CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Is there any HTTP content caching solution for Checkpoint similar to ISA's built-in caching capabilities? Anybody have experience in high-end CP installations? Do they use some sort of caching? Or is this an example of a CP and ISA complementing scenario?
No, the gateways do not provide a caching-proxy function. ISA is a low-end proxying firewall that started out as a web cache; FW1 is a high-end packet filtering firewall. Where FW1 traditionally played, dedicated caching proxies are used.
It's a complementing scenario. We use ISA behind FW-1 for a number of purposes, one of which is end user browsing monitoring and control. We have a number of domain groups set up and we stick people in whatever group most closely meets their needs. It also performs HTTP virus scanning for us. If you're not doing HTTP scanning, there is a lot of rubbish out there that you're letting in the door.

After we added ISA, its caching ability caused our Internet line utilization to drop by a full third, enabling us to defer increasing our capacity for three years. The entire ISA system was paid for in less than a year because of this. We were in the high 90% and up utilization, pre-ISA, and things were getting bad.

Because all web browsing is NAT'ed behind ISA, the number of concurrent connections shown in FW-1 drops through the floor because they all appear to originate from just ISA's external interface IP address. My audit log in FW-1 rarely has more than 500 active connections for a 1,700 employee company with a lot of 100% remote employees. We also use it for Outlook Web Access publishing because ISA has SSL termination, something that I think is a major omission in FW-1.

HTH, Ray
Quote:
There are definite pros and cons to proxy servers. I personally like them, especially when MS patches come out and during snow storms when everyone is hitting the same site. On the bad side, I don't have any logging or control at the firewall. Now if someone was to write an OPSEC module for Squid that let me push policy to it and send logs back to the SmartCenter, it would make me happy.
ChillyJim, I am tired of guys who blame ISA - a proxy. I respect your knowledge in CP, but Proxy 2. was a proxy server in 1996. ISA is a different product. From 2000, but a major upgrade in 2004, ISA is a product that has the major feature set u find in FW1. Read the books. Stop calling ISA a proxy. Yes, it can function as a proxy if u wanna use user auth and rely on ISA for DNS. U can disable this proxy and use it the exact same way as CP. Using or not using the proxy, either way ISA uses its 7 layer inspection (yes, the same as CP) to examine the traffic. ISA is now in hardware. As the fellow guy pointed out, ISA has many advantages over CP.

The main disadvantages of ISA 2004 have been:

1. Windows is perceived as a non-secure operating system. A bad Linux thought that was implanted around 1995 - 1999. For reason. Today it is 2006. This is an era in IT. If u say Windows is not secure today, I hear "I don't know how to do it." An operating system can be hardened. Also Windows. It is not hardened by default because it is the most widely used operating system and this is what the market needs. I agree Windows by default cannot be used as an edge device. Needs to be hardened. Common Criteria 4. Linux recently had only 2. However, it takes knowledge to secure Windows. Yes, u need to read the books. The very same way u learn how to secure Linux or whatever. This is now history. HP sells an ISA appliance that uses a hardened version of Windows. Even a Linux guy can secure it now.

ISA will be a major firewall very soon. You will see. With so much money no one can stop u. Here is a hint that they don't sleep. http://biz.yahoo.com/prnews/061213/sfw052.html?.v=86

Last edited by derspot; 2006-12-22 at 20:33.
There are two basic types of firewalls, packet filtering (Check Point, PIX, Netscreen) and proxying (ISA, Sidewinder). Web caching is not an enterprise firewall feature, in the same manner that anti-virus is not viable in an enterprise size firewall. At no point did I say Windows was not securable; that would be a different thread. I agree that it is, if you truly know what you are doing.

As for ISA taking over the security world, it has an uphill battle for several reasons, some valid, some not so valid:

1. Perception of MS being anti-security.
2. Scalability -- it doesn't scale to large enterprise very well.
3. Interoperability -- The main reason to use ISA over anything else right now (not including HP's appliance) is the proxying features that tie into AD and NTLM Auth. If you have to support anything but Windows systems, this functionality is a loss.
4. Manageability -- Ok, I don't like the management interface even for one ISA server; I find it very confusing. Too many steps to do anything, much like Juniper's. That said, it currently doesn't scale to managing multi-site ISA deployments.

For the record, I don't maintain my MCSE anymore but I do maintain my MS Security cert. I have also been a MS beta tester since 1988. Vista is their first OS I haven't been involved with a major beta of due to time restraints. You will find I am an equal-opportunity OS complainer. Right now I mostly like my MacBook Pro and OSX, but it still frustrates me. I really like the security model in NT, though the implementation isn't great. I am a big fan of the flexibility and scalability of Linux and I really like the OS/HW tools available in Solaris. Most of all I think VMS was the best designed OS and would have been much happier with NT had they not gone for a glitzy port of it and kept the VMS developers around post 4.0.

If you would like to discuss pros and cons of assorted non-CP firewalls and OSes, there is an off-topic section of this forum available for such threads.