Checkpoint Porting Firewall-1 to Linux 133
booboo writes " Stuck with a firewall on NT? InformationWeek has the news that Checkpoint has announced plans to port their Firewall-1 and VPN-1 code to Linux (2.2 kernel) "
I THINK THEY SHOULD CONTINUE the policy of not giving a Nobel Prize for paneling. -- Jack Handley, The New Mexican, 1988.
No GUI on the server. (Score:1)
Ipchains != advanced routing. (Score:2)
``Antivirus'' at the firewall level is ridiculous to me. Good operating systems don't suffer from viruses anyway.
That leaves VPNs: bit out of my area. But aren't there IPsec solutions for Linux? Someone also wrote open source PPTP client and server software, so you can support the native Windows VPN mechanism.
No VPN? (Score:1)
Just wondering.
Ahem. (Score:2)
...phil
Re:What about a client? (Score:1)
Scary Firewall Sights (Score:2)
Anyway, I did some consulting for one big american media company who relies heavily on networking for its business. Like, the reliability of their network is a matter of life and death to them. More exactly, 1 hour without network could mean, what, a direct loss of $1 million, not counting the indirect loss from disgrunstled customers etc
Aaaanyway
So what, he opens port 25. Great. He learnt something that day, port 25=SMTP. I set up my thingie, and shit, it does not work!
What the fuck is wrong. After 30 min of struggling, I start to realize that the DNS server is not working. I inform the guy. "Oh but you never told me you needed the DNS!" AAAAAAAHHHHHHHH. So he turns on the DNS. I go back to the server. Still does not work! This time, I can't get incoming connections! Back to the guy. "Oh yeah I thought you just needed DNS." WTF???? Ok back to the machine. I CAN'T GO OUTSIDE!!!! I CAN'T OPEN OUTGOING SMTP SESSIONS!!!! AAAAHH!!!
The guy had forbidden outgoing SMTP connections
I try to not LART him. The scariest part, of course, was the fact that despite his misplaced paranoia, there were probably dozens of REAL security threats wide open in his configuration.
Bottom line: a GUI will not make a network administrator. And if a sysadmin is expensive, that's because there's a reason to it!
Re: Firewall-1 features (Score:1)
Stateful inspection can be defined for new protocols by writing a relatively simple script - quite a bit easier than writing an ipmasq module.
Firewall-1 also has quite sophisticated NAT facilities that can do static NAT, not just dynamic NAT. Last time I looked at Linux NAT there seemed to be quite a few packages for it, none of which seemed to be 'the one'.
Firewall-1 is also quite well packaged, with a decent GUI for viewing and modifying rules. Although it's a pretty complex product, it is well integrated and tested as a whole.
There are quite a few companies out there who prefer Solaris to NT for Firewall-1, and will no doubt jump at the chance to use Linux. Security gurus would probably be even happier if it used OpenBSD, but that doesn't have the same market share as Linux.
Re:No VPN? (Score:1)
Re:Probably next year sometime (Score:1)
What about VPN Client? (Score:1)
So does this mean they are going to release the SecuRemote VPN client for Linux as well?
whats the point ? (Score:2)
Maybe I'm being dense here... (Score:1)
What can a commercial firewall do that Linux can't (Score:1)
More accurately (Score:1)
The big thing in my case being, I've got a Debian box that I haven't updated in forever, cause I haven't needed to. (Mama taught me that if it's not broken...)
So, how is this going to affect me? Probably not at all, as I won't be purchasing this router at home. At work, we keep a lot more current (for obvious reasons) than I feel I have to for my little proxy setup.
Maybe it's just me, but it seems like it would have been smarter to port the hardware to older kernel versions, as your newer kernels are going to be more backwards compatible than the old ones can be forward.
Oh well, notch one for good intention I guess...
Whoops, ignore hardware. (Score:1)
Re:whats the point ? (Score:1)
No, you are not dense... (Score:1)
Probably an nice GUI, advanced auditing, and an integrated easy to use solution with good support.
Checkpoint is (IMHO) THE leader in firewall security, so it is very likely they have a few tricks up their sleeves that we do not (for now.)
Re:Will the Linux port include the Mossad backdoor (Score:2)
The Mossad has announced today a surprising turn in the world of espionage: The Mossad has announced it will release the sources of the Mossad backdoor to Checkpoint's Firewall-1 and VPN-1 product together with other (yet unnamed) backdoors in other Israeli developed products under the GPL. The surprising move seems to be related to CultOfTheDeadCow releasing the source of it's BackOrifice remote management program under the GPL some time ago and to the recent initiative of the CIA to open a CIA sponsored start up for developing high tech espionage products.
The Mossad spokesperson, Zach Lohem-zedek, commented that the major reasons behind this announcement were the dwindling budget of the Mossad in the current age of peace and success the Mossad have had in the past in utilizing Open Source tools such as Linux for it's day to day work.
About the Mossad
The Mossad is the Israeli counter intelligence agency (similar to the CIA in the US). It was funded in *T&^!@ by *^&&*! and 28&*Y(@!93^(. To contact the Mossad please pick up your phone and say, in a slow and calm voice: "Roger this is karma. The bat has swallowed the can, over" and hang up. You will be contacted shortly.
(C) 1999 Mossad, Israel.
Re:Nice, but not serious about security (Score:1)
Wayne
Lotus Notes / Domino (Score:1)
Stuck on NT??? (Score:1)
Re:sooner than I thought (Score:1)
distribute kernel modules without some kind of GPL
As an exception Linus made, you may distribute binary-only modules, and the kernel has not to be modified in any way. But then the maintenance is completely up to you. This is how it has been done for the SBLive drivers, until Creative released the sources.
Please note that modules binaries are strongly kernel-version dependant, so if you provide a binary-only module, you'd provide it at least for more than one version of the kernel. This usually is bad (because you are stick with a few kernel versions supported), but IMHO it's not so bad in this case (a firewall machine is a firewall and nothing else, usually).
My 0.02 Euro.
What's the point of a commercial firewall? (Score:1)
The last commercial firewall I saw was Borderware. It was utterly appalling. The hardware choice was very limited - only certain SCSI cards were supported, and network cards had to be set to specific I/O addresses and IRQs. Finding a platform it would run on was difficult, sometimes impossible. It could only be configured by a very slow Java interface, which due to differences in Jave meant that the only supported client interface was a particular release of Netscape Navigator.
Finally, and most insulting, a customer of mine had a serious security breach, allowing remote users to use the firewall as a mail relay. Borderware were aware of the fault, and stated that a fix would be available in the next release, due out in 6 months time. Unbelievable!
I will never run a commercial firewall - they are mainly installed by the ignorant.
Re:Ipchains != advanced routing. (Score:1)
Why is that? Like it or not, there are Windoze users out there. They will email eachother stupid files laden with virii. You can't dispute that. Why not build protection for that into the firewall (by transparently redirecting the SMTP data streams)?
PPTP? You must be kidding. You've read the papers by Mudge and Bruce Schneier about the gaping holes in PPTP, haven't you?
Yes, FreeSWAN exists and even works (I've made it work, so have others). How on earth are you going to sell a system to corporations that's based on ipchains, FreeSWAN and other stuff. There must be about a dozen people alive that can make the configuration work, let alone understand how it all works. For those 12 people, great, use the free tools. Many companies take the point of view that it's cheaper to pay for someone to have done the research for you.
With respect to the "advanced routing" of 2.2 and higher, the sum of policy routing, equal cost multipath routing, large routing tables, etc doesn't equal the stuff Check Point provides.. They're getting there, but they're not there yet...
Re:sooner than I thought (Score:1)
15% annually to get every stinking upgrade that comes down the pike is cheap, IMHO.
FW-1 NT vs. Linux here's some thoroughput #'s (Score:1)
Re:FW-1 sucks (Score:1)
Re:What's the point of a commercial firewall? (Score:1)
This is great! (Score:1)
That's one more Windows app I can throw in the garbage.
Re:OpenBSD a logical choice. (Score:1)
A Line-by-line security audit makes a big difference.
Do you think MS will do a Line-by-line security audit to Win2K? Ya right!
You wouldn't put a top of the line Medeco on a balsa-wood door would you?
Re:Scary Firewall Sights (Score:1)
I'm one of the GUI developers of Net Partitioner and i'll be very pleased if you can take a look to this tool and give me some feedbacks. Of course it works under linux (since the 1st release) because it is fully developed under linux.
Please don't consider this message as a add, i HATE marketing but i think commercial products have their place under linux too.
http://www.solsoft.com [solsoft.com]
Re:What's the point of a commercial firewall? (Score:1)
Please. You can't name 5 such products. The only such instances I've ever seen this is in the case of 3Com hubs/switches. Did you realize that Check Point was recently certified for use by the NSA? If the NSA is willing to use the product (which involves a source code inspection), your claims are a bit overboard.
I do, however agree that Borderware is an utter nightmare. (I'm a former Borderware victim^H^H^H^H^H^Huser).
This is a good announcement. (Score:1)
Europe's a country? (Score:2)
(Just being silly.)
---
"'Is not a quine' is not a quine" is a quine.
Re:sooner than I thought (Score:1)
Re:FreeBSD & CheckPoint == GREAT (Score:1)
Most likely, he was referring to the VPN-1 appliances. The OS in these devices was based on FreeBSD, but has been highly customized. Look at http://www.checkpoint.com/prod ucts/vpn1/applianceds.html for more information.
PeeWee
Re:FreeBSD & CheckPoint == GREAT (Score:1)
Pay Checkpoint for getting them to fix their bugs? (Score:2)
Re:whats the point ? (Score:1)
The Nokia's are BSDi boxes running the Checkpoint code. I'm sure that if they can get the functionality of the Unix boxes (extended routing protocols like OSPF, BGP, etc) without paying the BSDi tax it's a big win. I would imagine that this also allows them to have a great deal of control over the whole thing - they're no longer dependent on Sun or HP or M$ when something goes Horribly Wrong betweent their product and the O/S. FYI - the Nokia's are *really* sweet - nearly all admin including interface configuration is via the web browser, but you can also SSH or telnet into them.
I *really* hope that this means that they're also releasing the GUI adming tool - it sucks editing their rulebases by hand.
Enterprise Management (Score:2)
Now that they're porting it to Linux, looks like I'll be throwing ipchains out the window for home use and in some small installations. We primarily run it on Solaris, but Linux will have its place as well, I believe.
Re:FW-1 NT vs. Linux here's some thoroughput #'s (Score:1)
The Solaris GUI is a port of the Windows GUI, sitting on top of some compatability toolkit. I don't know which toolkit, but it's not something like GTK+ or wxWindows or Java. For the GUI to run on Linux, that toolkit would have to exist for Linux. If it doesn't, then no GUI for Linux.
Also, the Solaris GUI only runs under Solaris Sparc, not Solaris x86.
PeeWee
(Yes, I work for Check Point. No, I don't speak for the company. If you think what I'm saying is official Check Point Gospel, you're insane.)
Re:FW-1 NT vs. Linux here's some thoroughput #'s (Score:1)
To tell you whats truly bizzare, is that Nokia's FW-1 Appliance is based on some kind of BSD, so porting the actual FW to Free/Net/OpenBSD would be a snap. Hopefully they'll see the light and port soon.
Regardless, porting the CP GUI to Linux is great because its so well emulated on other platforms. Solaris, Open/Net/FreeBSD all can run Linux X86 binaries. I'd still rather have a native binary, but any binary is better than none.
Re:FW-1 NT vs. Linux here's some thoroughput #'s (Score:1)
There will almost certainly be a kernel module involved with the firewall port itself, since the Inspect Engine runs as a module on all the other UN*X platforms VPN-1/FW-1 supports. I don't know for certain, but I can't see how the binary emulation will work with kernel modules.
See my previous comments with regards to the GUI.
(Again, yes, I work for Check Point. No, this is not official Check Point Gospel. I speak for me, not Check Point.)
PeeWee
Re:whats the point ? (Score:2)
Of course, the applications built upon netfilter in newer versions of Linux will be better, but it's going to be a while before it's even close to checkpoints product.
It is, however, good enough for the home and small business applications.
----------
Why use BSDi in the first place? (Score:1)
--
Re:Scary Firewall Sights (Score:1)
Instead they thought to tell me that the internet IP of the mainframe blocked by the firewall was a LAN IP address...The poor soul didn't even understand the meaning of a positive result from an nslookup query...:-(
OpenBSD? (Score:1)
OpenBSD is already the de facto standard free unix to use as a firewall, and checkpoint could package an entire OpenBSD/FW-1 system together and sell it as a single, ready-to-go-out-of-the-box product.
Re:Stuck on NT??? (Score:1)
So we ended up with FW1 on a cheap NT license and cheap clone hardware. If we can run it on free Linux and cheap clone hardware, I'll be much happier..
Re:FW-1 NT vs. Linux here's some thoroughput #'s (Score:1)
Uhm.. you sure?
I'm sure that when I looked on the FW1 CD and did a 'file' on the executables in the Solaris/x86/gui area (can't remember the proper path), they were i386-elf
Or maybe that was just my imagination?
Re:Firewall-1 could be better on Linux than Solari (Score:1)
Re:Excellent (Score:1)
commercial applications, it's starting to look like dedicated PIX hardware is the answer only because checkpoint has a 50,000 connection limit.
Do we know what the connection limit in Linuxs native firewall is?
fw-1 experience (Score:1)
i purchased the 25 user lic. version as i only needed to protect a few machines connected to the internet but the problem is that i have a complete subnet with ip's ranging from 0-255 (although less than 25 total). Checkpoint FW-1 said i had too many machines and therefore wouldn't run. I thought it was pretty stupid that it only checked for the highest and the lowest ip and took the difference as the total number of ip's being protected rather than the keeping track of the actually ip's that tried to get routed.
Checkpoint came out with a new revision (bug fixes) just after i purchased it and they told me i would have to purchase the bug fixes as i didn't buy tech support. i finally got through to some manager level person who told me that i was exactly right and i shouldn't have to pay for bug fixes and that i would be sent the update and the someone from tech support would be conacting me and would talk me through any problems i had. i never got the update but the tech support guy did call and was very helpful. he said i could fix my problem by changing all my ip's to be sequential and that it would "probably" work.
linux moto is something like "do it yourself" if i remember right. at this point i repatitioned the disc, put in my favorite linux distro, read the ip-chains and firewalling HOW-TO's and within a few hours had my firewall working like a champ. I can't say that Checkpoint FW-1 is a bad product overall, it is probably very good for large sites as the firewalls can work together for multiple gateways and all the VPN stuff but when it came down to making it happen for me, linux was the right answer. my moral for this story would have to be "never trust the easy way."
Also this was the first linux box i was able to sneak into work, other are slowly making it in now and replacing a few our older Sun workstations. The boss loves linux now.
So too get back on topic, Checkpoint FW-1 for linux could be a very good thing for a lot of companies who need some of its features but linux with ipchains will probably work for more than 98% of the site out there, IMHO.
sooner than I thought (Score:2)
My big question is this:
I'm pretty sure they're gonna have the firewall be a kernel module. What kind of license can they apply to it? I'm not sure that you can distribute kernel modules without some kind of GPL.
-earl
Re:whats the point ? (Score:1)
Wonderful! (Score:1)
Re:sooner than I thought (Score:1)
Yes, you can. Linus made an exception for loadable modules - you can make them any license you want.
AHH! (Score:1)
What about a client? (Score:1)
ICSA certified Firewall for Linux already here... (Score:1)
Progressive systems makes a firewall/VPN, that is ICSA certified.
http://www.progressive-systems.com/pro ducts/ [progressive-systems.com]Re:What about a client? (Score:1)
I run a FW-1 v4 box at work, on NT. Unbelievably, it hasn't crashed yet. Over 6 months! Of course, I've got everything turned off...
BTW, Roblimo - put a damned spel cheker in here will ya?
"There are two things which are truly universal: hydrogen and stupidity." -- Frank Zappa
webmaster: http://amazing.divingdeals.com
Re:AHH! (Score:1)
Re:FW-1 NT vs. Linux here's some thoroughput #'s (Score:1)
Untrue.
Both the OpenLook GUI (the older style GUI from the 1.x and 2.x days) and the Motif GUI (the port of the Windows GUI) run under Solaris.
PeeWee
Re:FW-1 NT vs. Linux here's some thoroughput #'s (Score:1)
Re:whats the point ? (Score:1)
Checkpoint hmmm.... (Score:1)
but a nice feature for knowable intruders to penetrate these firewalls without getting burned.
Sorry to say that www.diligence.co.uk [diligence.co.uk] is non longer online. Search the bugtrac archives.
Personally, I would prefer to rely on a firewall which is available in source code. Why 'poison'
my setup where there are such nice things as
ipchains?
Check Point 90% firewall market (Score:1)
As far as the why not BSD posts. CP FW-1 does run on BSD - Its called Knokia IP440. Although they do not sell the BSD code alone the Knokia IP440s do run BSD. I would be more willing to install CP FW-1 on LINUX than CP FW-1 on BSD.
Check Point has 90% of the market share for commercial firewall products. The reason is because of the superior product they produce. Statefull Inspection, interoperable VPN, modular design and proven track record are just a few reasons Check Point is the predominant firewall on the market.
Now as to how this effects LINUX, as a whole is drastic. Big companies, under the advice of their knowledgle technical staff will start using CP FW-1 on Linux. Finally a product that puts LINUX in the spotlight were it can really shine. LINUX makes a much better server than a client any day and we should all support LINUX as a server platform because doing so will ensure the future of it.
Re:OpenBSD? (Score:1)
They already have ported it to a flavour of BSD, the Nokia 'appliance' box runs CP FW-1 under IPSO, a variant of BSD.
Re:Excellent (Score:1)
Re:Firewall-1 could be better on Linux than Solari (Score:1)
For quirk two, upgrade to Solaris 2.6 and be happy. (Check with your reseller if you're still
on FW-1 v3.0b as there are some gotchas...)
Re:fw-1 experience (Score:1)
Secondly, FW-1 doesn't work out your license requirement by any kind of maths. It simply counts all the IP addresses it hears on your non-external interface. Either you were using DHCP with a large pool size (cut it down to what's necessary), you hadn't set external.if properly, or you really do have more than 25 internal hosts.
Thirdly, you won't generally get patches/upgrades unless you pay for maintenance. I'll agree with anyone who says that bug-fix patches should always be gratis! Feature upgrades are another matter...
Re:whats the point ? (Score:2)
ipchains provides basic packet filtering and masquerading. It does NOT provide features like:
VPN (IPsec compliant, site to site, AND client to firewall)
Multimode NAT (hide, static, hide-pool)
Integration with 3rd party stuff like antivirus, URL filtering, intrusion detection
Integration with bandwidth management software
The bottom line? In the low-end firewall market, Check Point on NT is extremely popular. If we could provide users with the same functionality only costs less, and is more reliable, it won't lose.
I personally knew about this port about 2 months ago, but was sworn to silence. :-)
more commercial software (Score:1)
Over the last while there have been a huge number of reports of commercial software packages being released for Linux. I wonder if people are soon going to forget about all the free software that is avialable too.
Sooner or later someone is going to figure out a way to overlay a commercial API on top of Linux, and everyone is going to need to buy that package in order to run their favorite applications.
Maybe Microsoft will do it--they could make a commercial Win32 available for Linux and make us all pay for explorer (after grinding WINE and Netscape into the dust, of course).
Re:What about a client? (Score:1)
Besides, most of the SR users of the world are sales critters that can only grok Windoze anyhow..
Re:More accurately (Score:1)
ipchains allows for lots of tricks you could not do with ipfwadm, the new netfilter stuff which will be in 2.4 allows even more tricks.
There are some howtos and stuff which you might want to read to mentally prepare yourself for 2.4 on netfilter.kernelnotes.org [kernelnotes.org].
Quote from the ipnatctl howto:
Excellent. (Score:1)
--
Excellent (Score:1)
Re:Maybe I'm being dense here (patents) (Score:1)
Re:FW-1 NT vs. Linux here's some thoroughput #'s (Score:1)
fwui: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked, stripped
I just assumed this was the GUI executable, but I guess that might not be true then?
No point trying to get iBCS2 to run them in that case
Re:Check Point 90% firewall market (Score:1)
FW-1 is a respectable product in many ways. Unfortunately the documentation is filled with FUD slams against other techniques. It's really expensive though, so you can hardly blame them.
My experience with FW1 was that it was actually less secure than what I could build with other tools, but probably more secure than what your average new-to-security employee would create as a first attempt.
Something important to keep in mind about large corporations is that they (and their security groups) are more concerned about insurance and liability containment than security in the sense most people think of it.
Take a large corporation and give them the choice between a single person or two designing a system for maintaining all the firewalls in their enterprise and buying a product (FW1) which allows them to shift plausible deniability (checkpoint is protected by their license agreement and resellers no doubt) -- well it's a no brainer.
FW-1's best feature was the slick way you could setup NAT. NAT should be a niche function, but the IPv4 shortage is making it all too common.
One downside was the license counting (you are licensed by internal clients but the mechanism that counts these won't time out entry -- even after weeks).
The other big downside was the implicit rules. You can't create equivalents to many of the implicit rules using the GUI. Furthermore implicit rules are never logged. If you want all decisions made by the firewall logged you have to reengineer all the implicit rules you need -- and this gets into some _very_ subtle programming in INSPECT (the language which FW1 rules compile into).
The GUI also doesn't let you select ranges of origination ports unless you know some INSPECT.
Finally, the GUI log file viewer, for reasons I never determined, would occasionally incorrectly display entries. It took me a while to realize that I could only trust the UNIX command line log viewer.
PPTP (Score:2)
Re:Ipchains != advanced routing. (Score:1)
It can, and it is much easier to configure and is more elegant (ipchains + "advanced routing" is a hack).
I speak from experience.
Re:Excellent. (Score:1)
The purpose of this is NOT to cause Linux devotees to abandon ipchains in favor of Check Point. The purpose of this is to provide an alternative to running FW-1/VPN-1 on x86 using an OS other than NT. Why not Solaris x86? They've been supporting Solaris x86 for some time now. I believe they are going to drop Solaris x86 as a platform, however.
I think it provides a great alternative to NT. Cheaper, more reliable. I've instructed my sales people to pursue Check Point implementations (in order) on the Nokia appliance platform, VPN-1 Appliance, then Linux, followed by Solaris Sparc and finally NT... If our focus was "software only first", Linux would be the first in the list. But fear not, there are lots of people who don't want an appliance and want to go the software route.
--j
More is better (Score:1)
We always need "another one", because more is better
1. More competition for me (random developer of product xyz) encourages me to improve my product. That helps me, and my competitor (in the same way), and most importantly the users.
2. More competition for me encourages me to lower my price, if I want people to use my product. But wait, what if my product is free? Price is but one barrier to the potential user of a product, others are ease of use, maintenance, installation, auxiliary required resources (a computer), and the list goes on. I will be encouraged to lower those barriers, and that is good.
3. Moving NT products to Linux helps to move NT users to Linux. More Linux users is a good thing. Fewer NT users is a good thing.
4. Moving NT products to Linux raises awareness of Linux as a real viable useful good thing in managers' eyes (and others who hold those all important purse strings).
Ever heard the phrase a rising tide lifts all boats ?