CPUG

The Check Point User Group

#1 tedkilroy, 2005-10-31
CheckPoint Installation

Our accountant bought this product and I am looking for opinions from other Checkpoint users on installation. I have a small domain (20 users) with 1 DC 2003 SBS and 1 member server 03 Standard. There is 1 SOHO Netgear FR114P that does NAT/DHCP. Looking to determine if this product should be installed on a separate system rather than the in-house servers. What would be the cons if installed on a domain controller? Please advise.

PS
Installation and Upgrade FAQ tab was locked so I posted here.

#2 czech12, 2005-10-31
Re: CheckPoint Installation

First of all, there are two different core modules to a Check Point VPN-1 Pro/Express installation. There is a Management Module (SmartCenter Server) and the Enforcement Module. You can install both modules on the same server or different servers. For a small network like you described, it is fine to put both modules on the same box, known as a "Stand Alone Installation."

Now to answer your question, it is not advisable to install Check Point on an existing server, especially on a Domain Controller. I wouldn't use the DC as an Enforcement Module because you will need to route traffic through it, and one of those interfaces will most likely be internet facing. I wouldn't want my DC directly connected to the internet.

I wouldn't install a management module on a DC either, more so because of the sensitive data that the management module holds. Having the server as a DC and a management module exposes it to more security vulnerabilities.

My recommendation would be to buy a new server and install Check Point as a Stand Alone Installation. SecurePlatform or SPLAT would probably fit your needs. If you really don't have the money for another server, I guess you could put the Management Module on the DC, but I do not advise this.
__________________
====================
Aaron Vivo
CCSE Plus, CCMSE, NSA
====================

#3 tedkilroy, 2005-11-01
Re: CheckPoint Installation

Thought about installing both modules on a Dell Dimension P4 and placing it like this:

ISP router>netgear fr114p>dell/checkpoint>switch

Are there any known problems with these types of setups? Perhaps lack of communication between the SOHO router that does NAT/DHCP and the Checkpoint system? If this setup works I will implement VPN for a few people.

#4 czech12, 2005-11-01
Re: CheckPoint Installation

Quote:
Originally Posted by tedkilroy
Thought about installing both modules on a Dell Dimension P4 and placing it like this:

ISP router>netgear fr114p>dell/checkpoint>switch

Are there any known problems with these types of setups? Perhaps lack of communication between the SOHO router that does NAT/DHCP and the Checkpoint system? If this setup works I will implement VPN for a few people.

I don't think you will have any issues with the configuration. Remember that you will have to add a static route(s) for your internal network(s) on your NetGear.

I'm pretty sure that you can set up Check Point to get a DHCP address from your ISP. I've never done it, so I would have to research it, but I'm pretty sure it is possible. If that is the case, you really don't even need the NetGear. The Check Point Firewall could get the DHCP address from your ISP and also control the NAT.
__________________
====================
Aaron Vivo
CCSE Plus, CCMSE, NSA
====================

#5 Youngy, 2005-11-01
Re: CheckPoint Installation

I agree, you really do not want to install CP on your DC at all.

You might even want to try and convince your budget pilots for two more boxes. One for the CP stand alone setup and another DC for your forest........:)

#6 Youngy, 2005-11-01
Re: CheckPoint Installation

Oh yeah,

As far as I know (not very far), you can set an enforcement point to use DHCP; not sure if you can have the whole stand alone using DHCP though. I would have thought not.

In Solution ID: #sk27067 they discuss using DHCP for enforcement points.

#7 tedkilroy, 2005-11-02
Re: CheckPoint Installation

I was thinking more along the lines of putting it behind the Netgear router and issuing 2 static IPs to the Dell/Checkpoint system: one for the connection from the router and the other for the LAN. If I am using XP Pro on it I don't think I can use it as a DHCP server/NAT. I guess I am thinking it would be more of a filter for the LAN, filtering and stopping whatever goes out. I had no choice on the product; if so I would have just had another license for Server 03 and used its firewall.

#8 czech12, 2005-11-03
Re: CheckPoint Installation

First, I wouldn't install it on a machine running Windows XP Pro (I'm not even sure if you can install it on XP Pro). For the type of installation you are describing, I believe SecurePlatform would be your best option. SecurePlatform is free and it is pre-hardened, so you don't have to worry about locking down the box. You could use Windows 2K3 Server for the Management Module if you want to do a distributed installation, but I wouldn't install the Enforcement Module on a Windows platform. Windows isn't really known for routing traffic.

You are losing me with the DHCP thing. I originally thought you wanted the NetGear to be able to RECEIVE a DHCP address, and Youngy and myself suggested that you just use the CP Firewall to RECEIVE the DHCP address and take the NetGear out of the picture. In your last post though, you said DHCP server. Do you want the NetGear or the Firewall to GIVE OUT DHCP addresses? If that's the case, the NetGear wouldn't be able to do that anyway because it will sit in front of your firewall, not behind it where your DHCP clients would sit. SecurePlatform does have the ability to hand out DHCP addresses though, so that would be an option if that is what you are talking about.

If you are serious about security, somebody made the right choice in choosing Check Point. The firewall that comes with Windows is a joke, unless you are talking about an ISA Proxy server. Check Point is still much better than ISA too, though. Check Point is the leader in Firewall Technology.

If you aren't sure how to best design this implementation or how it is all going to work, I would talk to your Check Point VAR (the ones you purchased the license from). They should be able to sit down with you and talk design and implementation. That is what the "Value Add" of a "VAR" is...
__________________
====================
Aaron Vivo
CCSE Plus, CCMSE, NSA
====================

#9 tedkilroy, 2005-11-14
Re: CheckPoint Installation

So I decided to go with the SecurePlatform that we have on a CD. It will be installed on a Dell using Win 03 Server Standard w/2 NICs. I will still place a Netgear router in front of this machine to issue DHCP addresses. In the event the used system goes down for whatever reason I can remove patch cable NIC and go directly to the switch while repairing the Checkpoint system.