-
February 21st, 2002 06:37 PM
#11
i tried ISA...it sucked big time
-
February 21st, 2002 07:01 PM
#12
Member
Well, Befor I start, I have completely no knowlege of ISA at all, but I think I'm ok when it comes to OPSEC related products.
Now, the change should be obvious after documenting your security policy <No not your rulebase, your needs>. What sort of content passes thru your Proxy to your FW? most <if not all> can be monitored by simple INSPECt scripts <Phoneboy's HTTP script for example> that could be coded in no time while in bed, just define a function <#deffunc foobar> that accepts packets and then SNATs them to 0.0.0.0 <this is a special configuration in CP that tells FW-1 to use the outgoing interface's IP address, similar to the concept of MASQ> So, you wouldn't actually need the proxy anymore.
On the other hand, asuming you really need the proxy and can't make without it. Then I suggest you'd go with inivctus' advice. Limit traffic to the FW from the Proxy alone and try to be as strict as possible. Just a small addition, you might want to use the proxy as your small network's FW and leave the heavyload on the FW for the DMZ and other sverers <that's what I do regularly>.
About M$ providing me with a securtiy solution, i think I would not accept it for a simple reason. CP means the OPSEC alliance. In other words, when I bought CPNG I didn't onyl get a FW, I also got support for CVP, PKI, IDS, HA, etc.. from big names that I can relay on, also a good point that CP offers is INSPECT code, wich isn't provided by any opponant. The power of knowing your FW's language means that you guarantee the best of all worlds <simple example is Anti-Spoofing, I used to do it by CP's AS in the GUI, but after doing it by INSPECT code using the nets {} and netsof commands I got really better performance than I ever did.> yet, unfortunantly other competitors have completly ignored providing a language to their FWs making them either inconvineit, corrupted or both :-)
Well, my own Advice,
If your just doing a small network that just needs raw power and not a huge e-commerce site, then go for StoneSoft's StoneGate it has proven to be ten-times better than CP's performance <in my crude tests  > but still, I'm a CP-wiz and I will die as a CP-wiz
I've attached StoneSoft's comparison of their StoneGate vs. NextGeneration <aka. CPFW-1 5.0> for anyone interested in it
Hope this helps,
etsh911
-
February 21st, 2002 07:14 PM
#13
Wow....Very impressive etsh....
I am amazed every time I read posts by you that are at all related to Checkpoint.
-
February 21st, 2002 07:22 PM
#14
Member
Ugh, forgot to say this, about your port-scan, this behaviour is a result of CP including fwui_trail.def wich has 'drop' and not 'vanish' drop mangles a packet befor it actually ignores it. This results in the 'closed' if you go thru your INSPECT code and s/drop/vanish, everything should be stealth :-).
CP rules my world,
etsh911
-
February 21st, 2002 07:24 PM
#15
Member
Originally posted here by iNViCTuS
Wow....Very impressive etsh....
I am amazed every time I read posts by you that are at all related to Checkpoint.
eow! thank you invictus 
-
February 21st, 2002 07:51 PM
#16
Senior Member
Errr...um....INSPECT code? I have no idea how get to that! Thanks for the explanation of why the ports are closed though. I will be using my ISA server as a 'glorified proxy', but I'm definately going to be keeping my FW-1! I just need to learn how to work the damn thing a bit better!
Thanks guys!
-
February 25th, 2002 06:51 PM
#17
Member
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
Forum Rules
|
|
Reply With Quote
Bookmarks