Essential Check Point Firewall-1 NG
Phoneboy (nee Dameon Welch-Abernathy) has proven himself to be extremely knowledgeable about Check Point's FireWall-1 product. In October of 2001, he produced a book (Essential Check Point FireWall-1, Addison-Wesley, 2001) that helped to clarify the vast amount of information collected over the years through the mailing list and the website. Shortly after the book was published, Check Point saw fit to render it almost obsolete by releasing FireWall-1 NG. The new version of Check Point's flagship product was so different, you almost had to start from scratch to understand it. Dameon has taken the necessary next step and updated his original book. The new book, Essential Check Point FireWall-1 NG, (Addison-Wesley, 2004) now covers all existing versions of NG, up to and including NG with Application Intelligence (NGAI).
When you first open the book and look at the Contents pages, two things will strike you. The first is that the Contents page starts with "Frequently Asked Questions." Anyone who has spent any time on technical websites knows that Frequently Asked Questions (or FAQs) are the first place to look to gather the nugget(s) of wisdom you need. The fact that Dameon has included a large list of FAQs in the book makes it valuable for quickly addressing the typical problems and questions an administrator faces. The second thing you will note is that he does not start describing anything about FireWall-1 itself until late into Chapter 2. He takes the time to lay the foundation of what a firewall is, as well as what a good security policy is, and why it's so important to get one and get it right.
As I read through the book, I was pleased to see that Dameon followed one of the cardinal principles of good presentation: tell them what you're going to say, say it, then tell them what you said. Each chapter outlines what you will know by the end, teaches you what you need to know, then summarizes it. Dameon writes in a style I would call clear but not condescending. It takes someone who not only knows his subject well, but understands his audience well, to walk the fine line between the two. Dameon shows his chops by treading that line like a tightrope walker.
Each chapter contains carefully organized information with numerous figures and screen shots interspersed, to keep the text understandable. Starting in Chapter 4, Dameon also includes selected FAQs culled from the many available on his website. I found this much more valuable than collecting them at the end of the book in one gigantic haystack that you needed to search for that one precious needle. Later chapters include sample configurations to clarify the concepts just described. This makes Essential Check Point FireWall-1 NG useful as a teaching resource, as well as a general reference to the product.
While the chapters in the book follow a logical progression, each building on the prior information, Dameon made sure that most chapters (and even sections within the chapters) could stand alone. This means you can pick and choose what you want to read. For example, if you needed to focus on FireWall-1 on IPSO, you don't necessarily have to worry about what was written about Solaris. The information on IPSO would repeat enough information that you wouldn't have to refer to previous pages. Even so, Dameon provides back references when repeating the information would be too cumbersome.
I did notice that Dameon varied the amount of detail used throughout the book. Sometimes he uses a high-level approach, and sometimes he goes into excruciating detail. Unfortunately there were a number of places I wanted him to provide more detail, only to have him skim over the treetops. While he does explain up front that this book was supposed to cover the essential information, covering some areas in detail just whets your appetite for that same amount of detail in all areas.
One other quibble I have revolves around the figures used in his examples. It becomes obvious that this book evolved over a period of time (I believe he took around a year to get this edition put together). Some figures apparently came from an earlier version of the book, as the text referred to something else. One example occurs in Chapter 8 (User Authentication). Dameon's sample configurations are written in a "follow-me" style. One sample configuration has the text "Next, create the group WebAdmins and add bob and dan to this group." If you followed his directions and then referred to the sample rule base in the figure on the next page, you would see that the group is named DMZAdmins instead of WebAdmins. (And the specs given for the same sample configuration specify that S/Key will be used, yet the figure showing the Authentication tab clearly has S/Key un-checked.) Little inconsistencies like this should have been picked up on the proofreading. Their existence mars an otherwise excellent book.
Overall, Essential Check Point FireWall-1 NG is aptly named: essential. If you are responsible for the care and feeding of Check Point's FireWall-1 software on any platform, you need to get and read this book. It's definitely going to stay within arm's reach on my desk.
You can purchase Essential Check Point Firewall-1 NG from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Phoneboy sounds like something else I like to read. On the other hand, I too read this book, and I enjoyed the detail and also the easy way it was presented. Thanks for the review!
-Vib, videogame freelancer for news0r.com, videogame.net, and vnorby.tk
IMHO, while the book is arguably excellent in its own right, and exactly the kind of thing to build a thorough working understanding of what is going on, I wonder if the problems covered therein will remain on the cutting edge of firewall management. So, if I were using Checkpoint, I'd probably sleep with the damn thing for the first few weeks, but eventually it would find its way off the desk and up on the shelf, where it (more than likely) is on its way to the next booksale.
"Can there be a Klein bottle that is an efficient and effective beer pitcher?"
Given the Slashdotting, the past tense used in the article is actually very appropriate.
The owls are not what they seem
Are you telling me this is a review of a manual?
If I'm paying $$$ for Check Point 1 software, I don't wanna have to buy aftermarket book to tell me how to use it.
How about an OpenBSD firewall guide book, eh?
For my simple home firewall/nat I use Shorewall (use IPfilter on Solaris at work), but damn, I love a good read on other firewalls and their setups.
I must say that I really like the idea of phoneboy.com being TWiki....just allows for such a broader range of information from people.
Since I can't read the Ma Bell site from the previous article, I'll go check this out for the afternoon.
I would have said it was OK
sulli
RTFJ.
I was a young impressionable admin when I was first introduced to Checkpoint. At the time, they had barely stepped out of their domestic Israeli market and we had a copy thanks to a co-worker who worked in a kibbutz for two years.
Anyways, I was astounded at the fine level of detail with which one could control the packets in that FW product. We immediately proceeded to deploy Checkpoint in our production Solaris 3 environment. We found the network configuration to be easy and the core install of Solaris 3 satisfied all the requirements.
Little did I know that the product was not yet mature and optimized to deal with the large traffic in our organization. FTP and Gopher services crashed around our ears as we ran around like headless chickens. We deduced right away that it was checkpoint and went back to our original configuration.
Oh, how we laughed after that incident. It sometimes still makes me snicker.
Which is nice.
I want to know why someone named Dameon feels compelled to get a nickname...
2:47PM up 1 day, 19:07, 24 users, load averages: 138.60, 97.23, 61.14
The views expressed herein are not necessarily those of anyone, including the poster.
do checkpoint customers even use the fancy features?
One has to wonder how many check point firewalls could be replaced with a freebsd box, two nics, and ipfw with dummynet.
I always thought the people who paid for firewall software were the ones who did not have time, needed super duper new features, or were too dumb to use ipfw.
have a bad day.
I have been administering Check Point systems for about 4 years now, and I must say I'm not even close to surprised by this reviewer's comments. Phoneboy's book and site have been essential for FW-1 admins since long before I began working on this software. I've owned 3 revisions of his textbook, and it IS the best text ever written about Check Point products, bar none.
Step one: remove power cord from CheckPoint box.
Step two: load CheckPoint onto trebuchet.
Step three: launch CheckPoint into Low Earth Orbit, or at least into the neighbor's hedges.
Step four: install an OpenBSD box with two ethernet interfaces and configure PF.
(Step four can alternatively be replaced with Linux/Netfilter, FreeBSD/IPF or Solaris/IPF -- whatever your poison is.)
But I'm only bitter because I was stupid enough to buy into CheckPoint's snake oil. Fool me once, shame on me, etc -- that goddamn thing cost me close to six months of time that could have been productively spent doing just about anything else. Never, ever again.
(Okay, just for kicks, here's an actual tidbit of useful Checkpoint info: There's a Rule Zero. It doesn't appear in the rules screen. It's probably not doing what you think it's doing.)
News for Nerds. Stuff that Matters? Like hell.
I must say that the Checkpoint Firewalls are excellent pieces of equipment. We use them all throughout our company's WAN (20+ offices across the whole continental United States). I think that anyone interested in a little bit more than just a do-it-yourself firewall, or a Cisco PIX solution, should definitely get this book, and research the Checkpoint.
while true ; do echo this is my sig; done
Their firewall just melted.
Too bad! I wanted to find what this unintelligible posting was about.
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, dwelch@phoneboy.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
I could go on for many pages, detailing all of the issues I've had to deal with in the last few weeks. But I've wasted enough time dealing with Checkpoint, and I don't want to waste too much time bitching about them.
We purchased hardware and software through a reseller. My predecessor placed the order, so I came in knowing very little about what we had purchased. I was given the server and an activation code for the software.
I activated it, and found that I was unable to download anything. We had no support contract. I sent off some nasty e-mails to the vendor, and we had an installation CD a couple of days later.
Well, it turns out that the installation CD was old. Shouldn't be a big deal, right? Well, it was. Although we could install the software, we couldn't use any of the management tools. The Windows-based management tools, I should add. For a Linux product.
Conference calls with Checkpoint, more nasty e-mails, we find out that our support contract was never entered. I blame this solely on the vendor, not Checkpoint. Once that went through, we were able to download the needed software from Checkpoint.
Sounds like the problem is resolved, right? I hope so, but I won't know for a few days, as we had to reschedule a network shutdown because of this incompetence. While I blame most of this on the vendor, you have to wonder what sort of approval process the vendors have to go through to become resellers, and why Checkpoint would ever allow such idiots to resell their product.
While I'm pointing fingers, here are some other things to think about:
Checkpoint could easily have allowed us to download a product which we had already purchased, and is available to customers with a support contract.
Tech support could have answered our questions very quickly, if they would have talked to us.
They could have FAQs with this information on their web site.
The FAQs that they do have could have been in a format that is readable from a console (everything is PDF).
Red Hat 7.3 is the latest version of Linux they support. With a kernel that doesn't come standard.
I admin many older Checkpoint boxes, which unfortunately run on Windows NT 4. I inherited them. After the crap I have been through dealing with Checkpoint, I am considering staying with them until I find a better solution. Why should we have to pay thousands of dollars a year just to be able to patch these things? Why are the FAQs useless? Why can't these people get a clue?
Just FYI, I've been using Linux since before it was 1.0, and I have no problem with configuring firewalls and the like. And I also know that Cisco pulls stupid crap like this, too. Now for the fun part - I have a hell of a lot of purchasing power at a very large consulting firm, and as far as I am concerned, we are done with Checkpoint.
You hear that, Checkpoint? Over 70,000 employees, and I can't count how many support contracts. I'm going to do what I can to make sure we never send you another dime.
http://smoothwall.org/ rocks like none other
Thank you,
Mr Blinky
Not everyone needs Firewall-1. But as the number of firewalls you manage goes up, the management features of Firewall-1 really come into their own.
Firewall-1 also assists in reaching the desired level of abstraction where your ruleset stops describing your network topology and starts describing your network policy.
The difference is hard to appreciate until you have worked with both for a while.
Encrypted traffic across UDP 5060 causes checkpoint to eat up all its mbufs and fall over dead. Bad news for checkpoint customers ...
The answer is NO! As security techs change the way they handle threats, from the borders and internally, FW config and management is currently changing rapidly. In fact CheckPoint is now offering in-line IPS. This better layered/mesh approach to security does change what you need to do on your borders and how you do it. Coupled with node/desktop firewalls, current strategies will change.
What would be the advantage of using the Checkpoint product versus using one of the BSD versions with PF?
Comparisons of price/performance/security are the types of criteria I had in mind.
I can send you a fire extinguisher if you like?
- High Availability of management stations
- Coverage of Provider-1, SiteManager-1 installations and the differences between them and the traditional management method
- More detail on Checkpoint log servers (specifically CLMs and what they can and cannot do, including where they should typically be deployed and in what situations)
- Handling, munging, searching, and maintaining log files for Checkpoint products (there are scads of logfiles available, and some are quite hidden)
- Steps to take to verify proper operation of a Firewall-1 node, including performance tuning ("fw ctl pstat" and how to read it, basically)
- Using Checkpoint State Synchronization with AND without Checkpoint Clustering, and how to troubleshoot it
- More information about tuning and maintenance of SmartDefense (the IPS features of Firewall-1) paying attention to "protocol gotchas" that can be eliminated through altering its configuration
- A tutorial for the new Checkpoint administrator about all the different types of licenses with which one can and will deploy as part of a standard installation
- The mentions of SecureRemote (the Client-to-LAN VPN built in to Checkpoint Firewall-1) are lacking in many respects -- for example, there is little mention of Secure Configuration Verification, Visitor Mode/Office Mode, IP address assignment mechanisms (there are many), etc.
- More detail in the following areas: CIFS blocking, Exchange/Windows RPC custom handling, integration with URL filtering via UFP, differences between the FTP/FTP_BASIC methods, etc.
Of course, I suppose 80% of the administrators that would buy this book don't care one bit about these details if they're only running a couple of standalone Firewall-1 boxes. The funny thing, though, about companies that buy a product as expensive as Checkpoint Firewall-1 is that they tend to expand their investment in the product fairly rapidly -- if they buy enough of it up front to be a serious investment. For those administrators, it's the type of information like the above that is really missing. What's a shame is that it's also generally missing in Checkpoint's own documentation.
Firewall-1 and Cisco PIX boxes are two of the worst firewalls in terms of security that you could ever purchase. Who the hell buys these things? Why would you buy a product from a company that has to continually supply security updates for their buggy products? Get a decent firewall and be done with it... unfortunately the decent firewalls don't have a big name like Cisco or Checkpoint behind them, but they are the most secure.
Instead of simply saying "My site's been slashdotted! Please check back later." you should also say "Oh, yeah btw, please buy my book!" and get some free advertisement from the ordeal.
> One has to wonder how many check point firewalls could be
> replaced with a freebsd box, two nics, and ipfw with dummynet.
Probably a lot of them, if you were willing to dedicate an administrator per firewall to configure, monitor, and maintain it. That person would need to go through a bunch of Unix/BSD training beforehand. And, if that person ever left that job, you would need to replicate that process.
The key to commercial firewalls, like Netscreen and Check Point, is the easy graphical interface to manage it.. And, the management structure: you define a policy for your network, and click a button to push it out to all the firewalls. So, one person can realistically manage dozens of firewalls. The logging/reporting tools also ease the job of monitoring the ongoing state of your firewalls.
So, it's worth spending the money if A) The firewall is just one of the many tasks you're responsible for; or B) You have a big network with many firewalls and need to manage them with a small group of people.
Too bad I can't post and moderate in the same thread, or I'd mod this up as "insightful."
-- PhoneBoy
The views expressed herein are not necessarily those of anyone, including the poster.
Your reply was very well taken.
Maybe I am old fashioned but I assume one unix admin can automate many of his tasks. Would one main workstation using ssh "ipfw command" with ssh keys be any less secure than checkpoint's system? I could see changing 20 firewall configs without rebooting them in 15 minutes using a well thought out and properly ordered script.
I can and do manage many firewalls. Do you not realize how many customers have a freebsd natd box hidden away on a shelf? It also does so many other things too. It is just as important to them as any checkpoint stand alone firewall protecting 1,000 machines. Almost the same needs!
So call me jaded then.
I'm a CCSA.. I used to come into daily contact with CheckPoint NG.. Can't say I really enjoyed the experience. And the doc.. I really hated it..
"PhoneBoy" was our light in the dark and only good source of info indeed. So:
- If you don't have CP, don't buy it. If only because Israeli security software named "Checkpoint" is rather cynical given the way they treat Palestinians.. also because technically it's a monstrum.
but..
- If you *do* have CP: buy *any* and all new books PhoneBoy publishes on the subject! I mean it. Doing so will save you much pain, and give you the real answers. Phoneboy is one of the few people around to understand CP totally, and to have access to the inside info, plus a lot of admin feedback. Plus a no-nonsense and very professional attitude.
I work for Nokia Support (Same company, different building than phoneboy) and you would be surprised at the amount of people who use these features.
Replacing them with just a box and a few NIC's is a lot different than having a full fledged router in place with Checkpoint loaded on it. Once you've tried both, you'll know what I mean...
--Gr@ve_Rose
!ekoj on si aixelsyD
Too bad it was posted by an AC or you could have rewarded the poster with a percentage of today's sales. If you send it to me instead I'll try to figure out who wrote it.
> Replacing them with just a box and a few NIC's is a lot different than having a full fledged router in place with Checkpoint loaded on it.
I could use http://www.quagga.net/ and make it more router like. Seriously though, in the year 2004 one can do so much with FreeBSD. I just used a multipath kernel patch in one temp project.
I wonder how deep you truly look at alternatives. I bet half those products are bsd code. JunOS at least brags about it.
have a bad day
ahh checkpoint on Windows. Bad, bad, very bad. No wonder you have to call for support. Use Solaris and relax.
The company I used to work for used multiple CheckPoint FW-1 firewalls, which eventually I happened to administer (the version previous to NG).
:)
Unfortunately, mgmnt decided to run them on NT 4 Server instead of Solaris or even Linux (this is from 2000 - 2002). (CheckPoint was originally a Solaris product ported to Linux and eventually Windows).
It sucked HARD on NT - in particular because NT 4 had no native ability to limit file size, and the Checkpoint logs grew exponentially if you happened to be a few connections over your licence limit. If the hard drive volume filled up, you couldn't make any firewall config changes, so you had to stop the services, clear out the log file, restart the services, and you were good.
Also, FloodGate-1 (their traffic-shaping product) didn't work worth a darn on NT either. It was supposed to, the logs said it was running, but it didn't do a darn thing on one firewall, but would work perfectly on a different firewall server in the EXACT SAME CONFIG!! (we had checkpoint support try and help us with this, they couldn't figure it out either)
Mgmnt wouldn't consider even moving to Linux, as I was the only back-end admin with ANY experience with it - even though you spend 90% of your time in the GUI. CheckPoint has even come out with a one-disk "hardened" solution that runs on Linux called SecurePlatform - couldn't be easier.
I haven't had much experience with NG - when I left after the company went bust we had one NG firewall in the mix running on Win2k server. Supposedly they had cleaned up a bunch of the issues that were present in the previous version (and you can limit file size natively on Win2k!! Yay!!)
Anyway, thanks for the rant
I ripped out the Checkpoint f/w on Solaris where I am, and replaced it with some carefully crafted iptables scripts on a Gentoo+grsec x86 box. People immediately noticed it was more responsive. Oh, and no stupid 100 client licence restriction.
The shitty documentation didn't help Checkpoint. And the remote admin tools were pants too.
Get your own free personal location tracker
Domo origato, Mr Lodato.
After working with them for six years you should be able to write your own book.
Sincerely, /. style nazi
Unless that box is a Sun Ultra (1/2/5/10/30/60) loaded with QFE's, fiber interfaces, wireless via pcmcia, gigabit, or whatever sbus/pci interface can be stuck in them. Boxes that don't have to put cpu power to licensing, but to routing, blocking, layer2/3 data, and other more valuable things than revenue maintenance. W^X execute protection built in to the CPU, something non trivial. Also, some of those boxes can be filled with enough memory to deal with high loads.
Sorry Checkpoint, but some machines are good enough to compete.
"Forget the engineers." -Carly Fiorina, briber of MIT Technology Review.
This is a proprietary product, why is it being reviewed on Slashdot? I read a good book on Active Directory, can I post my review?
Sigh...
I don't want to sell anything, buy anything, or process anything. I don't want to sell anything bought or processed...
Not to mention he takes his site down and tells us all to go buy his book. What a loser, using the power of /. to try and make a buck.
What is this checkpoint crap? Put some hair on your chest and go buy a Cisco PIX.
It's the only firewall worth buying.
I work for a major healthcare corporation. We have lan-to-lan tunnels with all of our clients because of HIPAA regulations. The customers who buy checkpoint firewalls end up eventually buying a Cisco PIX because checkpoint can't keep a tunnel up and running worth a damn.
> Too bad it was posted by an AC or you could have rewarded the poster with a percentage of today's sales. If you send it to me instead I'll try to figure out who wrote it.
I'll bet you would!!!!! LoL!!!!!
Actually I was at work and always have to post from there as AC, lest I incur the wrath of my boss in case he sees my Nickname attached to a /. posting during work hours... and he has been known to search for /. posts I've made, what a sorry bastard, eh? :-/
I have no need for monetary reward, but the extra karma from getting modded up might have helped me get some mod points myself a little sooner... and I wished I had some today.
BTW, I know nothing of FW-1 and would have little use for the book myself... since I usually roll my own firewalls with SuSEfirewall2 and raw iptables scripts, and I also run a Cisco PIX too.
Oh and if you don't believe I'm the original poster of the suggestion, if you do have a way of looking up who made an AC post (which I doubt, cuz /. sez they do not keep any logs) you'll find that the browser that posted it was Moz Firefox 0.8 and it came from ip addr 65.xx.xxx.20 (the xxx's just to keep you curious :-) but the first and last octets will convince someone who has the access logs of /.'s webserver).
Some machines might be good enough to compete with Check Point running on a typical PC or low end appliance, but the throughput and performance of Check Point completely depends on the platform you choose to run it on, and there are many options out there other than just standard PC hardware. An example would be the Nokia platforms or, for really high end, the Bivio platform which does 80% line rate of even 64 byte packets. I'd like to see a PC (Sun or other) pull this one off.
Checkpoint not only has one of the best Firewall GUIs ever, it has the best log viewer I have ever seen on a firewall; sorting stuff fast to watch live events that are getting dropped or accepted is a huge time saver for troubleshooting fw problems.
Also I am currently running checkpoint NG with AI and ClusterXL on 2 Linux front ends with fiber GIG-E cards in them. They run either in a load-balanced setup or HA.
VPN is easy to set up and very standard, much better than it used to be.
There are actually tons of things I bet a Checkpoint Firewall can do that your current home firewall can not. ISP redundancy was added recently.
You can run it on Nokia hardware, Linux, Solaris, Checkpoint's own OS (called Secure Platform), and I believe there is some other hardware out there you can run this on also.
Also I think I talked to Phoneboy once, a long time ago, back when I was running 3.0 or something. It was through a reseller I was using or something; he had pointed me at the time to his website. I have to say it helped a lot, and I have used it ever since, and his mailing list daily. So I should give a thanks to him.
fwbuilder? I think it's a smart product but still, I've never played with "enterprise" stuff. Anyway, I do get the feeling that the program is geared towards managing large arrays of machines inside a single interface.
I wonder who is behind all the stupid things I do - Altan
Anyone who has ever had to manage a CheckPoint box for a period of time knows about Phoneboy.
Stors spews forth:
- Check out phoneboy's stuff for details on FTP configuration. You used to write/patch in some custom inspect to get it to work right in some configurations. i.e. the Policy Editor is not enough.
- During testing, tcpdump/ethereal are your friends. Also if you're new to all this and you're doing static translations, you might need to get used to futzing with the translations configuration stuff (src->dst xlate/don't xlate stuff)
- If you've got it on a Solaris box, you ought to harden Solaris' TCP options in the kernel. This is documented... Google for hardening solaris.
- If you've got one of those qfe cards and it's plugged into a Cisco switch (there may be other cards/switches that exhibit this behaviour) you may need to force the speed and duplex (on both devices), otherwise they can go into an autonegotiating frenzy intermittently.
Cheers
Stor
"Yeah well there's a lot of stuff that should be, but isn't"
Ugh, checkpoint. Gag me with a spoon. I'd rather use a cisco pix.
When I'd peddle CheckPoint, several of our clients would just laugh and say, "For that price, I'll buy hardware and load OpenBSD's pf." Can't say I blamed them.
There are times, however, in which CheckPoint can really make your life easier. For example, you can easily (for better or worse) push a policy to multiple endpoints. The graphical logs are cool also.
Sales reps (may) try to sell you on the seamless failover crap. Bottom line: lots of hoops, and I don't know that it's any easier than PIX's failover solution.
Checkpoint is teh sux. Here's why.
Another issue is the lack of being able to copy/paste a rule across to a policy editor for another management station/CMA. At present you can skip this if you have Provider-1 installed (put the rule into a global rule - or define the hosts/groups/services globally to speed things up).
The log viewer also has a MAJOR MAJOR issue, which is that it doesn't have the ability to display/log the three-way handshake for TCP connections. So for example, someone has a connectivity issue, we look into the firewall and see that the connection has been "accepted". All this shows is that the initial SYN packet was received on one of the firewall interfaces, checked against the ruleset, and allowed. But the problem still exists. We have no idea whether the remote host responded, whether we routed out the wrong interface, or whether the syn-ack response got lost somewhere. So we always have to check to see 1) is it hitting a rule and being allowed, 2) log onto the master firewall (we use VRRP), and perform a tcpdump on the appropriate interfaces. Multiple steps for something which should be being answered by the log viewer!
I agree checkpoint is a useful tool for an enterprise network security framework, but sometimes it causes much more headaches than it is worth. If you're investigating implementing a new firewall infrastructure, explore multiple vendors and don't be overwhelmed by the marketing...
Man watching 6 MCSE's around a sun box looks a lot like the opening scenes of 2001: A Space Odyssey...
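The log viewer complaint above boils down to one question the "accepted" entry cannot answer: did the SYN-ACK ever come back, and did the client complete the handshake? As an added example (not from the post, not Check Point's own tooling), the Python below walks a tcpdump-style text capture, such as the one the poster takes on the master firewall, and classifies each connection attempt by how far the three-way handshake got. The capture lines are constructed sample data in tcpdump's default `-n` text format; the addresses are documentation ranges.

```python
import re
from dataclasses import dataclass

# Constructed sample capture (not real traffic), in tcpdump's default text format.
# Four attempts: one complete, one SYN with retransmit and no reply,
# one SYN-ACK with the client's final ACK missing, one refused with RST.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.1.1.5.51000 > 192.0.2.10.443: Flags [S], seq 1000, win 65535, length 0
12:00:01.000900 IP 192.0.2.10.443 > 10.1.1.5.51000: Flags [S.], seq 5000, ack 1001, win 65535, length 0
12:00:01.001200 IP 10.1.1.5.51000 > 192.0.2.10.443: Flags [.], ack 5001, win 65535, length 0
12:00:02.000001 IP 10.1.1.6.51001 > 192.0.2.20.80: Flags [S], seq 2000, win 65535, length 0
12:00:03.000001 IP 10.1.1.6.51001 > 192.0.2.20.80: Flags [S], seq 2000, win 65535, length 0
12:00:04.000001 IP 10.1.1.7.51002 > 192.0.2.30.22: Flags [S], seq 3000, win 65535, length 0
12:00:04.000800 IP 192.0.2.30.22 > 10.1.1.7.51002: Flags [S.], seq 7000, ack 3001, win 65535, length 0
12:00:05.000001 IP 10.1.1.8.51003 > 192.0.2.40.25: Flags [S], seq 4000, win 65535, length 0
12:00:05.000500 IP 192.0.2.40.25 > 10.1.1.8.51003: Flags [R.], seq 0, ack 4001, win 0, length 0
"""

# Matches "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]" and ignores the rest.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class Handshake:
    """What we have seen so far for one client-initiated TCP connection."""
    syn: int = 0          # number of SYNs from the client (>1 means retransmits)
    synack: bool = False  # server answered with SYN-ACK
    ack: bool = False     # client completed with the final ACK
    rst: bool = False     # server answered with RST (refused)

    def verdict(self) -> str:
        if self.rst:
            return "refused: RST received from server"
        if self.synack and self.ack:
            return "complete"
        if self.synack:
            return "half-open: SYN-ACK seen, client's final ACK missing"
        return f"no reply: {self.syn} SYN(s) sent, no SYN-ACK seen"


def parse_line(line: str):
    """Return (src, sport, dst, dport, flags) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def track_handshakes(capture: str) -> dict:
    """Map (client, cport, server, sport) -> Handshake for every SYN seen in the capture.

    Only connections whose initial SYN is in the capture are tracked; mid-stream
    packets for unknown connections are ignored rather than misclassified.
    """
    conns: dict = {}
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        key = (src, sport, dst, dport)       # client -> server direction
        rkey = (dst, dport, src, sport)      # server -> client direction
        if "S" in flags and "." not in flags:
            # Bare SYN from the client: new attempt or a retransmit of one.
            conns.setdefault(key, Handshake()).syn += 1
        elif rkey in conns:
            # Reply from the server side of a tracked connection.
            hs = conns[rkey]
            if "R" in flags:
                hs.rst = True
            elif "S" in flags and "." in flags:
                hs.synack = True
        elif key in conns:
            # Follow-up from the client side: the final ACK only counts after a SYN-ACK.
            hs = conns[key]
            if "." in flags and "S" not in flags and "R" not in flags and hs.synack:
                hs.ack = True
    return conns


def summarize(capture: str) -> dict:
    """Map each tracked connection to its handshake verdict string."""
    return {key: hs.verdict() for key, hs in track_handshakes(capture).items()}


if __name__ == "__main__":
    for (client, cport, server, sport), verdict in summarize(SAMPLE_CAPTURE).items():
        print(f"{client}:{cport} -> {server}:{sport}: {verdict}")
```

Run it over a real capture with `tcpdump -n -i <iface> tcp` piped into `summarize`; a "no reply" verdict on the inside interface paired with no SYN seen on the outside interface points at routing rather than at the rule base.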
Well, as a current CCSE+ certified engineer,
:)
you do need to make sure you have a support contract, and companies like Nokia are perfect.
(I'm tooting my own horn, since anyone who deals with Nokia support directly in the States and Canada, will have spoken with me at least once)
There are lots of good resellers out there to help implement the solutions that Checkpoint provides, and there are others out there I would like to squash and remove their access contracts, but I just work there.
Everyone who complains about Checkpoint, always complains about the patches and the downtime and the configurations, but lots of time would be saved if people would get this book, and get some proper training and support in place.
On a side note, I have heard from many people who have support contracts with Checkpoint directly, and my own company for the hardware/software, and they always seem to say that Checkpoint support sucks until you get to their Bench support group, or talk to a Nokia support rep.
I call B.S. on the whole damn post. An administrator per firewall? Are you on crack? If you do this you will quickly rack up a huge bandwidth bill due to your hundreds of new admins playing UT2k4 because they're bored out of their minds. A single *nix admin worth his salary should be able to handle, at a minimum, 20 servers. 20 is _very_ low.
The funny thing about *nix admins are that they script things very well. In fact, they do this scripting thing so well they generally spend about a half an hour a day reviewing log files that are sent to them via email because they have scripted the process so well, and because a proper *nix should not need tending to.
The real key to commercial firewalls are corporate policy. It is unacceptable in many corporations to allow a single or handful of highly trained administrators to construct their own firewall rulesets out of simple fear. E.g. "what if our BOFH is having a bad day and reroutes all www traffic to goatse.cx?" or "if we piss our admin off and he simply quits, we would have to hire another admin who can work with such-and-such platform. such-and-such platform has no certifications so how can we determine a potential-admin's qualifications?"
A Linux, Solaris, OpenBSD, FreeBSD, NetBSD, Darwin, AIX, HP-UX, etc, etc box can quite easily defend your borders from threats both internal and external and enforce company policy using standard tools which, surprise, allow extensive logging and are fully configurable. Administering a large number of individual machines is very easy and perfectly normal to your average competent admin. Think shell/perl/python/tcl scripting + ssh/stunnel. If the admin can't script he/she doesn't need to be an admin of multiple systems.
By the way, if anyone is in need of these skills, get ahold of me. My personal machine responds at illinois.dyndns.org and I'm bja.