i tried ISA...it sucked big time
Well, before I start, I have completely no knowledge of ISA at all, but I think I'm OK when it comes to OPSEC-related products.
Now, the change should be obvious after documenting your security policy <No, not your rulebase, your needs>. What sort of content passes through your Proxy to your FW? Most <if not all> can be monitored by simple INSPECT scripts <Phoneboy's HTTP script for example> that could be coded in no time while in bed, just define a function <#deffunc foobar> that accepts packets and then SNATs them to 0.0.0.0 <this is a special configuration in CP that tells FW-1 to use the outgoing interface's IP address, similar to the concept of MASQ>. So, you wouldn't actually need the proxy anymore.
On the other hand, assuming you really need the proxy and can't make do without it, then I suggest you go with invictus' advice. Limit traffic to the FW from the Proxy alone and try to be as strict as possible. Just a small addition, you might want to use the proxy as your small network's FW and leave the heavy load on the FW for the DMZ and other servers <that's what I do regularly>.
About M$ providing me with a security solution, I think I would not accept it for a simple reason. CP means the OPSEC alliance. In other words, when I bought CPNG I didn't only get a FW, I also got support for CVP, PKI, IDS, HA, etc. from big names that I can rely on. Also a good point that CP offers is INSPECT code, which isn't provided by any opponent. The power of knowing your FW's language means that you guarantee the best of all worlds <simple example is Anti-Spoofing, I used to do it by CP's AS in the GUI, but after doing it by INSPECT code using the nets {} and netsof commands I got much better performance than I ever did.> Yet, unfortunately, other competitors have completely ignored providing a language to their FWs, making them either inconvenient, corrupted or both :-)
Well, my own Advice,
If you're just doing a small network that just needs raw power and not a huge e-commerce site, then go for StoneSoft's StoneGate; it has proven to be ten times better than CP's performance <in my crude tests :)> but still, I'm a CP-wiz and I will die as a CP-wiz :)
I've attached StoneSoft's comparison of their StoneGate vs. NextGeneration <aka. CPFW-1 5.0> for anyone interested in it :)
Hope this helps,
etsh911
Wow....Very impressive etsh....
I am amazed every time I read posts by you that are at all related to Checkpoint.
Ugh, forgot to say this, about your port-scan, this behaviour is a result of CP including fwui_trail.def which has 'drop' and not 'vanish'; 'drop' mangles a packet before it actually ignores it. This results in the 'closed'; if you go through your INSPECT code and s/drop/vanish, everything should be stealth :-).
CP rules my world,
etsh911
eow! thank you invictus ;)
Quote:
Originally posted here by iNViCTuS
Wow....Very impressive etsh....
I am amazed every time I read posts by you that are at all related to Checkpoint.
Errr...um....INSPECT code? I have no idea how to get to that! Thanks for the explanation of why the ports are closed though. I will be using my ISA server as a 'glorified proxy', but I'm definitely going to be keeping my FW-1! I just need to learn how to work the damn thing a bit better!
Thanks guys!
INSPECT is CP's core logic. Your rulebase is converted to INSPECT before it is applied to your fwmodule. Look for *.pf files in $FWDIR/lib/; those are written in INSPECT.
I'd recommend learning INSPECT ASAP as it is the best way to get raw power outta your box <although I tend to use the GUI sometimes for creating users and groups, but most of the rest is done using emacs :)>. You'd really feel a great difference....
Note : to add 'vanish' to the GUI, just open $FWDIR/lib/setup.C and add
: (vanish
:type (vanish)
:color ("Black")
:icon-name ("icon-vanish")
:text-rid ("61466")
:windows-color (green)
)
To your
:unix_actobj (
section just below the other actions, and you'll be fine...
There you go, this isn't documented anywhere else even on Phoneboy's site ;) < http://www.phoneboy.com/faq/0134.html > :)
If your system encounters any troubles with this addition, then it is probably because of the installed SPs <I have encountered troubles myself :)>. So, just open user.def and add
deffunc my_vanish_macro {vanish;}
And add
:macro(my_vanish_macro)
To the code :)
Happy vanishing :)
etsh911
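The setup.C edit etsh911 describes above, as an added example that is not part of the thread: a small POSIX shell script that inserts the 'vanish' action block directly after the ':unix_actobj (' line, keeps a backup, and refuses to run twice. The file path, the constructed sample file and the exact layout of a real setup.C are assumptions, so check the real file before and after.

```shell
#!/bin/sh
# Added example, not from the thread. Inserts the 'vanish' action block
# from the post into a setup.C-style file. The sample file below is
# constructed for illustration and is not a real Check Point file.
set -e

VANISH_BLOCK=': (vanish
	:type (vanish)
	:color ("Black")
	:icon-name ("icon-vanish")
	:text-rid ("61466")
	:windows-color (green)
)'

# add_vanish_action <path to setup.C>
# Exit codes: 0 inserted, 2 no :unix_actobj section found, 3 already present.
add_vanish_action() {
    f="$1"
    grep -q '^[[:space:]]*:unix_actobj[[:space:]]*(' "$f" || return 2
    grep -q '^[[:space:]]*: (vanish' "$f" && return 3
    cp "$f" "$f.bak"   # keep a backup so the edit can be reverted
    # Print every line; right after the first :unix_actobj line, print the block.
    awk -v block="$VANISH_BLOCK" '
        { print }
        /^[[:space:]]*:unix_actobj[[:space:]]*\(/ && !done { print block; done = 1 }
    ' "$f.bak" > "$f"
}

# has_vanish_action <path>: 0 if the action block is present, 1 otherwise.
has_vanish_action() {
    grep -q '^[[:space:]]*:type (vanish)' "$1"
}

# make_sample <path>: writes a constructed setup.C fragment (hypothetical layout).
make_sample() {
    cat > "$1" <<'EOF'
(
	:unix_actobj (
		: (accept
			:type (accept)
		)
		: (drop
			:type (drop)
		)
	)
)
EOF
}
```

The script only edits the GUI action list; the user.def macro etsh911 mentions for patched systems is a separate, manual addition.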