commercial firewall advice (checkpoint FW-1 under Linux?)

commercial firewall advice (checkpoint FW-1 under Linux?)

Post by John Hovel » Mon, 07 Aug 2000 04:00:00



Hello all --

I have been given the assignment of finding a firewall for a
(commercial) 25-user setting.

I was wondering if anyone had experience running Checkpoint's FW-1 under
Linux, and if they had any opinions they might share.

My real only alternative right now is maybe Gauntlet w/ VPN (network
associates) (under NT :-( ) -- anyone tried either or have any
preferences/opinions?

I was quoted around $3000 by a NAI reseller for Gauntlet (25 user)...
(does this sound high?)  anyone know if Checkpoint is any cheaper (or if
more importantly it basically does what Gauntlet does)?

Thanks in advance for any opinions or advice... I would really like to
stick with Linux if possible... just wondering if FW-1 would be out of
my budget (about $3k) or if anyone likes its VPN features.

Thanks,
John


commercial firewall advice (checkpoint FW-1 under Linux?)

Post by Eugene Strulyo » Tue, 08 Aug 2000 04:00:00


I don't see why you would want to shell out $3000+ for some firewall
software when you can use ipchains, the Linux native firewall. Take a look
at ipchains howto. You can find it at www.linuxdoc.org.

Eugene


> Hello all --

> I have been given the assignment of finding a firewall for a
> (commercial) 25-user setting.

> I was wondering if anyone had experience running Checkpoint's FW-1 under
> Linux, and if they had any opinions they might share.

> My real only alternative right now is maybe Gauntlet w/ VPN (network
> associates) (under NT :-( ) -- anyone tried either or have any
> preferences/opinions?

> I was quoted around $3000 by a NAI reseller for Gauntlet (25 user)...
> (does this sound high?)  anyone know if Checkpoint is any cheaper (or if
> more importantly it basically does what Gauntlet does)?

> Thanks in advance for any opinions or advice... I would really like to
> stick with Linux if possible... just wondering if FW-1 would be out of
> my budget (about $3k) or if anyone likes its VPN features.

> Thanks,
> John



commercial firewall advice (checkpoint FW-1 under Linux?)

Post by John Hovel » Tue, 08 Aug 2000 04:00:00


Eugene --

I am _definitely_ a big fan of _free_ software... but IPchains is a very basic
firewall tool (just a Berkeley Packet Filter with NAT and a few other
goodies).  I use it all the time and think it is great, but here is what it
lacks:

- no stateful inspection
- no proxies
- no virus scanning (for Win32 and Mac platforms)
- no ability to filter at application layer (only transport layer)
- no DMZ proxies
- no authentication services
- no bandwidth management
- no Denial of Service prevention support (for other machines behind firewall
-- stuff syn_cookies won't do.)

I have set up _maanny_ a firewall using IPchains, and am looking forward to
IPtables too.

Thanks for the pointer to the HOWTO... but I am looking for a little something
more.  I only wish that these sorts of features could be found in open
source/free products. (I was e*d enough to find out Checkpoint now supports
Linux -- well Red Hat anyway)

I think these features listed here are important, as a good hacker will know
how to tunnel through and trick a BPF if he can get enough access.

I'm interested to know what you think about this though...

Happy linux-ing...

Cheers,
John


> I don't see why you would want to shell out $3000+ for some firewall
> software when you can use ipchains, the Linux native firewall. Take a look
> at ipchains howto. You can find it at www.linuxdoc.org.

> Eugene


> > Hello all --

> > I have been given the assignment of finding a firewall for a
> > (commercial) 25-user setting.

> > I was wondering if anyone had experience running Checkpoint's FW-1 under
> > Linux, and if they had any opinions they might share.

> > My real only alternative right now is maybe Gauntlet w/ VPN (network
> > associates) (under NT :-( ) -- anyone tried either or have any
> > preferences/opinions?

> > I was quoted around $3000 by a NAI reseller for Gauntlet (25 user)...
> > (does this sound high?)  anyone know if Checkpoint is any cheaper (or if
> > more importantly it basically does what Gauntlet does)?

> > Thanks in advance for any opinions or advice... I would really like to
> > stick with Linux if possible... just wondering if FW-1 would be out of
> > my budget (about $3k) or if anyone likes its VPN features.

> > Thanks,
> > John


commercial firewall advice (checkpoint FW-1 under Linux?)

Post by elle.. » Tue, 08 Aug 2000 04:00:00



> I don't see why you would want to shell out $3000+ for some firewall
> software when you can use ipchains, the Linux native firewall. Take a look
> at ipchains howto. You can find it at www.linuxdoc.org.

Perhaps because it's totally unsuitable for some environments?

--


commercial firewall advice (checkpoint FW-1 under Linux?)

Post by elle.. » Tue, 08 Aug 2000 04:00:00



[...]
> more.  I only wish that these sorts of features could be found in open
> source/free products.

[...]

They can, but it's more of a cobble-it-together scenario.

> - no stateful inspection

Doable via ipchains + spf or iptables

> - no proxies

Doable via socks

> - no virus scanning (for Win32 and Mac platforms)

Not really applicable, but doable via your mail server and a web proxy.

> - no ability to filter at application layer (only transport layer)

Somewhat doable on a case by case basis, but unfun.

> - no DMZ proxies

Fakeable with clever routing and/or port forwarding.

> - no authentication services

I assume you mean for outside users. In that case, nothing springs to
mind, you'd need to kludge it with wrappers and whatnot.

> - no bandwidth management

Very, very minimal support via TOS to manage the queues. I think this
is the most asked for feature right now.

> - no Denial of Service prevention support (for other machines behind firewall
> -- stuff syn_cookies won't do.)

Doable with snort, via a new feature (listed as alpha, yuck ;) that
lets you manipulate the connections and ipchains via snort rules.

So basically, it's getting there, but we're not there yet.

--


commercial firewall advice (checkpoint FW-1 under Linux?)

Post by Robert Hallgr » Tue, 08 Aug 2000 04:00:00


On Mon, 07 Aug 2000 06:24:37 GMT,

[...]

> I only wish that these sorts of features could be found in open source/free
> products.

Did you have a look at T.Rex? Haven't tried it out myself (I probably will,
some day), but it seems like it will do most of the things you're asking for.

<URL: http://www.opensourcefirewall.com/ >

Robert
--

PGP: http://www.lipogram.com/pgpkey.asc
5F1E 95C2 F0D8 25A3 D1BE 0F16 D426 34BD 166A 566C


commercial firewall advice (checkpoint FW-1 under Linux?)

Post by John Hovel » Tue, 08 Aug 2000 04:00:00


Robert --

Wow.  I didn't know anything close to this existed.  Still lacking in a bunch of
areas... mostly virus scanning is totally nonexistent.

Also, many services don't seem to have proxy or content scanning ... just
forwarding.  All the same, I will look into it.

The virus scanning is the big one though.  Anyone know a virus scanner for
firewalls for Linux??

Maybe I could hack them both to work together if one exists. (commercialware is
fine, duh).

Cheers,
John


> On Mon, 07 Aug 2000 06:24:37 GMT,

> [...]
> > I only wish that these sorts of features could be found in open source/free
> > products.

> Did you have a look at T.Rex? Haven't tried it out myself (I probably will,
> some day), but it seems like it will do most of the things you're asking for.

> <URL: http://www.opensourcefirewall.com/ >

> Robert
> --

> PGP: http://www.lipogram.com/pgpkey.asc
> 5F1E 95C2 F0D8 25A3 D1BE 0F16 D426 34BD 166A 566C


commercial firewall advice (checkpoint FW-1 under Linux?)

Post by Dima Maziu » Tue, 08 Aug 2000 04:00:00


...

> The virus scanning is the big one though.  Anyone know a virus scanner for
> firewalls for Linux??

You know that they usually recommend running AV s/ware on individual
workstations -- that will stop viruses transferred via floppies etc...

> Maybe I could hack them both to work together if one exists. (commercialware is
> fine, duh).

Someone mentioned a perl script that looks for virus signatures...
(Sorry, no reference though I'm sure it was in a security-related ng)
That sounds doable. Also, IIRC both Symantec & Mcafee have Linux
versions of their AV products.

Dima
--
(1)     Office employees will daily sweep the floors, dust the
        furniture, shelves, and showcases.
(2)     Each day fill lamps, clean chimneys, and trim wicks.
        Wash the windows once a week.
(3)     Each clerk will bring a bucket of water and a scuttle of
        coal for the day's business.
(4)     Make your pens carefully.  You may whittle nibs to your
        individual taste.
(5)     This office will open at 7 a.m. and close at 8 p.m. except
        on the Sabbath, on which day we will remain closed.  Each
        employee is expected to spend the Sabbath by attending
        church and contributing liberally to the cause of the Lord.
        -- "Office Worker's Guide", New England Carriage Works, 1872
--------------------------------------------------------------------
*le-*le, 73 Confusion 3166, 136:1:1 (1)


commercial firewall advice (checkpoint FW-1 under Linux?)

Post by John Hovel » Tue, 08 Aug 2000 04:00:00


Dima --


> You know that they usually recommend running AV s/ware on individual
> workstations -- that will stop viruses transferred via floppies etc...

Yeah... I know... this would be in _addition_ to desktop security... to protect if
the user has managed to somehow disable (or doesn't have) AV software.

> > Maybe I could hack them both to work together if one exists. (commercialware is
> > fine, duh).

> Someone mentioned a perl script that looks for virus signatures...
> (Sorry, no reference though I'm sure it was in a security-related ng)
> That sounds doable. Also, IIRC both Symantec & Mcafee have Linux
> versions of their AV products.

Really?  That scan for Win32 viruses?  Or for some weird Linux viruses that no one
here has ever heard of?

I couldn't find any of this on either web site (mcafee or symantec)... anyone have
any links?

Thanks,
John

> Dima
> --
> (1)     Office employees will daily sweep the floors, dust the
>         furniture, shelves, and showcases.
> (2)     Each day fill lamps, clean chimneys, and trim wicks.
>         Wash the windows once a week.
> (3)     Each clerk will bring a bucket of water and a scuttle of
>         coal for the day's business.
> (4)     Make your pens carefully.  You may whittle nibs to your
>         individual taste.
> (5)     This office will open at 7 a.m. and close at 8 p.m. except
>         on the Sabbath, on which day we will remain closed.  Each
>         employee is expected to spend the Sabbath by attending
>         church and contributing liberally to the cause of the Lord.
>         -- "Office Worker's Guide", New England Carriage Works, 1872
> --------------------------------------------------------------------
> *le-*le, 73 Confusion 3166, 136:1:1 (1)


commercial firewall advice (checkpoint FW-1 under Linux?)

Post by Erik Jan van Weste » Tue, 08 Aug 2000 04:00:00



> Hello all --
> I have been given the assignment of finding a firewall for a
> (commercial) 25-user setting.
> I was wondering if anyone had experience running Checkpoint's FW-1 under
> Linux, and if they had any opinions they might share.

At this moment I would not consider the Linux firewalls to be of
the same level as eg the OpenBSD firewall, which is not at the
same level as FW-1. There is no real competition yet for FW-1. I
know, I know iptables etc, but would you bet your company's money
on alpha or beta releases when it comes to security?

OpenBSD has the best track record there is, and when setting up a
firewall it is considerably easier to set up _and_ maintain than
a Linux ipchains fw. This afternoon we experimented a little bit
with the DANGEROUS java bug (look for brownorifice on the web)
and we felt assured that although netscape opened a backdoor on
port 8080, nobody could come in because of the stateful
inspection. That could also be done with a linux fw, but not as
safe and secure... with only 15-20 rules...:-)

Although I hate to admit, the FW-1 is better.

> My real only alternative right now is maybe Gauntlet w/ VPN (network
> associates) (under NT :-( ) -- anyone tried either or have any
> preferences/opinions?

Another option is to use a Tunix firewall (www.tunix.nl, I think
they also have a reseller in the States, check their website).
This firewall is in use at lot of big companies but they seem to
take on a low profile, because a lot of their customers are using
it in very sensitive areas.

> I was quoted around $3000 by a NAI reseller for Gauntlet (25 user)...
> (does this sound high?)  anyone know if Checkpoint is any cheaper (or if
> more importantly it basically does what Gauntlet does)?

I am not sure you will get a better price, but the technology
from Checkpoint is a _little_ bit more advanced ;-).

> Thanks in advance for any opinions or advice... I would really like to
> stick with Linux if possible... just wondering if FW-1 would be out of
> my budget (about $3k) or if anyone likes its VPN features.

I would go for the BSD solution, moreover I started to do so
already with some of my customers :-).

> Thanks,

You're welcome.

EJ
--
OpenBSD 2.7 on a sparc (32 MB) and a pentium 75 MHz (32 MB)
Linux 2.2.16 on a pentium 233 MHz (64 MB) and a sparc (32 MB)
FreeBSD 4.0 on a pentium 200 MHz (192 MB)
and the Mac LCII? Still doing nothing.
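Two posts above turn on the same point: elle's "doable via ipchains + spf or iptables" for stateful inspection, and EJ's observation that a stateful firewall kept anyone from reaching the port-8080 listener that the browser bug opened. The following toy model, added here and not code from the thread, from ipchains or from iptables, shows the difference concretely. It runs a constructed packet trace (the 10.0.0.0/24 "inside" network and the outside addresses are made up) through a stateless rule set that imitates the ipchains `! -y` idiom (accept inbound unless it is a bare SYN) and through a minimal connection table that imitates what iptables' ESTABLISHED matching provides.

```python
"""Stateless ("is this packet a bare SYN?") versus stateful ("did we see
this connection start?") filtering, demonstrated on a constructed trace.

Added example for this thread: not ipchains, iptables or spf code, and
the addresses and packets below are made up for illustration."""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."     # assumed internal network (constructed)


@dataclass(frozen=True)
class Packet:
    label: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_allow(pkt: Packet) -> bool:
    """ipchains-style rules with no memory of earlier packets:
    - anything from inside to outside is accepted;
    - outside to inside is accepted unless it is a connection
      initiation (SYN set, ACK clear), the ipchains '! -y' idiom."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return True
    if not is_inside(pkt.src) and is_inside(pkt.dst):
        return not (pkt.syn and not pkt.ack)
    return False


class StatefulFilter:
    """Minimal connection table. An entry is created only when an inside
    host sends a bare SYN outwards; every other packet must match an
    existing entry (ESTABLISHED, in iptables terms) to be accepted."""

    def __init__(self) -> None:
        self.table = set()   # (src, sport, dst, dport) of outbound SYNs

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            if pkt.syn and not pkt.ack:        # NEW connection, outbound
                self.table.add(key)
                return True
            return key in self.table           # continuation of our own flow
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            return reverse in self.table       # only answers to our own SYNs
        return False


# Constructed trace: a normal outbound web fetch, then two unsolicited
# inbound packets aimed at a listener on port 8080 (EJ's scenario of an
# inside browser unexpectedly listening there).
TRACE = [
    Packet("out-syn",     "10.0.0.5", 40000,    "203.0.113.9", 80,   True,  False),
    Packet("in-synack",   "203.0.113.9", 80,    "10.0.0.5", 40000,   True,  True),
    Packet("out-ack",     "10.0.0.5", 40000,    "203.0.113.9", 80,   False, True),
    Packet("in-syn-8080", "198.51.100.7", 5555, "10.0.0.5", 8080,    True,  False),
    Packet("in-ack-8080", "198.51.100.7", 5556, "10.0.0.5", 8080,    False, True),
]


def compare(trace):
    """Return (label, stateless_verdict, stateful_verdict) for each packet."""
    sf = StatefulFilter()
    return [(p.label, stateless_allow(p), sf.allow(p)) for p in trace]


if __name__ == "__main__":
    for label, stateless, stateful in compare(TRACE):
        print(f"{label:12} stateless={'ACCEPT' if stateless else 'DROP':6} "
              f"stateful={'ACCEPT' if stateful else 'DROP'}")
```

The interesting row is the last one: an inbound packet with only ACK set is not a "bare SYN", so the stateless rule set waves it through to port 8080, while the connection table rejects it because no inside host ever opened that flow. That is exactly the gap elle calls "doable via ... iptables" and the protection EJ saw, and it is the reason "established" should mean "we recorded the handshake" rather than "the ACK bit happens to be set".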


commercial firewall advice (checkpoint FW-1 under Linux?)

Post by Steve Co » Tue, 08 Aug 2000 04:00:00




> Hello all --

> I have been given the assignment of finding a firewall for a
> (commercial) 25-user setting.

> I was wondering if anyone had experience running Checkpoint's FW-1 under
> Linux, and if they had any opinions they might share.

> My real only alternative right now is maybe Gauntlet w/ VPN (network
> associates) (under NT :-( ) -- anyone tried either or have any
> preferences/opinions?

> I was quoted around $3000 by a NAI reseller for Gauntlet (25 user)...
> (does this sound high?)  anyone know if Checkpoint is any cheaper (or if
> more importantly it basically does what Gauntlet does)?

> Thanks in advance for any opinions or advice... I would really like to
> stick with Linux if possible... just wondering if FW-1 would be out of
> my budget (about $3k) or if anyone likes its VPN features.

> Thanks, John

Hi,

it may be worth considering gnatbox - see
www.gnatbox.com

It has a lot of features, good writeups and is not
too expensive - There's a time unlimited 'lite'
free download too


commercial firewall advice (checkpoint FW-1 under Linux?)

Post by Ma » Tue, 08 Aug 2000 04:00:00


Check out snort. I am not sure but it can be configured to check certain
signatures into the packets passing through. Maybe it can be used for
virus checking purposes.

HTH


> Robert --

> Wow.  I didn't know anything close to this existed.  Still lacking in a bunch of
> areas... mostly virus scanning is totally nonexistent.


commercial firewall advice (checkpoint FW-1 under Linux?)

Post by Erik Jan van Weste » Wed, 09 Aug 2000 04:00:00



> At this moment I would not consider the Linux firewalls to be of
> the same level as eg the OpenBSD firewall, which is not at the
> same level as FW-1. There is no real competition yet for FW-1. I
> know, I know iptables etc, but would you bet you companies money
> on alpha or beta releases when it comes to security?

Addition: see security portal for interesting news about fw-1. If
they can get penetrated that easily, how about the simpler
commercial products ;-). I would still go for the OpenBSD
solution :-).

EJ
--
OpenBSD 2.7 on a sparc (32 MB) and a pentium 75 MHz (32 MB)
Linux 2.2.16 on a pentium 233 MHz (64 MB) and a sparc (32 MB)
FreeBSD 4.0 on a pentium 200 MHz (192 MB)
and the Mac LCII? Still doing nothing.


commercial firewall advice (checkpoint FW-1 under Linux?)

Post by elle.. » Wed, 09 Aug 2000 04:00:00



> Addition: see security portal for interesting news about fw-1. If
> they can get penetrated that easily, how about the simpler
> commercial products ;-). I would still go for the OpenBSD
> solution :-).

If you're talking about the "hack" at defcon, big deal. Anyone can
intentionally misconfigure a firewall and then "sneak" packets through
it. Although a couple minor fixes came out of the discussion it was
much less impressive than portrayed in the popular press.

Remember, it's possible to hold up an armed car too, but if Brinks got
hit tomorrow you wouldn't see banks switching to station wagons. ;)

--


commercial firewall advice (checkpoint FW-1 under Linux?)

Post by elle.. » Wed, 09 Aug 2000 04:00:00



> it may be worth considering gnatbox - see
> www.gnatbox.com
> It has a lot of features, good writeups and is not
> too expensive - There's a time unlimited 'lite'
> free download too

I thought the same thing when I read the original post. Unfortunately,
gnatbox now offers a full demo of 3.0.3 which runs for 180 minutes
then halts, decreasing that time by 30 minutes every reboot. They also
don't publish prices on the web.

--


1. VPN connection to a CheckPoint Firewall / FW-1

I need to connect to a VPN from Fedora Core 1. The only way at the moment is to use CheckPoint SecureRemote,
because the VPN server is using CheckPoint Firewall / FW-1 ( don't know the version ).
It's a colocation site / data centre.

The alternatives that I have found are:

1) Use CheckPoint's SecureRemote on linux:

http://www.checkpoint.com/techsupport/downloads_sr.html

Unfortunately, it will only work with RedHat 7.2/7.3 kernels, specifically ( from their documentation ):

        RedHat Linux version 7.2 & 7.3, kernel versions 2.4.9-7, 2.4.9-33, 2.4.18-5 and 2.4.18-10

        http://www.checkpoint.com/techsupport/downloads/html/securemote/sr-5-...

2) Use FreeSWAN. However, FreeSWAN development has stopped.

CheckPoint has a document on how to connect from FreeSWAN:

        http://support.checkpoint.com/kb/docs/public/firewall1/4_1/pdf/fw-lin...

Unfortunately, it is quite old ( was still referring to RH 6.2 ) and it looks like you need a fixed IP on the client side.

3) Use CheckPoint's SecureRemote on linux on a RH 7.x guest OS using user-mode-linux with Fedora as the host OS.

Unfortunately, binary only modules will not work with user-mode-linux kernels.

4) Use CheckPoint's SecureRemote on linux on a RH 7.x guest OS using plex86 with Fedora as the host OS.

However, there has been no activity on plex86

5) Use CheckPoint's SecureRemote on winnt4/win2k guest OS using bochs with Fedora as the host OS.

However, was told that this will be too slow for everyday use.

6) Use CheckPoint's SecureRemote on linux on a RH 7.x guest OS using bochs with Fedora as the host OS.

Have not tried yet

7) Use VMWare to run RH 7.2 guest OS on a Fedora host OS.

However, although it may work, it is an unsupported configuration since they will not support Fedora as the host OS.

        http://www.microway.com.au/catalog/vmware/vm_workstation_specs.stm
