Slashdot Mirror


Essential Check Point Firewall-1 NG

Raymond Lodato writes "For the past six years, I've been responsible for the installation, configuration, and maintenance of the firewalls at my company. I was surprised and annoyed at the caliber of documentation supplied by Check Point. Six years ago, you really needed a reseller with the appropriate expertise to teach you how to design and implement a firewall. A year or so later, I found Phoneboy's website (phoneboy.com). It was an oasis for someone drowning in the sea of confusing literature and advice. In the time since, I have frequently referred to Phoneboy's site, as well as his fw1-gurus mailing list, as an unsurpassed source of information." Read below for Lodato's review of Phoneboy's recently updated book on the subject.

Title: Essential Check Point Firewall-1 NG - An Installation, Configuration, and Troubleshooting Guide
Author: Dameon D. Welch-Abernathy
Pages: 647
Publisher: Addison-Wesley
Rating: 9/10
Reviewer: Raymond Lodato (rlodato AT yahoo DOT com)
ISBN: 0321180615
Summary: An excellent guide to the ins and outs of configuring Check Point's FireWall-1 NG product, with a guide to the foundations of a good security policy. A 'must read' for any Check Point firewall administrator.

Phoneboy (nee Dameon Welch-Abernathy) has proven himself to be extremely knowledgeable about Check Point's FireWall-1 product. In October of 2001, he produced a book (Essential Check Point FireWall-1, Addison-Wesley, 2001) that helped to clarify the vast amount of information collected over the years through the mailing list and the website. Shortly after the book was published, Check Point saw fit to render it almost obsolete by releasing FireWall-1 NG. The new version of Check Point's flagship product was so different, you almost had to start from scratch to understand it. Dameon has taken the necessary next step and updated his original book. The new book, Essential Check Point FireWall-1 NG, (Addison-Wesley, 2004) now covers all existing versions of NG, up to and including NG with Application Intelligence (NGAI).

When you first open the book and look at the Contents pages, two things will strike you. The first is that the Contents page starts with "Frequently Asked Questions." Anyone who has spent any time on technical websites knows that Frequently Asked Questions (or FAQs) are the first place to look to gather the nugget(s) of wisdom you need. The fact that Dameon has included a large list of FAQs in the book makes it valuable for quickly addressing the typical problems and questions an administrator faces. The second thing you will note is that he does not start describing anything about FireWall-1 itself until late into Chapter 2. He takes the time to lay the foundation of what a firewall is, as well as what a good security policy is, and why it's so important to get one and get it right.

As I read through the book, I was pleased to see that Dameon followed one of the cardinal principles of good presentation: tell them what you're going to say, say it, then tell them what you said. Each chapter outlines what you will know by the end, teaches you what you need to know, then summarizes it. Dameon writes in a style I would call clear but not condescending. It takes someone who not only knows his subject well, but understands his audience well, to walk the fine line between the two. Dameon shows his chops by treading that line like a tightrope walker.

Each chapter contains carefully organized information with numerous figures and screen shots interspersed, to keep the text understandable. Starting in Chapter 4, Dameon also includes selected FAQs culled from the many available on his website. I found this much more valuable than collecting them at the end of the book in one gigantic haystack that you needed to search for that one precious needle. Later chapters include sample configurations to clarify the concepts just described. This makes Essential Check Point FireWall-1 NG useful as a teaching resource, as well as a general reference to the product.

While the chapters in the book follow a logical progression, each building on the prior information, Dameon made sure that most chapters (and even sections within the chapters) could stand alone. This means you can pick and choose what you want to read. For example, if you needed to focus on FireWall-1 on IPSO, you don't necessarily have to worry about what was written about Solaris. The information on IPSO would repeat enough information that you wouldn't have to refer to previous pages. Even so, Dameon provides back references when repeating the information would be too cumbersome.

I did notice that Dameon varied the amount of detail used throughout the book. Sometimes he uses a high-level approach, and sometimes he goes into excruciating detail. Unfortunately there were a number of places I wanted him to provide more detail, only to have him skim over the treetops. While he does explain up front that this book was supposed to cover the essential information, covering some areas in detail just whets your appetite for that same amount of detail in all areas.

One other quibble I have revolves around the figures used in his examples. It becomes obvious that this book evolved over a period of time (I believe he took around a year to get this edition put together). Some figures apparently came from an earlier version of the book, as the text referred to something else. One example occurs in Chapter 8 (User Authentication). Dameon's sample configurations are written in a "follow-me" style. One sample configuration has the text "Next, create the group WebAdmins and add bob and dan to this group." If you followed his directions and then referred to the sample rule base in the figure on the next page, you would see that the group is named DMZAdmins instead of WebAdmins. (And the specs given for the same sample configuration specify that S/Key will be used, yet the figure showing the Authentication tab clearly has S/Key un-checked.) Little inconsistencies like this should have been picked up on the proofreading. Their existence mars an otherwise excellent book.

Overall, Essential Check Point FireWall-1 NG is aptly named: essential. If you are responsible for the care and feeding of Check Point's FireWall-1 software on any platform, you need to get and read this book. It's definitely going to stay within arm's reach on my desk.

You can purchase Essential Check Point Firewall-1 NG from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

31 of 149 comments

  1. Arm's reach on the desk? by stuffduff · · Score: 3, Insightful

    IMHO, while the book is arguably excellent in its own right, and exactly the kind of thing to build a thorough working understanding of what is going on, I wonder if the problems covered therein will remain on the cutting edge of firewall management. So, if I were using Checkpoint, I'd probably sleep with the damn thing for the first few weeks, but eventually it would find its way off the desk and up on the shelf, where it (more than likely) is on its way to the next booksale.

    --
    "Can there be a Klein bottle that is an efficient and effective beer pitcher?"
    1. Re:Arm's reach on the desk? by austad · · Score: 2, Informative

      The technology in the firewall industry changes so quickly that books have out-of-date information the day they get published. One of the best ways to stay abreast is just to use mailing lists, forums, and manufacturer websites.

      If you're a Netscreen admin, you can always use netscreenforum.com. Yeah, it's a shameless plug, but not many Netscreen customers know about it. Many of Netscreen's own engineers frequent the site, even though it's not run or sponsored by them.

      --
      Need Free Juniper/NetScreen Support? JuniperForum
  2. Slashdotted already by October_30th · · Score: 4, Funny
    It was an oasis for someone drowning in the sea of confusing literature and advice.

    Given the Slashdotting, the past tense used in the article is actually very appropriate.

    --
    The owls are not what they seem
  3. Props, but... by Anonymous Coward · · Score: 2, Insightful

    If I'm paying $$$ for Check Point 1 software, I don't wanna have to buy aftermarket book to tell me how to use it.

    How about an OpenBSD firewall guide book, eh?

    1. Re:Props, but... by mgoodman · · Score: 3, Insightful

      But you would buy a book on a commercial Unix variant? Or Microsoft training? Etc.

      Third-party books are frequently better than the documentation provided by the company, as the third-party is more apt to give you tips and tricks and hacks to get the job done, rather than going on about how great a product it is.

      --
      01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
    2. Re:Props, but... by Anonymous Coward · · Score: 5, Insightful

      If I'm paying $$$ for Check Point 1 software, I don't wanna have to buy aftermarket book to tell me how to use it.

      You're shelling out $50k for the software but complain about a $40 book? Personally I would rather buy a 3rd party book than one from the software maker as they have to compete to explain the topic to the user.

    3. Re:Props, but... by AKnightCowboy · · Score: 2, Funny
      If I'm paying $$$ for Check Point 1 software, I don't wanna have to buy aftermarket book to tell me how to use it.

      Don't worry, if you get stuck or locked out of your firewall you can call up the Mossad for tech support. *ducks away from the ensuing firewall geek flamewar*

    4. Re:Props, but... by kfg · · Score: 3, Insightful

      If I'm paying $$$ for a commercial grade table saw, I don't wanna have to buy an aftermarket book to tell me how to use it?

      There is a difference in "how" to use something, i.e. what the levers and dials do, and the art, craft, and wisdom is in applying those dials and levers.

      My table saw manufacturer is obliged to provide me with a manual explaining the proper and safe use of the device. He is not obliged to tell how to apply the device specifically to making a grandfather clock and a Shaker trestle table.

      Other people write books to help me figure that out.

      KFG

    5. Re:Props, but... by Alien54 · · Score: 2
      if I'm paying $$$ for Check Point 1 software, I don't wanna have to buy aftermarket book to tell me how to use it.

      Well, this sort of sounds better than saying:

      if I'm paying $$$ for software, I don't wanna have read a book to tell me how to use it

      Which is not what you said, but it is what it reminded me of

      --
      "It is a greater offense to steal men's labor, than their clothes"
    6. Re:Props, but... by Paws+Across+the+Keyb · · Score: 2, Informative

      Heh.

      I'll give you three. And a website to cap them. :)

      "Building Linux and Openbsd Firewalls", by Wes Sonnenreich and Tom Yates. Published in February, 2000. Dated, both Linux and OpenBSD have gone through too many changes for this to be an "in the trenches" reference. It's a decent view from 30,000 feet.

      "Absolute OpenBSD", by Michael Lucas. Published in June, 2003. Its ISBN is 1886411999. Covers OpenBSD 3.2, so its relevance to 3.4 is high. Has a few typos which do not seriously mar the content.

      As any decent book on OpenBSD should do, it walks you through an install. The coverage of pf is more than sufficient for most firewall applications. The appendices, with their exhaustive exploration of OpenBSD's maker-specific device prefixes, will save you a great deal of headache.

      "Building Firewalls with OpenBSD and PF, 2nd edition", by Jacek Artymiak. Published in November, 2003. Its ISBN is 8391665119. Covers OpenBSD 3.4, so it's essentially hot off the press. This will answer just about any technical question about PF that you care to ask. A must-read, if you want to get the most out of PF.

      "But how do I _harden_ an OpenBSD firewall?", I hear you cry. A good place to start looking for the answer to that question is at http://geodsoft.com/howto/harden/

  4. NG? by sulli · · Score: 3, Funny

    I would have said it was OK

    --

    sulli
    RTFJ.
  5. My experience by Anonymous Coward · · Score: 3, Interesting

    I was a young impressionable admin when I was first introduced to Checkpoint. At the time, they had barely stepped out of their domestic Israeli market and we had a copy thanks to a co-worker who worked in a kibbutz for two years.

    Anyways, I was astounded at the fine level of detail with which one could control the packets in that FW product. We immediately proceeded to deploy Checkpoint in our production Solaris 3 environment. We found the network configuration to be easy and the core install of Solaris 3 satisfied all the requirements.

    Little did I know that the product was not yet mature and optimized to deal with the large traffic in our organization. FTP and Gopher services crashed around our ears as we ran around like headless chickens. We deduced right away that it was checkpoint and went back to our original configuration.

    Oh, how we laughed after that incident. It sometimes still makes me snicker.

    Which is nice.

  6. Thank you for the slashdotting of my webserver by phoneboy · · Score: 5, Funny

    2:47PM up 1 day, 19:07, 24 users, load averages: 138.60, 97.23, 61.14

    --
    The views expressed herein are not necessarily those of anyone, including the poster.
  7. Essential text and web site for FW-1 admins by octaene · · Score: 4, Insightful

    I have been administering Check Point systems for about 4 years now, and I must say I'm not even close to surprised by this reviewer's comments. Phoneboy's book and site have been essential for FW-1 admins for long before I began working on this software. I've owned 3 revisions of his textbook, and it IS the best text ever written about Check Point products, bar none.

  8. Shorter Essential Checkpoint Administration by Doktor+Memory · · Score: 5, Funny

    Step one: remove power cord from CheckPoint box.

    Step two: load CheckPoint onto trebuchet.

    Step three: launch CheckPoint into Low Earth Orbit, or at least into the neighbor's hedges.

    Step four: install an OpenBSD box with two ethernet interfaces and configure PF.

    (Step four can alternatively be replaced with Linux/Netfilter, FreeBSD/IPF or Solaris/IPF -- whatever your poison is.)

    But I'm only bitter because I was stupid enough to buy into CheckPoint's snake oil. Fool me once, shame on me, etc -- that goddamn thing cost me close to six months of time that could have been productively spent doing just about anything else. Never, ever again.

    (Okay, just for kicks, here's an actual tidbit of useful Checkpoint info: There's a Rule Zero. It doesn't appear in the rules screen. It's probably not doing what you think it's doing.)

    --

    News for Nerds. Stuff that Matters? Like hell.

    1. Re:Shorter Essential Checkpoint Administration by carlivar · · Score: 2, Interesting

      OpenBSD does make sense in small business situations, but for the enterprise it does not. Dealing with 25 different openbsd machines with a text-based PF config on each does not sound fun to me. Yeah I'm sure you could script some pretty cool central management out of it all, but that's not realistic for most places.

      But... Checkpoint is a huge pain, I agree. It is arguably the most bloated software product in history. That's why I recommend Netscreen -- the nice management of Checkpoint with rock-solid hardware reliability and performance.

      Netscreen does the "little things" that Checkpoint doesn't. Like scheduled DNS resolution for objects in a firewall policy. (Nope, Checkpoint doesn't do that).

      And since Netscreen is one box, you don't deal with firewall/OS separation issues.

      It takes me hours to set up a Checkpoint on a Sun, or Nokia, or whatever (upgrade and lock down the OS, then install & upgrade Checkpoint and do the voodoo for the management station, as well as the licensing).

      It takes me 30 minutes or less to get a Netscreen going. Boot it, upgrade the whole thing (5 minutes), configure via http or ssh, and done. I could do it in 10-15 minutes if I took the time to come up with a config template that I could just paste in.

      Oh, that's the other beauty of Netscreen - TEXT CONFIG. Ever look at the "config" of a Checkpoint? A nightmare mishmash of .c files that are not very human parseable. Netscreen? You can see everything the machine is doing in a 4k text file.

      Carl

      --
      Vote Libertarian
  9. A Checkpoint story by billh · · Score: 4, Interesting

    I could go on for many pages, detailing all of the issues I've had to deal with in the last few weeks. But I've wasted enough time dealing with Checkpoint, and I don't want to waste too much time bitching about them.

    We purchased hardware and software through a reseller. My predecessor placed the order, so I came in knowing very little about what we had purchased. I was given the server and an activation code for the software.

    I activated it, and found that I was unable to download anything. We had no support contract. I sent off some nasty e-mails to the vendor, and we had an installation CD a couple of days later.

    Well, it turns out that the installation CD was old. Shouldn't be a big deal, right? Well, it was. Although we could install the software, we couldn't use any of the management tools. The Windows-based management tools, I should add. For a Linux product.

    Conference calls with Checkpoint, more nasty e-mails, we find out that our support contract was never entered. I blame this solely on the vendor, not Checkpoint. Once that went through, we were able to download the needed software from Checkpoint.

    Sounds like the problem is resolved, right? I hope so, but I won't know for a few days, as we had to reschedule a network shutdown because of this incompetence. While I blame most of this on the vendor, you have to wonder what sort of approval process the vendors have to go through to become resellers, and why Checkpoint would ever allow such idiots to resell their product.

    While I'm pointing fingers, here are some other things to think about:

    Checkpoint could easily have allowed us to download a product which we had already purchased, and is available to customers with a support contract.

    Tech support could have answered our questions very quickly, if they would have talked to us.

    They could have FAQs with this information on their web site.

    The FAQs that they do have could have been in a format that is readable from a console (everything is PDF).

    Red Hat 7.3 is the latest version of Linux they support. With a kernel that doesn't come standard.

    I admin many older Checkpoint boxes, which unfortunately run on Windows NT 4. I inherited them. After the crap I have been through dealing with Checkpoint, I am considering staying with them until I find a better solution. Why should we have to pay thousands of dollars a year just to be able to patch these things? Why are the FAQs useless? Why can't these people get a clue?

    Just FYI, I've been using Linux since before it was 1.0, and I have no problem with configuring firewalls and the like. And I also know that Cisco pulls stupid crap like this, too. Now for the fun part - I have a hell of a lot of purchasing power at a very large consulting firm, and as far as I am concerned, we are done with Checkpoint.

    You hear that, Checkpoint? Over 70,000 employees, and I can't count how many support contracts. I'm going to do what I can to make sure we never send you another dime.

    1. Re:A Checkpoint story by skinfitz · · Score: 2, Insightful

      Hear, hear. I've dealt with two FW-1 installations at our main site - one on Solaris and one on NT4, which were both installed by consultants before security became my job.

      I have several issues with FW-1, however the main one must surely be the crappy "support" and the "buy now, pay forever" attitude to it that many companies now adhere to, namely that no support = no software updates. Quite frankly for a firewall company to deny you patches for their product if someone discovered a vulnerability ("TEST=" in packets traversing all versions of FW-1 unblocked up until around 2 years ago anyone?) in their product is unacceptable. I mothballed the systems and moved on.

  10. go here by pair-a-noyd · · Score: 3, Informative

    http://smoothwall.org/ rocks like none other

    1. Re:go here by Homology · · Score: 2, Insightful
      http://smoothwall.org/ rocks like none other

      PF: The OpenBSD Packet Filter shows that it is possible to have a very powerful packet filter with easily understandable and readable filter rules. Smoothwall has a following because the IPtables firewall scripts quickly become unreadable and hard to understand with its sucky syntax.

    2. Re:go here by dlb · · Score: 2, Insightful

      Yeah, it's great -- but smoothwall doesn't address issues like high availability, or any sort of application inspection.

      Oh yeah, and how do you efficiently manage your smoothwall firewalls after you deploy 50 of them?

      It's just the same ugly packet filter with more makeup.

  11. Firewall-1 has its place by Chomp · · Score: 4, Insightful
    Equating ipf/iptables with Firewall-1 etc is like confusing a Hertz rental truck with DHL.

    Not everyone needs Firewall-1. But as the number of firewalls you manage goes up, the management features of Firewall-1 really come into their own.

    Firewall-1 also assists in reaching the desired level of abstraction where your ruleset stops describing your network topology and starts describing your network policy.

    The difference is hard to appreciate until you have worked with both for a while.

  12. Excellent Question!!! by Chris_Stankowitz · · Score: 3, Insightful
    wonder if the problems covered therein will remain on the cutting edge of firewall management.

    The answer is NO! As security techs change the way they handle threats, both at the borders and internally, FW config and management is currently changing rapidly. In fact CheckPoint is now offering in-line IPS. This better layered/mesh approach to security does change what you need to do on your borders and how you do it. Coupled with node/desktop firewalls, current strategies will change.

  13. Mostly Okay by irregular_hero · · Score: 3, Insightful
    The book is good in many areas, especially dealing with Site-to-Site VPN configuration, but is seriously lacking in other areas. Some of the things missing are:
    • High Availability of management stations
    • Coverage of Provider-1, SiteManager-1 installations and the differences between them and the traditional management method
    • More detail on Checkpoint log servers (specifically CLMs and what they can and cannot do, including where they should typically be deployed and in what situations)
    • Handling, munging, searching, and maintaining log files for Checkpoint products (there are scads of logfiles available, and some are quite hidden)
    • Steps to take to verify proper operation of a Firewall-1 node, including performance tuning ("fw ctl pstat" and how to read it, basically)
    • Using Checkpoint State Synchronization with AND without Checkpoint Clustering, and how to troubleshoot it
    • More information about tuning and maintenance of SmartDefense (the IPS features of Firewall-1) paying attention to "protocol gotchas" that can be eliminated through altering its configuration
    • A tutorial for the new Checkpoint administrator about all the different types of licenses with which one can and will deploy as part of a standard installation
    • The mentions of SecureRemote (the Client-to-LAN VPN built in to Checkpoint Firewall-1) are lacking in many respects -- for example, there is little mention of Secure Configuration Verification, Visitor Mode/Office Mode, IP address assignment mechanisms (there are many), etc.
    • More detail in the following areas: CIFS blocking, Exchange/Windows RPC custom handling, integration with URL filtering via UFP, differences between the FTP/FTP_BASIC methods, etc.
    Of course, I suppose 80% of the administrators that would buy this book don't care one bit about these details if they're only running a couple of standalone Firewall-1 boxes. The funny thing, though, about companies that buy a product as expensive as Checkpoint Firewall-1 is that they tend to expand their investment in the product fairly rapidly -- if they buy enough of it up front to be a serious investment. For those administrators, it's the type of information like the above that is really missing. What's a shame is that it's also generally missing in Checkpoint's own documentation. :>
  14. Buy the book!!!! by Anonymous Coward · · Score: 4, Funny

    Instead of simply saying "My site's been slashdotted! Please check back later." you should also say "Oh, yeah btw, please buy my book!" and get some free advertisement from the ordeal.

  15. Re:Buy the book!!!! by phoneboy · · Score: 4, Funny

    Too bad I can't post and moderate in the same thread, or I'd mod this up as "insightful."

    -- PhoneBoy

    --
    The views expressed herein are not necessarily those of anyone, including the poster.
  16. Checkpoint, but Wow Phoneboy by marienf · · Score: 2, Interesting

    I'm a CCSA.. I used to come into daily contact with CheckPoint NG.. Can't say I really enjoyed the experience. And the doc.. I really hated it..
    "PhoneBoy" was our light in the dark and only good source of info indeed. So:

    - If you don't have CP, don't buy it. If only because Israeli security software named "Checkpoint" is rather cynical given the way they treat Palestinians.. also because technically it's a monstrum.

    but..

    - If you *do* have CP: buy *any* and all new books PhoneBoy publishes on the subject! I mean it. Doing so will save you much pain, and give you the real answers. Phoneboy is one of the few people around to understand CP totally, and to have access to the inside info, plus a lot of admin feedback. Plus a no-nonsense and very professional attitude.

  17. Re:do checkpoint customers even use the fancy feat by Grave_Rose · · Score: 2, Informative

    I work for Nokia Support (Same company, different building than phoneboy) and you would be surprised at the amount of people who use these features.

    Replacing them with just a box and a few NIC's is a lot different than having a full fledged router in place with Checkpoint loaded on it. Once you've tried both, you'll know what I mean...

    --Gr@ve_Rose

    --
    !ekoj on si aixelsyD
  18. Nice review by Mondorescue · · Score: 2, Funny

    Domo arigato, Mr Lodato.

  19. An oasis for someone drowning in the sea of...? by greppling · · Score: 2, Informative
    Lesson 1: If you really feel like putting two metaphors into one sentence, check for a moment whether the result might sound like utter nonsense.

    Sincerely, /. style nazi

  20. Re:With a name like Dameon... by phoneboy · · Score: 2, Interesting

    One of my college professors, a Chinese fellow whose command of the English language was not perfect, often called me "Demon." :)

    Here is my explanation on the name PhoneBoy. Since I'm not interested in increasing the slashdot effect on my site, I'll post the relevant bit here:

    For those who care, the name PhoneBoy was given to me by one of the hosts of Radionet Talk Radio, a radio show I used to work on in 1996. I used to screen calls for the show. The host forgot my name one day and called me PhoneBoy just to call me something. The thought I had at the time was "[The host] is never going to let this name go, so I might as well embrace it." And embrace it I have. :)

    As I've evolved my web presence over the years, the name PhoneBoy became very closely tied to FireWall-1. In fact, if you Google for FireWall-1, you'll see that www.phoneboy.com comes up right after Check Point, the company that makes FireWall-1 (now marketed as VPN-1).

    --
    The views expressed herein are not necessarily those of anyone, including the poster.