems with firewalls. If I compare it with the plain, reliable and _very simple_ PIX (PIX is not state of the art, of course) and some others... I begin to think about Checkpoint as one more _brand bubble_. At least, I always advise _against_ it.

PS. Security for dummies... interesting idea. Unfortunately, this book should start with _100% secure computer = dead computer_ -:) Why not? People really need such a book!

----- Original Message -----
From: "Suresh Ramasubramanian" <suresh@outblaze.com>
To: <nanog@merit.edu>
Sent: Thursday, February 05, 2004 8:56 AM
Subject: Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1
"Dan" == Ingevaldson, Dan (ISS Atlanta) <dsi@iss.net> writes:
Dan> http://xforce.iss.net/xforce/alerts/id/162
Dan> http://xforce.iss.net/xforce/alerts/id/163
You know, I'm quite allergic to that word "checkpoint". Perhaps I'm completely wrong here, but ..
Might be a good idea to deploy openbsd firewalls instead of expensive and buggy stuff like Checkpoint :)
Anything which reduces "security" to point and click on a cute web or other GUI interface is dangerous... allows untrained and completely dumb people to brand themselves "firewall admins". Like the "admin" at a now defunct Indian ISP where my former employer had several machines colocated.
That idiot basically saw lots of inbound traffic to port 22 on our machines, didn't know what the hell that was, and firewalled port 22 across the ISP's network.
Getting locked out of all my ssh sessions, having to drive 20 km to the datacenter, and then having to reset the block myself while my boss was still arguing with the "admin" was kind of an interesting experience, I must say.
Yes, his checkpoint management console, running on an unpatched hp/ux 10.2 machine, was up and running, and we just walked right into the NOC to argue with him. That made it quite easy to click the right buttons while the guy stood up to call his supervisor in to try to convince us (me and my boss) that yes, he knew what he was doing, he had an MCSE and a CCNA after all, etc.
Is there some really good "network security for dummies" book that I can point such people at? Telling them to google doesn't do much good, I fear :(
srs
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations