Essential Check Point Firewall-1 NG
Phoneboy (nee Dameon Welch-Abernathy) has proven himself to be extremely knowledgeable about Check Point's FireWall-1 product. In October of 2001, he produced a book (Essential Check Point FireWall-1, Addison-Wesley, 2001) that helped to clarify the vast amount of information collected over the years through the mailing list and the website. Shortly after the book was published, Check Point saw fit to render it almost obsolete by releasing FireWall-1 NG. The new version of Check Point's flagship product was so different, you almost had to start from scratch to understand it. Dameon has taken the necessary next step and updated his original book. The new book, Essential Check Point FireWall-1 NG, (Addison-Wesley, 2004) now covers all existing versions of NG, up to and including NG with Application Intelligence (NGAI).
When you first open the book and look at the Contents pages, two things will strike you. The first is that the Contents page starts with "Frequently Asked Questions." Anyone who has spent any time on technical websites knows that Frequently Asked Questions (or FAQs) are the first place to look to gather the nugget(s) of wisdom you need. The fact that Dameon has included a large list of FAQs in the book makes it valuable for quickly addressing the typical problems and questions an administrator faces. The second thing you will note is that he does not start describing anything about FireWall-1 itself until late into Chapter 2. He takes the time to lay the foundation of what a firewall is, as well as what a good security policy is, and why it's so important to get one and get it right.
As I read through the book, I was pleased to see that Dameon followed one of the cardinal principles of good presentation: tell them what you're going to say, say it, then tell them what you said. Each chapter outlines what you will know by the end, teaches you what you need to know, then summarizes it. Dameon writes in a style I would call clear but not condescending. It takes someone who not only knows his subject well, but understands his audience well, to walk the fine line between the two. Dameon shows his chops by treading that line like a tightrope walker.
Each chapter contains carefully organized information with numerous figures and screen shots interspersed, to keep the text understandable. Starting in Chapter 4, Dameon also includes selected FAQs culled from the many available on his website. I found this much more valuable than collecting them at the end of the book in one gigantic haystack that you needed to search for that one precious needle. Later chapters include sample configurations to clarify the concepts just described. This makes Essential Check Point FireWall-1 NG useful as a teaching resource, as well as a general reference to the product.
While the chapters in the book follow a logical progression, each building on the prior information, Dameon made sure that most chapters (and even sections within the chapters) could stand alone. This means you can pick and choose what you want to read. For example, if you needed to focus on FireWall-1 on IPSO, you don't necessarily have to worry about what was written about Solaris. The information on IPSO would repeat enough information that you wouldn't have to refer to previous pages. Even so, Dameon provides back references when repeating the information would be too cumbersome.
I did notice that Dameon varied the amount of detail used throughout the book. Sometimes he uses a high-level approach, and sometimes he goes into excruciating detail. Unfortunately there were a number of places I wanted him to provide more detail, only to have him skim over the treetops. While he does explain up front that this book was supposed to cover the essential information, covering some areas in detail just whets your appetite for that same amount of detail in all areas.
One other quibble I have revolves around the figures used in his examples. It becomes obvious that this book evolved over a period of time (I believe he took around a year to get this edition put together). Some figures apparently came from an earlier version of the book, as the text referred to something else. One example occurs in Chapter 8 (User Authentication). Dameon's sample configurations are written in a "follow-me" style. One sample configuration has the text "Next, create the group WebAdmins and add bob and dan to this group." If you followed his directions and then referred to the sample rule base in the figure on the next page, you would see that the group is named DMZAdmins instead of WebAdmins. (And the specs given for the same sample configuration specify that S/Key will be used, yet the figure showing the Authentication tab clearly has S/Key un-checked.) Little inconsistencies like this should have been picked up on the proofreading. Their existence mars an otherwise excellent book.
Overall, Essential Check Point FireWall-1 NG is aptly named: essential. If you are responsible for the care and feeding of Check Point's FireWall-1 software on any platform, you need to get and read this book. It's definitely going to stay within arm's reach on my desk.
You can purchase Essential Check Point Firewall-1 NG from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
http://smoothwall.org/ rocks like none other
Heh.
:)
I'll give you three. And a website to cap them.
"Building Linux and OpenBSD Firewalls", by Wes Sonnenreich and Tom Yates. Published in February 2000. Dated: both Linux and OpenBSD have gone through too many changes for this to be an "in the trenches" reference. It's a decent view from 30,000 feet.
"Absolute OpenBSD", by Michael Lucas. Published in June 2003. Its ISBN is 1886411999. Covers OpenBSD 3.2, so its relevance to 3.4 is high. Has a few typos which do not seriously mar the content.
As any decent book on OpenBSD should do, it walks you through an install. The coverage of pf is more than sufficient for most firewall applications. The appendices, with their exhaustive exploration of OpenBSD's maker-specific device prefixes, will save you a great deal of headache.
"Building Firewalls with OpenBSD and PF, 2nd edition", by Jacek Artymiak. Published in November 2003. Its ISBN is 8391665119. Covers OpenBSD 3.4, so it's essentially hot off the press. This will answer just about any technical question about PF that you care to ask. A must-read, if you want to get the most out of PF.
"But how do I _harden_ an OpenBSD firewall?", I hear you cry. A good place to start looking for the answer to that question is at http://geodsoft.com/howto/harden/
I work for Nokia Support (Same company, different building than phoneboy) and you would be surprised at the amount of people who use these features.
Replacing them with just a box and a few NICs is a lot different than having a full-fledged router in place with Checkpoint loaded on it. Once you've tried both, you'll know what I mean...
--Gr@ve_Rose
!ekoj on si aixelsyD
The technology in the firewall industry changes so quickly, books have out of date information the day they get published. One of the best ways to stay abreast is just use mailing lists, forums, and manufacturer websites.
If you're a Netscreen admin, you can always use netscreenforum.com. Yeah, it's a shameless plug, but not many Netscreen customers know about it. Many of Netscreen's own engineers frequent the site, even though it's not run or sponsored by them.
Need Free Juniper/NetScreen Support? JuniperForum
Sincerely, /. style nazi
Okay ...complicated, bloated and buggy...
I'll buy that.
That netfilter/iptables + various OSS-added stuff can't do a tenth of what Checkpoint can do, that I dispute.
Name some?!! There are a few integrations that Checkpoint has already handled (RADIUS authentication, etc.), but often those integrations are erratic, and they can be integrated into a Linux or OpenBSD firewall.
Also, tying your firewall device and your VPN device together on a Checkpoint is problematic as well; case in point, the recent ISAKMP vulnerability. Gee, what do we do now??!!
And I speak as someone who managed 300+ checkpoints in a managed firewall environment for 3+ years,
they SUCK!!!!!