Solved

checkpoint and DNS CDN like akamai

Posted on 2011-09-07
1,352 Views
Last Modified: 2013-11-16

New MS Windows servers in the DMZ

Issue: Symantec and Microsoft updates both depend on Akamai and other types of services, where the update programs recommend that DNS-based firewall rules be put in place.

From the firewall team I understand that URI checking is a weak spot in Checkpoint.
Wondering if anyone has good solutions for this, or can give me a list of options?

Thanks,
Mark
Question by:markpalinux
6 Comments
 
LVL 11

Expert Comment

by:donmanrobb
ID: 36504816
What version of Checkpoint are you running?
 
LVL 15

Author Comment

by:markpalinux
ID: 36505040


I cannot confirm nor deny. Are there different methods for different versions? I am sure it is at least a year or two out.
 
LVL 11

Expert Comment

by:donmanrobb
ID: 36505260
Generally anything above R70 has pretty good URI and IPS functionality.
 
LVL 11

Expert Comment

by:donmanrobb
ID: 36505297
So you would be fine using the checkpoint for it
 
LVL 15

Author Comment

by:markpalinux
ID: 36795278
No, it seems like they are at the 70 version.

Thanks,
Mark
 
LVL 2

Accepted Solution

by: cmoormann (earned 500 total points)
ID: 36813077
There are a few options: domain-based objects and dynamic objects.
In general, both of these options bring a performance impact with them and are prone to fail with these web-based services, like you said, WSUS servers or, e.g., virus scanner pattern updates.
If you implement domain-based objects in the firewall like .akamai., or dynamic objects that run a script you write to do the resolving, then every time the rule is hit, the DNS query or your script is executed.
As a rule of thumb, you move these rules as far back in your policy as possible, so they do not get parsed by legitimate traffic; still, every illegitimate connection will trigger the rule and execute the query or your script. The performance impact can be severe under certain circumstances.
Other than that, if your web server gets redirected/load-balanced somewhere else by the destination servers, your updates will still fail.

My personal recommendation would be to use some kind of proxy solution like Squid or Blue Coat if you do not trust your WSUS server, or place them in a different DMZ and allow HTTPS to the internet.
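The two problems the accepted answer describes (a domain or dynamic object that resolves on every rule hit, and a CDN that hands a client a different node than the one the firewall resolved) can be shown in a small simulation. The following is an added example, not code from the thread or from Check Point: it models a hostname-based rule evaluated once per hit versus once per DNS TTL, and feeds it a constructed resolver whose answers change between queries the way a load-balanced CDN does. The hostnames (`a1.akamai.example`, `update.example`) and the RFC 5737 addresses are constructed for the example; on a real firewall the resolver call would be replaced by the platform's own DNS lookup.

```python
import ipaddress
import time
from typing import Callable, Dict, List, Tuple

# A resolver maps a hostname to (A records, TTL in seconds). This one is
# constructed for offline use; a real "dynamic object" refresh script would
# call the system resolver instead.
Resolver = Callable[[str], Tuple[List[str], int]]

# Constructed answers. Hostnames are hypothetical and the addresses come from
# the RFC 5737 documentation ranges, not real Akamai or Microsoft nodes.
# The CDN name has two answers to imitate load balancing: successive queries
# hand out different edge nodes.
_CONSTRUCTED_ANSWERS: Dict[str, List[Tuple[List[str], int]]] = {
    "a1.akamai.example": [(["192.0.2.10", "192.0.2.11"], 20),
                          (["198.51.100.5"], 20)],
    "update.example":    [(["203.0.113.7"], 300)],
}


def make_constructed_resolver() -> Resolver:
    """Return a resolver that walks through the constructed answers in order."""
    queues = {host: list(answers) for host, answers in _CONSTRUCTED_ANSWERS.items()}

    def resolve(host: str) -> Tuple[List[str], int]:
        queue = queues[host]
        # Hand out the next answer until only the last one is left.
        return queue.pop(0) if len(queue) > 1 else queue[0]

    return resolve


class DynamicObjectCache:
    """Hostname -> IP set, refreshed only when the record's TTL has expired.

    The cheaper alternative to resolving on every rule hit: the resolver runs
    once per TTL per hostname rather than once per connection.
    """

    def __init__(self, resolver: Resolver, clock: Callable[[], float] = time.monotonic):
        self.resolver = resolver
        self.clock = clock
        self._entries: Dict[str, Tuple[set, float]] = {}  # host -> (ips, expires_at)
        self.lookups = 0  # real resolver calls made; this is the cost being measured

    def ips_for(self, host: str) -> set:
        now = self.clock()
        entry = self._entries.get(host)
        if entry is None or now >= entry[1]:
            addrs, ttl = self.resolver(host)
            self.lookups += 1
            ips = {ipaddress.ip_address(a) for a in addrs}
            self._entries[host] = (ips, now + ttl)
            return ips
        return entry[0]

    def allows(self, host: str, dst: str) -> bool:
        return ipaddress.ip_address(dst) in self.ips_for(host)


def resolve_per_hit(resolver: Resolver, host: str, dsts: List[str]) -> Tuple[List[bool], int]:
    """Hostname rule evaluated the expensive way: one DNS query per rule hit."""
    decisions, queries = [], 0
    for dst in dsts:
        addrs, _ttl = resolver(host)
        queries += 1
        decisions.append(ipaddress.ip_address(dst) in {ipaddress.ip_address(a) for a in addrs})
    return decisions, queries


def resolve_cached(resolver: Resolver, host: str, dsts: List[str],
                   clock: Callable[[], float] = lambda: 0.0) -> Tuple[List[bool], int]:
    """Same rule through the TTL cache: one query per TTL window."""
    cache = DynamicObjectCache(resolver, clock)
    return [cache.allows(host, dst) for dst in dsts], cache.lookups


if __name__ == "__main__":
    # Three connections from one DMZ host that the CDN steered to different nodes.
    dsts = ["192.0.2.10", "198.51.100.5", "192.0.2.11"]
    print(resolve_per_hit(make_constructed_resolver(), "a1.akamai.example", dsts))
    print(resolve_cached(make_constructed_resolver(), "a1.akamai.example", dsts))
```

Per-hit evaluation makes one query for each of the three connections and still blocks the third, because by then the CDN is answering with a node the client was not sent to; the cached variant makes a single query but blocks the second connection for the same reason. Neither approach makes a hostname rule reliable against a load-balanced CDN, which is why the answer steers toward a proxy or a separate DMZ with HTTPS allowed outbound rather than tuning the resolution strategy.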
