Solved

checkpoint and DNS CDN like akamai

Posted on 2011-09-07
1,372 Views
Last Modified: 2013-11-16

New MS Windows servers in the DMZ

Issue: Symantec and Microsoft updates both depend on Akamai and other types of services, where the update programs recommend that DNS-based firewall rules be put into place.

From the firewall team I understand that URI checking is a weak spot in Checkpoint.
Wondering if anyone has good solutions for this, or can give me a list of options?

Thanks,
Mark
Question by:markpalinux
6 Comments
LVL 11

Expert Comment

by:donmanrobb
ID: 36504816
What version of Checkpoint are you running?
LVL 15

Author Comment

by:markpalinux
ID: 36505040
I cannot confirm nor deny. Are there different methods for different versions? I am sure it is at least a year or two out.
LVL 11

Expert Comment

by:donmanrobb
ID: 36505260
Generally, anything above R70 has pretty good URI and IPS functionality.
LVL 11

Expert Comment

by:donmanrobb
ID: 36505297
So you would be fine using the Checkpoint for it.
LVL 15

Author Comment

by:markpalinux
ID: 36795278
No, it seems like they are at the R70 version.

Thanks,
Mark
LVL 2

Accepted Solution

by: cmoormann (earned 500 total points)
ID: 36813077
There are a few options: domain-based objects and dynamic objects.
In general, both of these options bring a performance impact with them and are prone to fail with web-based services like, as you said, WSUS servers or, e.g., virus scanner pattern updates.
If you implement domain-based objects in the firewall (like .akamai.) or dynamic objects that run a script you write to do the resolving, then every time the rule is hit, the DNS query or your script is executed.
As a rule of thumb, you move these rules as far back in your policy as possible so they are not evaluated for legitimate traffic; still, all illegitimate traffic will trigger the rule and execute the query or your script. The performance impact can be severe under certain circumstances.
Other than that, if your web server gets redirected/load-balanced somewhere else by the destination servers, your updates will still fail.

My personal recommendation would be to use some kind of proxy solution like Squid or Blue Coat if you do not trust your WSUS server, or place them in a different DMZ and allow HTTPS to the internet.
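To make the accepted answer's two points concrete (the resolving script behind a dynamic object, and why a CDN name such as Akamai's makes the resulting IP allowlist go stale between two resolutions), here is an added example script. It is not code from any poster in this thread or from Check Point. The DNS answers embedded in it are constructed stand-ins for `dig +short <name> A` output from two runs a few minutes apart, using RFC 5737 documentation addresses; the hostnames are assumed update endpoints, not verified ones; and the `dynamic_objects -o <obj> -r <from> <to> -a` command form is an assumption about the Check Point CLI that should be checked against the gateway's own reference before use.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster or from Check Point):
# what the "script that does the resolving" behind a dynamic object has to do,
# and how a CDN name makes the resulting IP allowlist go stale.
#
# CONSTRUCTED stand-ins for `dig +short <name> A` output from two runs a few
# minutes apart (RFC 5737 documentation addresses). The hostnames are assumed
# update endpoints, not verified ones. Line format: <name> <ip> [<ip> ...]
RUN1='download.windowsupdate.com 192.0.2.10 192.0.2.11
liveupdate.symantecliveupdate.com 198.51.100.5
a1234.g.akamai.net 203.0.113.10 203.0.113.20'

RUN2='download.windowsupdate.com 192.0.2.10 192.0.2.11
liveupdate.symantecliveupdate.com 198.51.100.5
a1234.g.akamai.net 203.0.113.33 203.0.113.47'

# ip_set "<answers>": sorted, de-duplicated set of IPs across all names.
ip_set() {
    printf '%s\n' "$1" | awk 'NF > 1 { for (i = 2; i <= NF; i++) print $i }' | sort -u
}

# set_diff "<lines A>" "<lines B>": lines of A that do not occur in B.
# B is handed to awk through the environment so its newlines survive intact.
set_diff() {
    printf '%s\n' "$1" | KEEP="$2" awk '
        BEGIN {
            n = split(ENVIRON["KEEP"], k, "\n")
            for (i = 1; i <= n; i++) if (k[i] != "") seen[k[i]] = 1
        }
        NF && !seen[$0]'
}

# stale_ips "<old answers>" "<new answers>": IPs the object still allows
# although DNS no longer returns them (needless exposure; updates unaffected).
stale_ips() {
    set_diff "$(ip_set "$1")" "$(ip_set "$2")"
}

# missing_ips "<old answers>" "<new answers>": IPs DNS returns now that the
# object does not yet contain. Until the next refresh, connections to these
# are dropped: the "updates will still fail" case from the answer above.
missing_ips() {
    set_diff "$(ip_set "$2")" "$(ip_set "$1")"
}

# dynamic_object_cmds <object> "<answers>": one single-address range-add per IP.
# The `dynamic_objects -o <obj> -r <from> <to> -a` form is ASSUMED from the
# Check Point CLI reference; verify it on your release before running it.
dynamic_object_cmds() {
    obj=$1
    ip_set "$2" | while read -r ip; do
        printf 'dynamic_objects -o %s -r %s %s -a\n' "$obj" "$ip" "$ip"
    done
}

echo "Allowed after run 1:"
ip_set "$RUN1"
echo "Stale after run 2 (still open on the firewall, no longer in DNS):"
stale_ips "$RUN1" "$RUN2"
echo "Missing after run 2 (in DNS now, not yet allowed, so the update fails):"
missing_ips "$RUN1" "$RUN2"
echo "Commands to load run 2 into dynamic object dmz_updates:"
dynamic_object_cmds dmz_updates "$RUN2"
```

The two fixed-address names stay identical across both runs; only the Akamai name churns, and it churns completely, which is why a cron-driven refresh of the object is always a step behind the CDN and why the answer's proxy recommendation (match on the hostname at layer 7 rather than on a snapshot of its addresses) avoids the problem instead of chasing it.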
