Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

checkpoint and DNS CDN like akamai

Posted on 2011-09-07
6
1,387 Views
Last Modified: 2013-11-16

New MS Windows servers in the DMZ

Issue Symantec and Microsoft updates both depend on akamai and other types of services where the update programs recommend that dns based firewall rules be put into place.

From the Firewall team I understand that URI checking is a weak spot in checkpoint.
Wondering if anyone has good solutions for this? or can give me a list of options.

Thanks,
Mark
0
Comment
Question by:markpalinux
  • 3
  • 2
6 Comments
 
LVL 11

Expert Comment

by:donmanrobb
ID: 36504816
What version of Checkpoint are you running?
0
 
LVL 15

Author Comment

by:markpalinux
ID: 36505040


I cannot confirm nor deny.  Are there different methods for different versions ? I am sure it is at least a year or two out.
0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 36505260
Generally anything above R70 has pretty good URI and IPS functionality.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 11

Expert Comment

by:donmanrobb
ID: 36505297
So you would be fine using the checkpoint for it
0
 
LVL 15

Author Comment

by:markpalinux
ID: 36795278
No seems like they are at the 70 version.

Thanks,
Mark
0
 
LVL 2

Accepted Solution

by:
cmoormann earned 500 total points
ID: 36813077
There are a few options. Domain based objects and dynamic objects.
In general these options both bring with them a performance impact and are prone to fail with these web based services, like you said WSUS servers or i.e. virus scanner pattern updates.
If you implement domain based objects in the firewall like .akamai. or dynamic objects, that run a script you write to do the resolving, every time the rule is hit, the dns query or your script is executed.
As a rule of thumb, you move these rules as far back in your policy as possible, so they do not get parsed by legitimate traffic, still every illegitimate traffic will trigger the rule, and execute the query or your script. The performance impact can be severe under certain circumstances.
Othen than that, if your web server gets redirected/loadbalanced somewhere else by the destination servers, your updates will still fail.

My personal recommendation would be to use some kind of proxy solution like squid or bluecoat, if you do not trust your WSUS server or place them in a different DMZ and allow https to the internet.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question