* IPTABLES vs Checkpoint
@ 2002-11-26 19:28 Wayne de Nobrega
2002-11-26 20:53 ` Nigel Clarke
` (2 more replies)
0 siblings, 3 replies; 12+ messages in thread
From: Wayne de Nobrega @ 2002-11-26 19:28 UTC (permalink / raw)
To: netfilter
Hello,
I have a customer who is part of an international group which has a
policy of using the Nokia Checkpoint firewall. Due to the significant
cost differences, and our preference, the local branch and ourselves
would like to install an IPTABLES based firewall. I need some help in
motivating this to head office and am looking for information comparing
the two solutions. I need to focus on the technical issues of the two
products and ultimately the inherent security realised from the two
products.
Can anyone offer some input or point me to a source of information.
Many thanks
Wayne
^ permalink raw reply [flat|nested] 12+ messages in thread
* RE: IPTABLES vs Checkpoint
2002-11-26 19:28 Wayne de Nobrega
@ 2002-11-26 20:53 ` Nigel Clarke
2002-11-26 22:32 ` Nix N. Nix
2002-11-26 22:32 ` Ben Russo
2 siblings, 0 replies; 12+ messages in thread
From: Nigel Clarke @ 2002-11-26 20:53 UTC (permalink / raw)
To: Wayne de Nobrega, netfilter
Wayne,
How are the firewalls installed? In a cluster configuration or stand-alone?
In a stand-alone setup you can go with either. If you're looking for scalability
and use of things like VPNs, I'd go with Checkpoint. If you're looking for a
stable stateful firewall, you'd be better off with iptables/netfilter.
The Nokia IPSO is not that bad. It is a stripped down version of BSD. So,
you're going to end up with a stateful / Unix firewall no matter how you look at it.
* Re: IPTABLES vs Checkpoint
2002-11-26 19:28 Wayne de Nobrega
2002-11-26 20:53 ` Nigel Clarke
@ 2002-11-26 22:32 ` Nix N. Nix
2002-11-26 23:19 ` Ivan E. Moore II
2002-11-27 1:13 ` Nick Drage
2002-11-26 22:32 ` Ben Russo
2 siblings, 2 replies; 12+ messages in thread
From: Nix N. Nix @ 2002-11-26 22:32 UTC (permalink / raw)
To: Wayne de Nobrega; +Cc: netfilter
On Tue, 2002-11-26 at 14:28, Wayne de Nobrega wrote:
> Hello,
>
> I have a customer who is part of an international group which has a
> policy of using the Nokia Checkpoint firewall. Due to the significant
> cost differences, and our preference, the local branch and ourselves
> would like to install an IPTABLES based firewall. I need some help in
> motivating this to head office and am looking for information comparing
> the two solutions. I need to focus on the technical issues of the two
> products and ultimately the inherent security realised from the two
> products.
>
> Can anyone offer some input or point me to a source of information.
AFAIK Checkpoint is not a firewall at all, but a proxy server. This
clearly means that it acts like a Web/FTP/whatever server that connects
people in your company to the outside world by requesting Web pages over
HTTP and initiating FTP connections on their behalf.
OTOH iptables works below the application layer. It allows manipulation
of individual TCP connections, UDP packets and ICMP traffic irrespective
of the application layer service they provide.
Nonetheless: Checkpoint and iptables are not necessarily mutually
exclusive. Consider the following setup:
[ Internet ]--[ Checkpoint ]--[ iptables ]--[ Internal Network ]
The Checkpoint box would basically allow all traffic through. It
wouldn't be just an inert box though ! You could forward all outgoing
HTTP traffic from the iptables computer to the Checkpoint Web proxy to
do authentication, content filtering, etc. The Checkpoint box would be
mostly closed off, and you would rely on iptables to selectively block
ports and do all the fancy things a Linux router can do for you.
This way, you can comply with corporate policy and use iptables as well.
>
> Many thanks
>
> Wayne
Good luck !
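The layout Nix describes, as an added example that is not from the thread and not Check Point or netfilter project code: an iptables-restore ruleset for the middle box, with a default-drop stateful policy and a DNAT rule that hands the LAN's outbound HTTP to the Check Point web proxy. The interface names (eth0 outside, eth1 inside), the LAN range 192.168.10.0/24 and the proxy address and port 10.0.0.1:8080 are assumptions, and the `-m conntrack --ctstate` syntax is that of current iptables rather than the 2002-era `-m state`.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an iptables-restore(8) ruleset for
# the middle box in  Internet -- Checkpoint -- iptables -- Internal Network.
# Interfaces, addresses and the proxy port below are assumptions.
set -eu

OUT_IF="${OUT_IF:-eth0}"                  # towards the Checkpoint box / Internet
LAN_IF="${LAN_IF:-eth1}"                  # towards the internal network
LAN_NET="${LAN_NET:-192.168.10.0/24}"     # assumed internal range
PROXY="${PROXY:-10.0.0.1}"                # assumed Checkpoint web-proxy address
PROXY_PORT="${PROXY_PORT:-8080}"          # assumed proxy listener

# Print the complete ruleset on stdout. Default policy is DROP on INPUT and
# FORWARD; only flows conntrack already knows, plus a short list of new
# outbound services, get through.
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# stateful core: packets conntrack cannot place in a flow are dropped,
# packets of known flows (and helper-created related flows) are accepted
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# administration only from the inside
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# HTTP from the LAN has already been DNATed to the proxy when FORWARD sees it,
# so the accept rule matches the rewritten destination, not port 80
-A FORWARD -i ${LAN_IF} -o ${OUT_IF} -s ${LAN_NET} -d ${PROXY} -p tcp --dport ${PROXY_PORT} -m conntrack --ctstate NEW -j ACCEPT
# HTTPS, DNS and NTP go out directly
-A FORWARD -i ${LAN_IF} -o ${OUT_IF} -s ${LAN_NET} -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${OUT_IF} -s ${LAN_NET} -p udp -m multiport --dports 53,123 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-fwd-drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# outbound web traffic from the LAN is handed to the Checkpoint proxy
-A PREROUTING -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 80 -j DNAT --to-destination ${PROXY}:${PROXY_PORT}
# everything else leaving is masqueraded behind the outside address
-A POSTROUTING -o ${OUT_IF} -s ${LAN_NET} -j MASQUERADE
COMMIT
EOF
}

# Syntax-check the ruleset against the kernel without loading it, when
# iptables-restore is installed; otherwise just print it.
check_ruleset() {
  if command -v iptables-restore >/dev/null 2>&1; then
    build_ruleset | iptables-restore --test
  else
    echo "iptables-restore not found; printing only" >&2
    build_ruleset
  fi
}

case "${1:-show}" in
  apply) build_ruleset | iptables-restore ;;   # atomic: all rules or none
  check) check_ruleset ;;
  *)     build_ruleset ;;
esac
```

Run it as root with `apply` to load the table atomically via iptables-restore, with `check` to syntax-check first, or with no argument to print the ruleset. HTTPS is deliberately not redirected: a transparent DNAT of port 443 to the proxy breaks certificate validation, so if the proxy is to see HTTPS the clients must be configured to use it explicitly. Because the DNAT happens in PREROUTING, the FORWARD chain sees the proxy's address and port, which is why the accept rule names those and not port 80.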
* Re: IPTABLES vs Checkpoint
2002-11-26 19:28 Wayne de Nobrega
2002-11-26 20:53 ` Nigel Clarke
2002-11-26 22:32 ` Nix N. Nix
@ 2002-11-26 22:32 ` Ben Russo
2 siblings, 0 replies; 12+ messages in thread
From: Ben Russo @ 2002-11-26 22:32 UTC (permalink / raw)
To: Wayne de Nobrega; +Cc: netfilter
For a company with many offices a Nokia CheckPoint solution is a good
choice *IF* the money spent on the management of the firewall is
reasonably proportional to the cost of the firewall software and
updates.
I used to run many Linux based iptables firewalls for data centers in
many different cities and offices in many cities. It was a management
nightmare that led our company to decide to use Checkpoint. Not because
it was technically superior to iptables when simply looking at
firewalls. (although there are many viewpoints to that argument)
but because in terms of time and energy spent managing the firewalls
checkpoint's TCO was much lower.
I love Linux (I am an RHCE and manage scores of Linux servers).
iptables makes a great SOHO firewall for the technically savvy,
or a host-based firewall with a distribution's GUI tools for even
newbies. And if you are in a small organization with only a handful
of firewalls you can even do *VERY* complex things with it.
However for an enterprise solution you need management tools and
you may need integration with VPNs, DNS, authentication, IP-GRE
accounting, performance management and other third party applications.
CheckPoint has modules and tools that can do all of that.
You could probably glue together many great Open Source packages
to meet your needs, but it is a constant uphill battle to keep them
all updated with patches and integrated and scalability and management
becomes a big issue. Also, when you start doing that then there is
the risk to the company of losing the employees who "know-how-it-works"
When sticking to a Commercial Off The Shelf system like CheckPoint
and using Commercial integration modules the costs may seem dramatic.
However you can hire Certified Consultants when your Sr. SysAdmin
quits who know CISCO, NOKIA, CheckPoint, MSCP, RHCE, etc. etc..
There is a value in that too.
What it comes down to (IMHO) is the variables in your TCO
equation. You need someone who both knows your business and what
its goals and growth are likely to be, and also has experience
with enterprise WAN management to evaluate that TCO equation.
* RE: IPTABLES vs Checkpoint
2002-11-26 22:32 ` Nix N. Nix
@ 2002-11-26 23:19 ` Ivan E. Moore II
2002-11-27 1:11 ` Nick Drage
2002-11-27 1:13 ` Nick Drage
1 sibling, 1 reply; 12+ messages in thread
From: Ivan E. Moore II @ 2002-11-26 23:19 UTC (permalink / raw)
To: 'Nix N. Nix'; +Cc: netfilter
> AFAIK Checkpoint is not a firewall at all, but a proxy server. This
> clearly means that it acts like a Web/FTP/whatever server that connects
> people in your company to the outside world by requesting Web pages over
> HTTP and initiating FTP connections on their behalf.
This is incorrect information. Checkpoint offers proxy capabilities
however by default it is a stateful firewall.
Ivan
* Re: IPTABLES vs Checkpoint
2002-11-26 23:19 ` Ivan E. Moore II
@ 2002-11-27 1:11 ` Nick Drage
0 siblings, 0 replies; 12+ messages in thread
From: Nick Drage @ 2002-11-27 1:11 UTC (permalink / raw)
To: netfilter
On Tue, Nov 26, 2002 at 04:19:36PM -0700, Ivan E. Moore II wrote:
> >AFAIK Checkpoint is not a firewall at all, but a proxy server. This
> >clearly means that it acts like a Web/FTP/whatever server that connects
> >people in your company to the outside world by requesting Web pages over
> >HTTP and initiating FTP connections on their behalf.
>
> This is incorrect information. Checkpoint offers proxy capabilities
> however by default it is a stateful firewall.
Seconded. While Firewall-1 does have some proxy server like capabilities
its main function is as a stateful firewall.
--
FunkyJesus System Administration Team
* Re: IPTABLES vs Checkpoint
2002-11-26 22:32 ` Nix N. Nix
2002-11-26 23:19 ` Ivan E. Moore II
@ 2002-11-27 1:13 ` Nick Drage
2002-11-27 2:17 ` Nigel Clarke
1 sibling, 1 reply; 12+ messages in thread
From: Nick Drage @ 2002-11-27 1:13 UTC (permalink / raw)
To: netfilter
On Tue, Nov 26, 2002 at 05:32:34PM -0500, Nix N. Nix wrote:
> On Tue, 2002-11-26 at 14:28, Wayne de Nobrega wrote:
<snip>
> Nonetheless: Checkpoint and iptables are not necessarily mutually
> exclusive. Consider the following setup:
> [ Internet ]--[ Checkpoint ]--[ iptables ]--[ Internal Network ]
As stated elsewhere, Checkpoint isn't just a proxy server.
But anyway, if it was a mere proxy, wouldn't you want it on the clean side
of the iptables box, rather than the dirty side?
--
FunkyJesus System Administration Team
* RE: IPTABLES vs Checkpoint
2002-11-27 1:13 ` Nick Drage
@ 2002-11-27 2:17 ` Nigel Clarke
0 siblings, 0 replies; 12+ messages in thread
From: Nigel Clarke @ 2002-11-27 2:17 UTC (permalink / raw)
To: Nick Drage, netfilter
I guess redundancy is not important?
* RE: IPTABLES vs Checkpoint
@ 2002-11-27 6:39 Reckhard, Tobias
2002-11-28 11:23 ` Florent AIDE
0 siblings, 1 reply; 12+ messages in thread
From: Reckhard, Tobias @ 2002-11-27 6:39 UTC (permalink / raw)
To: netfilter
Wayne,
basically, Ben's assessment pretty much hits the nail. Check Point
Firewall-1 and netfilter/iptables are rather similar in their packet
filtering technology, both employ stateful filtering (CP has trademarked the
term 'stateful inspection'). AFAIK, neither performs advanced stuff like
packet normalization or sequence number validation. So, for plain TCP, UDP
and ICMP protocols, there should be no significant difference. There might
be differences in the implementations of the helper modules for not-so-plain
protocols, such as IRC, FTP and H.323. Both CP and iptables (and formerly
ipchains' masquerading modules) have had serious issues here, however, it's
just something that stateful filters can't do (as) well (as application
level gateways). CP FW-1 also comes with some ALGs, called resources, I
believe. These are nicely integrated, but typically don't offer the
flexibility of a separate ALG.
Ben is right when he says that CP is geared towards larger setups, their
separation of firewall nodes, management servers and user interface
demonstrates this. There's a large community for both systems, but the CP
crowd are more focussed on larger-scale enterprise deployment, while most
iptables people have a rather small LAN behind the box. That's not to say
one is technically better at either job, it just shows what sort of
community support you can expect.
Now personally, I'm all for open source and the good ole UNIX habit and
security paradigm of separating different tasks to individual tools, so by
gut feeling I'd prefer a properly built open-source solution over Check
Point. However, doing so would definitely require a bit of work and
expertise. I'm not sure maintenance of the result would actually be
considerably worse than that of the CP alternative, and OTOH I see a gain in
flexibility. The company definitely becomes more dependent on the person (or
people) who know the system. Untrained personnel would probably not be able
to cope with it or at least its details. You couldn't buy support contracts
for it.
The problem poses many different questions. Answer most, if not all of them,
and you should be able to decide pretty well what's best for you.
Cheers,
Tobias
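Tobias's caveat about helper modules for FTP-like protocols, as an added example that is not from the thread: the weak pattern most rulesets of the time used (load the FTP helper, accept every RELATED flow) beside a hardened form that attaches the helper only to control connections to one permitted server and accepts RELATED only when that helper created the expectation. The interface names, the LAN range and the FTP server address 203.0.113.10 (a documentation range) are assumptions. The `CT --helper` target, the `helper` match and the `nf_conntrack_helper` sysctl belong to kernels much later than the 2.4 series of 2002, so this is the current answer to the problem Tobias names, not something available to Wayne then.

```shell
#!/bin/sh
# Added example, not from the thread. Two ways of letting FTP through a
# stateful Linux filter: the common weak pattern and a hardened one.
# Interface names, LAN range and the FTP server address are assumptions.
set -eu

LAN_IF="${LAN_IF:-eth1}"
OUT_IF="${OUT_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
FTP_SERVER="${FTP_SERVER:-203.0.113.10}"   # assumed external FTP server (RFC 5737 range)

# Weak form. With nf_conntrack_ftp loaded and helper auto-assignment on, the
# in-kernel FTP parser inspects every flow to port 21 and, whenever it thinks
# it saw a PORT/PASV exchange, registers an expectation; the blanket RELATED
# accept then opens that hole to whatever address:port the payload named.
weak_rules() {
  cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${OUT_IF} -s ${LAN_NET} -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Hardened form. The helper is attached explicitly (raw table) only to control
# connections to the one permitted server; RELATED is accepted only when that
# helper created the expectation and only towards that server (passive mode);
# any other RELATED packet is logged and falls through to the DROP policy.
hardened_rules() {
  cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i ${LAN_IF} -s ${LAN_NET} -d ${FTP_SERVER} -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -d ${FTP_SERVER} -p tcp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED -m limit --limit 5/min -j LOG --log-prefix "unexpected-related: "
-A FORWARD -i ${LAN_IF} -o ${OUT_IF} -s ${LAN_NET} -d ${FTP_SERVER} -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Turn off automatic helper assignment where the kernel still exposes the knob
# (older kernels default it to 1, recent ones to 0, the newest drop it).
disable_auto_helper() {
  if [ -e /proc/sys/net/netfilter/nf_conntrack_helper ]; then
    sysctl -w net.netfilter.nf_conntrack_helper=0
  fi
}

case "${1:-show}" in
  apply) disable_auto_helper; hardened_rules | iptables-restore ;;
  weak)  weak_rules ;;
  *)     hardened_rules ;;
esac
```

The hardened form only covers passive-mode FTP, where the data connection goes from the client towards the server; active mode, where the server connects back into the LAN, would need a second RELATED rule with `-d ${LAN_NET}` and is better left blocked. The same shape applies to the other helpers Tobias mentions (irc, h323): one `CT --helper` rule per destination that genuinely needs it, and no blanket RELATED accept, so the in-kernel protocol parser only ever runs on traffic you chose to expose it to.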
* RE: IPTABLES vs Checkpoint
@ 2002-11-27 6:45 Wayne de Nobrega
2002-11-27 12:06 ` Nick Drage
0 siblings, 1 reply; 12+ messages in thread
From: Wayne de Nobrega @ 2002-11-27 6:45 UTC (permalink / raw)
To: Ben Russo; +Cc: netfilter
Many thanks for your input.
I agree with your point that if this is to be managed by corporate, then
the Nokia solution would be better from a standards and control point.
In my specific case, this company is already running the Nokia solution.
For the office in my country, the local office does not want to incur
the cost of $7,000 (excluding ongoing licence costs) to install the
solution when they can install the IPTABLES version for the equivalent
of $1,000 (h/w, s/w and installation).
The local firewall will be managed locally and has very simple rules in
place as they are not running any services behind the firewall. They
will also not be running any VPN. It is simply for connecting the local
office to the Internet, not to corporate.
Do you have any more info which explains the architecture of the Nokia
IP330 and Checkpoint solution so that I can do a more technical
comparison between the two products. The information on the Nokia site
is typical marketing. I believe the Nokia product runs a customised
version of FreeBSD.
Regards
Wayne
* Re: IPTABLES vs Checkpoint
2002-11-27 6:45 Wayne de Nobrega
@ 2002-11-27 12:06 ` Nick Drage
0 siblings, 0 replies; 12+ messages in thread
From: Nick Drage @ 2002-11-27 12:06 UTC (permalink / raw)
To: netfilter
On Wed, Nov 27, 2002 at 08:45:08AM +0200, Wayne de Nobrega wrote:
> In my specific case, this company is already running the Nokia solution.
> For the office in my country, the local office does not want to incur the
> cost of $7,000 (excluding ongoing licence costs) to install the solution
> when they can install the IPTABLES version for the equivalent of $1,000
> (h/w, s/w and installation).
>
> The local firewall will be managed locally and has very simply rules in
> place as they are not running any services behind the firewall. They
> will also not be running any VPN. It is simply for connecting the local
> office to the Internet, not to corporate.
As long as it's always the local office running the firewall I don't see a
problem with this. Make sure you've got good hardware support contracts
though, or at least one spare box kicking around, as one of the benefits of
the Checkpoint / Nokia solution is the s/w and h/w support.
> Do you have any more info which explains the architecture of the Nokia
> IP330 and Checkpoint solution so that I can do a more technical comparison
> between the two products. The information on the Nokia site is typical
> marketing. I believe the Nokia product runs a customised version of
> FreeBSD.
Your best bet is to contact your local Checkpoint reseller, they will fall
over themselves to provide you with information.
<snip>
--
FunkyJesus System Administration Team
* Re: IPTABLES vs Checkpoint
2002-11-27 6:39 IPTABLES vs Checkpoint Reckhard, Tobias
@ 2002-11-28 11:23 ` Florent AIDE
0 siblings, 0 replies; 12+ messages in thread
From: Florent AIDE @ 2002-11-28 11:23 UTC (permalink / raw)
To: netfilter; +Cc: Reckhard, Tobias
Hi tobias, hi all,
> in flexibility. The company definitely becomes more dependent on the person
> (or people) who know the system. Untrained personnel would probably not be
> able to cope with it or at least its details. You couldn't buy support
> contracts for it.
I wonder how many "untrained personnel" would be able to admin a Firewall
whatever it is ;) (fw1 or iptables or else).
Yes for sure with the nice GUI provided by FW1 some "untrained personnel"
could play with rules easily but is that a good solution ?
There also exist good GUIs for iptables: Firewall Builder
http://www.fwbuilder.org/
it supports iptables, ipchains, ipf and PIX based firewalls; it also is a
management console which enables you to create the rules on an admin machine
and then "compile" them to the target "language" and then place them on the
target FW machine via a pubkey auth mechanism ...
So I think the real problem is not really with the GUI, maybe the integration
with VPN can be a problem... because yes FreeSwan is not really user-friendly,
though it works well for me and my clients (Linux and Win machines alike).
And I think in many countries you can also find Linux consulting companies
which would be likely to offer services around iptables and FreeSwan
management and the like. I am not sure it would be difficult to find one, and
the price should not be much more than with a Firewall-1 consultant.
I say this because the company I work for offers just that kind of service in
France.
> Cheers,
> Tobias
Cheers,
Florent
http://www.alphacent.com
--
As we enjoy great advantages from inventions of others, we should be glad of
an opportunity to serve others by any invention of ours; and this we should
do freely and generously.
--Benjamin Franklin