-
Isa
I am running an NT Domain with only one route out to the internet. Right now we're running Firewall-1 and MS Proxy 2.0 behind it. We need to upgrade the proxy, and MS's new toy is ISA Server. I'm thinking about getting rid of FW-1 altogether, and putting in ISA Server both as proxy and firewall. Any comments in regards to ISA Server?
Thanks
-
Haven't used this product. But, um, getting rid of ckpw for a m$ product. Hopefully this is a testing site and not your real ecommerce one.
If you do put this in - post the results.
-
What's the big deal with using a MS product rather than Checkpoint's? Just because it's MS? How would you know it's worse than Checkpoint if you never tried it? It's not actually an ecommerce site though. It's just the only opening to the internet for our network.
I've been playing with ISA for a while, and found it much nicer to work with than FW-1. Ran some basic port scan stuff, and every port on the ISA was 'stealthed' (is that the right word for it?), but the FW-1 scan came back with some closed ports...better than open I guess.
Either way I'll let you know how ISA stacks up to FW-1.
-
umm, don't know much about ISA server, but keep the CP-FW1. Set up ISA as a secondary firewall if you want to, but trusting your security to a microsoft product is like trusting your keys to a car jacker.
-
At ease Sgt B. You can use whatever you like. When you post question, expect some input.
I haven't used ISA in a production environment myself, but have seen it running.
-
I am in no way an expert on the subject, since I haven't used either product, but I think you should bear in mind that Microsoft products tend to be more of a target for hackers and crackers than most other products - so, even if they are of the same quality, vulnerabilities for Microsoft products tend to surface quicker. If this is a good or a bad thing, I leave to your judgement - it could be both positive and negative.
-
Thanks for all the input!
Gold Eagle: I think you got the wrong tone in my 'voice'. I was just asking you why you would say to ditch the MS product, not trying to flame you. After re-reading my post though, I could see how you could come to that conclusion. I didn't mean to sound angry.
-
Microsoft's ISA server is nothing more than a glorified proxy. Not that there is anything wrong with it, but it is different from Checkpoint FW-1.
If I were you, I would keep the design the same and just upgrade the proxy 2.0 to MS ISA. This will give you a very secure setup. Just make sure on the FW that you only accept traffic from the proxy so that someone cannot circumvent the system by setting their default gateway to that of the FW and removing proxy settings. There might also be cases where something might not be able to be proxied. Deal with these on an individual basis and create necessary exceptions on the firewall.
I would not even make it a consideration to eliminate the CP FW altogether. By doing this, you will eliminate a lot of the flexibility that a stateful inspection FW gives you in the first place.
-
You're right Invictus...we already paid for FW-1 anyway, right? Sounds like that's the best route to go.
Thanks for the help and advice everyone!
-
no offense taken.
We are glad to help. iNViCTuS is quite right, he has a lot of security experience so I put much in what he says. Let us know how it goes and if you need more help.
;)
-
i tried ISA...it sucked big time
-
Well, before I start, I have completely no knowledge of ISA at all, but I think I'm ok when it comes to OPSEC related products.
Now, the change should be obvious after documenting your security policy <No not your rulebase, your needs>. What sort of content passes through your Proxy to your FW? Most <if not all> can be monitored by simple INSPECT scripts <Phoneboy's HTTP script for example> that could be coded in no time while in bed, just define a function <#deffunc foobar> that accepts packets and then SNATs them to 0.0.0.0 <this is a special configuration in CP that tells FW-1 to use the outgoing interface's IP address, similar to the concept of MASQ>. So, you wouldn't actually need the proxy anymore.
On the other hand, assuming you really need the proxy and can't make do without it, then I suggest you go with iNViCTuS' advice. Limit traffic to the FW from the Proxy alone and try to be as strict as possible. Just a small addition, you might want to use the proxy as your small network's FW and leave the heavy load on the FW for the DMZ and other servers <that's what I do regularly>.
About M$ providing me with a security solution, I think I would not accept it for a simple reason. CP means the OPSEC alliance. In other words, when I bought CP NG I didn't only get a FW, I also got support for CVP, PKI, IDS, HA, etc. from big names that I can rely on. Also a good point that CP offers is INSPECT code, which isn't provided by any opponent. The power of knowing your FW's language means that you guarantee the best of all worlds <simple example is Anti-Spoofing, I used to do it by CP's AS in the GUI, but after doing it by INSPECT code using the nets {} and netsof commands I got really better performance than I ever did.> Yet, unfortunately other competitors have completely ignored providing a language to their FWs, making them either inconvenient, corrupted or both :-)
Well, my own Advice,
If you're just doing a small network that just needs raw power and not a huge e-commerce site, then go for StoneSoft's StoneGate. It has proven to be ten times better than CP's performance <in my crude tests :)> but still, I'm a CP-wiz and I will die as a CP-wiz :)
I've attached StoneSoft's comparison of their StoneGate vs. NextGeneration <aka. CPFW-1 5.0> for anyone interested in it :)
Hope this helps,
etsh911
-
Wow....Very impressive etsh....
I am amazed every time I read posts by you that are at all related to Checkpoint.
-
Ugh, forgot to say this, about your port-scan: this behaviour is a result of CP including fwui_trail.def, which has 'drop' and not 'vanish'. 'drop' mangles a packet before it actually ignores it. This results in the 'closed'. If you go through your INSPECT code and s/drop/vanish, everything should be stealth :-).
CP rules my world,
etsh911
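The two points made in this thread (iNViCTuS' "only accept traffic from the proxy" rule, and etsh911's explanation of why an answering 'drop' shows up as 'closed' to a scanner while a silent 'vanish' shows up as stealth) can be modelled in a few lines. The following is an added example, not code from any poster and not CP INSPECT or ISA syntax: a toy first-match rulebase evaluator with hypothetical addresses (the proxy at 10.0.0.2, the firewall's external address at 192.0.2.1) that shows what a sender sees on the wire for each action and how a simple SYN scanner would label the result.

```python
"""Toy model of a first-match packet filter and what a SYN scanner sees.

Constructed example with hypothetical addresses; the action names
'reject' (answer with a TCP RST) and 'drop' (say nothing) play the roles
of the thread's 'drop' and 'vanish' respectively.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
PROXY = ip_network("10.0.0.2/32")        # hypothetical: the proxy's address
FW_EXTERNAL = ip_network("192.0.2.1/32")  # hypothetical: firewall's outside interface


@dataclass(frozen=True)
class Rule:
    src: object                # ip_network the source must fall in
    dst: object                # ip_network the destination must fall in
    dport: Optional[int]       # None matches any destination port
    action: str                # "accept", "reject" or "drop"


# Only the proxy may leave; a LAN host that sets its default gateway to the
# firewall and removes its proxy settings falls through to the cleanup rule.
RULEBASE = [
    Rule(PROXY, ANY, None, "accept"),
    Rule(ANY, FW_EXTERNAL, None, "reject"),  # protects the firewall itself, but answers
    Rule(ANY, ANY, None, "drop"),            # cleanup: silently discard everything else
]


def evaluate(src: str, dst: str, dport: int, rulebase=RULEBASE) -> str:
    """Return the action of the first rule matching the packet (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rulebase:
        if s in rule.src and d in rule.dst and (rule.dport is None or rule.dport == dport):
            return rule.action
    return "drop"


def firewall_response(src: str, dst: str, dport: int, rulebase=RULEBASE) -> Optional[str]:
    """What the sender sees on the wire for a SYN to dst:dport.

    'accept' is modelled as the service behind the firewall answering SYN-ACK;
    'reject' answers with RST; 'drop' produces no reply at all.
    """
    return {"accept": "SYN-ACK", "reject": "RST", "drop": None}[evaluate(src, dst, dport, rulebase)]


def scanner_verdict(response: Optional[str]) -> str:
    """How a basic SYN scanner labels a port from the reply it received."""
    if response == "SYN-ACK":
        return "open"
    if response == "RST":
        return "closed"      # an answering deny looks like a closed port
    return "filtered"        # silence looks like a stealthed/filtered port


def scan(src: str, dst: str, ports, rulebase=RULEBASE) -> dict:
    """Simulate a SYN scan of dst from src over the given ports."""
    return {p: scanner_verdict(firewall_response(src, dst, p, rulebase)) for p in ports}


def stealthed(rulebase) -> list:
    """The s/drop/vanish edit from the thread: turn every answering deny into a silent one."""
    return [replace(r, action="drop") if r.action == "reject" else r for r in rulebase]


if __name__ == "__main__":
    print("proxy outbound:", evaluate("10.0.0.2", "198.51.100.10", 80))
    print("LAN host bypassing the proxy:", evaluate("10.0.0.50", "198.51.100.10", 80))
    print("external scan, answering deny:", scan("203.0.113.9", "192.0.2.1", [22, 80, 443]))
    print("external scan, silent deny:   ", scan("203.0.113.9", "192.0.2.1", [22, 80, 443], stealthed(RULEBASE)))
```

Run stand-alone it prints the proxy's packet as accepted, the bypassing LAN host's packet as dropped, and the same external scan labelled "closed" on every port with the answering rulebase and "filtered" on every port once the deny is made silent, which is the difference the two port scans in this thread showed.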
-
Quote:
Originally posted here by iNViCTuS
Wow....Very impressive etsh....
I am amazed every time I read posts by you that are at all related to Checkpoint.
eow! thank you invictus ;)
-
Errr...um....INSPECT code? I have no idea how to get to that! Thanks for the explanation of why the ports are closed though. I will be using my ISA server as a 'glorified proxy', but I'm definitely going to be keeping my FW-1! I just need to learn how to work the damn thing a bit better!
Thanks guys!
-
INSPECT is CP's core logic. Your rulebase is converted to INSPECT before it is applied to your fwmodule. Look for *.pf files in $FWDIR/lib/; those are written in INSPECT.
I'd recommend learning INSPECT ASAP as it is the best way to get raw power outta your box <although I tend to use the GUI sometimes for creating users and groups, but most of the rest is done using emacs :)>. You'd really feel a great difference....
Note : to add 'vanish' to the GUI, just open $FWDIR/lib/setup.C and add
: (vanish
    :type (vanish)
    :color ("Black")
    :icon-name ("icon-vanish")
    :text-rid ("61466")
    :windows-color (green)
)
To your
:unix_actobj (
section just below the other actions, and you'll be fine...
There you go, this isn't documented anywhere else even on Phoneboy's site ;) < http://www.phoneboy.com/faq/0134.html > :)
If your system encounters any troubles with this addition then it is probably because of the installed SPs <I have encountered troubles myself :)> So, just open user.def and add
deffunc my_vanish_macro {vanish;}
And add
:macro(my_vanish_macro)
To the code :)
Happy vanishing :)
etsh911