24th January 2008
#1
Join Date: Sep 2003
Age: 25
Posts: 397
Checkpoint firewalls
Hi,
Has anyone had any experience with Checkpoint, specifically their IPSec/SSL VPN solutions?
If so, what are your opinions? And what hardware did you run this on?
Cheers,
__________________
Web Host - Certified Member
24th January 2008
#2
Join Date: Nov 2005
Location: Scotland
Posts: 387
The only one we worked on - a Cisco engineer came in and migrated the rules to replace it with a PIX. The Nokia looks good, but in real life the setup isn't flexible (the rule base, I mean).
__________________
Web Host - Certified Member
Last edited by wise : 24th January 2008 at 09:58 PM.
24th January 2008
#3
Join Date: Nov 2001
Location: Derbyshire
Posts: 6,001
Got a good friend who works @ Nokia Security, what you after knowing?
__________________
Web Host - VIP Member
25th January 2008
#4
Join Date: Aug 2007
Location: Lincoln, UK
Posts: 499
I am VERY familiar with Check Point and their IPSec VPNs. Have managed a few hundred firewalls from 4.0 to NGX R62 on Windows, Red Hat Linux and SecurePlatform (Check Point's hardened version of Red Hat stripped right down to the bare minimum).
Not worked much with the SSL VPNs (Basically had a play around with Connectra in a lab) so I can't really comment on that, other than it looks very shiny.
With regards to hardware, most of my experience is with SecurePlatform on HP/Compaq servers, with a few Red Hat machines where SecurePlatform wouldn't work on that hardware (SecurePlatform NG R55 just wouldn't load on the old Netserver LC2000s). SecurePlatform is a fantastic system that just keeps getting better.
I have used several versions on Nokias and would generally advise against it (depending on exactly how they're being deployed; I have used Nokias perfectly fine in some situations such as VPN terminators in a data centre, but quite often they're unreliable crap). VPNs are one area where Nokias excel due to their onboard encryption. I have used IP330s/IP350s with hundreds of tunnels in a data centre. Bear in mind that the IP330 has a 330MHz AMD K6 CPU and 256MB RAM IIRC.
SecureXL is the Check Point API to allow hardware acceleration of most of the firewall/VPN features and is responsible for the massive performance of Nokias on relatively modest hardware. Crossbeam are supposed to be good for hardware acceleration with Check Point but I've not used them. You used to be able to get a PCI "turbocard" that made use of SecureXL; not sure if it's available any more though, as I can't find it on their web site.
I love Check Point for their management tools and logging. In my opinion, the GUI and centralised management abilities (SmartCenter and Provider-1) are the best there is (although I haven't used the latest PDM/SDM with the Cisco PIX or ASAs, so YMMV). I love Fortinet FortiGates for the all-in-one, hardware-accelerated solution (even Nokia/Crossbeam can't match this with two separate companies doing the hardware/software) and the lack of per-host licensing, but there are still some situations where I would go Check Point for their management tools (as well as integration with their other products).
You looking for any help in particular?
__________________
Freethought Group Limited
Hosting and communications
Freethought Group Limited registered in London No. 5862996. Registered office: The Old Church Hall, 2A Cromwell Street, Lincoln, LN2 5LP.
Xion Internet and Freethought Internet are trading names of Freethought Group Limited.
__________________
Web Host - Certified Member
25th January 2008
#5
Join Date: Sep 2003
Age: 25
Posts: 397
Thanks guys. We're looking at a secure RAS solution for up to 5000 users and basically comparing the Cisco and Check Point solutions. Just interested in any "gotchas" with Check Point, as they're looking like a leader after meeting one of their distributors yesterday. We would look to be running it on Dell hardware as there is a pre-existing global agreement with Dell. Anyone tried this?
Any thoughts on the Integrity Secure Client (which is a re-badged, centrally controlled, version of ZoneAlarm)? Given that personal firewall and AV is taken care of by Kaspersky on clients already, we're thinking we may only need the more basic VPN client (SecureClient Mobile). This is with VPN-1 Power as the firewall I think.
__________________
Web Host - Certified Member
25th January 2008
#6
Join Date: Nov 2001
Location: Derbyshire
Posts: 6,001
ZoneAlarm - junk, IMHO, these days. Severely broke my PC, slowed it to a crawl (I'm not on a slow machine: 4 cores @ 2.2GHz, 4GB RAM), had to remove it, and this was the Pro Security Suite version. So unless they've changed a lot in it other than re-naming it and adding central management, I'd stay away.
__________________
Web Host - VIP Member
25th January 2008
#7
Join Date: Aug 2007
Location: Lincoln, UK
Posts: 499
Quote:
Originally Posted by heypresto
Thanks guys. We're looking at a secure RAS solution for up to 5000 users and basically comparing the Cisco and Check Point solutions. Just interested in any "gotchas" with Check Point, as they're looking like a leader after meeting one of their distributors yesterday. We would look to be running it on Dell hardware as there is a pre-existing global agreement with Dell. Anyone tried this?
Any thoughts on the Integrity Secure Client (which is a re-badged, centrally controlled, version of ZoneAlarm)? Given that personal firewall and AV is taken care of by Kaspersky on clients already, we're thinking we may only need the more basic VPN client (SecureClient Mobile). This is with VPN-1 Power as the firewall I think.
Check out http://checkpoint.com/services/techsupport/hcl/all.html; there are several Dells certified by Check Point to run SecurePlatform. Most of Check Point's own appliances are also re-badged Dell PowerEdges.
SecureClient is a really nice app with a built-in firewall that lets you download a security policy from the management server to the user's machine when they connect. If you don't need that (it costs extra from what I recall; I try to avoid Check Point licensing at all costs and just focus on managing it) then you can just use SecuRemote, which is the same thing but with the firewall bit stripped out so you're just left with the VPN.
You've got plenty of authentication options with Check Point. You can do it locally on the management server (if you like headaches) or you can fob it off to another box via RADIUS, LDAP (and thus Active Directory), TACACS or SecurID. One thing I dislike about Fortinet is that you need to install one of their programs on the AD controllers in order to authenticate against it!
The only advantage you really get from Integrity is that it won't let users connect to the VPN unless their AV and OS patches etc. are up to date. It's good for enforcing security policies but it's bloody expensive (as are most of Check Point's products).
25th January 2008
#8
Join Date: Aug 2007
Location: Lincoln, UK
Posts: 499
Quote:
Originally Posted by Karl
ZoneAlarm - junk, IMHO, these days. Severely broke my PC, slowed it to a crawl (I'm not on a slow machine: 4 cores @ 2.2GHz, 4GB RAM), had to remove it, and this was the Pro Security Suite version. So unless they've changed a lot in it other than re-naming it and adding central management, I'd stay away.
Integrity is one of the things that I would really like to play around with just to see how well it works. I've got the eval discs for it somewhere, I think. It's a great idea; it just depends how well it's been implemented.
There are a couple of versions of Integrity. One is the NAC version (or Total Access Protection as Check Point call it) that can work with the client security programs, 802.1x switches etc. (as well as the FW-1/VPN-1 firewall and InterSpect IPS/IDS systems that Check Point would love you to buy) in order to control your access to the network (like Cisco are pushing at the moment, and Fortinet are looking towards with their FortiGate 224B). The other versions of Integrity are the clientless version for the SSL VPNs, which basically uses ActiveX to scan your computer to make sure that it is secure (up-to-date AV and OS patches etc.) before letting you in, and a similar one that is integrated with the SecureClient VPN client.
I've not really had any speed issues with ZoneAlarm, but then again I've not used it on my PC for a while, as I run OS X most of the time and when I'm in Windows I'm sat behind a FortiGate firewall anyway, so I don't bother with local security (bad, I know, but I only use Windows for games so I'd spend half of the time with it turned off anyway). I did notice on my Dad's computer that it "helpfully" installed a toolbar into IE and Firefox. Got rid of that useless bloat pretty quickly though.