Checkpoint Firewall-1 Experience
In response to a client's questions, here is some supplemental data regarding my
Checkpoint Firewall-1 experience. I will admit up-front that Firewall-1
has not heretofore been the highlight of my professional security
work; I'm far more experienced with open-source proxies and firewalls.
The basic rules of perimeter security, however, do not change
depending on firewall vendor.
- SingleTrac (GT Interactive):
  - Number of devices protected: ~150
  - Number of Checkpoint firewalls: 1
  - Checkpoint operating system: Windows NT 4.0
  - Total number of firewalls: 2
  - Administered from: 1997-1999
I installed our Checkpoint firewall in the fall of 1997, and was
occasionally a consultant for SingleTrac regarding firewall
configuration through 2000. In addition to the eighty nodes
Firewall-1 protected directly, it indirectly protected an
additional ~70 nodes for GT Interactive's Quality Assurance lab
through a secondary, GNU/Linux-based firewall on the DMZ, creating a
"sandboxed" environment where potential security failures outside my
direct control would be minimized.
Configuration was a straightforward 3-interface affair common with
Firewall-1, including Internet, DMZ, and Internal interfaces.
Policy was default-deny on Internal and DMZ ports, with policies
slightly more liberal in the DMZ due to the unusual needs of the
computer game servers frequently run there for testing. Setup
included egress filtering combined with multiple NAT pools (once
again, due to unusual gaming studio requirements) and a few stateful
packet inspection and munging scripts.
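The three-interface, default-deny policy with egress filtering and multiple NAT pools described above, written out as an added example in GNU/Linux iptables form. This is my illustration, not the original Firewall-1 ruleset: interface names, address ranges, the game-server host and the permitted service ports are all assumptions. With FW_DRY_RUN set the script prints the rules instead of loading them, so the policy can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example: three-interface default-deny policy in iptables form.
# Interface names, address ranges and ports below are assumptions.
EXT=eth0; DMZ=eth1; INT=eth2                 # Internet, DMZ, Internal
INT_NET=10.1.0.0/16; DMZ_NET=192.168.10.0/24
NAT_POOL_A=203.0.113.10-203.0.113.19         # constructed pool for Internal
NAT_POOL_B=203.0.113.20-203.0.113.29         # constructed pool for DMZ
DMZ_GAME=192.168.10.50                       # constructed game-server host

# In dry-run mode print each rule instead of loading it.
ipt() { if [ -n "$FW_DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi; }

load_policy() {
  ipt -F; ipt -t nat -F
  # Default deny on every path through the box, and on the box itself.
  ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT DROP
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -m state --state INVALID -j DROP
  # Egress filtering: Internal hosts may only open the listed services outward.
  for p in 80 443 22 21; do
    ipt -A FORWARD -i "$INT" -o "$EXT" -s "$INT_NET" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
  done
  ipt -A FORWARD -i "$INT" -o "$EXT" -s "$INT_NET" -p udp --dport 53 -m state --state NEW -j ACCEPT
  # DMZ is slightly more liberal: the game server accepts inbound UDP on its port.
  ipt -A FORWARD -i "$EXT" -o "$DMZ" -d "$DMZ_GAME" -p udp --dport 27015 -m state --state NEW -j ACCEPT
  ipt -A FORWARD -i "$INT" -o "$DMZ" -s "$INT_NET" -d "$DMZ_NET" -m state --state NEW -j ACCEPT
  # DMZ never initiates toward Internal; default deny covers it, this just logs attempts.
  ipt -A FORWARD -i "$DMZ" -o "$INT" -m state --state NEW -j LOG --log-prefix "DMZ->INT denied: "
  # Two NAT pools, selected by source network.
  ipt -t nat -A POSTROUTING -o "$EXT" -s "$INT_NET" -j SNAT --to-source "$NAT_POOL_A"
  ipt -t nat -A POSTROUTING -o "$EXT" -s "$DMZ_NET" -j SNAT --to-source "$NAT_POOL_B"
}

# Review helper: how many chains carry a default DROP policy (expect 3).
count_policies() { FW_DRY_RUN=1 load_policy | grep -c ' -P [A-Z]* DROP$'; }

case "${1:-}" in
  review) FW_DRY_RUN=1 load_policy ;;   # print the rules for inspection
  load)   load_policy ;;                # apply them (requires root)
esac
```

Run `sh fw.sh review` to print the ruleset, or `sh fw.sh load` as root to apply it.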
- Excite@Home (iMall, Inc.):
  - Number of devices protected: ~300
  - Number of Checkpoint firewalls: 1
  - Checkpoint operating system: Solaris
  - Administered for a few months in 2000.
We briefly evaluated Checkpoint Firewall-1 on Solaris, alongside
Gauntlet, BSDI Firewall Toolkit (FWTK), and GNU/Linux ipchains. I
re-implemented our existing FWTK rules in Firewall-1, ipchains, and
Gauntlet; eventually we settled upon Gauntlet as it most closely
resembled FWTK (which was its parent project) and offered the
quickest upgrade path in man-hours.
- American Investment Bank:
  - Number of devices protected: ~400
  - Number of Checkpoint firewalls: 1
  - Checkpoint operating system: UNIX
  - Total number of firewalls: 3
  - Administered from: August 2002 - September 2003
I stepped in as Firewall-1 administrator as AIB began downsizing
operations in preparation for gradual closure. The existing
configuration was full of holes, and not up to the requirements of
the upcoming OCC (Office of the Comptroller of the Currency) audit.
In addition to an outstanding security hole in the VPN server (which
we were unable to patch, due to a lapsed support contract), our
existing ruleset lacked appropriate egress filtering.
My initial steps were to disable the vulnerable VPN server, and
create an alternative VPN server using PopTop and IPSEC (FreeSwan)
on a GNU/Linux dedicated VPN host. We then updated the Firewall-1
rules to enable adequate egress filtering and logging of
necessary outbound FTP, SSH, VPN, and miscellaneous service
connections. The bank's simple Internet needs did not require any
custom packet inspection. At this point, management requested a new
solution that would not obligate them to an expensive support
contract, and we began a migration to GNU/Linux firewalls.
After roughly ten months running dual firewalls we were finally able
to alter or terminate all third-party vendor relationships to
support our new configuration (including, particularly, several
custom Jack Henry AS/400 packages), and turned off our Firewall-1
unit entirely in September of 2003.
During this interval, I created numerous security policy documents,
outlining border security, disaster recovery, workstation integrity,
and internal security posture. We passed the security
infrastructure portion of our OCC audit with flying colors.