* RE: Netfilter vs commercial
@ 2004-08-09 18:24 Jason Opperisano
2004-08-09 18:40 ` Antony Stone
2004-08-11 21:40 ` Aleksandar Milivojevic
0 siblings, 2 replies; 17+ messages in thread
From: Jason Opperisano @ 2004-08-09 18:24 UTC (permalink / raw)
To: netfilter
> Sure, although it may reflect more of my ignorance than my sagacity :-)
>
> From what I understand, the out of the box netfilter connection tracking
> sets timers for the dataflow and matches source and destination
> information and, for TCP, session states. It does not match the
> acknowledgment and sequence numbers for TCP packets unless one adds the
> window tracking patch. Someone please correct me if I am wrong.
>
> I cannot say so authoritatively but I believe out of the box Checkpoint
> does match ACK and SEQ - John
"out-of-the-box" check point fw-1 does not track seq/ack numbers. the
"sequence verifier" can be enabled if one chooses to; however, it is
mutually exclusive with some other features (such as their connection
acceleration feature). i meant to mention the tcp-window-tracking patch for
netfilter in my original reply.
just to reiterate--as far as responses to, "oh yeah? well can your firewall
do this?" questions go--netfilter can hold up to check point extremely well.
maybe if the OP has some specific issues the higher-ups need addressed--we
can answer those in a new "can netfilter do X" thread.
and as an aside--i find it hard to believe that there are people out there
saying something along the lines of "we use commercial software because we
can sue the manufacturer if it breaks." i know no one actually reads those
EULAs that are presented at install time--but they say "if this software
breaks, you can't sue us." where was that big lawsuit against microsoft for
damages resulting from <insert favorite ms exploit here>?
-j
ps - IANAL
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Netfilter vs commercial
2004-08-09 18:24 Netfilter vs commercial Jason Opperisano
@ 2004-08-09 18:40 ` Antony Stone
2004-08-11 21:40 ` Aleksandar Milivojevic
1 sibling, 0 replies; 17+ messages in thread
From: Antony Stone @ 2004-08-09 18:40 UTC (permalink / raw)
To: netfilter
On Monday 09 August 2004 7:24 pm, Jason Opperisano wrote:
> and as an aside--i find it hard to believe that there are people out there
> saying something along the lines of "we use commercial software because we
> can sue the manufacturer if it breaks."
I don't find that hard to believe :(
I think there are plenty of "business" people who live with the comforting
thought that they bought a big brand name, so that:
a) nobody can say "you bought a what?" when it does something strange
b) they can say "we want $1m damages" when it does something strange.
The fact that the former is almost as likely with a brand name as without, and
that the latter is totally laughable, does not enter into their thought
processes about what to buy and what to ignore.
> I know no one actually reads those EULAs that are presented at install
> time--but they say "if this software breaks, you can't sue us." where was
> that big lawsuit against microsoft for damages resulting from <insert
> favorite ms exploit here>?
Indeed. I have read several M$ licence agreements for precisely this reason,
and the basis of several is that "if your jurisdiction lets us get away with
it, we disclaim all responsibility for anything this software might do, and
if it doesn't do what you think we claimed it would (in a written contract,
but not in any advertising materials), then your only recompense will be the
replacement of the media it came on, provided you claim within 90 days of
buying it".
The Open Source community would benefit significantly if more people read
commercial software licences.
Regards,
Antony.
--
What makes you think I know what I'm talking about?
I just have more O'Reilly books than most people.
Please reply to the list;
please don't CC me.
* Re: Netfilter vs commercial
2004-08-09 18:24 Netfilter vs commercial Jason Opperisano
2004-08-09 18:40 ` Antony Stone
@ 2004-08-11 21:40 ` Aleksandar Milivojevic
1 sibling, 0 replies; 17+ messages in thread
From: Aleksandar Milivojevic @ 2004-08-11 21:40 UTC (permalink / raw)
To: netfilter
Jason Opperisano wrote:
> and as an aside--i find it hard to believe that there are people out there
> saying something along the lines of "we use commercial software because we
> can sue the manufacturer if it breaks." i know no one actually reads those
> EULAs that are presented at install time--but they say "if this software
> breaks, you can't sue us." where was that big lawsuit against microsoft for
> damages resulting from <insert favorite ms exploit here>?
It is more along the lines "we can blame them". In (some of the)
manager's heads, if you download something from the network for free and
it breaks, it's your fault (and manager's for allowing you to do so).
If you pay for it, it is vendor's fault. And if you blame somebody,
there's always somewhere at the back of the head that you can sue them
too (although it is not true). Stupid and ignorant, I know.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
* Re: Netfilter vs commercial
@ 2004-08-09 16:48 Mike O
2004-08-09 17:03 ` Antony Stone
` (2 more replies)
0 siblings, 3 replies; 17+ messages in thread
From: Mike O @ 2004-08-09 16:48 UTC (permalink / raw)
To: netfilter
John,
Would you mind elaborating on your comment about Netfilter's stateful engine
being weaker than Checkpoint's? and how would the window tracking patch make
it more secure. We have checkpoint here and have run into problems, where
checkpoint has limited us in the way we do things here and I have always
wanted to implement netfilter but couldn't because it's open source.
Thanks,
Mike
>From: "John A. Sullivan III" <jsullivan@opensourcedevelopmentcorp.com>
>To: Michael Gale <michael.gale@utilitran.com>
>CC: netfilter@lists.netfilter.org
>Subject: Re: Netfilter vs commercial
>Date: Mon, 09 Aug 2004 12:02:52 -0400
>
>On Mon, 2004-08-09 at 11:30, Michael Gale wrote:
> > Hello,
> >
> > I know this question has most likely come up a few times and most
>people ask about performance and throughput. But my
> > question seems to me a little different.
> >
> > I would like to know how people on this list ... which I know might be a
>biased opinion feel how a Netfilter firewall
> > box .. properly configured would compare in security to a commercial
>firewall.
> >
> > I do not want to compare performance or stats on throughput but the
>strength of the firewall. The reason I am asking is
> > to at the moment we are using Netfilter based firewalls which I have
>setup Squid and Frox and many other application
> > level filters.
> >
> > Now some people in the company want to replace them with CheckPoints or
>WatchGuard firewalls. Which is fine ... security
> > should be done in layers ... but the way I see it I will still need the
>linux boxes to run squid and frox unless the
> > appliance allows you to install software from other sources (most likely
>not) or use custom config files (like my own
> > squid.conf -- most likely not).
>
>It's a difficult question to answer without access to the internals of
>the proprietary products. I would assume the basic stateful inspection
>engine of netfilter is weaker than that of Checkpoint. However, this
>may very well be remedied when one adds the window tracking patch.
>
>Other internals remain a bit of a mystery. For example, if I remember
>correctly, one can specify MSRPC as a protocol with Checkpoint and it
>will properly handle the port shift. On the other hand, one cannot do
>this in netfilter. One must open 135/tcp and then all high ports. Yes,
>I know that one should never do this on the Internet but what about
>internal firewalling and VPN firewalls. Now it could very well be that
>is all Checkpoint does but they've simplified it in the user interface.
>I do know that we have had to do that with other commercially available
>firewalls.
>
>There are two other important issues of security that do not necessarily
>relate to the actual internals. One is how well the management
>interface shields one from human error. For example, this is one of the
>chief advantages of the ISCS interface for netfilter
>(http://iscs.sourceforge.net). Not only does it reduce the time to
>configure security by over 90% but it dramatically reduces the exposure
>to human error. Unfortunately, it has not yet been released. On the
>other hand, from what I recall, the WatchGuard and Checkpoint interfaces
>are really just GUI rule configurators and do little to insulate the
>administrator against human error (such as putting a rule in the wrong
>order or making it conflict with another subsystem like NAT or VPN). I
>believe all of the other user interfaces for netfilter also fall into
>this rule configurator category.
>
>Finally, there is the degree of control. This is where netfilter has a
>distinct advantage. The degree of flexibility that one has to configure
>netfilter to do exactly what one wants it to do by command line or
>script or even editing the source code is outstanding. One can also
>tinker with the related subsystems such as iproute2 or *swan to
>coordinate various security and network activities to an extraordinary
>level. I do not recall such flexibility in other products.
>
>I do hope this is the type of answer you were looking for - John
>--
>John A. Sullivan III
>Open Source Development Corporation
>Financially sustainable open source development
>http://www.opensourcedevelopmentcorp.com
>
>
* Re: Netfilter vs commercial
2004-08-09 16:48 Mike O
@ 2004-08-09 17:03 ` Antony Stone
2004-08-09 17:35 ` John A. Sullivan III
2004-08-11 21:31 ` Aleksandar Milivojevic
2004-08-09 17:39 ` John A. Sullivan III
2004-08-09 17:45 ` John A. Sullivan III
2 siblings, 2 replies; 17+ messages in thread
From: Antony Stone @ 2004-08-09 17:03 UTC (permalink / raw)
To: netfilter
On Monday 09 August 2004 5:48 pm, Mike O wrote:
> John,
>
> Would you mind elaborating on your comment about Netfilter's stateful
> engine being weaker than Checkpoint's? and how would the window tracking
> patch make it more secure. We have checkpoint here and have run into
> problems, where checkpoint has limited us in the way we do things here and
> I have always wanted to implement netfilter but couldn't because it's open
> source.
Why couldn't you implement netfilter "because it's open source"?
Do you know someone who has a plausible argument saying that open source
software is lower quality or less secure than commercial closed-source
software (or is someone simply living under the illusion that if something
goes wrong with their FW-1 firewall, they can sue Check Point, haha) ?
I'm very interested in any meaningful rationale for saying "we won't use it
because it's open source". I could understand if the argument was "we won't
use it because it doesn't meet our needs", but that's a different argument.
Regards,
Antony.
--
"Linux is going to be part of the future. It's going to be like Unix was."
- Peter Moore, Asia-Pacific general manager, Microsoft
Please reply to the list;
please don't CC me.
* Re: Netfilter vs commercial
2004-08-09 17:03 ` Antony Stone
@ 2004-08-09 17:35 ` John A. Sullivan III
2004-08-09 18:15 ` Antony Stone
2004-08-11 21:31 ` Aleksandar Milivojevic
1 sibling, 1 reply; 17+ messages in thread
From: John A. Sullivan III @ 2004-08-09 17:35 UTC (permalink / raw)
To: netfilter
On Mon, 2004-08-09 at 13:03, Antony Stone wrote:
> On Monday 09 August 2004 5:48 pm, Mike O wrote:
>
> > John,
> >
> > Would you mind elaborating on your comment about Netfilter's stateful
> > engine being weaker than Checkpoint's? and how would the window tracking
> > patch make it more secure. We have checkpoint here and have run into
> > problems, where checkpoint has limited us in the way we do things here and
> > I have always wanted to implement netfilter but couldn't because it's open
> > source.
>
> Why couldn't you implement netfilter "because it's open source"?
>
> Do you know someone who has a plausible argument saying that open source
> software is lower quality or less secure than commercial closed-source
> software (or is someone simply living under the illusion that if something
> goes wrong with their FW-1 firewall, they can sue Check Point, haha) ?
>
> I'm very interested in any meaningful rationale for saying "we won't use it
> because it's open source". I could understand if the argument was "we won't
> use it because it doesn't meet our needs", but that's a different argument.
>
> Regards,
>
> Antony.
The "sue" argument is, sadly, very powerful among those who do corporate
risk assessment :-( (financial risk - not security risk)
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: Netfilter vs commercial
2004-08-09 17:35 ` John A. Sullivan III
@ 2004-08-09 18:15 ` Antony Stone
0 siblings, 0 replies; 17+ messages in thread
From: Antony Stone @ 2004-08-09 18:15 UTC (permalink / raw)
To: netfilter
On Monday 09 August 2004 6:35 pm, John A. Sullivan III wrote:
> On Mon, 2004-08-09 at 13:03, Antony Stone wrote:
> >
> > Do you know someone who has a plausible argument saying that open source
> > software is lower quality or less secure than commercial closed-source
> > software (or is someone simply living under the illusion that if
> > something goes wrong with their FW-1 firewall, they can sue Check Point,
> > haha) ?
> The "sue" argument is, sadly, very powerful among those who do corporate
> risk assessment :-( (financial risk - not security risk)
The irony of which, of course, is that if you try, it turns out that you can't
sue them because the licence doesn't give them any liability.
I'm quite convinced that much Open Source software could be supplied under an
identical licence as comes with most commercial software (in terms of
liability and guarantees, not ownership or copyright), because most
commercial licences simply don't give any guarantee or warranty except for
replacement of the CD you get the software on.
Ho Hum.
Well off-topic for this list, now :)
Regards,
Antony.
--
I think Big Brother is a very good and useful programme:
Socially dysfunctional people take part in it,
Creatively dysfunctional people produce it, and
Intellectually dysfunctional people derive entertainment from it.
If it wasn't for Big Brother, they'd probably all be creating the rules of
cricket or something.
Please reply to the list;
please don't CC me.
* Re: Netfilter vs commercial
2004-08-09 17:03 ` Antony Stone
2004-08-09 17:35 ` John A. Sullivan III
@ 2004-08-11 21:31 ` Aleksandar Milivojevic
1 sibling, 0 replies; 17+ messages in thread
From: Aleksandar Milivojevic @ 2004-08-11 21:31 UTC (permalink / raw)
To: netfilter
Antony Stone wrote:
> (or is someone simply living under the illusion that if something
> goes wrong with their FW-1 firewall, they can sue Check Point, haha) ?
You'd be surprised how many managers live under that illusion. Many of
them being quite intelligent otherwise ;-)
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
* Re: Netfilter vs commercial
2004-08-09 16:48 Mike O
2004-08-09 17:03 ` Antony Stone
@ 2004-08-09 17:39 ` John A. Sullivan III
2004-08-09 17:45 ` John A. Sullivan III
2 siblings, 0 replies; 17+ messages in thread
From: John A. Sullivan III @ 2004-08-09 17:39 UTC (permalink / raw)
To: Mike O; +Cc: netfilter
On Mon, 2004-08-09 at 12:48, Mike O wrote:
> John,
>
> Would you mind elaborating on your comment about Netfilter's stateful engine
> being weaker than Checkpoint's? and how would the window tracking patch make
> it more secure. We have checkpoint here and have run into problems, where
> checkpoint has limited us in the way we do things here and I have always
> wanted to implement netfilter but couldn't because it's open source.
<snip>
Sure, although it may reflect more of my ignorance than my sagacity :-)
From what I understand, the out of the box netfilter connection tracking
sets timers for the dataflow and matches source and destination
information and, for TCP, session states. It does not match the
acknowledgment and sequence numbers for TCP packets unless one adds the
window tracking patch. Someone please correct me if I am wrong.
I cannot say so authoritatively but I believe out of the box Checkpoint
does match ACK and SEQ - John
--
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevelopmentcorp.com
* Re: Netfilter vs commercial
2004-08-09 16:48 Mike O
2004-08-09 17:03 ` Antony Stone
2004-08-09 17:39 ` John A. Sullivan III
@ 2004-08-09 17:45 ` John A. Sullivan III
2 siblings, 0 replies; 17+ messages in thread
From: John A. Sullivan III @ 2004-08-09 17:45 UTC (permalink / raw)
To: Mike O; +Cc: netfilter
On Mon, 2004-08-09 at 12:48, Mike O wrote:
> John,
>
> Would you mind elaborating on your comment about Netfilter's stateful engine
> being weaker than Checkpoint's? and how would the window tracking patch make
> it more secure. We have checkpoint here and have run into problems, where
> checkpoint has limited us in the way we do things here and I have always
> wanted to implement netfilter but couldn't because it's open source.
<snip>
I would imagine that you could find "commercial" products that are using
iptables and thus get around the open source problem. Astaro, SnapGear
and iKloak come to mind. I believe some WatchGuard models are based
upon iptables. There are also some other smaller players such as
SmoothWall (in the UK), Kyzo, NetMAX and NetMaster.
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* RE: Netfilter vs commercial
@ 2004-08-09 16:34 Jason Opperisano
0 siblings, 0 replies; 17+ messages in thread
From: Jason Opperisano @ 2004-08-09 16:34 UTC (permalink / raw)
To: Michael Gale, netfilter
>
> I would like to know how people on this list ... which I know might be a biased opinion feel how a Netfilter firewall
> box .. properly configured would compare in security to a commercial firewall.
it would be equivalent--given that both firewalls are configured by "experts." the majority of my day job involves check point fw-1/vpn-1 consulting. as far as "firewall filtering capabilities" (for lack of a better term), you can build a firewall using netfilter that has at least the same, if not more, functionality as fw-1/vpn-1. the path of a packet through the fw-1 kernel (from memory--don't quote me on this):
- drop all packets with IP Options set
netfilter: "-m ipv4options --any-opt -j DROP" -OR- "-j IPV4OPTSSTRIP"
- drop spoofed packets (anti-spoofing)
netfilter: easy enough to setup with iterations on "-s $INTERNAL_NET -i ! $INTERNAL_IF -j DROP" etc...
- if packet is not "new" compare to state table
netfilter: use "-m state --state ESTABLISHED,RELATED" to allow replies to established connections
- if packet is "new" compare to security policy rule base
netfilter: use "-p tcp --syn -m state --state NEW -j ACCEPT" to accept new connections (for TCP at least)
>
> I do not want to compare performance or stats on throughput but the strength of the firewall. The reason I am asking is
> to at the moment we are using Netfilter based firewalls which I have setup Squid and Frox and many other application
> level filters.
beyond basic stateful filtering--you can enable higher-level security checks using application-level gateways as you are currently doing. check point refers to this as "application intelligence" which allows you to do things like blocking user-agent strings in HTTP communications. there is absolutely *nothing* that check point can do here that you can't do with squid. conversely--there's plenty you can do with squid that you cannot do with application intelligence. check point points to the fact that the application intelligence checks run in-kernel as opposed to user space, which i'm sure is much faster. not sure if the speed difference is actually relevant though. my experience with this has been that application intelligence gives people just enough capability to make them really want a true, full-blown application level gateway--which is precisely what check point has argued against since its inception.
check point's real selling point is in their management architecture--the ability for a security admin that either lacks the time or expertise to manage rulebases on many firewalls (100s) with a suite of pretty GUI management applications (rule editor, log viewer, status viewer). if you have just a few firewalls, and are competent with shell/perl scripting--you could be much happier managing your firewalls through an SSH connection.
if you really know what you're doing and have very specific filtering goals in mind--you'll probably be happier with netfilter in the long run, as it will allow amazingly granular control of how/when/why packets get filtered.
dunno if this helps, but i'm also not sure that the question isn't just a wee bit too high in flame-bait content (i understand you didn't intend it as such).
-j
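The four-step packet path Jason lists above, rendered as a runnable FORWARD-chain ruleset. This is an added example, not code from the original post or from the netfilter project; the interface names (eth0/eth1), the 192.168.10.0/24 inside network and the outbound HTTP/HTTPS policy rule are assumptions chosen for illustration. It uses current iptables spelling (the "!" before -i, -m conntrack --ctstate in place of -m state --state, and the stock u32 match in place of the patch-o-matic ipv4options match) and only prints the commands by default; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the original post): FORWARD-chain rules that mirror
# the four-step FW-1 packet path described in the thread.  Dry-run by default:
# the commands are printed.  Run as root with IPT=iptables to apply them.
set -eu

IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"               # assumed Internet-facing interface
INT_IF="${INT_IF:-eth1}"               # assumed inside interface
INT_NET="${INT_NET:-192.168.10.0/24}"  # assumed inside network

# Step 1: drop anything carrying IP options.  Byte 0 of the IP header holds
# version|IHL; an IHL above 5 (the 20-byte minimum) means options are present.
# The u32 match is in stock kernels, unlike the ipv4options match the post cites.
drop_ip_options() {
  $IPT -A FORWARD -m u32 --u32 "0>>24&0x0F=6:15" -j DROP
}

# Step 2: anti-spoofing.  Inside addresses may only arrive on the inside
# interface, and loopback addresses never arrive from the outside.  Repeat the
# first rule once per interface/network pair on a multi-homed firewall.
drop_spoofed() {
  $IPT -A FORWARD ! -i "$INT_IF" -s "$INT_NET" -j DROP
  $IPT -A FORWARD -i "$EXT_IF" -s 127.0.0.0/8 -j DROP
}

# Step 3: packets that are not "new" are judged by the state table, never by
# the rule base.  INVALID means conntrack could not fit the packet to any
# flow (bad sequence/window, unknown reply), so it is dropped here.
accept_established() {
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
}

# Step 4: only genuinely new connections reach the security policy.  A TCP
# segment without SYN that conntrack still classes as NEW (mid-stream after a
# table flush, or an ACK scan) is dropped instead of being evaluated.
policy_new() {
  $IPT -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  # The security policy proper (assumed): inside hosts may open HTTP/HTTPS out.
  $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -p tcp --syn \
       -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A FORWARD -j DROP
}

# Default-deny policy first, then the four steps in FW-1 order.
build_forward_rules() {
  $IPT -P FORWARD DROP
  $IPT -F FORWARD
  drop_ip_options
  drop_spoofed
  accept_established
  policy_new
}

build_forward_rules
```

Two checks the post's list leaves implicit are included: conntrack INVALID is dropped before the policy rules, and a TCP packet conntrack classes as NEW without a SYN is dropped rather than matched against the rule base. The TCP window tracking the thread treats as a separate patch is part of the 2.6 connection tracker; its sequence and window checks stay strict unless net.netfilter.nf_conntrack_tcp_be_liberal is set to 1.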
* Netfilter vs commercial
@ 2004-08-09 15:30 Michael Gale
2004-08-09 15:56 ` Antony Stone
` (2 more replies)
0 siblings, 3 replies; 17+ messages in thread
From: Michael Gale @ 2004-08-09 15:30 UTC (permalink / raw)
To: netfilter
Hello,
I know this question has most likely come up a few times and most people ask about performance and throughput. But my
question seems to me a little different.
I would like to know how people on this list ... which I know might be a biased opinion feel how a Netfilter firewall
box .. properly configured would compare in security to a commercial firewall.
I do not want to compare performance or stats on throughput but the strength of the firewall. The reason I am asking is
to at the moment we are using Netfilter based firewalls which I have setup Squid and Frox and many other application
level filters.
Now some people in the company want to replace them with CheckPoints or WatchGuard firewalls. Which is fine ... security
should be done in layers ... but the way I see it I will still need the linux boxes to run squid and frox unless the
appliance allows you to install software from other sources (most likely not) or use custom config files (like my own
squid.conf -- most likely not).
--
Michael Gale
Network Administrator
Utilitran Corporation
* Re: Netfilter vs commercial
2004-08-09 15:30 Michael Gale
@ 2004-08-09 15:56 ` Antony Stone
2004-08-09 16:02 ` John A. Sullivan III
2004-08-11 21:31 ` Aleksandar Milivojevic
2 siblings, 0 replies; 17+ messages in thread
From: Antony Stone @ 2004-08-09 15:56 UTC (permalink / raw)
To: netfilter
On Monday 09 August 2004 4:30 pm, Michael Gale wrote:
> Hello,
>
> I know this question has most likely come up a few times and most people
> ask about performance and throughput. But my question seems to me a little
> different.
>
> I would like to know how people on this list ... which I know might be a
> biased opinion feel how a Netfilter firewall box .. properly configured
> would compare in security to a commercial firewall.
My response to this is that netfilter has a better security record than most
commercial firewalls, based on the number of patches, alerts or security
updates announced for each.
> I do not want to compare performance or stats on throughput but the
> strength of the firewall. The reason I am asking is to at the moment we are
> using Netfilter based firewalls which I have setup Squid and Frox and many
> other application level filters.
The other half of my response is that as soon as you start running any
applications on the same machine as netfilter (and a proxy server definitely
counts as an application), then you are immediately reducing the security of
the entire system to that of the weakest component. I would be willing to
bet that netfilter is not going to be the weakest component.
If someone has the choice of breaking into your house through a steel front
door with 5-lever locks and deadbolts, or else walking around the back and
breaking the single-thickness glass on your kitchen door, the security of
your front door is fairly irrelevant to the security of your house.
> Now some people in the company want to replace them with CheckPoints or
> WatchGuard firewalls. Which is fine ... security should be done in layers
> ... but the way I see it I will still need the linux boxes to run squid and
> frox
I believe those proxies should be running on separate machines from the main
firewall anyway - because that does give you defence in depth, and multiple
layers - whereas running several things on one machine gives you a very
shallow depth, if you follow my meaning :)
Besides, if you are happy running netfilter on your Squid / Frox proxy, then
by all means continue to do so, even with a dedicated Firewall in front of it
as well (no matter whether that machine is running netfilter or Firewall-1).
> unless the appliance allows you to install software from other sources
> (most likely not) or use custom config files (like my own squid.conf --
> most likely not).
Often for the reasons given above - the vendors don't want you running unknown
applications on their security servers, and possibly giving their machines a
bad name when some software they don't know about has an exploit used against
it.
Regards,
Antony.
--
Anything that improbable is effectively impossible.
- Murray Gell-Mann, Nobel Prizewinner in Physics
Please reply to the list;
please don't CC me.
* Re: Netfilter vs commercial
2004-08-09 15:30 Michael Gale
2004-08-09 15:56 ` Antony Stone
@ 2004-08-09 16:02 ` John A. Sullivan III
2004-08-11 21:46 ` Aleksandar Milivojevic
2004-08-11 21:31 ` Aleksandar Milivojevic
2 siblings, 1 reply; 17+ messages in thread
From: John A. Sullivan III @ 2004-08-09 16:02 UTC (permalink / raw)
To: Michael Gale; +Cc: netfilter
On Mon, 2004-08-09 at 11:30, Michael Gale wrote:
> Hello,
>
> I know this question has most likely come up a few times and most people ask about performance and throughput. But my
> question seems to me a little different.
>
> I would like to know how people on this list ... which I know might be a biased opinion feel how a Netfilter firewall
> box .. properly configured would compare in security to a commercial firewall.
>
> I do not want to compare performance or stats on throughput but the strength of the firewall. The reason I am asking is
> to at the moment we are using Netfilter based firewalls which I have setup Squid and Frox and many other application
> level filters.
>
> Now some people in the company want to replace them with CheckPoints or WatchGuard firewalls. Which is fine ... security
> should be done in layers ... but the way I see it I will still need the linux boxes to run squid and frox unless the
> appliance allows you to install software from other sources (most likely not) or use custom config files (like my own
> squid.conf -- most likely not).
It's a difficult question to answer without access to the internals of
the proprietary products. I would assume the basic stateful inspection
engine of netfilter is weaker than that of Checkpoint. However, this
may very well be remedied when one adds the window tracking patch.
Other internals remain a bit of a mystery. For example, if I remember
correctly, one can specify MSRPC as a protocol with Checkpoint and it
will properly handle the port shift. On the other hand, one cannot do
this in netfilter. One must open 135/tcp and then all high ports. Yes,
I know that one should never do this on the Internet but what about
internal firewalling and VPN firewalls. Now it could very well be that
is all Checkpoint does but they've simplified it in the user interface.
I do know that we have had to do that with other commercially available
firewalls.
There are two other important issues of security that do not necessarily
relate to the actual internals. One is how well the management
interface shields one from human error. For example, this is one of the
chief advantages of the ISCS interface for netfilter
(http://iscs.sourceforge.net). Not only does it reduce the time to
configure security by over 90% but it dramatically reduces the exposure
to human error. Unfortunately, it has not yet been released. On the
other hand, from what I recall, the WatchGuard and Checkpoint interfaces
are really just GUI rule configurators and do little to insulate the
administrator against human error (such as putting a rule in the wrong
order or making it conflict with another subsystem like NAT or VPN). I
believe all of the other user interfaces for netfilter also fall into
this rule configurator category.
Finally, there is the degree of control. This is where netfilter has a
distinct advantage. The degree of flexibility that one has to configure
netfilter to do exactly what one wants it to do by command line or
script or even editing the source code is outstanding. One can also
tinker with the related subsystems such as iproute2 or *swan to
coordinate various security and network activities to an extraordinary
level. I do not recall such flexibility in other products.
I do hope this is the type of answer you were looking for - John
--
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevelopmentcorp.com
* Re: Netfilter vs commercial
2004-08-09 16:02 ` John A. Sullivan III
@ 2004-08-11 21:46 ` Aleksandar Milivojevic
2004-08-11 22:11 ` John A. Sullivan III
0 siblings, 1 reply; 17+ messages in thread
From: Aleksandar Milivojevic @ 2004-08-11 21:46 UTC (permalink / raw)
To: netfilter
John A. Sullivan III wrote:
> For example, this is one of the
> chief advantages of the ISCS interface for netfilter
> (http://iscs.sourceforge.net).
BTW, any dates when to expect first public release?
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
* Re: Netfilter vs commercial
2004-08-11 21:46 ` Aleksandar Milivojevic
@ 2004-08-11 22:11 ` John A. Sullivan III
0 siblings, 0 replies; 17+ messages in thread
From: John A. Sullivan III @ 2004-08-11 22:11 UTC (permalink / raw)
To: Aleksandar Milivojevic; +Cc: netfilter
On Wed, 2004-08-11 at 17:46, Aleksandar Milivojevic wrote:
> John A. Sullivan III wrote:
> > For example, this is one of the
> > chief advantages of the ISCS interface for netfilter
> > (http://iscs.sourceforge.net).
>
> BTW, any dates when to expect first public release?
There have been so many requests for access to the code other than CVS
that I will go ahead and release a pre-alpha version in a matter of
days. Most of the bugs are worked out except for two that do not appear
to be in my code but rather somewhere between Qt and MySQL. As soon as I
have that nailed, I'll release the code.
I am hoping to release a real version in late October. For all kinds of
good reasons, that date may move forward or back. I'm doing an
increasing number of demos. These take time but are beginning to bring
in some corporate sponsorship. Astaro has been the first to commit
funding (besides Nexus and myself). We're also working on some major
grant applications to fund the project and that continues to take a lot
of time. On the other hand, we have just had an outstanding database
expert volunteer 20-25 hours per week to the project. We'll see where
it all comes out. If anyone else is interested in helping, please let
me know. We need experts in iptables, iproute2, *swan, Qt, user
authentication, layer 2 Linux configuration and embedded Linux. Thanks
for asking - John
--
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevelopmentcorp.com
* Re: Netfilter vs commercial
2004-08-09 15:30 Michael Gale
2004-08-09 15:56 ` Antony Stone
2004-08-09 16:02 ` John A. Sullivan III
@ 2004-08-11 21:31 ` Aleksandar Milivojevic
2 siblings, 0 replies; 17+ messages in thread
From: Aleksandar Milivojevic @ 2004-08-11 21:31 UTC (permalink / raw)
To: netfilter
Michael Gale wrote:
> Hello,
>
> I know this question has most likely come up a few times, and most people ask about performance and throughput. But my
> question seems to me a little different.
>
> I would like to know how people on this list ... which I know might be a biased opinion ... feel a Netfilter firewall
> box, properly configured, would compare in security to a commercial firewall.
I'd say that security is at about the same level, if you keep the products
updated to the latest release, and if you do not have applications
running on the firewall itself (like you do; squid is an application).
Use a product that you feel comfortable with, and that has the features you
need. No point in using Netfilter if it lacks a feature from CheckPoint
that you need. Or using CheckPoint if it lacks a feature from Netfilter
that you need.
Sadly, at some places that I used to work in the past (luckily not
working there anymore), the two main arguments (usually used by higher
management) for going commercial were that "if we pay, we will have
somebody to blame when things are not working" and "commercial looks
more professional". Totally stupid, and neither of those has anything
to do with common sense. Hope it will not be the case at your place.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7