Welcome to ISAserver.org

Study Check Point

Study Check Point - 15.Mar.2006 4:43:54 AM   
RAJP

 

Posts: 53
Joined: 11.Mar.2006
Status: offline
Double-clicking on a log entry pops up a dialog box containing all of the log entry. I don't need a 25" wide-screen monitor to see the entire log entry.

Right-clicking on a rule gives me a context menu that allows "Add rule above" or "Add rule below" capabilities.

Give me a REAL firewall client. One that I can push rules to and provide real software firewall capabilities to my laptops, not just provide application protocol compatibility. One that reports back to the ISA logging system.

AES encryption for lower client and server workloads.

Automatically switch the logging to file-based if the SQL server goes down, not shut down my company's connectivity! It's not as if we never have to patch the server running SQL 2000.

Stop those silly "all port scan detected from <ISA external interface IP>" alerts.

Give me drag-n-drop on firewall rule placement. Not a half-dozen "right click - move up", "right click - move up", "right click - move up". Or give me a "cut" on a rule so I can then use the context menu to "paste above" or "paste below".

When an event is generated that says "alert action failed", please tell me WHICH ONE so I can figure out why. This was a particular pain point on a 2000 -> 2004 migration.

Log anti-spoof drops in the firewall log, not the event log.

Let me right-click on a log column header and set filters on the fly.

Ray
Post #: 1
RE: Study Check Point - 15.Mar.2006 5:21:13 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
I agree whole-heartedly on all of those points. The only thing I'll add is in relation to this one...

quote:

Give me drag-n-drop on firewall rule placement. Not a half-dozen "right click - move up", "right click - move up", "right click - move up". Or give me a "cut" on a rule so I can then use the context menu to "paste above" or "paste below".


Say you have 6 rules and you want to move the bottom rule to the top. You could CTRL click the top 5 rules and from the context menu select 'Move Down'.

But I agree, the drag and drop rule placement would be nice.

(in reply to RAJP)
Post #: 2
RE: Study Check Point - 18.Mar.2006 5:51:03 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ray,

Double-clicking on a log entry pops up a dialog box containing all of the log entry. I don't need a 25" wide-screen monitor to see the entire log entry.
TOM: Agree!

Right-clicking on a rule gives me a context menu that allows "Add rule above" or "Add rule below" capabilities.
TOM: Agree!

Give me a REAL firewall client. One that I can push rules to and provide real software firewall capabilities to my laptops, not just provide application protocol compatibility. One that reports back to the ISA logging system.
TOM: Agree!

AES encryption for lower client and server workloads.
TOM: Agree!

Automatically switch the logging to file-based if the SQL server goes down, not shut down my company's connectivity! It's not as if we never have to patch the server running SQL 2000.
TOM: Agree!

Stop those silly "all port scan detected from <ISA external interface IP>" alerts.
TOM: You can turn these off yourself. I never enable port scan detection -- there's no value in knowing about port scans.

Give me drag-n-drop on firewall rule placement. Not a half-dozen "right click - move up", "right click - move up", "right click - move up". Or give me a "cut" on a rule so I can then use the context menu to "paste above" or "paste below".
TOM: I'd go one more -- allow you to choose the position number you want to place the rule, and then all the other rules below it automatically move down. You can multiselect to move multiple rules if you like.

When an event is generated that says "alert action failed", please tell me WHICH ONE so I can figure out why. This was a particular pain point on a 2000 -> 2004 migration.
TOM: AGREE!!!!

Log anti-spoof drops in the firewall log, not the event log.
TOM: Why? 

Let me right-click on a log column header and set filters on the fly.
TOM: Agree!

_____________________________

Thomas W Shinder, M.D.

(in reply to ClintD)
Post #: 3
RE: Study Check Point - 18.Mar.2006 7:33:28 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Checkpoint has the ability to tie authentication to a rule that has ports/protocols that otherwise do not support authentication. This can be done either with the installed client or clientless simply by opening a telnet session with the firewall. When the telnet session is closed, so too is the rule.

See the topic Denied by an Allow rule http://forums.isaserver.org/m_250093800/mpage_1/key_/tm.htm#250093810 for an example of where authentication is attempted but not supported.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to tshinder)
Post #: 4
RE: Study Check Point - 22.Mar.2006 3:37:39 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Les,

That doesn't sound real secure -- allowing users to establish telnet connections to the firewall.

You mention a Check Point client. Is this like a transparent Winsock client like the Firewall client?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to LLigetfa)
Post #: 5
RE: Study Check Point - 25.Mar.2006 10:45:37 PM   
RAJP

 

Posts: 53
Joined: 11.Mar.2006
Status: offline
" Log anti-spoof drops in the firewall log, not the event log.
TOM: Why?"

'Cause it's a firewall event, not an OS event. I have a pre-defined Check Point log filter set that only brings up anti-spoof log entries that's reviewed every day.

TOM: Why?

(beating you to the punch here) We've got about two dozen locations (a.k.a. subnets) behind the firewall connected by a WAN. The default route on all of the routers sends all unknown traffic to the firewall. When the WAN hiccups, all internal-to-internal traffic suddenly goes internal-to-DefaultRoute and hits the firewall internal interface, where it's promptly logged as an anti-spoof.

Our WAN provider doesn't meet their SLA when this happens, but it's usually brief enough that our employees don't complain about it and we lose the opportunity to recover a penalty from the WAN provider. And the WAN provider, of course, doesn't mention it. :-)

Additionally it's a real eye-opener about misconfigured systems. I cannot believe how many IT people add printers to print servers, for example, and typo the address of the printer. If the traffic goes off-subnet, it's routed to the firewall where it's logged as an anti-spoof. We catch a lot of misconfigured or malfunctioning systems this way.

Ray

(in reply to tshinder)
Post #: 6
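The two patterns Ray describes (a WAN hiccup that makes every site's inter-site traffic land on the firewall's internal interface at once, versus one mistyped printer address that keeps hitting an unroutable destination) can be separated mechanically. The script below is an added example, not Check Point or ISA code and not from the post; the log line format, the site subnets and the addresses are all constructed for illustration and are not Check Point's real log layout.

```python
"""Triage anti-spoof drops from a firewall log into two buckets:
routing bursts (many sites at once) and likely misconfigured hosts.
Added example; log format and addresses are constructed, not a real product's."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed: one subnet per WAN-connected site behind the internal interface.
INTERNAL_SITES = [ip_network(s) for s in ("10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16")]

# Constructed sample log: "<date> <time> drop antispoof src=.. dst=.. if=.."
SAMPLE_LOG = """\
2006-03-25 22:01:03 drop antispoof src=10.1.5.20 dst=10.2.7.9 if=internal
2006-03-25 22:01:05 drop antispoof src=10.2.3.4 dst=10.3.1.1 if=internal
2006-03-25 22:01:07 drop antispoof src=10.3.8.8 dst=10.1.0.50 if=internal
2006-03-25 22:05:10 drop antispoof src=10.1.5.20 dst=10.2.7.9 if=internal
2006-03-25 22:10:00 drop antispoof src=10.1.9.40 dst=10.99.0.5 if=internal
2006-03-25 22:20:00 drop antispoof src=10.1.9.40 dst=10.99.0.5 if=internal
2006-03-25 22:30:00 drop antispoof src=10.1.9.40 dst=10.99.0.5 if=internal
2006-03-25 22:31:00 drop antispoof src=192.0.2.7 dst=10.1.0.1 if=external
"""


def parse(text):
    """Return (timestamp, src, dst, interface) tuples for anti-spoof drop lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "drop" or parts[3] != "antispoof":
            continue
        kv = dict(p.split("=", 1) for p in parts[4:])
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append((ts, ip_address(kv["src"]), ip_address(kv["dst"]), kv["if"]))
    return events


def site_of(addr):
    """Which internal site subnet an address belongs to, or None."""
    for net in INTERNAL_SITES:
        if addr in net:
            return net
    return None


def triage(events, burst_sites=3, repeat_threshold=3):
    """Internal-to-internal drops from >= burst_sites distinct sites in the same
    minute indicate the WAN lost a route (the hiccup in the post).  The same source
    repeatedly sending to a destination in no known site indicates a misconfigured
    host (the typo'd printer address).  Thresholds are constructed defaults."""
    sites_per_minute = defaultdict(set)
    pair_counts = defaultdict(int)
    for ts, src, dst, iface in events:
        if iface != "internal":
            continue  # drops on the external side are real spoof attempts; review separately
        src_site, dst_site = site_of(src), site_of(dst)
        if src_site is None:
            continue
        if dst_site is not None and dst_site != src_site:
            sites_per_minute[ts.replace(second=0)].add(src_site)
        elif dst_site is None:
            pair_counts[(src, dst)] += 1
    bursts = sorted(m for m, s in sites_per_minute.items() if len(s) >= burst_sites)
    suspects = sorted(p for p, n in pair_counts.items() if n >= repeat_threshold)
    return {
        "routing_bursts": [m.strftime("%Y-%m-%d %H:%M") for m in bursts],
        "misconfigured_hosts": [f"{s}->{d}" for s, d in suspects],
    }


if __name__ == "__main__":
    for bucket, items in triage(parse(SAMPLE_LOG)).items():
        print(bucket, items)
```

Run over the constructed log it reports one routing burst at 22:01 (three sites within a minute; the lone 22:05 drop does not qualify) and one suspect host, 10.1.9.40, repeatedly sending to an address in no known site. The external-interface line is deliberately left out of both buckets so that genuine spoofing is not hidden among routing noise.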
RE: Study Check Point - 25.Mar.2006 11:27:12 PM   
RAJP

 

Posts: 53
Joined: 11.Mar.2006
Status: offline
"That doesn't sound real secure -- allowing users to establish telnet connections to the firewall."

Check Point has these things they call Security Servers that are actually mini-proxy server applications running on the firewall. For example, if you need to heavily inspect SMTP traffic, you can fire up the SMTP Security Server and all SMTP traffic flows through it where special rules can be applied. They have one for Telnet (which can be protected by SSL), which seems to be a leftover from the good old days. You're not connecting by telnet port 23 to the firewall OS, but rather to a non-standard port to a Security Server proxy that brokers the traffic through the internal and external interfaces.

The only one I use is for FTP. We allow any user to download stuff by FTP (like AV defs) but only certain people can use FTP to upload stuff outside the company. The FTP Security Server inspects the FTP traffic to see what commands are being used and whether the sender belongs to the appropriate group for FTP uploads.

I've never used their client piece myself. I had to study it for the cert exams, but I don't remember too much about it. :-)

Ray

(in reply to RAJP)
Post #: 7
RE: Study Check Point - 26.Mar.2006 6:30:40 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ray,

Thanks for the good info.

Do you remember what their client piece is called? I can then look it up and figure out what it is and does.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to RAJP)
Post #: 8
RE: Study Check Point - 3.Apr.2006 2:27:19 PM   
rparham

 

Posts: 1
Joined: 3.Apr.2006
Status: offline
Hi Ray!

Thanks for the input.
We are currently looking into ways to improve the logging experience in future versions of ISA Server, and we will seriously consider your suggestions.

Robert Parham,
ISA Server product team.

---
This posting is provided "AS IS" with no warranties, and confers no rights.

(in reply to RAJP)
Post #: 9
RE: Study Check Point - 4.Apr.2006 2:24:50 AM   
RAJP

 

Posts: 53
Joined: 11.Mar.2006
Status: offline
Hi Robert,

Thanks for the note! Yes, it drives me crazy when I try to do "Check Point stuff" while in ISA 2004. :-)

Ray

(in reply to rparham)
Post #: 10
RE: Study Check Point - 29.May2006 5:16:51 PM   
RAJP

 

Posts: 53
Joined: 11.Mar.2006
Status: offline
Here's one of my favorites in Check Point.

When looking in SmartView Tracker (the log viewer), I can right-click on the Source IP address and the context menu has a WhoIs selection. If I left click on it, it launches a WhoIs search to the correct registrar and tells me who the IP address is registered to. It displays in a text dialog window so I can copy and paste the results to another file.

The same thing happens if I hover over the Destination IP address.

With ISA, I have to write down the IP address, go to www.arin.net and play "follow the bouncing registrar" to find the correct one if it's not a US address.

BTW, there is also a context menu selection for Ping. Some people might have a use for it; I've never needed it myself.

Ray

(in reply to RAJP)
Post #: 11
RE: Study Check Point - 29.May2006 8:26:41 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ray,

That's a pretty handy feature!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to RAJP)
Post #: 12
RE: Study Check Point - 8.Jun.2006 3:34:53 AM   
RAJP

 

Posts: 53
Joined: 11.Mar.2006
Status: offline
Here's one of my favorites:

Check Point has a "verify" feature that you can run by itself or is automatically run when you push a policy. It analyzes the entire rule base and if you have two rules in conflict, it alerts you.

For example, if you have a rule that denies a particular source-destination-service but later in the rule base you have a rule that would allow it, the warning says that "rule 10 hides rule 17". Example:

Rule 10
Source: Internal
Destination: anywhere
Users: domain users
Service: http

Rule 17
Source: some-internal-IP
Destination: some-external-IP
Users: all users
Service: http

In ISA 2004, the traffic allowed in rule 17 will get denied on rule 10 because of the authentication requirement, but it happens without warning. With Check Point, you would get the "hide" warning.

Ray

(in reply to tshinder)
Post #: 13
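The "rule 10 hides rule 17" warning comes down to a coverage check over the rule base: an earlier rule whose source, destination and service scope contains a later rule's means the later rule can never be the one that fires, and, in the ISA behaviour Ray describes, an earlier rule that only requires authentication still intercepts the later rule's traffic for clients that cannot present credentials. The checker below is an added example, not Check Point's verify logic and not from the post; the Rule fields, the subnets standing in for "Internal" and the addresses are constructed assumptions.

```python
"""Rule-base shadowing check in the spirit of the "rule N hides rule M" warning.
Added example; the Rule shape and all addresses are constructed, not a product's."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # "allow" or "deny" (a shadowed rule is dead either way)
    sources: tuple         # CIDR strings; "Internal" is modelled as 10.0.0.0/8 below
    destinations: tuple    # CIDR strings; "anywhere" is 0.0.0.0/0
    users: str             # "all" or a group name that requires authentication
    services: tuple        # service names; "any" matches everything


def _covers_nets(outer_cidrs, inner_cidrs):
    """Every inner network lies inside some outer network."""
    outer = [ip_network(c, strict=False) for c in outer_cidrs]
    inner = [ip_network(c, strict=False) for c in inner_cidrs]
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def _covers_services(outer, inner):
    return "any" in outer or set(inner) <= set(outer)


def shadow_warning(earlier, later):
    """Return a warning if `earlier` stops `later` from ever matching, else None."""
    if not (_covers_nets(earlier.sources, later.sources)
            and _covers_nets(earlier.destinations, later.destinations)
            and _covers_services(earlier.services, later.services)):
        return None
    if earlier.users == "all" or earlier.users == later.users:
        return f"rule {earlier.number} hides rule {later.number}"
    # Earlier rule covers the traffic but requires a user group: clients that cannot
    # authenticate are decided at the earlier rule and never reach the broader later
    # one (the ISA behaviour described in the post; modelled here as an assumption).
    return (f"rule {earlier.number} hides rule {later.number} "
            f"for clients not in '{earlier.users}'")


def find_shadowed(rules):
    """Walk the ordered rule base and report the first rule that hides each later rule."""
    ordered = sorted(rules, key=lambda r: r.number)
    warnings = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            w = shadow_warning(earlier, later)
            if w:
                warnings.append(w)
                break
    return warnings


# Constructed rule base following the post's example (rule 10 and rule 17).
RULES = [
    Rule(10, "allow", ("10.0.0.0/8",), ("0.0.0.0/0",), "domain users", ("http",)),
    Rule(17, "allow", ("10.1.2.3/32",), ("203.0.113.10/32",), "all", ("http",)),
    Rule(20, "allow", ("10.0.0.0/8",), ("0.0.0.0/0",), "all", ("ftp",)),      # different service: fine
    Rule(25, "deny", ("10.5.0.0/16",), ("0.0.0.0/0",), "all", ("ftp",)),      # hidden by rule 20
]

if __name__ == "__main__":
    for w in find_shadowed(RULES):
        print(w)
```

Against the constructed rule base this reports rule 17 as hidden by rule 10 for unauthenticated clients (the case from the post) and rule 25 as hidden outright by rule 20, while rule 20 itself is untouched because its service differs from rule 10's. Running such a check before pushing a policy is exactly the point of the verify step: the conflict is found in the editor rather than in the deny log.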
RE: Study Check Point - 9.Jun.2006 2:50:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ray,

Nice feature, esp. with larger rule bases.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to RAJP)
Post #: 14