On PIX'en and FWSM it is very easy to disable the evil NAT all you need is to enter the "nat 0" command in global configuration mode. This allows the PIX to pass addresses untranslated. The Pixen are still based on intel hardware but to the best of my knowledge they have never had a HDD and I have worked with them since the original PIX and PIX 10000 I attended the initial product announcement seminar they first came out. Scott C. McGrath On Thu, 5 Feb 2004, Crist Clark wrote:
Martin Hepworth wrote:
Alexei Roudnev wrote:
Checkpoint is a very strange brand. On the one hand, it is _well known brand_, _many awards_, _editors choice_, etc etc. I know network consultant, who installed few hundred of them, and it works.
On the other hand, every time, when I have a deal with this beasts (we do not use them, but some our customers use), I have an impression, that it is the worst firewall in the world: - for HA, you need very expansive Solaris cluster (compare with PIX-es) /I can be wrong, but it is overall opinion/. - to change VPN, you must reapply all policy, causing service disruption (I saw 1 day outage due to unsuccesfull Checkpoint reconfiguration); - VPN have numerous bugs (it is not 100% compatible with Cisco's by default; of couse, I can blame Cisco, but Checkpoint is _the only_ one of my peers which have this problem); - Configuration is not packed in 1 single file, so making difficult change control, etc etc...
All this is _very_ subjective, of course; but - those customers, who uses Checkpoints, are the only ones who had a problems with firewalls. If I compare it with plain, reliable and _very simple_ PIX (PIX is not state of art, of course) and some others... I begin to think about checkpoint as about one more _brand bubble_. At least, I always advice _against_ it.
PS. Security for dummies... interesting idea. Unfortunately, this book should start with _100% secure computer = dead computer_ -:) Why not? People really need such book!
Of course 'back in days' when Firewall-1 started and firewalls@greatcircle.com was *the* network security ML, PIX was an utter pile of poo and F-1 was very nice thankyou.
Now PIX is quite good,
Is it still very counter intuitive to set up a PIX to _not_ do the eevul NAT? Is the PIX no longer PeeCee hardware underneath (I know they got rid of the HDD) so not as to bring NOs down to the level of the great unwashed throngs of desktop users?
and Firewall-1 has become the Microsoft of firewalls - ie everywhere and not particularly well administratored.
Interesting how things change isn't it?
At least Checkpoint had the sense to kill the FWZ VPN protocol early and go with IPsec. More than I can say for M$. Not that IPsec interoperability is fully realized. Checkpoint has its own proprietary icky tricks to try to sneak IPsec through NAT just like every other commercial vendor. But Checkpoint admins are worst part, "I check the box to use IKE VPN but someone said that uses the ESP service. Which port number is that? I read port 50 somewhere, but should I make it a TCP or UDP service?"
The Checkpoint feature/bug that frustrates me is at the GUI level there is no association between a rule and an interface. To cover up this problem, there is the automatic "anti-spoofing" feature which is a bitch, if not impossible, to properly configure for a complicated topology. -- Crist J. Clark crist.clark@globalstar.com Globalstar Communications (408) 933-4387