Necessity of installing Standalone due to license?

#1 | 2006-12-30 | Yasushi Kono (Senior Member, Offenbach/Germany)

Hi eXXperts,

In former times (CP 4.x), there were licenses which permitted only one gateway, and a standalone installation was mandatory (single gateway license). Since NG, I have never heard about this type of license. But I am far from being a CCLE (Check Point Certified Licensing Expert). So, can one of you tell us whether there is a necessity of installing Standalone due to license restrictions?

Thank you in advance!

Yasushi

#2 | 2006-12-30 | chillyjim (Senior Member, Upstate NY)

Not any more. All current licenses allow a distributed install. Also, it is now strongly recommended that you do a distributed install.

#3 | 2006-12-31 | Yasushi Kono (Senior Member, Offenbach/Germany)

Hi chillyjim,

thank you for your response. Are you sure that all licenses (esp. the limited ones) permit you to install a distributed deployment?
In Germany, there is an author who writes about NG AI, and he writes in his book that all limited IP licenses force you to install standalone (which I do not believe, anyway).
I am simply the engineer who installs the firewalls for the customers or who migrates clusters from NG to NGX. I have nothing to do with licensing stuff. But, if one of the customers asks me about licensing, is your statement universally valid for sure?

Thanks again!
Kind regards,
Yasushi

#4 | 2006-12-31 | chillyjim (Senior Member, Upstate NY)

Yes I'm sure. All versions now support HA of the gateways, and that requires a distributed install.

This statement only applies to NGX. I'm 85% sure it applies to NGAI in general and 95% sure for NGAI R55.

#5 | 2007-01-01 | derspot (Member)

I am around 97 percent confused with CP licensing. So you are saying that if I buy, say, VPN-1 Power Gateway CPPWR-VPG, it means that I can install, say, a gateway and SC on separate machines. If so, under this same license, can I also install a secondary SC?

Why do they sell SmartCenters separately under the "Check Point Security Management" section then? And why do they cost over 10K?

In this case, if I buy a VPN-1 Power Gateway CPPWR-VPG for $3,000, do I also have to buy a SmartCenter license for 10K?

#6 | 2007-01-01 | chillyjim (Senior Member, Upstate NY)

Wow only 97% confused, you're doing good :)

With Power license bundles you get a SmartCenter Power and a VPN-1 Power Gateway.

The gateway supports HA (Active/Stand-by). Additional gateway licenses are required for the Stand-by unit(s).

For SmartCenter, you may also purchase an additional SmartCenter license(s) for stand-by SmartCenters.

Now let's say you want 2 (unlimited) gateways in HA and 2 SmartCenter management systems in HA, a very common configuration. You have two options. You may buy

2 CPPWR-CKP-5-U List price $24,000 each

Or you could buy 1 CPPWR-CKP-5-U and
1 CPPWR-VPG-HA-U $10,000
1 CPPWR-SC-5 $15,000 (You can usually get 20% off the SmartCenter if you talk to the Check Point rep, it's just not on the price list)

Note the $10,000 price you have listed is for a CPUTM-SC-5 and not a CPPWR-SC-5. The UTM version does not include management high availability.

The CPPWR-VPG you have listed is not a bundled license, it is only the gateway.

If you post your requirements, I'll give you some part numbers to start with, but you really need to talk to your reseller about what you need and costs. Take anything I give or anyone else here as just budgetary.

#7 | 2007-01-02 | derspot (Member)

Thanks ;)! I am now only 80% confused. These numbers are insane to me. Another ISA advantage: cheaper. You have 2 prices: 1500 for Standard Edition, 6000 USD for Enterprise Edition.

I also notice that the SecureClient / SSL Network Extender clients are licensed as well. How does the firewall distribute licenses to users: is it per user created, or is a license given to each open VPN connection?


#8 | 2007-01-02 | chillyjim (Senior Member, Upstate NY)

Quote:
Originally Posted by derspot
Thanks ;)! I am now only 80% confused. These numbers are insane to me. Another ISA advantage: cheaper. You have 2 prices: 1500 for Standard Edition, 6000 USD for Enterprise Edition.
Note that what I quoted is the price for an unlimited enterprise edition. You can get a single-site, 50 user license (CPUTM-CKP-1-50) for $3,500 list. ISA vs Check Point is another discussion, but you get what you pay for :)

Think about what you need, Check Point has a lot of options.

Quote:
I also notice that the SecureClient / SSL Network Extender clients are licensed as well. How does the firewall distribute licenses to users: is it per user created, or is a license given to each open VPN connection?
Now you really want to be confused!!

What is enforced, for SecureClient, is a count of users that logged into the policy server (SecureClient includes a firewall that receives policy from a "policy server"). I think the EULA says every client that installs SecureClient.

#9 | 2007-01-02 | RayPesek (Senior Member, Northern Ohio)

Don't forget the cost of the ISA Windows license.

ISA is not as trouble-free a setup as some people think. For one, to make everything work, you need to install their "firewall client" software on each client. That's another piece of client software you have to maintain and the user can screw with.

But it's not really a client-side firewall, it just makes ISA work right with the more complex protocols. For remote access users, you then need to throw in the costs for a real software firewall to protect your laptops (purchase/install/another vendor, etc.)

ISA does NOT support AES encryption, it only has 3DES. This is very processor intensive for both the server and the client. It does not support data compression on remote access connections, as does SecureClient. When people see slow remote connections, nobody is going to think that it was a great deal to go with a cheaper product.

I don't know why anyone needs a secondary SmartCenter unless they have a really large operation with lots of firewalls. In a distributed environment, the firewalls keep right on working for awhile (hours if not days) when the SmartCenter is down.

FWIW,

Ray

#10 | 2007-01-03 | chillyjim (Senior Member, Upstate NY)

Quote:
Originally Posted by RayPesek
I don't know why anyone needs a secondary SmartCenter unless they have a really large operation with lots of firewalls. In a distributed environment, the firewalls keep right on working for awhile (hours if not days) when the SmartCenter is down.
A lot of folks install them in DR sites. I also see people installing them if they have a lot of VPN users. I'm not sure how many of these are really needed; I can rebuild a SmartCenter from scratch if I have a backup in less than an hour (record time 32 minutes w/o log files), but I do sell a lot of them!

#11 | 2007-01-03 | RayPesek (Senior Member, Northern Ohio)

The SmartCenter is the one box I am terrified of losing. One of my precautions is to do a full image with Ghost each month prior to Patch Tuesday, burn them to a DVD and ship a copy off site. I also do regular upgrade_exports to a different physical drive.

The cost of HA is just too high for our budget and since the design lets it just run with the SmartCenter down, it's good enough for us.

Ray

#12 | 2007-01-06 | derspot (Member)

Quote:
Originally Posted by RayPesek
Don't forget the cost of the ISA Windows license.

Sure, with CP we forgot the Nokia IPSO/Devide license as well.

Quote:
ISA is not as trouble-free a setup as some people think. For one, to make everything work, you need to install their "firewall client" software on each client. That's another piece of client software you have to maintain and the user can screw with.

So the SecureClient is. However, the Firewall Client is GP deployable, so no problems. You don't need it if you don't want user auth. That is its main feature: user auth for any traffic. How exactly is this done in CP?

Quote:
But it's not really a client-side firewall, it just makes ISA work right with the more complex protocols. For remote access users, you then need to throw in the costs for a real software firewall to protect your laptops (purchase/install/another vendor, etc.)

ISA can proxy FTP, if that is what you have in mind, even without the client. It is easier with it. The Win built-in firewall pretty much does the work for controlling traffic as it relates to the client. ISA will control all VPN access as well, so WTF?

Quote:
ISA does NOT support AES encryption, it only has 3DES. This is very processor intensive for both the server and the client. It does not support data compression on remote access connections, as does SecureClient. When people see slow remote connections, nobody is going to think that it was a great deal to go with a cheaper product.

Data compression?!?! Users noticing the difference??!! I would take a look at my bandwidth before relying on software compression. Hmmm, encrypting and compressing at the client: that can pretty much compensate for saved bandwidth?!?!

Quote:
I don't know why anyone needs a secondary SmartCenter unless they have a really large operation with lots of firewalls. In a distributed environment, the firewalls keep right on working for awhile (hours if not days) when the SmartCenter is down.

Well, if you wanna spend 10K for fun.

Oh My


#13 | 2007-01-06 | chillyjim (Senior Member, Upstate NY)

Quote:
Originally Posted by derspot
Sure, with CP we forgot the Nokia IPSO/Devide license as well.
Why use Nokia/IPSO when you can use a standard server and SPLAT? No OS license, and the hardware is a wash, or even less, as you are not running a general purpose OS with a heavy GUI like you need for ISA.

Quote:
So the SecureClient is. However, the Firewall Client is GP deployable, so no problems. You don't need it if you don't want user auth. That is its main feature: user auth for any traffic. How exactly is this done in CP?
SecureClient's MSI is GPO deployable as well. IIRC the ISA agent is for internal to external traffic and not VPN, right? ISA just uses PPTP for VPN.

As for user auth on CHKP you may use an agent or a telnet/web page.

Quote:
The Win built-in firewall pretty much does the work for controlling traffic as it relates to the client.

The Windows firewall only controls inbound traffic. It does not control application or outbound traffic. Now it's very good for what you pay for it, but it's by no means Integrity/Sygate/etc.

Quote:
Data compression?!?!...
I'm mostly with you here. Given the right traffic mix it can make a big difference, but I don't see much myself. Now AES support is much more of a problem. For now most people can get away with just 3DES, but it is slower. Also, more and more companies are requiring AES as part of SOX & GLB compliance. If a company has to have a VPN to any US Gov office, they and all the VPNs to them must be AES.

Quote:
Well, if you wanna spend 10K for fun.
Everyone should!! At least if you're buying it from me :)

Seriously, ISA does have its place and it may work for your situation; if so, you should use it. Check Point's FW-1/VPN-1 is a more robust and feature-rich security platform, but if you don't need the features then you don't need them. Though at that point I think you should look at the Safe@/Edge boxes and their ilk. I think you will get a lot better performance and control for your money than you will with ISA.

JMNSHO

#14 | 2007-01-06 | RayPesek (Senior Member, Northern Ohio)

Hi derspot,

It sort of sounds like you've made up your mind to go ISA and are looking for reasons to justify your decision. Go for it. It's a pretty decent product if it does what you want it to.

Data compression is very useful on low bandwidth links. Think non-US locations where dial-up is still the primary method or think WindowsMobile devices (yes, SecureClient Mobile is available for them). Or think cellular modems in the US. We have many tablets deployed to field personnel with cell modems and the data compression makes a big difference as they replicate lots of Notes data with digital photos each day.

ISA's firewall client can be used for user auth, but the key point is that it MUST be used to handle complex protocols, whether you want to use it or not and whether you're using user auth or not. I've been using ISA for web proxying and OWA publishing since ISA 2000 SP0 and am about to go from 2004 to 2006.

The Windows Firewall is a luser but it's better than nothing. We use the desktop policy on SC to do things like prevent end users from using SMTP outbound (think virus with its own SMTP engine). We use it to craft customized rules for different groups of users. Despite what the SSL VPN vendors say, IPSec doesn't have to be a wide open path into your internal network unless you have chosen to use a system that doesn't give you any option or you configure it that way.

Don't forget about SecureClient's Visitor Mode, which tunnels IPSec over SSL for environments that only allow web browsing. There's lots of them around the world. We regularly encounter them and watch the Cisco users talking to their Help Desk while we just work with Visitor Mode.

If you're in a SarBox environment, try to figure out how you're going to prove change control with ISA. It's impossible. It doesn't log anything related to policy changes or object changes. It doesn't log anything about log reviews. You will resort to documenting everything you do in a notebook instead of relying on automated processes and then you have to convince the auditors that you really did manually log everything and you did it contemporaneously.

Good luck,

Ray

#15 | 2007-01-07 | derspot (Member)

Hi, I haven't made up my mind to go ISA; I am just trying to compare both products for the benefit of all. I do appreciate all input quite a lot. We do not live in the 80s and 90s when things were invented. Today everybody copies the others, and what you have read today might not be true tomorrow.

As a guy who worked only with ISA, learning Check Point is quite challenging to me: new terminology, new concepts, and many things don't make much sense. I am not amused by the available documentation and especially the wording. It is just not consistent. Of course MS is the leader in that, but after 3-4 years you get used to it and actually see it is positive.

The outbound-controlling firewall in the client is coming with Vista, plus what CP calls SCV.

#16 | 2007-01-07 | RayPesek (Senior Member, Northern Ohio)

Please accept my apologies for my incorrect assumption. I started with CP and added ISA 2000 for user control. If you've never used ISA 2000, you're lucky. ISA 2004 is much, much more logical. So I've felt your pain, but in reverse.

One of the big issues I have with MS and ISA is they position their security products as a "no security knowledge needed" implementation and operation. If you follow the ISA MS newsgroups, you'll know what I mean. There are lots of "I installed ISA and how do I do ..." or "I need to open these ports. I got 135 open but it still doesn't work." And we wonder why companies still get hacked. Since it's from MS, people seem to think its job is as easy as a file server and wizards are all that is needed to do something.

One of the problems I have with MS is that they eventually get there, but our needs are now. For example, we needed NAT Traversal six years ago. Until Server 2003, MS couldn't handle it, which is frankly inconceivable to me that it took that long. Yeah, the outbound firewall is coming, but once again, we implemented it six years ago as we moved to broadband access. How hard would it have been to put it into that thing they already call the "firewall client"? MS also doesn't have SSL access like Visitor Mode unless you want to buy their Whale product.

The lack of detailed logging in the 21st century is mind-boggling as well.

Ask away on the forums here. You'll find several people that can take a lot of time off your learning curve.

Ray

#17 | 2007-01-30 | derspot (Member)

Quote:
Originally Posted by RayPesek
Hi derspot,

If you're in a SarBox environment, try to figure out how you're going to prove change control with ISA. It's impossible. It doesn't log anything related to policy changes or object changes. It doesn't log anything about log reviews. You will resort to documenting everything you do in a notebook instead of relying on automated processes and then you have to convince the auditors that you really did manually log everything and you did it contemporaneously.

Good luck,

Ray

ECC Enterprise Compliance Auditing Reporting (ECAR) is the security accounting MOM 2005 based solution that automates measurable, sustainable and repeatable assessment of over 200 Microsoft ISA Server events for demonstrable compliance to Sarbanes-Oxley, FISMA, HIPAA and GLBA governance. Versions are available for each of the regulation, plus a cross regulation version covering 17 event categories. ISA Server security events are associated with specific regulation requirements and then mapped to NIST 800 series and other best practices. Over 50 customizable management reports are included. The ECAR extensible framework leverages the power of MOM and SQL Server with SQL Reporting Services.
This is not only for ISA.

http://enterprisecertified.com/ECARsox.htm

#18 | 2007-01-31 | RayPesek (Senior Member, Northern Ohio)

Thanks, I never knew about that product.

Whew, you have to buy MOM and a third-party product. I gotta wonder how Microsoft handles these concerns.

Ray

#19 | 2007-02-01 | derspot (Member)

I didn't know either that MOM can do it.

I knew you would comment on the "additional MOM cost" thing. But please don't get me started on CP prices :))

cheers

#20 | 2007-02-02 | RayPesek (Senior Member, Northern Ohio)

:-)

Still, it's nice to know the capability is available. We had to buy SmartView Reporter to create the historical long-period reports needed by our external auditor.

Ray