Domain: checkpoint.com
Stories and comments across the archive that link to checkpoint.com.
Comments · 64
-
So quite a few products are illegal...
E.g. quite a few Linux based security products.
Checkpoint SecurePlatform for example is based off Red Hat and the modified sources are not available.
And the firewall itself is inside the kernel, not even sure that it is a module...
The good point is that Checkpoint have very deep pockets, some developers could make big bucks suing....
-
For the Confused or Speculative . . .
What Cisco is developing is a Host Integrity System, something it lacks in its current offerings. A good example to use would be Sygate's Secure Enterprise.
Cisco's new offering serves as a checkpoint at the router or L3 switch level. Hosts incoming must pass a certain set of criteria (MD5 hash of approved AV running, sig file at certain level, hotfix X installed) before they are allowed to pass. While previously used to protect remote users (Aventail and Checkpoint are good examples), Cisco is moving to market the technology as an endpoint solution for all enterprise users.
This is also a consolidation play. The new version of Cisco's Secure Agent will tie into the new gateway system as a required host integrity piece. If you add that to the new WebVPN SSL VPN code that is currently in beta 3 and will be out over the holidays as v4.1 of the 3000 series concentrator software, you get a pretty clear indication of where Cisco's going with this.
All I can say is our Fortune clients dig the whole shebang. Keep in mind that once you start talking about enterprise security, the more authoritarian, the better.
-
Mod parent down... this is a troll
Who are these moderators? This one is WAY too obvious...
Sun was founded in 1982... see Sun's website
Bruce Perens worked for HP... see article here
The Checkpoint firewall is not a Sun product... see Checkpoint Software Technologies -
Re:Is Checkpoint violating the GPL?
Disclaimer: I work for Checkpoint's No. 1 reseller.
The Linux versions of all Checkpoint products (FireWall-1 4.1, Checkpoint NG) achieve their functionality by means of a binary module which is loaded into the kernel at runtime. This is expressly permitted by Linus as an exception to the GPL license which ships with Linux.
Of course, Checkpoint also produce their own cut-down version of Red Hat Linux 7.0 (known as SecurePlatform) which is designed to turn any standard PC into a fully functioning Checkpoint NG install with the minimum of effort.
The copy of the GPL license contained in the root of the CD filesystem asks that you e-mail gpl-source@checkpoint.com for instructions on where to obtain the source.
I did so... and within 24 hours, I received a password-protected login to a Checkpoint FTP server which contained all the relevant source RPMS (and the Checkpoint-written patches) for SecurePlatform.
So, the answer is no - to the best of my knowledge Checkpoint have not violated the GPL.
-
SecurePlatform
If you're going to install Linux on the Nokia box, that means you already bought the FireWall-1 software. Rather than throwing away that powerful firewall and VPN solution, install Check Point's Linux on it!
SecurePlatform is Check Point's totally hardened Linux distro. It is a bootable CD that blasts your hard drive, installs a minimal/hardened Linux, and FireWall-1 in one shot. It takes about 3 minutes on a fast PC. It has a basic www management interface, or simple config shell (via ssh).
It's got great performance, and firewall/VPN features that no other product can touch (not to mention the free Linux stuff), and the configuration is really easy via a nice GUI.
And, really surprising for those of us familiar with Check Point: they don't charge for it. The OS portion is free... you just need the license for the firewall application running on it.
-
Theft (piracy) of the Linux kernel?
OK it's off-topic but enquiring minds want to know... it *seems* (I stress SEEMS) to me that Checkpoint has basically stolen the Linux kernel. They've got a product called "SecurePlatform" which is basically Firewall/1 on a bootable CD, with a custom hardened OS. Well three guesses what OS that is. Yup it's Linux, apparently based off of RedHat with heavy mods. Where's the source? OK I know it's only customers who HAVE to get it under the terms of the GPL but I can't believe none of the customers who bought this product would have put the source up somewhere. So Checkpoint, what's going on? References -- search checkpoint.com for "SecurePlatform" (Products -> Enterprise). See also http://dir.securepoint.com/Hardening/Linux/ and http://www.ems-global.com/securitynewsletter/securityvol2issue9.htm -- search for "checkpoint" on those pages.
-
Run Linux and a real firewall at the same time...
Checkpoint's products run on Red Hat Linux as well as they have their own customized Linux distro which I must say is very easy and best of all, it's (the OS, not their software) free and open source!
// Chris
-
How I'd do it
There are several ways to go about this.
- Buy CheckPoint FireWall-1 in addition to your access points. There are SOHO versions of FW1 on dedicated hardware (e.g. Nokia IP71) that retail for less than $1000 and can accommodate up to 50 users. Use its Session Authentication agent to arbitrate access to anything other than DHCP and don't bother with enabling WEP. Unfortunately, the agent seems to be only available for Windows 9X/ME/NT/2K/XP.
- Buy Cisco access points and Cisco ACS software and enable LEAP. While non-standard, you are probably forcing them to buy a wireless card anyway, and Cisco's client devices aren't all that expensive. The Aironet device is supported in Windows and Windows CE, Linux, and MacOS 9.x and 10.x. My employer uses LEAP and it works great.
- Hack your own. Set up Linux and Squid and Apache and transparent forwarding to redirect unauthenticated web traffic to an HTTPS login form. Have the form automatically add the necessary firewall rules to allow them out, and have a cron job remove them after a delay. Upside: A five banana problem once you've mirrored enough of CPAN to write the Perl scripts. Downside: Easily spoofed/hacked with a copy of AirSnort, Kismet, and Ettercap.
Anyway, I'm rambling now, so hopefully this helps and makes sense. If you have questions, post 'em here.
-
Re:Just one example of the stupidity of this speec
Microsoft's approach to security can be found at the links below, not at the Register. The Register is a fine publication I read avidly, but like /., it's not exactly an unbiased view of the matter.
- MS's Security page
- A tour of MS's security response center
- MS's definition of a security vulnerability
- TechNet Security
In addition, please take me to the Sun pages for Security advice, or Checkpoint's (I couldn't find any, and I have partner access), or Redhat (there's no dedicated security pages - it's under "errata") and say that Microsoft doesn't take security as seriously or more seriously than these other respected companies.
-
Here's how I do it...
For case 1, let's assume a complete Linux front-to-back solution, with as much free (or mostly free) software as possible:
Needed Software Components:
1. Favourite Distro of Linux
2. MySQL or Postgres Database (personal pref is for MySQL... not going to get into the pros and cons here...)
3. Dynamic Web-Scripting Language (PHP, Perl, whatever... personal pref for this kind of thing is PHP... again, I'm not debating at the moment...)
4. Linux Virtual Server Project - very solid load-balancing from my experience. Don't know how it compares with the appliances on the market... but it's still solid.
5. HA/Redundancy software (Linux HA project isn't quite there... but they're getting close... there are some commercial packages available - one that's free for non-profit use - http://www.high-availability.com)
Hardware:
NB: For maximum up-time I recommend systems with redundant hardware (backup power supplies, dual NICs, and RAID arrays)
1. Firewall/Load-balancer - preferably using HA/Redundancy software on two machines... Mirrored (RAID 1, right?) boot/system hot-plug drives are a good idea.
2. Web-farm - up to X systems (where X+1 breaks your budget... ;) ) load balanced with Virtual Server Project. For a reasonably heavy duty method of doing this relatively cheaply, see Cubix and their "density" series... up to 8 servers in a single box... with hot plug everything. RAID isn't as necessary here... as the systems themselves are effectively your RAID...
3. Database system - again preferably an HA/Redundancy cluster for maximum availability. I recommend a mirrored boot/system disk again, with a RAID 5 array (or RAID 5+5 - mirrored RAID arrays) for speed and maximum availability... highest RPM drives you can afford can help here a lot for speed, too.
4. 100 BaseT Switch for maximum through-put. Personal preference is for Cisco but your budget dollars may vary.
5. I've mentioned RAID a couple of times... you can get SCSI and IDE RAID these days (SCSI being more common)... the cheapest/fastest one I've seen is from Raidzone - very nice, check them out (up to 15 - 40 GIG hot-plug IDE drives in one array, with a very high through-put). You can also do software RAID, taking a performance hit, but saving coin...
Case 2 assumes that you don't mind using some commercial stuff... and have a bigger budget:
1. Replace Virtual Server with an appliance. (Alteon, F5 and Cisco all make good products... presently my preference is with F5's BigIP.)
2. Replace inborn Linux firewall with Checkpoint's firewall-1 running under Linux - or an appliance firewall, a Cisco PIX is very nice, and has very high through-put. The Nokia appliance running Checkpoint and a BSD bastardisation is quite nice.
-
How to fix the vulnerabilities (technical)
These vulnerabilities can be fixed. Here's how:
- SYN flooding
The basic problem is that protocol stacks derived from BSD commit substantial resources on the receipt of a SYN packet. That makes them vulnerable to TCP SYN packets with forged source IP addresses. The proper solution is to allocate only a small control block at the LISTEN -> SYN_RCVD transition, and allocate the full resources for a TCP connection only at the SYN_RCVD -> ESTAB transition. In a SYN flood, the connection never gets beyond SYN_RCVD, so this confines the attack to using up these small control blocks. The lookup used during SYN_RCVD should be hashed, so it doesn't slow down as the number of connections in that state increases, and the allowed number of connections in SYN_RCVD should be made very large (maybe as big as 100,000) in a large server. This allows for a huge SYN flooding overload without impacting real connections much.
There's a commercial firewall from Israel that does something like this, but it really should be part of the protocol stack.
- ICMP broadcast floods
Don't reply to ICMP packets sent to broadcast addresses. This is an out-and-out bug, known for over a decade, and should have been fixed everywhere by now. Vendors that haven't fixed it yet should be subjected to public embarrassment, if not litigation.
- HTTP request overload
This is the tough one - being attacked by a large number of completely valid requests. One answer is to impose fairness by source IP address within the server, so that each source IP address gets equal responsiveness. This fix won't stop the problem, but it will slow it down substantially. It's going to take some new development, but the concept is conceptually similar to fair queuing, which I invented long ago. Most of the same issues apply within a server as apply in a congested router.
Implement all this, and the problem will go from being headline news to a minor nuisance. Linux network hackers, get going.
I'm not currently doing protocol implementations, but I'd be glad to talk to anybody working actively on the problem. I did substantial work on TCP/IP in its early days, before going on to other things, so I do know what I'm talking about here.
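The SYN-flood fix the post describes (a small control block at LISTEN -> SYN_RCVD, a hashed lookup for half-open connections, full resources only at SYN_RCVD -> ESTAB) as a Python simulation. This is an added illustration, not code from the post, from Linux, or from any Check Point product; the class names, the table sizes and the spoofed source addresses are constructed for the demo.

```python
"""Simulate a listener that keeps only a tiny control block per half-open
connection and allocates full connection state on the final ACK."""
from dataclasses import dataclass, field
import random


@dataclass(frozen=True)
class MiniCB:
    """Small control block held while in SYN_RCVD: just the two ISNs."""
    client_isn: int
    server_isn: int


@dataclass
class FullConn:
    """Full connection state, only built on SYN_RCVD -> ESTAB (constructed
    stand-in for socket buffers etc.)."""
    peer: tuple
    rcv_buf: bytearray = field(default_factory=lambda: bytearray(65536))


class Listener:
    def __init__(self, max_syn_rcvd=100_000):
        self.max_syn_rcvd = max_syn_rcvd
        self.syn_rcvd = {}      # (src_ip, src_port) -> MiniCB; dict = hashed lookup
        self.established = {}   # (src_ip, src_port) -> FullConn
        self.dropped_syns = 0

    def on_syn(self, src, client_isn):
        """LISTEN -> SYN_RCVD: allocate only a MiniCB, return our ISN for the SYN-ACK."""
        if src in self.syn_rcvd or src in self.established:
            return None                          # retransmit or duplicate, ignore
        if len(self.syn_rcvd) >= self.max_syn_rcvd:
            self.dropped_syns += 1               # table full: drop, never exhaust memory
            return None
        server_isn = random.getrandbits(32)
        self.syn_rcvd[src] = MiniCB(client_isn, server_isn)
        return server_isn

    def on_ack(self, src, ack_num):
        """SYN_RCVD -> ESTAB: O(1) lookup, then promote to a full connection."""
        cb = self.syn_rcvd.get(src)
        if cb is None or ack_num != (cb.server_isn + 1) & 0xFFFFFFFF:
            return False                         # stray or forged ACK
        del self.syn_rcvd[src]
        self.established[src] = FullConn(src)
        return True


def flood_then_legit_client(n_spoofed, max_syn_rcvd=100_000):
    """Spoofed SYNs never ACK; report whether a real client still connects."""
    lst = Listener(max_syn_rcvd)
    for i in range(n_spoofed):                   # constructed forged sources
        lst.on_syn((f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000), i)
    legit = ("192.0.2.7", 51515)
    isn = lst.on_syn(legit, 1234)
    ok = isn is not None and lst.on_ack(legit, (isn + 1) & 0xFFFFFFFF)
    return ok, len(lst.established), len(lst.syn_rcvd), lst.dropped_syns
```

With a 100,000-entry SYN_RCVD table, a 50,000-source flood leaves the real client unaffected and costs only 50,000 two-integer control blocks; shrink the table to the size of the flood and the next real SYN is dropped, which is why the post asks for a large limit.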
-
Some good info
... that makes up for Checkpoint's incorrect and incomplete, and sometimes non-existent, documentation: Checkpoint Quick Reference, provided by some guy named "joe".
-
This is one thread I hope picks up soon
This is a question I, personally, would love to have answered. We use Checkpoint FW/1 on Solaris where I work. It's a bit of a pain to get into the office network from outside (say, via my dialup account from Mindspring) when using Linux. The SecuRemote clients exist only for Windows. If Free S/WAN will let me use my home dialup router/firewall (Linux) machine as a VPN client, yay.
I hunted through the mail-list archive and found the following:
- The Question. More or less content-free.
- Some info, some questions.
- Some answers to the above questions. Like, FreeSwan no longer supports plain DES; you have to use 3DES. And, "Manual-key setup has to be done on *both* ends"
- This guy is willing to pay for help.
- Assload of debugging data, from Interop setup.
- Here is a list of Checkpoint partners and things that work with a Checkpoint firewall. Not comprehensive.
- OPSEC ("Open Platform for Security") site. Stuff that works with Firewall-1 and other OPSEC-compliant firewalls. I don't know if there are any besides FW-1.
- IPSec for FreeBSD
- Some IPSec software from MIT
- The people who make SSH also have IPSec/IKE products.
... anyone know of anything else?