Slashdot Mirror
Essential Check Point Firewall-1 NG
Phoneboy (nee Dameon Welch-Abernathy) has proven himself to be extremely knowledgeable about Check Point's FireWall-1 product. In October of 2001, he produced a book (Essential Check Point FireWall-1, Addison-Wesley, 2001) that helped to clarify the vast amount of information collected over the years through the mailing list and the website. Shortly after the book was published, Check Point saw fit to render it almost obsolete by releasing FireWall-1 NG. The new version of Check Point's flagship product was so different, you almost had to start from scratch to understand it. Dameon has taken the necessary next step and updated his original book. The new book, Essential Check Point FireWall-1 NG, (Addison-Wesley, 2004) now covers all existing versions of NG, up to and including NG with Application Intelligence (NGAI).
When you first open the book and look at the Contents pages, two things will strike you. The first is that the Contents page starts with "Frequently Asked Questions." Anyone who has spent any time on technical websites knows that Frequently Asked Questions (or FAQs) are the first place to look to gather the nugget(s) of wisdom you need. The fact that Dameon has included a large list of FAQs in the book makes it valuable for quickly addressing the typical problems and questions an administrator faces. The second thing you will note is that he does not start describing anything about FireWall-1 itself until late into Chapter 2. He takes the time to lay the foundation of what a firewall is, as well as what a good security policy is, and why it's so important to get one and get it right.
As I read through the book, I was pleased to see that Dameon followed one of the cardinal principles of good presentation: tell them what you're going to say, say it, then tell them what you said. Each chapter outlines what you will know by the end, teaches you what you need to know, then summarizes it. Dameon writes in a style I would call clear but not condescending. It takes someone who not only knows his subject well, but understands his audience well, to walk the fine line between the two. Dameon shows his chops by treading that line like a tightrope walker.
Each chapter contains carefully organized information with numerous figures and screen shots interspersed, to keep the text understandable. Starting in Chapter 4, Dameon also includes selected FAQs culled from the many available on his website. I found this much more valuable than collecting them at the end of the book in one gigantic haystack that you needed to search for that one precious needle. Later chapters include sample configurations to clarify the concepts just described. This makes Essential Check Point FireWall-1 NG useful as a teaching resource, as well as a general reference to the product.
While the chapters in the book follow a logical progression, each building on the prior information, Dameon made sure that most chapters (and even sections within the chapters) could stand alone. This means you can pick and choose what you want to read. For example, if you needed to focus on FireWall-1 on IPSO, you don't necessarily have to worry about what was written about Solaris. The information on IPSO would repeat enough information that you wouldn't have to refer to previous pages. Even so, Dameon provides back references when repeating the information would be too cumbersome.
I did notice that Dameon varied the amount of detail used throughout the book. Sometimes he uses a high-level approach, and sometimes he goes into excruciating detail. Unfortunately there were a number of places I wanted him to provide more detail, only to have him skim over the treetops. While he does explain up front that this book was supposed to cover the essential information, covering some areas in detail just whets your appetite for that same amount of detail in all areas.
One other quibble I have revolves around the figures used in his examples. It becomes obvious that this book evolved over a period of time (I believe he took around a year to get this edition put together). Some figures apparently came from an earlier version of the book, as the text referred to something else. One example occurs in Chapter 8 (User Authentication). Dameon's sample configurations are written in a "follow-me" style. One sample configuration has the text "Next, create the group WebAdmins and add bob and dan to this group." If you followed his directions and then referred to the sample rule base in the figure on the next page, you would see that the group is named DMZAdmins instead of WebAdmins. (And the specs given for the same sample configuration specify that S/Key will be used, yet the figure showing the Authentication tab clearly has S/Key un-checked.) Little inconsistencies like this should have been picked up on the proofreading. Their existence mars an otherwise excellent book.
Overall, Essential Check Point FireWall-1 NG is aptly named: essential. If you are responsible for the care and feeding of Check Point's FireWall-1 software on any platform, you need to get and read this book. It's definitely going to stay within arm's reach on my desk.
You can purchase Essential Check Point Firewall-1 NG from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
IMHO, while the book is argueably excellent in its own right; and exactly the kind of thing to build a through working understanding of what is going on: I wonder if the problems covered therein will remain on the cutting edge of firewall management. So, if I were using Checkpoint, I'd probably sleep with the damn thing for the first few weeks, but eventually it would find it's way off the desk and up on the shelf, where it (more than likely) is on its way to the next booksale.
"Can there be a Klein bottle that is an efficient and effective beer pitcher?"
Given the Slashdotting, the past tense used in the article is actually very appropriate.
The owls are not what they seem
I would have said it was OK
sulli
RTFJ.
I was a young impressionable admin when I was first introduced to Checkpoint. At the time, they had barely stepped out of their domestic Israeli market and we had a copy thanks to a co-worker who worked in a kibutz for two years.
Anyways, I was astounded at the fine level of detail that one could control the packets in that FW product. We immediatelly proceeded to deploy Checkpoint in our production Solaris 3 environment. We found the network configuration to be easy and the core install of Solaris 3 satisfied all the requirements.
Little did I know that the product was not yet mature and optimized to deal with the large traffic in our organization. FTP and Gopher services crashed around our ears as we ran around like headless chickens. We deduced right away that it was checkpoint and went back to our original configuration.
Oh, how we laughed after that incident. It sometimes still makes me snicker.
Which is nice.
But you would buy a book on a commercial Unix variant? Or Microsoft training? Etc.
Third-party books are frequently better than the documentation provided by the company, as the third-party is more apt to give you tips and tricks and hacks to get the job done, rather than going on about how great a product it is.
01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
If I'm paying $$$ for Check Point 1 software, I don't wanna have to buy aftermarket book to tell me how to use it.
You're shelling out $50k for the software but complain about a $40 book? Personally I would rather buy a 3rd party book than one from the software maker as they have to compete to explain the topic to the user.
2:47PM up 1 day, 19:07, 24 users, load averages: 138.60, 97.23, 61.14
The views expressed herein are not necessarily those of anyone, including the poster.
I have been administering Check Point systems for about 4 years now, and I must say I'm not even close to surprised by this reviewers comments. Phoneboy's book and site have been essential for FW-1 admins for long before I began working on this software. I've owned 3 revisions of his textbook, and it IS the best text ever written about Check Point products, bar none.
Step one: remove power cord from CheckPoint box.
Step two: load CheckPoint onto trebuchet.
Step three: launch CheckPoint into Low Earth Orbit, or at least into the neighbor's hedges.
Step four: install an OpenBSD box with two ethernet interfaces and configure PF.
(Step four can alternatively be replaced with Linux/Netfilter, FreeBSD/IPF or Solaris/IPF -- whatever your poison is.)
But I'm only bitter because I was stupid enough to buy into CheckPoint's snake oil. Fool me once, shame on me, etc -- that goddamn thing cost me close to six months of time that could have been productively spent doing just about anything else. Never, ever again.
(Okay, just for kicks, here's an actual tidbit of useful Checkpoint info: There's a Rule Zero. It doesn't appear in the rules screen. It's probably not doing what you think it's doing.)
News for Nerds. Stuff that Matters? Like hell.
I could go on for many pages, detailing all of the issues I've had to deal with in the last few weeks. But I've wasted enough time dealing with Checkpoint, and I don't want to waste too much time bitching about them.
We purchased hardware and software through a reseller. My predecessor placed the order, so I came in knowing very little about what we had purchased. I was given the server and an activation code for the software.
I activated it, and found that I was unable to download anything. We had no support contract. I sent off some nasty e-mails to the vendor, and we had an installation CD a couple of days later.
Well, it turns out that the installation CD was old. Shouldn't be a big deal, right? Well, it was. Although we could install the software, we couldn't use any of the management tools. The Windows-based management tools, I should add. For a Linux product.
Conference calls with Checkpoint, more nasty e-mails, we find out that our support contract was never entered. I blame this solely on the vendor, not Checkpoint. Once that went through, we were able to download the needed software from Checkpoint.
Sounds like the problem is resolved, right? I hope so, but I won't know for a few days, as we had to reschedule a network shutdown because of this incompetence. While I blame most of this on the vendor, you have to wonder what sort of approval process the vendors have to go through to become resellers, and why Checkpoint would ever allow such idiots to resell their product.
While I'm pointing fingers, here are some other things to think about:
Checkpoint could easily have allowed us to download a product which we had already purchased, and is available to customers with a support contract.
Tech support could have answered our questions very quickly, if they would have talked to us.
They could have FAQs with this information on their web site.
The FAQs that they do have could have been in a format that is readable from a console (everything is PDF).
Red Hat 7.3 is the latest version of Linux they support. With a kernel that doesn't come standard.
I admin many older Checkpoint boxes, which unfortunately run on Windows NT 4. I inherited them. After the crap I have been through dealing with Checkpoint, I am considering staying with them until I find a better solution. Why should we have to pay thousands of dollars a year just to be able to patch these things? Why are the FAQs useless? Why can't these people get a clue?
Just FYI, I've been using Linux since before it was 1.0, and I have no problem with configuring firewalls and the like. And I also know that Cisco pulls stupid crap like this, too. Now for the fun part - I have a hell of a lot of purchasing power at a very large consulting firm, and as far as I am concerned, we are done with Checkpoint.
You hear that, Checkpoint? Over 70,000 employees, and I can't count how many support contracts. I'm going to do what I can to make sure we never send you another dime.
If I'm paying $$$ for a commercial grade table saw, I don't wanna have to buy an aftermarket book to tell me how to use it?
There is a difference in "how" to use something, i.e. what the levers and dials do, and the art, craft, and wisdom is in applying those dials and levers.
My table saw manufacturer is obliged to provide me with a manual explaining the proper and safe use of the device. He is not obliged to tell how to apply the device specifically to the making a grandfather clock and a Shaker trestle table.
Other people write books to help me figure that out.
KFG
http://smoothwall.org/ rocks like none other
Not everyone needs Firewall-1. But as the number of firewalls you manage goes up, the management features of Firewall-1 really come into their own.
Firewall-1 also assists in reaching the desired level of abstraction where your ruleset stops describing your network topology and starts describing your network policy.
The difference is hard to appreciate until you have worked with both for a while.
The answer is NO! As security techs change the way they handle threats, from the borders and internally FW config and management is currently changing rapidly. Infact CheckPoint is now offering in-line IPS. This better layerd/mesh approach to security does chage what you need to do on your borders and how you do it. Coupled with node/desktop firewalls, current stratergies will change.
- High Availability of management stations
- Coverage of Provider-1, SiteManager-1 installations and the differences between them and the traditional management method
- More detail on Checkpoint log servers (specifically CLMs and what they can and cannot do, including where they should typically be deployed and in what sitations)
- Handling, munging, searching, and maintaining log files for Checkpoint products (there are scads of logfiles available, and some are quite hidden)
- Steps to take to verify proper operation of a Firewall-1 node, including performance tuning ("fw ctl pstat" and how to read it, basically)
- Using Checkpoint State Synchronization with AND without Checkpoint Clustering, and how to troubleshoot it
- More information about tuning and maintenance of SmartDefense (the IPS features of Firewall-1) paying attention to "protocol gotchas" that can be eliminated through altering its configuration
- A tutorial for the new Checkpoint administrator about all the different types of licenses with which one can and will deploy as part of a standard installation
- The mentions of SecureRemote (the Client-to-LAN VPN built in to Checkpoint Firewall-1) are lacking in many respects -- for example, there is little mention of Secure Configuration Verification, Visitor Mode/Office Mode, IP address assignment mechanisms (there are many), etc.
- More detail in the following areas: CIFS blocking, Exchange/Windows RPC custom handling, integration with URL filtering via UFP, differences between the FTP/FTP_BASIC methods, etc.
Of course, I suppose 80% of the administrators that would buy this book don't care one bit about these details if they're only running a couple of standalone Firewall-1 boxes. The funny thing, though, about companies that buy a product as expensive as Checkpoint Firewall-1 is that they tend to expand their investment in the product fairly rapidly -- if they buy enough of it up front to be a serious investment. For those administrators, it's the type of information like the above that is really missing. What's a shame is that it's also generally missing in Checkpoint's own documentation.Instead of simply saying "My site's been slashdotted! Please check back later." you should also say "Oh, yeah btw, please buy my book!" and get some free advertisement from the ordeal.
Too bad I can't post and moderate in the same thread, or I'd mod this up as "insightful."
-- PhoneBoy
The views expressed herein are not necessarily those of anyone, including the poster.