Solved

checkpoint and DNS CDN like akamai

Posted on 2011-09-07
6
1,431 Views
Last Modified: 2013-11-16

New MS Windows servers in the DMZ

Issue Symantec and Microsoft updates both depend on akamai and other types of services where the update programs recommend that dns based firewall rules be put into place.

From the Firewall team I understand that URI checking is a weak spot in checkpoint.
Wondering if anyone has good solutions for this? or can give me a list of options.

Thanks,
Mark
0
Comment
Question by:markpalinux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 11

Expert Comment

by:donmanrobb
ID: 36504816
What version of Checkpoint are you running?
0
 
LVL 15

Author Comment

by:markpalinux
ID: 36505040


I cannot confirm nor deny.  Are there different methods for different versions ? I am sure it is at least a year or two out.
0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 36505260
Generally anything above R70 has pretty good URI and IPS functionality.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 11

Expert Comment

by:donmanrobb
ID: 36505297
So you would be fine using the checkpoint for it
0
 
LVL 15

Author Comment

by:markpalinux
ID: 36795278
No seems like they are at the 70 version.

Thanks,
Mark
0
 
LVL 2

Accepted Solution

by:
cmoormann earned 500 total points
ID: 36813077
There are a few options. Domain based objects and dynamic objects.
In general these options both bring with them a performance impact and are prone to fail with these web based services, like you said WSUS servers or i.e. virus scanner pattern updates.
If you implement domain based objects in the firewall like .akamai. or dynamic objects, that run a script you write to do the resolving, every time the rule is hit, the dns query or your script is executed.
As a rule of thumb, you move these rules as far back in your policy as possible, so they do not get parsed by legitimate traffic, still every illegitimate traffic will trigger the rule, and execute the query or your script. The performance impact can be severe under certain circumstances.
Othen than that, if your web server gets redirected/loadbalanced somewhere else by the destination servers, your updates will still fail.

My personal recommendation would be to use some kind of proxy solution like squid or bluecoat, if you do not trust your WSUS server or place them in a different DMZ and allow https to the internet.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

689 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question