Isa - Page 2

Thread: Isa

  1. #11
    Senior Member
    Join Date
    Dec 2001
    Posts
    319
    I tried ISA... it sucked big time

  2. #12
    Member
    Join Date
    Feb 2002
    Posts
    42
    Well, before I start, I have completely no knowledge of ISA at all, but I think I'm OK when it comes to OPSEC-related products.

    Now, the change should be obvious after documenting your security policy <no, not your rulebase, your needs>. What sort of content passes through your proxy to your FW? Most <if not all> can be monitored by simple INSPECT scripts <Phoneboy's HTTP script, for example> that could be coded in no time while in bed: just define a function <#deffunc foobar> that accepts packets and then SNATs them to 0.0.0.0 <this is a special configuration in CP that tells FW-1 to use the outgoing interface's IP address, similar to the concept of MASQ>. So you wouldn't actually need the proxy anymore.

    On the other hand, assuming you really need the proxy and can't make do without it, then I suggest you go with invictus' advice. Limit traffic to the FW from the proxy alone and try to be as strict as possible. Just a small addition: you might want to use the proxy as your small network's FW and leave the heavy load on the FW for the DMZ and other servers <that's what I do regularly>.

    About M$ providing me with a security solution, I think I would not accept it for a simple reason. CP means the OPSEC alliance. In other words, when I bought CP NG I didn't only get a FW, I also got support for CVP, PKI, IDS, HA, etc. from big names that I can rely on. Also, a good point that CP offers is INSPECT code, which isn't provided by any opponent. The power of knowing your FW's language means that you guarantee the best of all worlds <a simple example is anti-spoofing: I used to do it by CP's AS in the GUI, but after doing it in INSPECT code using the nets {} and netsof commands I got really better performance than I ever did>. Yet, unfortunately, other competitors have completely ignored providing a language for their FWs, making them either inconvenient, corrupted or both :-)

    Well, my own advice:

    If you're just doing a small network that just needs raw power and not a huge e-commerce site, then go for StoneSoft's StoneGate. It has proven to be ten times better than CP's performance <in my crude tests>, but still, I'm a CP-wiz and I will die as a CP-wiz.


    I've attached StoneSoft's comparison of their StoneGate vs. NextGeneration <aka CP FW-1 5.0> for anyone interested in it.

    Hope this helps,
    etsh911

  3. #13
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Wow....Very impressive etsh....

    I am amazed every time I read posts by you that are at all related to Checkpoint.

  4. #14
    Member
    Join Date
    Feb 2002
    Posts
    42
    Ugh, forgot to say this. About your port scan: this behaviour is a result of CP including fwui_trail.def, which has 'drop' and not 'vanish'. 'drop' mangles a packet before it actually ignores it; this results in the 'closed'. If you go through your INSPECT code and s/drop/vanish, everything should be stealth :-).


    CP rules my world,
    etsh911

  5. #15
    Member
    Join Date
    Feb 2002
    Posts
    42
    Originally posted here by iNViCTuS
    Wow....Very impressive etsh....

    I am amazed every time I read posts by you that are at all related to Checkpoint.
    eow! Thank you invictus

  6. #16
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    Errr... um... INSPECT code? I have no idea how to get to that! Thanks for the explanation of why the ports are closed, though. I will be using my ISA server as a 'glorified proxy', but I'm definitely going to be keeping my FW-1! I just need to learn how to work the damn thing a bit better!
    Thanks guys!

  7. #17
    Member
    Join Date
    Feb 2002
    Posts
    42
    INSPECT is CP's core logic. Your rulebase is converted to INSPECT before it is applied to your fwmodule. Look for *.pf files and in $FWDIR/lib/; those are written in INSPECT.

    I'd recommend learning INSPECT ASAP, as it is the best way to get raw power outta your box <although I tend to use the GUI sometimes for creating users and groups, most of the rest is done using emacs>. You'd really feel a great difference....


    Note: to add 'vanish' to the GUI, just open $FWDIR/lib/setup.C and add

    : (vanish
        :type (vanish)
        :color ("Black")
        :icon-name ("icon-vanish")
        :text-rid ("61466")
        :windows-color (green)
    )

    to your
    :unix_actobj (
    section, just below the other actions, and you'll be fine...

    There you go, this isn't documented anywhere else even on Phoneboy's site < http://www.phoneboy.com/faq/0134.html >

    If your system encounters any troubles with this addition, then it is probably because of the installed SPs <I have encountered troubles myself>. So, just open user.def and add

    deffunc my_vanish_macro {vanish;}

    and add
    :macro(my_vanish_macro)
    to the code.

    Happy vanishing
    etsh911
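The setup.C edit described in the post above is a manual insertion into a nested, parenthesised ".C" configuration, and the user.def step is a one-line append; both are easy to apply twice or to leave with unbalanced parentheses. The following is an added example, not code from the thread or from Check Point: a small parser for the ".C" syntax as shown in the post that locates the :unix_actobj section, adds the 'vanish' action object exactly once, and checks parenthesis balance before the result is written back. The SAMPLE_SETUP_C text is a constructed, abbreviated stand-in; the assumption that the real $FWDIR/lib/setup.C nests action objects under :unix_actobj in this exact way is taken from the post, not verified against the product.

```python
import re

# Constructed stand-in for the relevant part of $FWDIR/lib/setup.C.
# Assumption (from the post): real action objects sit under :unix_actobj
# as ': (name ... )' blocks, each with a :type key.
SAMPLE_SETUP_C = """\
:unix_actobj (
    : (accept
        :type (accept)
        :color ("Green")
        :icon-name ("icon-accept")
    )
    : (drop
        :type (drop)
        :color ("Red")
        :icon-name ("icon-drop")
    )
)
"""

# The block the post says to add, reproduced verbatim.
VANISH_BLOCK = """\
    : (vanish
        :type (vanish)
        :color ("Black")
        :icon-name ("icon-vanish")
        :text-rid ("61466")
        :windows-color (green)
    )
"""

# The user.def macro line the post gives as the fallback for patched systems.
USER_DEF_MACRO = "deffunc my_vanish_macro {vanish;}\n"


def _scan(text, start, depth):
    """Walk text from `start` tracking nesting depth; parentheses inside
    double-quoted strings are ignored. Returns (index of closing paren, None)
    when depth reaches 0, or (None, final_depth) if it never does."""
    in_str = False
    i = start
    while i < len(text):
        c = text[i]
        if in_str:
            if c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                return i, None
        i += 1
    return None, depth


def parens_balanced(text):
    """True when every '(' outside quoted strings has a matching ')'."""
    # Start at depth 1 as if wrapped in an outer paren; balanced input
    # then ends at depth 1 without ever hitting 0.
    end, depth = _scan(text, 0, 1)
    return end is None and depth == 1


def find_section(text, key):
    """Return (start, end) for ':key ( ... )', end being the matching ')'."""
    m = re.search(r':%s\s*\(' % re.escape(key), text)
    if not m:
        raise ValueError("section %s not found" % key)
    end, _ = _scan(text, m.end(), 1)
    if end is None:
        raise ValueError("unbalanced parentheses in section %s" % key)
    return m.start(), end


def action_names(text):
    """List the action object names (': (name') under :unix_actobj."""
    start, end = find_section(text, "unix_actobj")
    # ': (' with only whitespace between ':' and '(' is an unnamed object
    # whose first token is its name; ':type (' etc. do not match.
    return re.findall(r':\s*\(\s*([A-Za-z_][\w-]*)', text[start:end])


def add_vanish_action(text):
    """Insert VANISH_BLOCK just before the ')' that closes :unix_actobj.
    Idempotent: returns the input unchanged if 'vanish' already exists."""
    if "vanish" in action_names(text):
        return text
    _, end = find_section(text, "unix_actobj")
    patched = text[:end] + VANISH_BLOCK + text[end:]
    if not parens_balanced(patched):
        raise ValueError("refusing to emit unbalanced setup.C")
    return patched


def ensure_macro(user_def_text):
    """Append the deffunc line from the post to a user.def body once."""
    if re.search(r'^\s*deffunc\s+my_vanish_macro\b', user_def_text, re.M):
        return user_def_text
    if user_def_text and not user_def_text.endswith("\n"):
        user_def_text += "\n"
    return user_def_text + USER_DEF_MACRO


if __name__ == "__main__":
    print(add_vanish_action(SAMPLE_SETUP_C))
    print(ensure_macro("// constructed user.def body\n"))
```

Run it against a copy of the real file, not the live one, and diff the result before installing; the balance check catches a truncated or doubly-applied edit, which is the failure the post's SP caveat hints at.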
