
Checkpoint Porting Firewall-1 to Linux

booboo writes "Stuck with a firewall on NT? InformationWeek has the news that Checkpoint has announced plans to port their Firewall-1 and VPN-1 code to Linux (2.2 kernel)."
  • Me neither ... and actually I hardly ever administrate my servers from the console ... so I guess it will be possible to administrate remotely ...
  • True, ipchains doesn't do those things you describe. It's not supposed to; but some of them are done by advanced routing. Advanced routing gives you a way to manage more than one routing table with different rules, and translation of netblocks is supported. I doubt that checkpoint can do more in the IP forwarding arena than ipchains + advanced routing.

    ``Antivirus'' at the firewall level is ridiculous to me. Good operating systems don't suffer from viruses anyway. ;) If you want to filter what external URLs your users access, the place for that is the proxy server, not IP routing.

    That leaves VPNs: bit out of my area. But aren't there IPsec solutions for Linux? Someone also wrote open source PPTP client and server software, so you can support the native Windows VPN mechanism.
  • by rde ( 17364 )
    It's not something I'd looked at yet, but I'd sort of assumed that there was some sort of VPN available for Linux. If there isn't, I would have expected this lack to form a major chunk of MS's Linux Myths. Did I miss it? Or is there a VPN available independent of ipchains?
    Just wondering.
  • It almost embarrasses me to say it, but I suggested Linux to Checkpoint something like 3+ years ago, at an Interop show in Las Vegas. They could have provided a CD and a boot floppy, that would have put up a pre-configured minimal Linux system with all the loopholes closed. Boot from the floppy and install, and *poof* instant firewall.


    ...phil
  • Are there any sites or docs on what I can use to do this with?
  • Reminds me of a story. Ok first of all I'm all for 'big name' commercial products to be ported to Linux. There are plenty of reasons. And if they're not free ... well nobody forces you to use them.
    Anyway, I did some consulting for one big American media company who relies heavily on networking for its business. Like, the reliability of their network is a matter of life and death to them. More exactly, 1 hour without network could mean, what, a direct loss of $1 million, not counting the indirect loss from disgruntled customers etc ...
    Aaaanyway ... I was to install a mail server there for a specific purpose ... So I ask the guy in charge of the firewall to open SMTP for me ... Aaaah ... It takes him hours to figure out how to do it ... yeah, complicated manoeuvre indeed. I look over his shoulder, and there's like, a hundred useless rules in his setting. He couldn't even tell what they were for.
    So what, he opens port 25. Great. He learnt something that day, port 25=SMTP. I set up my thingie, and shit, it does not work!
    What the fuck is wrong. After 30 min of struggling, I start to realize that the DNS server is not working. I inform the guy. "Oh but you never told me you needed the DNS!" AAAAAAAHHHHHHHH. So he turns on the DNS. I go back to the server. Still does not work! This time, I can't get incoming connections! Back to the guy. "Oh yeah I thought you just needed DNS." WTF???? Ok back to the machine. I CAN'T GO OUTSIDE!!!! I CAN'T OPEN OUTGOING SMTP SESSIONS!!!! AAAAHH!!!
    The guy had forbidden outgoing SMTP connections ... for 'SECURITY REASONS'!!!!!!!! AHAHHHHAHAHHAHA.
    I try to not LART him. The scariest part, of course, was the fact that despite his misplaced paranoia, there were probably dozens of REAL security threats wide open in his configuration.
    Bottom line: a GUI will not make a network administrator. And if a sysadmin is expensive, that's because there's a reason to it!
  • I'm not a Firewall-1 expert but it does have stateful inspection - as with ipmasq modules for Linux that support ftp, realaudio, etc, stateful inspection looks at each flow to extract port numbers etc, then opens up appropriate ports for the corresponding data flows.

    Stateful inspection can be defined for new protocols by writing a relatively simple script - quite a bit easier than writing an ipmasq module.

    Firewall-1 also has quite sophisticated NAT facilities that can do static NAT, not just dynamic NAT. Last time I looked at Linux NAT there seemed to be quite a few packages for it, none of which seemed to be 'the one'.

    Firewall-1 is also quite well packaged, with a decent GUI for viewing and modifying rules. Although it's a pretty complex product, it is well integrated and tested as a whole.

    There are quite a few companies out there who prefer Solaris to NT for Firewall-1, and will no doubt jump at the chance to use Linux. Security gurus would probably be even happier if it used OpenBSD, but that doesn't have the same market share as Linux.
  • FreeSWAN does VPN... or at least I thought it did...
  • I agree that a SecuRemote client would be my first choice over the FW/VPN but hey, at least they didn't say "No". Best I can hope for I suppose. Thanks for the info.

  • So does this mean they are going to release the SecuRemote VPN client for Linux as well?

  • when ipchains in the kernel can do it all and more?
  • but what does this provide that ipchains, ipsec, vpnd, ssh, etc... do not provide? Don't get me wrong, I LOVE seeing companies move towards Linux, I'm just curious why I would need a package like that.
  • Am I just being naive? What can a commercial firewall do that Linux can't when using the built-in kernel features etc...
  • the 2.2.12 kernel. (Just to be a nitpick.) Anyway, this looks promising, with the slight exception of those users using older versions of Linux.

    The big thing in my case being, I've got a Debian box that I haven't updated in forever, cause I haven't needed to. (Mama taught me that if it's not broken...)

    So, how is this going to affect me? Probably not at all, as I won't be purchasing this router at home. At work, we keep a lot more current (for obvious reasons) than I feel I have to for my little proxy setup.

    Maybe it's just me, but it seems like it would have been smarter to port the hardware to older kernel versions, as your newer kernels are going to be more backwards compatible than the old ones can be forward.

    Oh well, notch one for good intention I guess...

  • Don't know what I was thinking, but if you would do me the favor, ignore all references to hardware in my post... If it makes you feel better, you can even replace it with software... whatever makes ya happy. thank you.

  • IPchains cannot do VPN. It's just a packet filtering and forwarding mechanism. Very well suited for most security purposes, but VPN is a different thing altogether. PPP over Ethernet, or PPP over SSH are viable methods of VPN, but if this is a kernel driver maybe it will be better (faster hopefully?)
  • ...but what does this provide that ipchains, ipsec, vpnd, ssh, etc... not provide?

    Probably a nice GUI, advanced auditing, and an integrated easy-to-use solution with good support.

    Checkpoint is (IMHO) THE leader in firewall security, so it is very likely they have a few tricks up their sleeves that we do not (for now.)
  • JERUSALEM CITY, ISRAEL - November 1, 1999 - The Mossad.
    The Mossad has announced today a surprising turn in the world of espionage: The Mossad has announced it will release the sources of the Mossad backdoor to Checkpoint's Firewall-1 and VPN-1 product together with other (yet unnamed) backdoors in other Israeli developed products under the GPL. The surprising move seems to be related to CultOfTheDeadCow releasing the source of its BackOrifice remote management program under the GPL some time ago and to the recent initiative of the CIA to open a CIA sponsored start up for developing high tech espionage products.

    The Mossad spokesperson, Zach Lohem-zedek, commented that the major reasons behind this announcement were the dwindling budget of the Mossad in the current age of peace and the success the Mossad has had in the past in utilizing Open Source tools such as Linux for its day to day work.

    About the Mossad
    The Mossad is the Israeli counter intelligence agency (similar to the CIA in the US). It was funded in *T&^!@ by *^&&*! and 28&*Y(@!93^(. To contact the Mossad please pick up your phone and say, in a slow and calm voice: "Roger this is karma. The bat has swallowed the can, over" and hang up. You will be contacted shortly.

    (C) 1999 Mossad, Israel.
  • There is already one out by Nokia, that runs on *BSD. They harden the box and install the software, all you do is plug it in and configure the firewall.

    Wayne
  • I know of the Domino port, The X client version of Notes is news to me! Do you have more info on this? Gracia, Code Warrior
  • How do FW-1 and VPN-1 confine you to NT? Our office has been running FW-1 on a SparcStation 5 for quite some time...
  • > I'm not sure that you can distribute kernel modules without some kind of GPL

    As an exception Linus made, you may distribute binary-only modules, and the kernel does not have to be modified in any way. But then the maintenance is completely up to you. This is how it has been done for the SBLive drivers, until Creative released the sources.

    Please note that module binaries are strongly kernel-version dependent, so if you provide a binary-only module, you'd provide it at least for more than one version of the kernel. This usually is bad (because you are stuck with a few kernel versions supported), but IMHO it's not so bad in this case (a firewall machine is a firewall and nothing else, usually).

    My 0.02 Euro.


  • I cannot see the point in using closed source code on anything as fundamental as a firewall. Most closed source products I have seen have some form of back-door built into them for the manufacturer's own use, but this mechanism does often fall into the wrong hands, and I have seen disastrous results as a consequence.

    The last commercial firewall I saw was Borderware. It was utterly appalling. The hardware choice was very limited - only certain SCSI cards were supported, and network cards had to be set to specific I/O addresses and IRQs. Finding a platform it would run on was difficult, sometimes impossible. It could only be configured by a very slow Java interface, which due to differences in Java meant that the only supported client interface was a particular release of Netscape Navigator.

    Finally, and most insulting, a customer of mine had a serious security breach, allowing remote users to use the firewall as a mail relay. Borderware were aware of the fault, and stated that a fix would be available in the next release, due out in 6 months time. Unbelievable!

    I will never run a commercial firewall - they are mainly installed by the ignorant.
  • ``Antivirus'' at the firewall level is ridiculous to me.

    Why is that? Like it or not, there are Windoze users out there. They will email each other stupid files laden with virii. You can't dispute that. Why not build protection for that into the firewall (by transparently redirecting the SMTP data streams)?

    PPTP? You must be kidding. You've read the papers by Mudge and Bruce Schneier about the gaping holes in PPTP, haven't you?

    Yes, FreeSWAN exists and even works (I've made it work, so have others). How on earth are you going to sell a system to corporations that's based on ipchains, FreeSWAN and other stuff. There must be about a dozen people alive that can make the configuration work, let alone understand how it all works. For those 12 people, great, use the free tools. Many companies take the point of view that it's cheaper to pay for someone to have done the research for you.

    With respect to the "advanced routing" of 2.2 and higher, the sum of policy routing, equal cost multipath routing, large routing tables, etc doesn't equal the stuff Check Point provides.. They're getting there, but they're not there yet...

  • Let's see if I've got this straight.. You didn't buy software maintenance (a common practice in the commercial world), and you're mad that you couldn't get a free upgrade?

    15% annually to get every stinking upgrade that comes down the pike is cheap, IMHO.

  • Earlier last week I received an email from our R&D group stating some performance numbers and a bit of comparison to NT. Not surprisingly an untuned Linux box outperformed an NT box by 30% in some tests. Linux stomped all over NT in the entire matchup. In response to an earlier comment here, I suspect the GUI will be ported to Linux. I'm not a GUI programmer but we already have a Solaris Motif GUI now, I guess it would just be a library or two to make it work. Anyhow FW-1 is a great product, I'm not just saying that because I work there. It brings to Linux a real foothold in the gateway/VPN arena, and with Linux's cheapness I think we will kick some ass next year. Hell we already have over 65% of the market, beating out the likes of Cisco and all others. I will keep /.'ers up on the situation as it unfolds =p
  • whatever man, u just don't know how to RTFM. Stating the FW-1 is an overrated product just goes to show your ignorance of the topic. I've messed with Gauntlet, Raptor and PIX and NONE are as easy to set up and robust as FW-1. It's the only product out there that actually defines FW-1 (thanks to stateful inspection).
  • most everything you've said is lame, uninformed, naive ranting..... IMO
  • For those of us who have to manage Checkpoint Firewalls (on Solaris) this is great news, if only because we could now use a CP Gui manager in Linux!

    That's one more Windows app I can throw in the garbage.
  • You got it. That's why the DOJ uses OpenBSD.
    A Line-by-line security audit makes a big difference.
    Do you think MS will do a Line-by-line security audit to Win2K? Ya right!
    You wouldn't put a top of the line Medeco on a balsa-wood door would you?
  • My company (Solsoft) sells software which is made for this kind of sysop as well as for the ones who don't want to waste time configuring their firewall. Our product doesn't support FW1 but it can configure ipchains/ipfw/ipfilter boxes and the most common filtering devices.

    I'm one of the GUI developers of Net Partitioner and I'll be very pleased if you can take a look at this tool and give me some feedback. Of course it works under Linux (since the 1st release) because it is fully developed under Linux.

    Please don't consider this message as an ad, I HATE marketing but I think commercial products have their place under Linux too.

    http://www.solsoft.com [solsoft.com]
  • Most closed source products I have seen have some form of back-door built into them for the manufacturer's own use, but this mechanism does often fall into the wrong hands, and I have seen disastrous results as a consequence.

    Please. You can't name 5 such products. The only such instance I've ever seen is in the case of 3Com hubs/switches. Did you realize that Check Point was recently certified for use by the NSA? If the NSA is willing to use the product (which involves a source code inspection), your claims are a bit overboard.


    I do, however agree that Borderware is an utter nightmare. (I'm a former Borderware victim^H^H^H^H^H^Huser).

  • What people are missing..."we already have ipchains, etc"...is this is another commercially supported product, sure IT people will say "we can support that" but the CFO is going to say "who's gonna offer you support?"
  • I had no idea that Europe was a country. All this time I thought it was a continent (though IMO Europe is a subcontinent of Eurasia).

    (Just being silly.)
    ---
    "'Is not a quine' is not a quine" is a quine.

  • I didn't say anything about software maint. But since you brought it up, I think it's ok. What bothers me about it is when they want you to pay for maintenance to get stuff like security patches and bug fixes. Maintenance for version upgrades(new/refined features) is good though.
  • Pretty interesting. Could you give a hint where to look? My company would be very interested in a device like this.

    Most likely, he was referring to the VPN-1 appliances. The OS in these devices was based on FreeBSD, but has been highly customized. Look at http://www.checkpoint.com/products/vpn1/applianceds.html for more information.

    PeeWee

  • Alas, it's exactly that kind of sucker attitude among customers that has brought us to where we are today in the software world.
  • Inertia for one. We just upgraded to the Nokia firewalls at work because it means we don't have to port the Rulebase. We caught hell from our Cisco reps when we didn't go with a PIX firewall - and we told them flat out that unless *cisco* paid to convert the rulebases it wasn't worth it.

    The Nokia's are BSDi boxes running the Checkpoint code. I'm sure that if they can get the functionality of the Unix boxes (extended routing protocols like OSPF, BGP, etc) without paying the BSDi tax it's a big win. I would imagine that this also allows them to have a great deal of control over the whole thing - they're no longer dependent on Sun or HP or M$ when something goes Horribly Wrong between their product and the O/S. FYI - the Nokia's are *really* sweet - nearly all admin including interface configuration is via the web browser, but you can also SSH or telnet into them.

    I *really* hope that this means that they're also releasing the GUI admin tool - it sucks editing their rulebases by hand.

  • That's what ipchains is missing. Checkpoint is one of the few (only?) FW companies that understands what it is to have to manage 100+ firewalls, and their concept of a "management console" is outstanding. I won't lie and say there are no bugs in it, but hands down, nobody else comes close.

    Now that they're porting it to Linux, looks like I'll be throwing ipchains out the window for home use and in some small installations. We primarily run it on Solaris, but Linux will have its place as well, I believe.
  • I'm not a GUI programmer but we already have a Solaris Motif GUI now, I guess it would just be a library or two to make it work.

    The Solaris GUI is a port of the Windows GUI, sitting on top of some compatibility toolkit. I don't know which toolkit, but it's not something like GTK+ or wxWindows or Java. For the GUI to run on Linux, that toolkit would have to exist for Linux. If it doesn't, then no GUI for Linux.

    Also, the Solaris GUI only runs under Solaris Sparc, not Solaris x86.

    PeeWee

    (Yes, I work for Check Point. No, I don't speak for the company. If you think what I'm saying is official Check Point Gospel, you're insane.)

  • That's very cool to hear that it's stompin' NT left and right, but I'm surprised that they wouldn't be porting to OpenBSD or FreeBSD first due to networking speed and security issues. Linux is neat and all, but I would still rather have a Solaris box on my front lines than a Linux box for a FW. Right now I don't do either, I've got a FreeBSD box handling 5 networks, all running at 100Mbps at 50-60% capacity (network bandwidth) so I'm pretty happy. I wasn't able to accomplish that with Linux on the same hardware.

    To tell you what's truly bizarre, Nokia's FW-1 Appliance is based on some kind of BSD, so porting the actual FW to Free/Net/OpenBSD would be a snap. Hopefully they'll see the light and port soon.

    Regardless, porting the CP GUI to Linux is great because it's so well emulated on other platforms. Solaris, Open/Net/FreeBSD all can run Linux X86 binaries. I'd still rather have a native binary, but any binary is better than none.
  • Regardless, porting the CP GUI to Linux is great because it's so well emulated on other platforms. Solaris, Open/Net/FreeBSD all can run Linux X86 binaries. I'd still rather have a native binary, but any binary is better than none.

    There will almost certainly be a kernel module involved with the firewall port itself, since the Inspect Engine runs as a module on all the other UN*X platforms VPN-1/FW-1 supports. I don't know for certain, but I can't see how the binary emulation will work with kernel modules.

    See my previous comments with regards to the GUI.

    (Again, yes, I work for Check Point. No, this is not official Check Point Gospel. I speak for me, not Check Point.)

    PeeWee

  • ipchains has no stateful inspection, good nat connection tracking, a variety of application proxies, vpn protocols, better rule tables, any kind of comparable speed in nat firewalling...

    Of course, the applications built upon netfilter in newer versions of Linux will be better, but it's going to be a while before it's even close to checkpoints product.

    It is, however, good enough for the home and small business applications.
    ----------
  • What features does BSDi have that is lacking in Open/Free/NetBSD? I would have thought basing a firewall on OpenBSD would be a no brainer.

    --
  • They clone these people. I've just finished a contract where I dealt with much the same sort of person. When trying to establish ftp connection to a particular mainframe the administrator didn't even contemplate changing firewall rules.
    Instead they thought to tell me that the internet IP of the mainframe blocked by the firewall was a LAN IP address...The poor soul didn't even understand the meaning of a positive result from an nslookup query...:-(
  • Did it ever occur to them that OpenBSD might be a better solution?

    OpenBSD is already the de facto standard free unix to use as a firewall, and checkpoint could package an entire OpenBSD/FW-1 system together and sell it as a single, ready-to-go-out-of-the-box product.
  • The licensing costs for the OS/hardware. At my work, we bought FW1 for NT even though we wanted to run it on UNIX - but it would have cost a lot more (out of our budget) to get the machine and OS.

    So we ended up with FW1 on a cheap NT license and cheap clone hardware. If we can run it on free Linux and cheap clone hardware, I'll be much happier..
  • >Also, the Solaris GUI only runs under Solaris Sparc, not Solaris x86.

    Uhm.. you sure?
    I'm sure that when I looked on the FW1 CD and did a 'file' on the executables in the Solaris/x86/gui area (can't remember the proper path), they were i386-elf ..

    Or maybe that was just my imagination?
  • you suck, and the GUI in Solaris will let you do it. You just have to know how, it's all about workstation objects and manual address x-lation rules
  • I also work with Checkpoint on Sun, and I'd rather see the Checkpoint GUI ported to Linux, but using the existing kernel firewall code. For high volume commercial applications, it's starting to look like dedicated PIX hardware is the answer only because Checkpoint has a 50,000 connection limit.
    Do we know what the connection limit in Linux's native firewall is?
  • I purchased Checkpoint FW-1 as what I thought would be a quick, cheap and easy (according to the docs) firewall to set up for my site at work. I tried to install it on an NT box but that install failed every time and tech support is not available unless you purchase it (remember I was trying to do this cheaply and so Checkpoint said sorry no help). I thought tech support should at least be available if it wouldn't install (new NT installation, new partition, etc.) I finally gave up on the NT version and installed it for Solaris x86. That went much smoother and everything was flying along till...

    I purchased the 25 user lic. version as I only needed to protect a few machines connected to the internet but the problem is that I have a complete subnet with IPs ranging from 0-255 (although less than 25 total). Checkpoint FW-1 said I had too many machines and therefore wouldn't run. I thought it was pretty stupid that it only checked for the highest and the lowest IP and took the difference as the total number of IPs being protected rather than keeping track of the actual IPs that tried to get routed.

    Checkpoint came out with a new revision (bug fixes) just after I purchased it and they told me I would have to purchase the bug fixes as I didn't buy tech support. I finally got through to some manager level person who told me that I was exactly right and I shouldn't have to pay for bug fixes and that I would be sent the update and that someone from tech support would be contacting me and would talk me through any problems I had. I never got the update but the tech support guy did call and was very helpful. He said I could fix my problem by changing all my IPs to be sequential and that it would "probably" work.

    The Linux motto is something like "do it yourself" if I remember right. At this point I repartitioned the disk, put in my favorite Linux distro, read the ipchains and firewalling HOWTOs and within a few hours had my firewall working like a champ. I can't say that Checkpoint FW-1 is a bad product overall, it is probably very good for large sites as the firewalls can work together for multiple gateways and all the VPN stuff but when it came down to making it happen for me, Linux was the right answer. My moral for this story would have to be "never trust the easy way."

    Also this was the first Linux box I was able to sneak into work, others are slowly making it in now and replacing a few of our older Sun workstations. The boss loves Linux now.

    So to get back on topic, Checkpoint FW-1 for Linux could be a very good thing for a lot of companies who need some of its features but Linux with ipchains will probably work for more than 98% of the sites out there, IMHO.

  • I was in a "checkpoint partners" meeting a month or so ago, and they said "shhh, don't tell anybody, but you can expect to hear some announcements re: fw-1 on linux in January." (ps, this is because they're dropping fw-1 on solaris86) I guess the work is going smoother than expected. This will have a huge effect for fw-1 resellers because until they release it, you're always getting hit with an OS license, in addition to hardware for the firewall. In the case of NT, you even have to pay for bigger hardware to achieve the same performance. With a linux version, the price of a 50 user firewall will drop down at least 10-20%.

    My big question is this:
    I'm pretty sure they're gonna have the firewall be a kernel module. What kind of license can they apply to it? I'm not sure that you can distribute kernel modules without some kind of GPL.
    -earl

  • Competition encourages both sides to make their product better than the other's (Checkpoint vs. Linux developers).
  • Well I give them a high five, way to go!
  • I'm pretty sure they're gonna have the firewall be a kernel module. What kind of license can they apply to it? I'm not sure that you can distribute kernel modules without some kind of GPL

    Yes, you can. Linus made an exception for loadable modules - you can make them any license you want.

  • I hadn't even thought of a GUI. I don't put X on my servers, just workstations, so everything server related in my brain is text. I can see where a GUI would help some people. Guess I was just flying on autopilot :)
  • We currently use Firewall-1 and VPN at work and if I want to connect to our system via my @Home connection, I have to use Windoze. So the big question is, will I be able to connect to our system from Linux? It'll make my Winframe connection to our system complete! :)
  • Progressive systems makes a firewall/VPN, that is ICSA certified.

    http://www.progressive-systems.com/products/ [progressive-systems.com]
  • I WANT SecuRemote!! I want it! I want it!
    I run a FW-1 v4 box at work, on NT. Unbelievably, it hasn't crashed yet. Over 6 months! Of course, I've got everything turned off...
    BTW, Roblimo - put a damned spel cheker in here will ya?
    "There are two things which are truly universal: hydrogen and stupidity." -- Frank Zappa
    webmaster: http://amazing.divingdeals.com
  • The GUI is network accessible and cross platform (X and Windows). It's nice too. I'm not a big GUI guy but it is pretty and it is functional.
  • Keep in mind that the Open Look GUI is the primary interface used under Solaris, not Motif.

    Untrue.

    Both the OpenLook GUI (the older style GUI from the 1.x and 2.x days) and the Motif GUI (the port of the Windows GUI) run under Solaris.

    PeeWee

  • I wasn't particularly talking about running the FW on another OS in emulation, I was talking about running the management interface. I'm in the process of purchasing one of Nokia's Firewall products (CP FW-1 on FreeBSD), but so far the management GUI is Windows only (bleh). I'd much rather use their appliance anyways :) It's a *hell* of a lot cheaper than buying just their software!
  • SecuRemote is still much easier than M$ PPTP, and for the most part transparent to the end user.
  • by Anonymous Coward
    There are people who claim that once Checkpoint's Firewall-1 default setting was not an oversight but a nice feature for knowledgeable intruders to penetrate these firewalls without getting burned.

    Sorry to say that www.diligence.co.uk [diligence.co.uk] is no longer online. Search the Bugtraq archives.
    Personally, I would prefer to rely on a firewall which is available in source code. Why 'poison' my setup when there are such nice things as ipchains?
    Trust is good, control is better! (Lenin)

    I once archived the Diligence security advisory. Here we go:

    Diligence Security Advisory

    Issue: Checkpoint's Firewall-1 has a "feature" that can allow an external intruder to pass through the firewall and attack machines, uninhibited, on the protected side.

    Details: When Firewall-1 is installed there is an implicit rule: ANY (Source), ANY (Destination), ANY (Service) and ACTION (drop). This means, in theory, that all IP based packets, whether incoming or outgoing should be dropped. However, Firewall-1, out of the box, allows certain "core" network protocols through - these being RIP (UDP port 520), DNS (UDP and TCP port 53) and all ICMP except Redirects. These are allowed through, from ANY (Source) to ANY (Destination), without being logged, before the rule base is referenced.

    Consequently, DNS cache poisoning aside, if an attacker has managed to place a trojan or another "backdoor" on a host on the protected side, through whatever method, and set it listening on TCP or UDP port 53, they will be able to access this host transparently, through the firewall. No logging will take place. The firewall host itself is reachable by this method, even if a 'stealth' rule has been placed in the rule-base to protect it.

    During our lab tests we set an NT Server listening on TCP port 53 using netcat and on connection spawned a command prompt (cmd.exe). On telnetting to this server, through the firewall, we were able to attack all other machines on the "protected" side. We also installed the cDc's Back Orifice on a Windows 95 client listening on UDP port 53 and could access this machine through the firewall. When listening on UDP 520 (RIP) we could not access the 95 client, indicating that Firewall-1 checks the validity of traffic sent over the RIP port.

    Versions tested: Firewall-1 v3.0b on NT server 4.0 with Service Pack 3
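The evaluation order the advisory describes, modelled as a small Python simulation (added here as an illustration; not Check Point code, and the addresses and rules are constructed). It shows why a 'stealth' rule in the rule base cannot protect the firewall host from port-53 traffic when the implied rules run first and unlogged, and, as an assumption about the fix rather than anything the advisory states, what the same packets do once the implied set is disabled and DNS is allowed only to the real resolver with logging on.

```python
"""Model of Firewall-1 3.0b matching as described in the Diligence advisory:
implied rules (DNS, RIP, ICMP-except-Redirect) are consulted before the
administrator's rule base and their matches are not logged.
Constructed illustration; addresses are from the TEST-NET ranges."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    port: int = 0       # destination port for tcp/udp
    icmp_type: int = 0  # ICMP type; 5 is Redirect


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    match: Callable[[Packet], bool]  # service match
    action: str                      # "accept" or "drop"
    log: bool


def service(proto: str, port: int = 0) -> Callable[[Packet], bool]:
    return lambda p: p.proto == proto and (proto == "icmp" or p.port == port)


def icmp_except_redirect(p: Packet) -> bool:
    return p.proto == "icmp" and p.icmp_type != 5


def any_service(p: Packet) -> bool:
    return True


# The implied rules named in the advisory: ANY -> ANY, accepted, never logged.
IMPLIED_RULES = [
    Rule("implied-dns-udp", ANY, ANY, service("udp", 53), "accept", False),
    Rule("implied-dns-tcp", ANY, ANY, service("tcp", 53), "accept", False),
    Rule("implied-rip", ANY, ANY, service("udp", 520), "accept", False),
    Rule("implied-icmp", ANY, ANY, icmp_except_redirect, "accept", False),
]

FIREWALL = "192.0.2.1"       # constructed: the firewall's own address
DNS_SERVER = "192.0.2.53"    # constructed: the only legitimate resolver
WORKSTATION = "192.0.2.77"   # constructed: an internal host with a backdoor on 53
OUTSIDE = "203.0.113.9"      # constructed: external source


def rulebase(explicit_dns: bool) -> List[Rule]:
    """The administrator's rule base. The stealth rule protects the firewall
    host; with explicit_dns (the assumed hardened variant) DNS is permitted
    only to the real resolver and every match is logged."""
    rules = [Rule("stealth", ANY, FIREWALL, any_service, "drop", True)]
    if explicit_dns:
        rules.append(Rule("dns-udp", ANY, DNS_SERVER, service("udp", 53), "accept", True))
        rules.append(Rule("dns-tcp", ANY, DNS_SERVER, service("tcp", 53), "accept", True))
    rules.append(Rule("cleanup", ANY, ANY, any_service, "drop", True))
    return rules


def _matches(rule: Rule, p: Packet) -> bool:
    return rule.src in (ANY, p.src) and rule.dst in (ANY, p.dst) and rule.match(p)


def evaluate(p: Packet, implied_enabled: bool = True,
             explicit_dns: bool = False) -> Tuple[str, bool, str]:
    """Return (action, logged, name of the rule that matched). With
    implied_enabled the implied rules are walked before the rule base,
    which is the ordering the advisory describes."""
    chain = (IMPLIED_RULES if implied_enabled else []) + rulebase(explicit_dns)
    for rule in chain:
        if _matches(rule, p):
            return rule.action, rule.log, rule.name
    return "drop", True, "implicit-drop"


SAMPLES = {
    "backdoor-tcp53": Packet(OUTSIDE, WORKSTATION, "tcp", 53),
    "firewall-udp53": Packet(OUTSIDE, FIREWALL, "udp", 53),
    "resolver-udp53": Packet(OUTSIDE, DNS_SERVER, "udp", 53),
    "icmp-redirect": Packet(OUTSIDE, WORKSTATION, "icmp", icmp_type=5),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:15} default:  {evaluate(pkt)}")
        print(f"{'':15} hardened: {evaluate(pkt, False, True)}")
```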

  • I believe that all the people who stated they would just stick with IP chains are 100% correct to do so because they obviously do not have an enterprise network to protect. People who run FW-1 are big businesses. Anyone that would say that IP chains would work for say an international bank has never worked with that scale of network.

    As far as the "why not BSD" posts: CP FW-1 does run on BSD. It's called the Nokia IP440. Although they do not sell the BSD code alone, the Nokia IP440s do run BSD. I would be more willing to install CP FW-1 on LINUX than CP FW-1 on BSD.

    Check Point has 90% of the market share for commercial firewall products. The reason is the superior product they produce. Stateful Inspection, interoperable VPN, modular design and a proven track record are just a few reasons Check Point is the predominant firewall on the market.

    Now, as to how this affects LINUX as a whole: it is drastic. Big companies, under the advice of their knowledgeable technical staff, will start using CP FW-1 on Linux. Finally a product that puts LINUX in the spotlight where it can really shine. LINUX makes a much better server than a client any day, and we should all support LINUX as a server platform because doing so will ensure its future.

  • They already have ported it to a flavour of BSD, the Nokia 'appliance' box runs CP FW-1 under IPSO, a variant of BSD.
  • See http://www.phoneboy.com/fw1/faq/0289.html [phoneboy.com] for information on how to resolve this issue.
  • For quirk one, get a motif license feature, use the motif GUI and be happy.

    For quirk two, upgrade to Solaris 2.6 and be happy. (Check with your reseller if you're still
    on FW-1 v3.0b as there are some gotchas...)
  • Firewall-1 is a tricky product to install securely, so if you aren't completely happy doing it yourself, it's probably best you get someone with plenty of hands-on experience to do it for you. That's why my employer and many others don't generally provide over-the-phone installation support - it causes more problems than it solves.

    Secondly, FW-1 doesn't work out your license requirement by any kind of maths. It simply counts all the IP addresses it hears on your non-external interface. Either you were using DHCP with a large pool size (cut it down to what's necessary), you hadn't set external.if properly, or you really do have more than 25 internal hosts.

    Thirdly, you won't generally get patches/upgrades unless you pay for maintenance. I'll agree with anyone who says that bug-fix patches should always be gratis! Feature upgrades are another matter...
  • when ipchains in the kernel can do it all and more ?

    ipchains provides basic packet filtering and masquerading. It does NOT provide features like:

    VPN (IPsec compliant, site to site, AND client to firewall)
    Multimode NAT (hide, static, hide-pool)
    Integration with 3rd party stuff like antivirus, URL filtering, intrusion detection
    Integration with bandwidth management software

    ..and a bunch more.

    The bottom line? In the low-end firewall market, Check Point on NT is extremely popular. If we can provide users with the same functionality at a lower cost and with more reliability, it won't lose.

    I personally knew about this port about 2 months ago, but was sworn to silence. :-)


  • Over the last while there have been a huge number of reports of commercial software packages being released for Linux. I wonder if people are soon going to forget about all the free software that is available too.

    Sooner or later someone is going to figure out a way to overlay a commercial API on top of Linux, and everyone is going to need to buy that package in order to run their favorite applications.

    Maybe Microsoft will do it--they could make a commercial Win32 available for Linux and make us all pay for explorer (after grinding WINE and Netscape into the dust, of course).
  • SecuRemote for Linux? It's plausible, but going to be a very different implementation, due to the multiuser nature of Linux. I'd love to see it, but I'm not going to hold my breath.

    Besides, most of the SR users of the world are sales critters that can only grok Windoze anyhow..

  • Well, the network code in the linux kernel is not exactly backwards compatible, unless you do some tricks to make it so.
    ipchains allows for lots of tricks you could not do with ipfwadm, the new netfilter stuff which will be in 2.4 allows even more tricks.
    There are some howtos and stuff which you might want to read to mentally prepare yourself for 2.4 on netfilter.kernelnotes.org [kernelnotes.org].
    Quote from the ipnatctl howto:
    3. Quick Translation From 2.0 and 2.2 Kernels

    Sorry to those of you still shell-shocked from the 2.0 (ipfwadm) to 2.2 (ipchains) transition.
    There's good and bad news.
    Firstly, you can simply use ipchains and ipfwadm as before. To do this, you need to insmod the `ipchains.o' or `ipfwadm.o' kernel modules found in the latest netfilter distribution. These are mutually exclusive (you have been warned), and should not be combined with any other netfilter modules.
  • Competition is great for linux. My only question is - what features are they going to have that ipchains doesn't? I mean, we already have solid firewall support under linux - they're going to have a hard time selling a commercial product over a free one to the community without some serious features backing it up.

    --
  • This is excellent. I work with Checkpoint Firewalls, and this proves to be a very good thing for a number of reasons. Currently we have our firewalls deployed on Sun hardware (and Solaris, of course). But one of the reasons I do not like our solution is that I am not as familiar with debugging the OS issues of Solaris. With a Linux port of CheckPoint, that means cheaper solutions (for those sites with minimal traffic) and still inter-operability with the current production firewalls. (For me) it would also offer more of a comfort level with the hardware/OS, in terms of tracking down problems.
  • A commercial entity can license and use patented technology which is not permitted in the Linux kernel or free software. There are a number of patents floating around in the firewall field.
  • LinuxWS:/cdrom/solaris2-i386/CKPfw/reloc/bin# file fwui
    fwui: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked, stripped

    I just assumed this was the GUI executable, but I guess that might not be true then?
    No point trying to get iBCS2 to run them in that case :-/
  • I've used FW-1 pretty extensively. I've also used a variety of other packet-filtering systems.

    FW-1 is a respectable product in many ways. Unfortunately the documentation is filled with FUD slams against other techniques. It's really expensive though, so you can hardly blame them.

    My experience with FW1 was that it was actually less secure than what I could build with other tools, but probably more secure than what your average new-to-security employee would create as a first attempt.

    Something important to keep in mind about large corporations is that they (and their security groups) are more concerned about insurance and liability containment than security in the sense most people think of it.

    Take a large corporation and give them the choice between a single person or two designing a system for maintaining all the firewalls in their enterprise and buying a product (FW1) which allows them to shift plausible deniability (checkpoint is protected by their license agreement and resellers no doubt) -- well it's a no brainer.

    FW-1's best feature was the slick way you could setup NAT. NAT should be a niche function, but the IPv4 shortage is making it all too common.

    One downside was the license counting (you are licensed by internal clients but the mechanism that counts these won't time out entry -- even after weeks).

    The other big downside was the implicit rules. You can't create equivalents to many of the implicit rules using the GUI. Furthermore implicit rules are never logged. If you want all decisions made by the firewall logged you have to reengineer all the implicit rules you need -- and this gets into some _very_ subtle programming in INSPECT (the language which FW1 rules compile into).

    The GUI also doesn't let you select ranges of origination ports unless you know some INSPECT.

    Finally, the GUI log file viewer, for reasons I never determined, would occasionally incorrectly display entries. It took me a while to realize that I could only trust the UNIX command line log viewer.

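The implicit-rule behaviour described in the advisory quoted earlier (RIP, DNS and non-Redirect ICMP accepted before the rule base, unlogged, stealth rule bypassed) and the poster's point above that you must re-create the implied rules explicitly to get them logged, as an added toy model. This is example code written for this page, not Check Point's; addresses are constructed and the "implied rules enabled" flag is an assumed stand-in for however the product actually toggles them.

```python
# Added example (not Check Point's code): a toy model of the Firewall-1
# evaluation order described above. Implied "core" rules are checked before
# the rule base and never logged; the fix the posters describe is to turn them
# off and re-create only what you need as explicit, logged rules.
from dataclasses import dataclass
from typing import Callable, List, Optional

FW_HOST, DNS_SERVER, CLIENT = "10.0.0.1", "10.0.0.53", "10.0.0.25"  # constructed
OUTSIDE = "192.0.2.7"                                                # constructed

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    port: Optional[int] = None       # destination port for tcp/udp
    icmp_type: Optional[int] = None  # ICMP type; 5 is Redirect

@dataclass
class Rule:
    name: str
    action: str                      # "accept" or "drop"
    match: Callable[[Packet], bool]

def implied_core(p: Packet) -> bool:
    """Out-of-the-box implied rules: RIP udp/520, DNS tcp+udp/53, ICMP except Redirect."""
    return ((p.proto == "udp" and p.port == 520)
            or (p.proto in ("tcp", "udp") and p.port == 53)
            or (p.proto == "icmp" and p.icmp_type != 5))

# Explicit rule base, evaluated top-down; every decision made here is logged.
RULEBASE = [
    Rule("stealth", "drop", lambda p: p.dst == FW_HOST),
    Rule("dns-to-resolver", "accept", lambda p: p.dst == DNS_SERVER and p.port == 53),
    Rule("cleanup", "drop", lambda p: True),   # explicit ANY/ANY/ANY drop
]

def evaluate(p: Packet, implied_enabled: bool, log: List[str]) -> str:
    """Return the verdict and append a log line for every rule-base decision."""
    if implied_enabled and implied_core(p):
        return "accept"                        # before the rule base, never logged
    for r in RULEBASE:
        if r.match(p):
            log.append(f"{r.name}: {r.action} {p.proto}/{p.port} {p.src}->{p.dst}")
            return r.action
    return "drop"                              # unreachable while a cleanup rule exists

if __name__ == "__main__":
    listener = Packet(OUTSIDE, CLIENT, "tcp", 53)   # an unexpected tcp/53 service inside
    for enabled in (True, False):
        log: List[str] = []
        print("implied rules on" if enabled else "implied rules off",
              evaluate(listener, enabled, log), log)
```

With the implied rules on, tcp/53 to any inside host (including the firewall itself) is accepted with an empty log; with them off, only the explicit resolver rule accepts port 53, and everything else, stealth hits included, shows up in the log.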
  • Yes, I've read the paper by Schneier. IIRC, they claimed that the bug is in the Microsoft implementation of PPTP, not in PPTP itself. It's possible that the freeware implementations of it don't have the problem, though in what combinations with Windows clients or server I can't guess. In particular, I don't know whether the server implementation has to reproduce Microsoft's security bugs in order to be compatible with Windows clients.
  • I doubt that checkpoint can do more in the IP forwarding arena than ipchains + advanced routing.

    It can, and it is much easier to configure and is more elegant (ipchains + "advanced routing" is a hack).

    I speak from experience.
  • I think you're missing the point here.

    The purpose of this is NOT to cause Linux devotees to abandon ipchains in favor of Check Point. The purpose of this is to provide an alternative to running FW-1/VPN-1 on x86 using an OS other than NT. Why not Solaris x86? They've been supporting Solaris x86 for some time now. I believe they are going to drop Solaris x86 as a platform, however.

    I think it provides a great alternative to NT. Cheaper, more reliable. I've instructed my sales people to pursue Check Point implementations (in order) on the Nokia appliance platform, VPN-1 Appliance, then Linux, followed by Solaris Sparc and finally NT... If our focus was "software only first", Linux would be the first in the list. But fear not, there are lots of people who don't want an appliance and want to go the software route.

    --j

  • Several posters in this forum have written things like "but what does it do that [product xyz] doesn't?" or "but we already have one [product xyz], why do we need another one?"
    We always need "another one", because more is better:
    1. More competition for me (random developer of product xyz) encourages me to improve my product. That helps me, and my competitor (in the same way), and most importantly the users.
    2. More competition for me encourages me to lower my price, if I want people to use my product. But wait, what if my product is free? Price is but one barrier to the potential user of a product, others are ease of use, maintenance, installation, auxiliary required resources (a computer), and the list goes on. I will be encouraged to lower those barriers, and that is good.
    3. Moving NT products to Linux helps to move NT users to Linux. More Linux users is a good thing. Fewer NT users is a good thing.
    4. Moving NT products to Linux raises awareness of Linux as a real viable useful good thing in managers' eyes (and others who hold those all important purse strings).

    Ever heard the phrase "a rising tide lifts all boats"?
