Slashdot Mirror


Essential Check Point Firewall-1 NG

Raymond Lodato writes "For the past six years, I've been responsible for the installation, configuration, and maintenance of the firewalls at my company. I was surprised and annoyed at the caliber of documentation supplied by Check Point. Six years ago, you really needed a reseller with the appropriate expertise to teach you how to design and implement a firewall. A year or so later, I found Phoneboy's website (phoneboy.com). It was an oasis for someone drowning in the sea of confusing literature and advice. In the time since, I have frequently referred to Phoneboy's site, as well as his fw1-gurus mailing list, as an unsurpassed source of information." Read below for Lodato's review of Phoneboy's recently updated book on the subject.

Title: Essential Check Point Firewall-1 NG - An Installation, Configuration, and Troubleshooting Guide
Author: Dameon D. Welch-Abernathy
Pages: 647
Publisher: Addison-Wesley
Rating: 9/10
Reviewer: Raymond Lodato (rlodato AT yahoo DOT com)
ISBN: 0321180615
Summary: An excellent guide to the ins and outs of configuring Check Point's FireWall-1 NG product, with a guide to the foundations of a good security policy. A 'must read' for any Check Point firewall administrator.

Phoneboy (nee Dameon Welch-Abernathy) has proven himself to be extremely knowledgeable about Check Point's FireWall-1 product. In October of 2001, he produced a book (Essential Check Point FireWall-1, Addison-Wesley, 2001) that helped to clarify the vast amount of information collected over the years through the mailing list and the website. Shortly after the book was published, Check Point saw fit to render it almost obsolete by releasing FireWall-1 NG. The new version of Check Point's flagship product was so different, you almost had to start from scratch to understand it. Dameon has taken the necessary next step and updated his original book. The new book, Essential Check Point FireWall-1 NG, (Addison-Wesley, 2004) now covers all existing versions of NG, up to and including NG with Application Intelligence (NGAI).

When you first open the book and look at the Contents pages, two things will strike you. The first is that the Contents page starts with "Frequently Asked Questions." Anyone who has spent any time on technical websites knows that Frequently Asked Questions (or FAQs) are the first place to look to gather the nugget(s) of wisdom you need. The fact that Dameon has included a large list of FAQs in the book makes it valuable for quickly addressing the typical problems and questions an administrator faces. The second thing you will note is that he does not start describing anything about FireWall-1 itself until late into Chapter 2. He takes the time to lay the foundation of what a firewall is, as well as what a good security policy is, and why it's so important to get one and get it right.

As I read through the book, I was pleased to see that Dameon followed one of the cardinal principles of good presentation: tell them what you're going to say, say it, then tell them what you said. Each chapter outlines what you will know by the end, teaches you what you need to know, then summarizes it. Dameon writes in a style I would call clear but not condescending. It takes someone who not only knows his subject well, but understands his audience well, to walk the fine line between the two. Dameon shows his chops by treading that line like a tightrope walker.

Each chapter contains carefully organized information with numerous figures and screen shots interspersed, to keep the text understandable. Starting in Chapter 4, Dameon also includes selected FAQs culled from the many available on his website. I found this much more valuable than collecting them at the end of the book in one gigantic haystack that you needed to search for that one precious needle. Later chapters include sample configurations to clarify the concepts just described. This makes Essential Check Point FireWall-1 NG useful as a teaching resource, as well as a general reference to the product.

While the chapters in the book follow a logical progression, each building on the prior information, Dameon made sure that most chapters (and even sections within the chapters) could stand alone. This means you can pick and choose what you want to read. For example, if you needed to focus on FireWall-1 on IPSO, you don't necessarily have to worry about what was written about Solaris. The information on IPSO would repeat enough information that you wouldn't have to refer to previous pages. Even so, Dameon provides back references when repeating the information would be too cumbersome.

I did notice that Dameon varied the amount of detail used throughout the book. Sometimes he uses a high-level approach, and sometimes he goes into excruciating detail. Unfortunately there were a number of places I wanted him to provide more detail, only to have him skim over the treetops. While he does explain up front that this book was supposed to cover the essential information, covering some areas in detail just whets your appetite for that same amount of detail in all areas.

One other quibble I have revolves around the figures used in his examples. It becomes obvious that this book evolved over a period of time (I believe he took around a year to get this edition put together). Some figures apparently came from an earlier version of the book, as the text referred to something else. One example occurs in Chapter 8 (User Authentication). Dameon's sample configurations are written in a "follow-me" style. One sample configuration has the text "Next, create the group WebAdmins and add bob and dan to this group." If you followed his directions and then referred to the sample rule base in the figure on the next page, you would see that the group is named DMZAdmins instead of WebAdmins. (And the specs given for the same sample configuration specify that S/Key will be used, yet the figure showing the Authentication tab clearly has S/Key un-checked.) Little inconsistencies like this should have been picked up on the proofreading. Their existence mars an otherwise excellent book.

Overall, Essential Check Point FireWall-1 NG is aptly named: essential. If you are responsible for the care and feeding of Check Point's FireWall-1 software on any platform, you need to get and read this book. It's definitely going to stay within arm's reach on my desk.

You can purchase Essential Check Point Firewall-1 NG from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

13 of 149 comments

  1. Arm's reach on the desk? by stuffduff · · Score: 3, Insightful

    IMHO, while the book is arguably excellent in its own right, and exactly the kind of thing to build a thorough working understanding of what is going on, I wonder if the problems covered therein will remain on the cutting edge of firewall management. So, if I were using Checkpoint, I'd probably sleep with the damn thing for the first few weeks, but eventually it would find its way off the desk and up on the shelf, where it (more than likely) is on its way to the next booksale.

    --
    "Can there be a Klein bottle that is an efficient and effective beer pitcher?"
  2. Props, but... by Anonymous Coward · · Score: 2, Insightful

    If I'm paying $$$ for Check Point 1 software, I don't wanna have to buy an aftermarket book to tell me how to use it.

    How about an OpenBSD firewall guide book, eh?

    1. Re:Props, but... by mgoodman · · Score: 3, Insightful

      But you would buy a book on a commercial Unix variant? Or Microsoft training? Etc.

      Third-party books are frequently better than the documentation provided by the company, as the third-party is more apt to give you tips and tricks and hacks to get the job done, rather than going on about how great a product it is.

      --
      01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
    2. Re:Props, but... by Anonymous Coward · · Score: 5, Insightful

      > If I'm paying $$$ for Check Point 1 software, I don't wanna have to buy an aftermarket book to tell me how to use it.

      You're shelling out $50k for the software but complain about a $40 book? Personally I would rather buy a 3rd party book than one from the software maker as they have to compete to explain the topic to the user.

    3. Re:Props, but... by kfg · · Score: 3, Insightful

      If I'm paying $$$ for a commercial grade table saw, I don't wanna have to buy an aftermarket book to tell me how to use it?

      There is a difference between "how" to use something, i.e. what the levers and dials do, and the art, craft, and wisdom that lies in applying those dials and levers.

      My table saw manufacturer is obliged to provide me with a manual explaining the proper and safe use of the device. He is not obliged to tell me how to apply the device specifically to the making of a grandfather clock and a Shaker trestle table.

      Other people write books to help me figure that out.

      KFG

  3. Essential text and web site for FW-1 admins by octaene · · Score: 4, Insightful

    I have been administering Check Point systems for about 4 years now, and I must say I'm not even close to surprised by this reviewer's comments. Phoneboy's book and site have been essential for FW-1 admins for long before I began working on this software. I've owned 3 revisions of his textbook, and it IS the best text ever written about Check Point products, bar none.

  4. Firewall-1 has its place by Chomp · · Score: 4, Insightful

    Equating ipf/iptables with Firewall-1 etc. is like confusing a Hertz rental truck with DHL.

    Not everyone needs Firewall-1. But as the number of firewalls you manage goes up, the management features of Firewall-1 really come into their own.

    Firewall-1 also assists in reaching the desired level of abstraction where your ruleset stops describing your network topology and starts describing your network policy.

    The difference is hard to appreciate until you have worked with both for a while.

  5. Excellent Question!!! by Chris_Stankowitz · · Score: 3, Insightful

    > wonder if the problems covered therein will remain on the cutting edge of firewall management.

    The answer is NO! As security techs change the way they handle threats, from the borders and internally, FW config and management is currently changing rapidly. In fact CheckPoint is now offering in-line IPS. This better layered/mesh approach to security does change what you need to do on your borders and how you do it. Coupled with node/desktop firewalls, current strategies will change.

  6. Re:go here by Homology · · Score: 2, Insightful

    http://smoothwall.org/ rocks like none other

    PF: The OpenBSD Packet Filter shows that it is possible to have a very powerful packet filter with easily understandable and readable filter rules. Smoothwall has a following because the IPtables firewall scripts quickly become unreadable and hard to understand with its sucky syntax.

  7. Mostly Okay by irregular_hero · · Score: 3, Insightful

    The book is good in many areas, especially dealing with Site-to-Site VPN configuration, but is seriously lacking in other areas. Some of the things missing are:
    • High Availability of management stations
    • Coverage of Provider-1, SiteManager-1 installations and the differences between them and the traditional management method
    • More detail on Checkpoint log servers (specifically CLMs and what they can and cannot do, including where they should typically be deployed and in what situations)
    • Handling, munging, searching, and maintaining log files for Checkpoint products (there are scads of logfiles available, and some are quite hidden)
    • Steps to take to verify proper operation of a Firewall-1 node, including performance tuning ("fw ctl pstat" and how to read it, basically)
    • Using Checkpoint State Synchronization with AND without Checkpoint Clustering, and how to troubleshoot it
    • More information about tuning and maintenance of SmartDefense (the IPS features of Firewall-1) paying attention to "protocol gotchas" that can be eliminated through altering its configuration
    • A tutorial for the new Checkpoint administrator about all the different types of licenses with which one can and will deploy as part of a standard installation
    • The mentions of SecureRemote (the Client-to-LAN VPN built in to Checkpoint Firewall-1) are lacking in many respects -- for example, there is little mention of Secure Configuration Verification, Visitor Mode/Office Mode, IP address assignment mechanisms (there are many), etc.
    • More detail in the following areas: CIFS blocking, Exchange/Windows RPC custom handling, integration with URL filtering via UFP, differences between the FTP/FTP_BASIC methods, etc.
    Of course, I suppose 80% of the administrators that would buy this book don't care one bit about these details if they're only running a couple of standalone Firewall-1 boxes. The funny thing, though, about companies that buy a product as expensive as Checkpoint Firewall-1 is that they tend to expand their investment in the product fairly rapidly -- if they buy enough of it up front to be a serious investment. For those administrators, it's the type of information like the above that is really missing. What's a shame is that it's also generally missing in Checkpoint's own documentation. :>

  8. Re:go here by dlb · · Score: 2, Insightful

    Yeah, it's great -- but smoothwall doesn't address issues like high availability, or any sort of application inspection.

    Oh yeah, and how do you efficiently manage your smoothwall firewalls after you deploy 50 of them?

    It's just the same ugly packet filter with more makeup.

  9. Re:do checkpoint customers even use the fancy feat by Anonymous Coward · · Score: 1, Insightful

    > One has to wonder how many check point firewalls could be
    > replaced with a freebsd box, two nics, and ipfw with dummynet.

    Probably a lot of them, if you were willing to dedicate an administrator per firewall to configure, monitor, and maintain it. That person would need to go through a bunch of Unix/BSD training beforehand. And, if that person ever left that job, you would need to replicate that process.

    The key to commercial firewalls, like Netscreen and Check Point, is the easy graphical interface to manage it. And, the management structure: you define a policy for your network, and click a button to push it out to all the firewalls. So, one person can realistically manage dozens of firewalls. The logging/reporting tools also ease the job of monitoring the ongoing state of your firewalls.

    So, it's worth spending the money if A) The firewall is just one of the many tasks you're responsible for; or B) You have a big network with many firewalls and need to manage them with a small group of people.

  10. Re:A Checkpoint story by skinfitz · · Score: 2, Insightful

    Hear Hear. I've dealt with two FW-1 installations at our main site - one on Solaris and one on NT4 which were both installed by consultants before security became my job.

    I have several issues with FW-1, however the main one must surely be the crappy "support" and the "buy now, pay forever" attitude to it that many companies now adhere to, namely that no support = no software updates. Quite frankly for a firewall company to deny you patches for their product if someone discovered a vulnerability ("TEST=" in packets traversing all versions of FW-1 unblocked up until around 2 years ago anyone?) in their product is unacceptable. I mothballed the systems and moved on.