checkpoint firewall as router

Posted on 2001-09-01
Last Modified: 2008-02-01
I will shortly be deploying a checkpoint firewall and need to consider network topology.

It has been suggested to me to abandon our edge routers, and connect our firewall directly to our upstream provider, and connect the other interface directly to a switching hub which in turn connects to our workstations.

Does this seem like a bad idea? And if so, why?
Question by:missy041598

LVL 1

Expert Comment

by:ajvel
ID: 6448007
I think it is not a bad idea, but it is possible only when you have DSL (Ethernet) connectivity to your upstream provider.

The typical network topology will be like this:
Three cards will be in the firewall, of which
one goes to the router where your uplink service provider connects,
one to the Server Zone with a higher security level,
one to the Demilitarized Zone.

By this we can have better control of the policy; the same will vary depending on the network complexity.

Thanks & Regards
Jayavel
0
 

Author Comment

by:missy041598
ID: 6448457
Let's leave this open for others to comment, in case they find problems.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 6449355
missy, what type of connection do you have to the upstream ISP? If it is anything other than Ethernet, you may be out of luck, but even so, I would have some issues with that.

My 2 cents for what it's worth:

An edge router can provide a good first line of defense against denial of service attacks and other spoofing attempts to get access to your network. Putting your firewall directly on the line violates the "defense in depth" ideology of security.

A (properly configured) perimeter router adds a first line of defense at the network layer, where your firewall works at the application layer. Since a firewall is, by definition, NOT a router, let it do what it does best, and let the router in front of it do what it does best.

http://www.sans.org/infosecFAQ/firewall/router.htm
0
 

Author Comment

by:missy041598
ID: 6449408
Assuming our router does no form of filtering, has no prevention against DOS, and no protection against spoofing, is anything sacrificed?

We are using ethernet to connect to upstream.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 6449411
Is anything sacrificed by taking it out of the picture, considering that it is doing virtually nothing as it is configured today?
Not really.
0
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6451192
Missy, what type of firewall do you have?  I understand you are using checkpoint firewall-1 software but was wondering what type of hardware.  lrmoore, Nokia as well as a few others make "routers" with hssi, atm, dsl, etc... interfaces and loaded with Checkpoint FW-1.  They will suggest you buy their higher end firewall/router that takes these interfaces, and not bother with the edge router from Cisco or whoever.  The only thing I would suggest to you, missy, is that I would rather have a router outside my firewall to help protect my firewall.
0
 
LVL 2

Expert Comment

by:bsadlick
ID: 6452979
You can add depth of defense either in front of, or behind the firewall. If you have no control of the router upstream of your FW-1 box, then maybe you can add some defense behind it. What type of switch will the FW-1 box attach to? If you can implement ACLs on it, then you can deny inbound traffic, but still allow reflexive outbound traffic. Ideally, you would have multiple layers of defense, including the ISP router, the FW-1 box, and assorted measures inside your LAN.
Personally, I think you will be ok, as long as you are not a prime hacker target, like mickeysoft or the white house.
0
 

Author Comment

by:missy041598
ID: 6453113
Assuming we are a high target for hackers, what would we need to watch out for, that our firewall cannot tackle?
0
 
LVL 2

Expert Comment

by:bsadlick
ID: 6453156
It's not that your firewall can't handle it. What if the firewall becomes compromised? Then where do you go? How do you know what else has been compromised?

If you are a significant target, you need multiple layers of defense.

BTW, it seems as if you are giving this some thought, and as long as you keep evaluating your security position, you are in a much better position than many other companies.
0
 
LVL 17

Accepted Solution

by:
mikecr earned 100 total points
ID: 6454026
Well, I'm a CCSE and I've set up quite a few Check Point firewalls. If done correctly, you have very, very little to worry about. I do have to agree that using a router with Access Lists would be a good first line of defense, but this becomes a monetary issue. If you set up your firewall properly, you will be able to manage your network easily. You need to make sure that you only allow what is absolutely necessary and make sure that you find a way to do everything else that may come up without compromising the firewall. Do not burden your firewall by allowing people to vpn to it, just thru it. The most common hack attacks are web server based and mail based. It isn't uncommon though for people to use your ftp server to hold files for them either. I have only seen one FW1 firewall get hacked in my career, and that was because the person administering it got a little carried away punching holes in his firewall for everything management wanted him to do, and he became vulnerable. I would have to agree with most of the observations above, but I find nothing wrong with just putting your firewall in front of the rest of your network without anything else. Just remember, anyone can get hacked. It just depends on the determination of that hacker and what he is after, so if you set your firewall up and put a sound policy in place, you'll be able to sleep well at night.
0
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6454152
I agree with mikecr with everything except the VPN part.  That is checkpoint's best selling feature.  It is hands down the easiest VPN solution to set up and manage and the most flexible that I have seen.  It is the most widely used VPN product on the ANX, which is definitely the biggest VPN based network in the world, and they are looking to go with just one vendor and more than likely it will either be checkpoint or cisco.  I am not trying to argue with mikecr, but there is definitely nothing wrong with using the VPN features and it doesn't really increase the overhead that much.  It introduces latency but it doesn't necessarily add stress on the firewall.
0
 
LVL 17

Expert Comment

by:mikecr
ID: 6454196
The only thing that I didn't like about it, Jwalsh88, was the fact that you need to set up an account database, and either hook it via LDAP and radius or the database resided on the firewall. I like to set up a Windows 2K vpn network behind the FW1 and just come thru to it. I just wasn't a big fan of vpn directly to the firewall or setting up third party stuff to hold the accounts. But, I do agree that it is a good product, it's just personal opinion.
0
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6454580
And I agree with some of what you said, I assumed you were talking about extranet, or intranet based VPN between offices, not mobile or soho using securemote/secureclient.  Now that I see what you are saying, I agree with you much more.
0
 
LVL 1

Expert Comment

by:3408
ID: 6457617

Missy: 'Assuming our router does no form of filtering, has no prevention against DOS, and no protection against spoofing, is anything sacrificed?'

Yes, something is sacrificed. If you don't use a router, the external interface of the firewall becomes known on the Internet. However, if you were using a router, you could hide the net between the router and the firewall. This way the firewall could become invisible to the outside network. And it's quite difficult for a hacker to scan a device if he doesn't even know which network to scan.

If you use a router with filtering, it will increase the performance of the IDS as more packets can be matched to one another. (This, however, is very far fetched.)
0
 
LVL 17

Expert Comment

by:mikecr
ID: 6457671
I have to disagree with that statement. If you create a rule on the firewall to not allow any communication between itself and incoming traffic, even traceroute will not show you what the ip of the firewall would be and would move to the next hop. This rule would drop all traffic destined for the firewall itself so you would never actually know what the ip of the firewall external interface would be. Only if you were using NAT on a router in front of the firewall would this become evident.
0
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6457816
I agree, 3408's statement is not a good one nor is it accurate.
0
 

Author Comment

by:missy041598
ID: 6479017
Thank you all for your contributions.. How can I split points among everyone here?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 6483136
'I agree with mikecr with everthing except the VPN part.  That is checkpoint's best selling feature. '

Best selling maybe, but often customers buy Check Point VPN-1/FW-1 and never bother with the VPN-1 side of things, or buy it in case they might need it in the future and it's not really that much more expensive than the FW-1 bit on its own!
On a large scale, VPNs only work well with VPN accelerator cards.  Those that are available for platforms that Check Point supports are overpriced and relatively slow, compared to what you can get from Cisco, Nokia or Nortel.
Leave Check Point to do the firewalling, and something else to do the VPN'ing.


Anyway.  I think border routers are great, not so much for depth of defense, but to filter out all the crap you don't want coming into your network.  Use them to let through relevant traffic, so that Check Point doesn't have to intercept and drop / reject / log irrelevant packets.

0
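The layering argued over in this thread (lrmoore's defense-in-depth point, mikecr's rule that drops all traffic addressed to the firewall itself, and Tim Holman's point that a border router spares the firewall the irrelevant packets) modelled as a small Python packet filter. This is an added example, not code from the thread or from Check Point; the addresses, published services and sample packets are constructed assumptions, and the router ACL and firewall rulebase are simplified stand-ins for real configurations.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the model (assumptions, not taken from the thread).
INSIDE_NET = ip_network("203.0.113.0/24")    # the public LAN behind the firewall
TRANSIT_NET = ip_network("198.51.100.0/30")  # router-to-firewall link
FW_EXTERNAL = ip_address("198.51.100.2")     # firewall's outside interface
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# "Only allow what is absolutely necessary": the published services as (dst, proto, port).
ALLOWED = {("203.0.113.10", "tcp", 80), ("203.0.113.10", "tcp", 443), ("203.0.113.25", "tcp", 25)}

def router_ingress_acl(pkt):
    """Edge router ACL on the ISP-facing interface: None means pass, else the drop reason."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    if src in INSIDE_NET or any(src in net for net in PRIVATE):
        return "router: anti-spoofing (source claims to be inside or private)"
    if dst in TRANSIT_NET:
        return "router: transit net between router and firewall is unreachable"
    return None

def firewall_rulebase(pkt):
    """Firewall policy: interface anti-spoofing, stealth rule, explicit allows, cleanup drop."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    if src in INSIDE_NET:
        return "firewall: anti-spoofing (inside address arriving on the outside interface)"
    if dst == FW_EXTERNAL:
        return "firewall: stealth rule (nothing may talk to the firewall itself)"
    if (pkt["dst"], pkt["proto"], pkt["dport"]) in ALLOWED:
        return None
    return "firewall: cleanup rule (not explicitly allowed)"

def evaluate(pkt, with_router=True):
    """Run a packet through the layers; returns 'accept' or the layer and rule that dropped it."""
    if with_router:
        verdict = router_ingress_acl(pkt)
        if verdict:
            return verdict
    return firewall_rulebase(pkt) or "accept"

# Constructed sample traffic arriving from the Internet.
SAMPLES = {
    "web":     {"src": "192.0.2.7",   "dst": "203.0.113.10", "proto": "tcp", "dport": 80},
    "spoofed": {"src": "203.0.113.5", "dst": "203.0.113.25", "proto": "tcp", "dport": 25},
    "probe":   {"src": "192.0.2.7",   "dst": "198.51.100.2", "proto": "tcp", "dport": 22},
    "scan":    {"src": "192.0.2.7",   "dst": "203.0.113.10", "proto": "tcp", "dport": 23},
}

def compare(samples=SAMPLES):
    """Verdict per packet (with router, without router) and how many packets the firewall saw."""
    verdicts = {n: (evaluate(p, True), evaluate(p, False)) for n, p in samples.items()}
    seen_by_fw = {"with_router": sum(router_ingress_acl(p) is None for p in samples.values()),
                  "without_router": len(samples)}
    return verdicts, seen_by_fw
```

Without the router every packet is handled by the firewall alone, and a compromise of that one box removes all filtering; with it, spoofed and firewall-directed packets never reach the firewall at all.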
 
LVL 17

Expert Comment

by:mikecr
ID: 6483158
I've been working with Checkpoint Firewall 1 for a long time and I just never cared for the VPN functionality since there was quite a bit involved in making it work. However, it is a good selling point and it does work very well, it's just the upkeep that can get annoying.
0
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6483190
Actually it is by far the easiest VPN product to use, I think. I have used Cisco, Nokia VPN CryptoClusters and also probably over 200 Checkpoint installations of different kinds.  I will tell you this: for performance nothing I have used comes close to the High End Nokia IP series running CP.  The 3DES throughput is near 2GBytes/sec.  Neither Cisco nor Nortel has anything near that.  Only Nokia's latest CC VPN devices beat that but they have a lot of problems.  Believe me, I have 8 of them.

Why a lot of people think that the 3DES performance isn't very good on checkpoint is because the majority of their installs have been on Sun or Win NT.  NT just rots and the RISC based processors in even the very high end Sun boxes can't do encryption very well.  Now get the powerful Intel processors on a good OS like Linux or BSD and then you have something.  When we moved from Sun E250s with dual 400MHz processors and 1GB ram to even low end Nokia firewalls the 3DES performance more than doubled.  I really think only Netscreen, and Stone Soft's Stone Gate, compare in 3DES performance on firewalls.
0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6900942
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if still open in seven days.  Please post closing recommendations before that time.

Question(s) below appears to have been abandoned. Your options are:
 
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> You cannot delete a question with comments, special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click the Help Desk link on the left for Member Guidelines, Member Agreement and the Question/Answer process for further information, if needed.  http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click you Member Profile to view your question history and keep them all current with updates as the collaboration effort continues, to track all your open and locked questions at this site.  If you are an EE Pro user, use the Power Search option to find them.  Anytime you have questions which are LOCKED with a Proposed Answer but does not serve your needs, please reject it and add comments as to why.  In addition, when you do grade the question, if the grade is less than an A, please add a comment as to why.  This helps all involved, as well as future persons who may access this item in the future to seek help.


PLEASE DO NOT AWARD THE POINTS TO ME.  
 
------------>  EXPERTS:  Please leave any comments regarding your closing recommendations if this item remains inactive another seven (7) days.  Also, if you are interested in the cleanup effort, please click this link http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643

Moderators will finalize this question if still open in 7 days, by either moving this to the PAQ (Previously Asked Questions) at zero points, deleting it or awarding expert(s) when recommendations are made, or an independent determination can be made.  Expert input is always appreciated to determine the fair outcome.
 
Thank you everyone.
 
Moondancer
Moderator @ Experts Exchange

P.S.  For any year 2000 questions, special attention is needed to ensure the first correct response is awarded, since they are not in the comment date order, but rather in Member ID order.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7877648
No comment has been added lately. It appears this question has been abandoned so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

I recommend: points to mikecr for the detailed Checkpoint information

if there is any objection or other expert commentary to this recommendation then please post in here within 7 days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

thanks,
lrmoore
EE Cleanup Volunteer
---------------------
0
 

Expert Comment

by:modulo
ID: 7958168
Finalized as proposed

modulo

Community Support Moderator
Experts Exchange
0