Solved

checkpoint and DNS CDN like akamai

Posted on 2011-09-07
Last Modified: 2013-11-16

New MS Windows servers in the DMZ

Issue: Symantec and Microsoft updates both depend on Akamai and other types of services, where the update programs recommend that DNS-based firewall rules be put into place.

From the firewall team I understand that URI checking is a weak spot in Checkpoint.
Wondering if anyone has good solutions for this, or can give me a list of options?

Thanks,
Mark
Question by:markpalinux
6 Comments
 
LVL 11

Expert Comment

by:donmanrobb
ID: 36504816
What version of Checkpoint are you running?
LVL 15

Author Comment

by:markpalinux
ID: 36505040
I cannot confirm nor deny. Are there different methods for different versions? I am sure it is at least a year or two out.
LVL 11

Expert Comment

by:donmanrobb
ID: 36505260
Generally anything above R70 has pretty good URI and IPS functionality.
LVL 11

Expert Comment

by:donmanrobb
ID: 36505297
So you would be fine using the Checkpoint for it.
LVL 15

Author Comment

by:markpalinux
ID: 36795278
No, seems like they are at the 70 version.

Thanks,
Mark
LVL 2

Accepted Solution

by:cmoormann (earned 2000 total points)
ID: 36813077
There are a few options: domain-based objects and dynamic objects.
In general these options both bring with them a performance impact and are prone to fail with these web-based services, like you said, WSUS servers or virus scanner pattern updates.
If you implement domain-based objects in the firewall like .akamai. or dynamic objects that run a script you write to do the resolving, every time the rule is hit the DNS query or your script is executed.
As a rule of thumb, you move these rules as far back in your policy as possible, so they do not get parsed by legitimate traffic; still, every illegitimate traffic will trigger the rule and execute the query or your script. The performance impact can be severe under certain circumstances.
Other than that, if your web server gets redirected/load-balanced somewhere else by the destination servers, your updates will still fail.

My personal recommendation would be to use some kind of proxy solution like Squid or Blue Coat if you do not trust your WSUS server, or place them in a different DMZ and allow HTTPS to the internet.
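To make the accepted answer's point concrete, here is an added example (not code from the thread or from Check Point) of the kind of resolving script a dynamic object depends on. It resolves a list of update hostnames, diffs the result against the previous run, and emits the range updates the object would need; it also measures how much the resolved set churns between runs, which is the failure mode the answer describes when a CDN redirects or load-balances the client elsewhere. The hostnames and addresses are constructed sample data, the resolver is injected so the script runs offline, and the `dynamic_objects -o NAME -r FROM TO -a|-d` command syntax is an assumption taken from the Check Point gateway CLI as I remember it; verify it against your own gateway's documentation before using the generated lines.

```python
"""Refresh a firewall dynamic object from DNS and measure address churn.

Added example for the thread above: the resolver is injectable so the code can
run offline against constructed data, and it only *generates* the update
commands rather than executing them on a gateway.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed sample DNS answers (not real records) for two successive runs.
# Between runs the CDN hands back a different address for the first name,
# which is exactly the drift that makes domain-based rules fail intermittently.
SAMPLE_RUN_1: Dict[str, List[str]] = {
    "download.windowsupdate.example": ["192.0.2.10", "192.0.2.11"],
    "liveupdate.example": ["198.51.100.5"],
}
SAMPLE_RUN_2: Dict[str, List[str]] = {
    "download.windowsupdate.example": ["192.0.2.10", "203.0.113.7"],
    "liveupdate.example": ["198.51.100.5"],
}

Resolver = Callable[[str], Iterable[str]]


def make_table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Resolver backed by a fixed table, used for offline runs and tests."""
    return lambda name: table.get(name, [])


def system_resolver(name: str) -> List[str]:
    """Resolver backed by the host's stub resolver (live use only)."""
    return socket.gethostbyname_ex(name)[2]


def resolve_all(names: Iterable[str], resolver: Resolver) -> Set[ipaddress.IPv4Address]:
    """Collect every address returned for every hostname in one set."""
    addrs: Set[ipaddress.IPv4Address] = set()
    for name in names:
        for raw in resolver(name):
            addrs.add(ipaddress.ip_address(raw))
    return addrs


def diff_sets(previous: Set, current: Set) -> Tuple[Set, Set]:
    """Return (added, removed) relative to the previous run."""
    return current - previous, previous - current


def churn_ratio(previous: Set, current: Set) -> float:
    """Fraction of all seen addresses that changed between two runs (0.0..1.0).

    A consistently high value means the allowed set is unstable and a
    resolver-driven rule will keep falling out of date; that is the signal to
    move to a proxy or a separate DMZ, as the accepted answer recommends.
    """
    union = previous | current
    if not union:
        return 0.0
    added, removed = diff_sets(previous, current)
    return len(added | removed) / len(union)


def to_commands(obj_name: str, added: Set, removed: Set) -> List[str]:
    """Render one single-address range update per changed address.

    Assumed CLI shape: `dynamic_objects -o <obj> -r <from> <to> -a` adds a
    range and `-d` deletes one. Removals come first so a stale address is
    never left allowed alongside its replacement.
    """
    cmds = [f"dynamic_objects -o {obj_name} -r {ip} {ip} -d" for ip in sorted(removed)]
    cmds += [f"dynamic_objects -o {obj_name} -r {ip} {ip} -a" for ip in sorted(added)]
    return cmds


def refresh(obj_name: str, names: Iterable[str], resolver: Resolver,
            previous: Set) -> Tuple[Set, List[str], float]:
    """One refresh cycle: resolve, diff, build commands, report churn."""
    current = resolve_all(names, resolver)
    added, removed = diff_sets(previous, current)
    return current, to_commands(obj_name, added, removed), churn_ratio(previous, current)


if __name__ == "__main__":
    names = list(SAMPLE_RUN_1)
    state: Set = set()
    for run in (SAMPLE_RUN_1, SAMPLE_RUN_2):
        state, cmds, churn = refresh("akamai_updates", names, make_table_resolver(run), state)
        print(f"churn={churn:.2f}")
        for c in cmds:
            print("  " + c)
```

Run it as-is to see the two constructed cycles: the first populates the object, the second deletes the address that disappeared and adds the one the CDN now returns. In production you would swap `make_table_resolver(...)` for `system_resolver` and run the script from a scheduler rather than on every rule hit, which is the performance problem the answer warns about; the churn value is worth logging so you can see when the DNS-driven approach has stopped being viable.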