Essential Check Point Firewall-1 NG
Phoneboy (nee Dameon Welch-Abernathy) has proven himself to be extremely knowledgeable about Check Point's FireWall-1 product. In October of 2001, he produced a book (Essential Check Point FireWall-1, Addison-Wesley, 2001) that helped to clarify the vast amount of information collected over the years through the mailing list and the website. Shortly after the book was published, Check Point saw fit to render it almost obsolete by releasing FireWall-1 NG. The new version of Check Point's flagship product was so different, you almost had to start from scratch to understand it. Dameon has taken the necessary next step and updated his original book. The new book, Essential Check Point FireWall-1 NG, (Addison-Wesley, 2004) now covers all existing versions of NG, up to and including NG with Application Intelligence (NGAI).
When you first open the book and look at the Contents pages, two things will strike you. The first is that the Contents page starts with "Frequently Asked Questions." Anyone who has spent any time on technical websites knows that Frequently Asked Questions (or FAQs) are the first place to look to gather the nugget(s) of wisdom you need. The fact that Dameon has included a large list of FAQs in the book makes it valuable for quickly addressing the typical problems and questions an administrator faces. The second thing you will note is that he does not start describing anything about FireWall-1 itself until late into Chapter 2. He takes the time to lay the foundation of what a firewall is, as well as what a good security policy is, and why it's so important to get one and get it right.
As I read through the book, I was pleased to see that Dameon followed one of the cardinal principles of good presentation: tell them what you're going to say, say it, then tell them what you said. Each chapter outlines what you will know by the end, teaches you what you need to know, then summarizes it. Dameon writes in a style I would call clear but not condescending. It takes someone who not only knows his subject well, but understands his audience well, to walk the fine line between the two. Dameon shows his chops by treading that line like a tightrope walker.
Each chapter contains carefully organized information with numerous figures and screen shots interspersed, to keep the text understandable. Starting in Chapter 4, Dameon also includes selected FAQs culled from the many available on his website. I found this much more valuable than collecting them at the end of the book in one gigantic haystack you would have to search for that one precious needle. Later chapters include sample configurations to clarify the concepts just described. This makes Essential Check Point FireWall-1 NG useful as a teaching resource, as well as a general reference to the product.
While the chapters in the book follow a logical progression, each building on the prior information, Dameon made sure that most chapters (and even sections within the chapters) could stand alone. This means you can pick and choose what you want to read. For example, if you needed to focus on FireWall-1 on IPSO, you don't necessarily have to worry about what was written about Solaris. The IPSO section repeats enough of the material that you wouldn't have to refer back to previous pages. Even so, Dameon provides back references where repeating the information would be too cumbersome.
I did notice that Dameon varied the amount of detail used throughout the book. Sometimes he uses a high-level approach, and sometimes he goes into excruciating detail. Unfortunately there were a number of places I wanted him to provide more detail, only to have him skim over the treetops. While he does explain up front that this book was supposed to cover the essential information, covering some areas in detail just whets your appetite for that same amount of detail in all areas.
One other quibble I have revolves around the figures used in his examples. It becomes obvious that this book evolved over a period of time (I believe he took around a year to get this edition put together). Some figures apparently came from an earlier version of the book, as the text referred to something else. One example occurs in Chapter 8 (User Authentication). Dameon's sample configurations are written in a "follow-me" style. One sample configuration has the text "Next, create the group WebAdmins and add bob and dan to this group." If you followed his directions and then referred to the sample rule base in the figure on the next page, you would see that the group is named DMZAdmins instead of WebAdmins. (And the specs given for the same sample configuration specify that S/Key will be used, yet the figure showing the Authentication tab clearly has S/Key unchecked.) Little inconsistencies like this should have been caught in proofreading. Their existence mars an otherwise excellent book.
Overall, Essential Check Point FireWall-1 NG is aptly named: essential. If you are responsible for the care and feeding of Check Point's FireWall-1 software on any platform, you need to get and read this book. It's definitely going to stay within arm's reach on my desk.
I was a young impressionable admin when I was first introduced to Checkpoint. At the time, they had barely stepped out of their domestic Israeli market and we had a copy thanks to a co-worker who worked in a kibbutz for two years.
Anyways, I was astounded at the fine level of detail at which one could control the packets in that FW product. We immediately proceeded to deploy Checkpoint in our production Solaris 3 environment. We found the network configuration to be easy and the core install of Solaris 3 satisfied all the requirements.
Little did I know that the product was not yet mature and optimized to deal with the large traffic in our organization. FTP and Gopher services crashed around our ears as we ran around like headless chickens. We deduced right away that it was Checkpoint and went back to our original configuration.
Oh, how we laughed after that incident. It sometimes still makes me snicker.
Which is nice.
I must say that the Checkpoint Firewalls are excellent pieces of equipment. We use them all throughout our company's WAN. (20+ offices across the whole continental United States) I think that anyone interested in a little bit more than just a Do-it-yourself firewall, or a Cisco PIX solution, should definitely get this book and research Checkpoint.
I could go on for many pages, detailing all of the issues I've had to deal with in the last few weeks. But I've wasted enough time dealing with Checkpoint, and I don't want to waste too much time bitching about them.
We purchased hardware and software through a reseller. My predecessor placed the order, so I came in knowing very little about what we had purchased. I was given the server and an activation code for the software.
I activated it, and found that I was unable to download anything. We had no support contract. I sent off some nasty e-mails to the vendor, and we had an installation CD a couple of days later.
Well, it turns out that the installation CD was old. Shouldn't be a big deal, right? Well, it was. Although we could install the software, we couldn't use any of the management tools. The Windows-based management tools, I should add. For a Linux product.
Conference calls with Checkpoint, more nasty e-mails, we find out that our support contract was never entered. I blame this solely on the vendor, not Checkpoint. Once that went through, we were able to download the needed software from Checkpoint.
Sounds like the problem is resolved, right? I hope so, but I won't know for a few days, as we had to reschedule a network shutdown because of this incompetence. While I blame most of this on the vendor, you have to wonder what sort of approval process the vendors have to go through to become resellers, and why Checkpoint would ever allow such idiots to resell their product.
While I'm pointing fingers, here are some other things to think about:
Checkpoint could easily have allowed us to download a product which we had already purchased, and is available to customers with a support contract.
Tech support could have answered our questions very quickly, if they would have talked to us.
They could have FAQs with this information on their web site.
The FAQs that they do have could have been in a format that is readable from a console (everything is PDF).
Red Hat 7.3 is the latest version of Linux they support. With a kernel that doesn't come standard.
I admin many older Checkpoint boxes, which unfortunately run on Windows NT 4. I inherited them. After the crap I have been through dealing with Checkpoint, I am considering staying with them until I find a better solution. Why should we have to pay thousands of dollars a year just to be able to patch these things? Why are the FAQs useless? Why can't these people get a clue?
Just FYI, I've been using Linux since before it was 1.0, and I have no problem with configuring firewalls and the like. And I also know that Cisco pulls stupid crap like this, too. Now for the fun part - I have a hell of a lot of purchasing power at a very large consulting firm, and as far as I am concerned, we are done with Checkpoint.
You hear that, Checkpoint? Over 70,000 employees, and I can't count how many support contracts. I'm going to do what I can to make sure we never send you another dime.
I'm a CCSA... I used to come into daily contact with CheckPoint NG... Can't say I really enjoyed the experience. And the doc... I really hated it...
"PhoneBoy" was our light in the dark and only good source of info indeed. So:
- If you don't have CP, don't buy it. If only because Israeli security software named "Checkpoint" is rather cynical given the way they treat Palestinians... also because technically it's a monstrosity.
but...
- If you *do* have CP: buy *any* and all new books PhoneBoy publishes on the subject! I mean it. Doing so will save you much pain, and give you the real answers. Phoneboy is one of the few people around to understand CP totally, and to have access to the inside info, plus a lot of admin feedback. Plus a no-nonsense and very professional attitude.
The company I used to work for used multiple CheckPoint FW-1 firewalls, which eventually I happened to administer (the version previous to NG).
:)
Unfortunately, management decided to run them on NT 4 Server instead of Solaris or even Linux (this is from 2000 - 2002). (CheckPoint was originally a Solaris product ported to Linux and eventually Windows).
It sucked HARD on NT - in particular because NT 4 had no native ability to limit file size, and the Checkpoint logs grew exponentially if you happened to be a few connections over your licence limit. If the hard drive volume filled up, you couldn't make any firewall config changes, so you had to stop the services, clear out the log file, restart the services, and you were good.
Also, FloodGate-1 (their traffic-shaping product) didn't work worth a darn on NT either. It was supposed to, the logs said it was running, but it didn't do a darn thing on one firewall, but would work perfectly on a different firewall server in the EXACT SAME CONFIG!! (we had checkpoint support try and help us with this, they couldn't figure it out either)
Management wouldn't consider even moving to Linux, as I was the only back-end admin with ANY experience with it - even though you spend 90% of your time in the GUI. CheckPoint has even come out with a one-disk "hardened" solution that runs on Linux called SecurePlatform - couldn't be easier.
I haven't had much experience with NG - when I left after the company went bust we had one NG firewall in the mix running on Win2k server. Supposedly they had cleaned up a bunch of the issues that were present in the previous version (and you can limit file size natively on Win2k!! Yay!!)
Anyway, thanks for the rant
OpenBSD does make sense in small business situations, but for the enterprise it does not. Dealing with 25 different openbsd machines with a text-based PF config on each does not sound fun to me. Yeah I'm sure you could script some pretty cool central management out of it all, but that's not realistic for most places.
But... Checkpoint is a huge pain, I agree. It is arguably the most bloated software product in history. That's why I recommend Netscreen -- the nice management of Checkpoint with rock-solid hardware reliability and performance.
Netscreen does the "little things" that Checkpoint doesn't. Like scheduled DNS resolution for objects in a firewall policy. (Nope, Checkpoint doesn't do that).
And since Netscreen is one box, you don't deal with firewall/OS separation issues.
It takes me hours to set up a Checkpoint on a Sun, or Nokia, or whatever (upgrade and lock down the OS, then install & upgrade Checkpoint and do the voodoo for the management station, as well as the licensing).
It takes me 30 minutes or less to get a Netscreen going. Boot it, upgrade the whole thing (5 minutes), configure via http or ssh, and done. I could do it in 10-15 minutes if I took the time to come up with a config template that I could just paste in.
Oh, that's the other beauty of Netscreen - TEXT CONFIG. Ever look at the "config" of a Checkpoint? A nightmare mishmash of .c files that are not very human parseable. Netscreen? You can see everything the machine is doing in a 4k text file.
One of my college professors, a Chinese fellow whose command of the English language was not perfect, often called me "Demon." :)
:)
Here is my explanation on the name PhoneBoy. Since I'm not interested in increasing the slashdot effect on my site, I'll post the relevant bit here:
For those who care, the name PhoneBoy was given to me by one of the hosts of Radionet Talk Radio, a radio show I used to work on in 1996. I used to screen calls for the show. The host forgot my name one day and called me PhoneBoy just to call me something. The thought I had at the time was "[The host] is never going to let this name go, so I might as well embrace it." And embrace it I have.
As I've evolved my web presence over the years, the name PhoneBoy became very closely tied to FireWall-1. In fact, if you Google for FireWall-1, you'll see that www.phoneboy.com comes up right after Check Point, the company that makes FireWall-1 (now marketed as VPN-1).