Checkpoint Porting Firewall-1 to Linux
booboo writes "Stuck with a firewall on NT? InformationWeek has the news that Checkpoint has announced plans to port their Firewall-1 and VPN-1 code to Linux (2.2 kernel)."
True, ipchains doesn't do those things you describe. It's not supposed to; but some of them are done by advanced routing. Advanced routing gives you a way to manage more than one routing table with different rules, and translation of netblocks is supported. I doubt that checkpoint can do more in the IP forwarding arena than ipchains + advanced routing.
;) If you want to filter what external URLs your users access, the place for that is the proxy server, not IP routing.
"Antivirus" at the firewall level is ridiculous to me. Good operating systems don't suffer from viruses anyway.
That leaves VPNs: bit out of my area. But aren't there IPsec solutions for Linux? Someone also wrote open source PPTP client and server software, so you can support the native Windows VPN mechanism.
It almost embarrasses me to say it, but I suggested Linux to Checkpoint something like 3+ years ago, at an Interop show in Las Vegas. They could have provided a CD and a boot floppy, that would have put up a pre-configured minimal Linux system with all the loopholes closed. Boot from the floppy and install, and *poof* instant firewall.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Reminds me of a story. Ok, first of all, I'm all for 'big name' commercial products to be ported to Linux. There's plenty of reasons. And if they're not free ... well, nobody forces you to use them. ... ... I was to install a mail server there for a specific purpose ... So I ask the guy in charge of the firewall to open SMTP for me ... Aaaah ... It takes him hours to figure out how to do it ... yeah, complicated manoeuvre indeed. I look over his shoulder, and there's like a hundred useless rules in his setting. He couldn't even tell what they were for. ... for 'SECURITY REASONS'!!!!!!!! AHAHHHHAHAHHAHA.
Anyway, I did some consulting for one big American media company who relies heavily on networking for its business. Like, the reliability of their network is a matter of life and death to them. More exactly, 1 hour without network could mean, what, a direct loss of $1 million, not counting the indirect loss from disgruntled customers etc.
Aaaanyway
So what, he opens port 25. Great. He learnt something that day, port 25=SMTP. I set up my thingie, and shit, it does not work!
What the fuck is wrong. After 30 min of struggling, I start to realize that the DNS server is not working. I inform the guy. "Oh but you never told me you needed the DNS!" AAAAAAAHHHHHHHH. So he turns on the DNS. I go back to the server. Still does not work! This time, I can't get incoming connections! Back to the guy. "Oh yeah I thought you just needed DNS." WTF???? Ok back to the machine. I CAN'T GO OUTSIDE!!!! I CAN'T OPEN OUTGOING SMTP SESSIONS!!!! AAAAHH!!!
The guy had forbidden outgoing SMTP connections.
I try to not LART him. The scariest part, of course, was the fact that despite his misplaced paranoia, there were probably dozens of REAL security threats wide open in his configuration.
Bottom line: a GUI will not make a network administrator. And if a sysadmin is expensive, that's because there's a reason for it!
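The flows the story's admin opened one at a time (inbound SMTP, DNS, outbound SMTP) written out as one deny-by-default ipchains policy for a Linux 2.2 forwarding firewall. This is an added example, not code from the thread; the addresses are constructed and the `MAILHOST`, `DNSHOST` and `IPCHAINS` variables are assumptions, with the default being a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example: every flow a mail relay behind an ipchains firewall needs,
# so nothing is discovered "one port at a time" later. Addresses constructed.
MAILHOST=${MAILHOST:-192.0.2.25}        # constructed: the mail server behind the firewall
DNSHOST=${DNSHOST:-192.0.2.53}          # constructed: the resolver it may query
IPCHAINS=${IPCHAINS:-echo ipchains}     # default: dry run, print rules instead of loading them

# Emit the policy: deny by default, permit exactly what the service needs.
mail_server_rules() {
    $IPCHAINS -P forward DENY
    # 1. Inbound SMTP: anyone may open TCP/25 to MAILHOST; its replies
    #    (non-SYN packets, "! -y") may travel back out.
    $IPCHAINS -A forward -p tcp -s 0/0 -d "$MAILHOST" 25 -j ACCEPT
    $IPCHAINS -A forward -p tcp ! -y -s "$MAILHOST" 25 -d 0/0 -j ACCEPT
    # 2. Outbound SMTP: MAILHOST must also initiate connections to remote
    #    port 25 to deliver mail (the flow forgotten in the story).
    $IPCHAINS -A forward -p tcp -s "$MAILHOST" 1024:65535 -d 0/0 25 -j ACCEPT
    $IPCHAINS -A forward -p tcp ! -y -s 0/0 25 -d "$MAILHOST" 1024:65535 -j ACCEPT
    # 3. DNS: MX lookups need UDP/53 both ways, plus TCP/53 for large answers.
    $IPCHAINS -A forward -p udp -s "$MAILHOST" -d "$DNSHOST" 53 -j ACCEPT
    $IPCHAINS -A forward -p udp -s "$DNSHOST" 53 -d "$MAILHOST" -j ACCEPT
    $IPCHAINS -A forward -p tcp -s "$MAILHOST" -d "$DNSHOST" 53 -j ACCEPT
    $IPCHAINS -A forward -p tcp ! -y -s "$DNSHOST" 53 -d "$MAILHOST" -j ACCEPT
    # Everything else is logged (-l) and denied, so a missing flow shows up
    # in syslog rather than in a consultant's afternoon.
    $IPCHAINS -A forward -l -j DENY
}

# Number of ACCEPT rules in the generated policy (8: four flows, each way).
accept_rule_count() {
    mail_server_rules | grep -c -- '-j ACCEPT'
}
```

Run with `IPCHAINS=ipchains` as root to load the rules instead of printing them.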
when ipchains in the kernel can do it all and more?
JERUSALEM CITY, ISRAEL - November 1, 1999 - The Mossad.
The Mossad has announced today a surprising turn in the world of espionage: The Mossad has announced it will release the sources of the Mossad backdoor to Checkpoint's Firewall-1 and VPN-1 products, together with other (yet unnamed) backdoors in other Israeli-developed products, under the GPL. The surprising move seems to be related to CultOfTheDeadCow releasing the source of its BackOrifice remote management program under the GPL some time ago, and to the recent initiative of the CIA to open a CIA-sponsored start-up for developing high-tech espionage products.
The Mossad spokesperson, Zach Lohem-zedek, commented that the major reasons behind this announcement were the dwindling budget of the Mossad in the current age of peace and the success the Mossad has had in the past in utilizing Open Source tools such as Linux for its day-to-day work.
About the Mossad
The Mossad is the Israeli counterintelligence agency (similar to the CIA in the US). It was founded in *T&^!@ by *^&&*! and 28&*Y(@!93^(. To contact the Mossad, please pick up your phone and say, in a slow and calm voice: "Roger, this is karma. The bat has swallowed the can, over" and hang up. You will be contacted shortly.
(C) 1999 Mossad, Israel.
Gilad.
(Just being silly.)
---
"'Is not a quine' is not a quine" is a quine.
Quine "quine?
Alas, it's exactly that kind of sucker attitude among customers that has brought us to where we are today in the software world.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
That's what ipchains is missing. Checkpoint is one of the few (only?) FW companies that understands what it is to have to manage 100+ firewalls, and their concept of a "management console" is outstanding. I won't lie and say there are no bugs in it, but hands down, nobody else comes close.
Now that they're porting it to Linux, looks like I'll be throwing ipchains out the window for home use and in some small installations. We primarily run it on Solaris, but Linux will have its place as well, I believe.
"You can never have too many elephants on your team."
My big question is this:
I'm pretty sure they're gonna have the firewall be a kernel module. What kind of license can they apply to it? I'm not sure that you can distribute kernel modules without some kind of GPL.
-earl
Yes, I've read the paper by Schneier. IIRC, they claimed that the bug is in the Microsoft implementation of PPTP, not in PPTP itself. It's possible that the freeware implementations of it don't have the problem, though in what combinations with Windows clients or server I can't guess. In particular, I don't know whether the server implementation has to reproduce Microsoft's security bugs in order to be compatible with Windows clients.