CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Check point Security Server vs real proxy like Bluecoat

  1. #1
    Join Date
    2011-04-29
    Posts
    2
    Rep Power
    0

    Default Check point Security Server vs real proxy like Bluecoat

    Hi everyone,

    I'm pretty new with Check Point and I would like to know what's the difference between Check Point Security Server and a real proxy like Bluecoat.

    I know that security server can perform users Authentication.


    Thanks for your answers.

    Alex

  2. #2
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    16

    Default Re: Check point Security Server vs real proxy like Bluecoat

    In the past, this feature was only able to handle around 500 connections.

    I don't know if it has been improved in R70 and above code. I haven't used it in years.

    If you need something cost effective, then use Squid on CentOS, or your favorite flavor of Linux.
    You can even get commercial URL filtering for squid.

  3. #3
    Join Date
    2011-04-29
    Posts
    2
    Rep Power
    0

    Default Re: Check point Security Server vs real proxy like Bluecoat

    Thank you alienbaby,

    Your reply is clear.


    Alex.

  4. #4
    Join Date
    2014-02-28
    Posts
    27
    Rep Power
    0

    Default Re: Check point Security Server vs real proxy like Bluecoat

    Recently I was digging into a BlueCoat ProxySG / ProxyAV setup for ICAP and noticed some things that had room for improvement. Not a major overhaul, but some things that were missed from the best practices guide that just so happened to be causing a bit of an issue. Below is part of the small case study I completed to explain the options and differences between them, as well as my recommendations to management on how to proceed. - See more at: http://www.curiousecurity.com/blog/b....8FluIt7u.dpuf

  5. #5
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    16

    Default Re: Check point Security Server vs real proxy like Bluecoat

    If you need to do a good job on content security, a dedicated proxy will always beat the stuff-everything-in-one-box products like Check Point. By good job I mean things like:

    • Fast MITM SSL decryption and other SSL certificate validation mechanisms
    • Integration with various authentication systems like AD
    • Solid, detailed reporting and alerting
    • Extremely rapid dynamic URL classification
    • Continuous real-time category updates


    Websense's Web Content Gateway/Web Security appliance does all of the above. NOTE: If someone says they use "Websense", the devil really is in the details. That's like saying you drive a GM product without specifying whether it's a subcompact, a semi truck or a train engine.

    Websense has a ton of products and "integrations" where they tie to ASA firewalls, Windows servers, Linux servers, Citrix Xen, TMG systems, etc. Only their appliance provides all of the above capabilities. Interestingly, in their most current version v7.8.2 they totally dropped integration with Check Point. Recent previous versions only worked with something like R65 and earlier anyway so you can see there was no great clamoring from Check Point customers.

    They have special categories for things like Malicious Websites, Bot Networks, Embedded iFrames, Malicious Links, Newly Registered Websites and Dynamic DNS websites as well as all of the usual content classifications. When you submit a site to them for classification or reclassification, it's in effect within one day for all of their customers.

    When you tie in the Websense DLP system you can write one DLP rule and tie it to email, web browsing and the optional endpoint agents. For instance, companies have lost data via encrypted file uploads. Their DLP system has a rich selection of Content Classifiers that not only look inside a file but can tell what its format is. There's about a dozen different file types for encrypted files. You can set a Block rule to stop all uploads of encrypted files and allow exceptions as needed to business purposes.

    It all depends on your needs. If you just want to keep people off game and whatever sites, a cheap one requiring a ton of manual work might work. If your company handles sensitive customer or intellectual property data, you need a product where content security is their business, not a bolt-on.

    Ray

  6. #6
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,499
    Rep Power
    18

    Default Re: Check point Security Server vs real proxy like Bluecoat

    I would argue you also get all of what you described in the current version of Check Point for a much lower pricepoint.
    It comes down to the specific use case, of course.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  7. #7
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    16

    Default Re: Check point Security Server vs real proxy like Bluecoat

    Originally posted by PhoneBoy:
    > I would argue you also get all of what you described in the current version of Check Point for a much lower pricepoint.
    > It comes down to the specific use case, of course.

    And I would be very disappointed if you didn't. :-)

    Unfortunately your use of the word "current" best describes our use case. It came down to a number of things:

    • Check Point was five years late to the SSL decryption game. Actually you were first over a decade ago via that add-in card (later bought by nCipher?) but when it got discontinued by the vendor, Check Point just let it drop. That probably speaks more to the sales of the card at that time. But it still took too many years for the capability to be added back in. By the time it came back we had moved on.
    • When we were looking at Endpoint/DLP, we discussed the Check Point offering with our sales guy in depth. Almost everything we were looking for, except for the PointSec capabilities, was still on a roadmap somewhere. Or the feature would be in the next release, and we all know how the vaporware game is played. Late to the game again.
    • When we were looking for a web app firewall, we saw the manual for ASG-1, the new Application Security Gateway product. But it never materialized as a separate product and it took several years before its capabilities started to show up in the product. Late to the game again.
    • All one has to do is read the official Check Point forums to see the complaints on the performance hits on the URL and filtering products. It's enough to give pause to anyone considering using them. Let's not even mention the recent IPS issue for how performance is severely degraded if you use any IPS profile other than "Default."
    • The new, improved R77.10 Gaia was supposed to dramatically reduce the number of reboots needed when a patch is applied. So the first one that comes out is for nested LDAP folders not working. The release notes say a reboot is required. The second one to come out is for debug in CoreXL not working correctly. When you apply that one, it forces a reboot and you can't stop it.
    • And then there is the total cost of ownership issue. Again. "Congratulations on buying our new firewall! Oh, you want us to provide support in the first year? That's not included. Oh, you want software updates including security updates in the first year? That's not included." The two year cost of maintenance for a new open server license we had quoted this week came to just about 100% of the initial license cost. And the only optional add-in we requested was IPS.

    And the latest? "Oh. You want people to actually be able to use your new optional URL-filtering proxy that's built into the firewall when using a VPN? Oops. That kind of doesn't work. Sorry."

    Seriously? And ever since R75.40? See sk93929. What's the resolution? This: This feature (passing traffic over an IPSec VPN tunnel with Security Gateway that is defined as Proxy) is not included in the product. If you need it, submit a Request for Enhancement. OMG, this would have broken every branch office we have if we had chosen Check Point as our proxy/URL filtering product.

    Rebooting a perimeter firewall is a big deal to me. Having to perform needless reboots because a product unrelated to the firewall's primary mission needs patching causes me more than a little philosophical heartburn.

    We usually look at Check Point first because we already have a long-term relationship and integration is good. But we need optimum performance and capability with a minimum of service disruption and not at too high a premium price. We're usually able to accomplish that when we need to do it but sadly not with Check Point products. Check Point used to be the leader. They're not even a fast follower anymore.

    Check Point is/was using their existing customer base as a cash cow and the cow is getting thinner and thinner. I haven't read your SEC filings in a few years but the percentage of revenue garnered at that time from support contracts confirmed the cash cow statement. When you see competitors bragging that their founders were "former Check Point employees" it begs the question of what is so bad about the corporate culture that employees can no longer be successful but can excel by striking out on their own in the same field and competing with the company where they learned their trade.

    And yes, I'll say this again for the ten-hundredth time: We're the customer, not our CSP. Why do we have to open a support case with them just to read SK articles? NO OTHER VENDOR DOES THIS. Not even Cisco. We're the one paying the bills, not the CSP. This is another example of Check Point treating the paying customers as second-class citizens. This causes us delays and raises our CSP's cost of doing business. To add insult to injury, the SK article says I need to log in to read an article. And when I do, it says "Sorry for wasting more of your time. You're paying us tens of thousands of dollars each year but you're not allowed to read this."

    I've purchased and managed Check Point products since last century but it gets harder and harder each year to justify to myself why I don't move on. And that is very sad.

    Time to go take a blood pressure pill. :-)

    Ray

  8. #8
    Join Date
    2006-04-27
    Location
    Twillight zone
    Posts
    1,010
    Rep Power
    16

    Default Re: Check point Security Server vs real proxy like Bluecoat

    Not that helpful and detailed response but....
    Difference is astronomical. As a proxy device CP has nothing on Bluecoat, not by a light year.

    So if you are thinking of moving from BC to CP:

    Short answer: No
    Long answer: Just no

  9. #9
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    16

    Default Re: Check point Security Server vs real proxy like Bluecoat

    And to further expand on my displeasure, today there is a security alert sitting in my Inbox for some HTTP protections not working. It is a "high" rating, meaning we must apply it. Guess what step 6 is?

    "Reboot the machine."

    Check Point is now 3 for 3.

  10. #10
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,499
    Rep Power
    18

    Default Re: Check point Security Server vs real proxy like Bluecoat

    Well then, I guess it doesn't fit your use case, Ray :)
    I know there are improvements planned to the proxy functionality in the near future but I can't say if it will provide exactly what you need.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  11. #11
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    16

    Default Re: Check point Security Server vs real proxy like Bluecoat

    Whew, good, you understood. I thought maybe I was being too subtle again. :-)

    Ray

  12. #12
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,499
    Rep Power
    18

    Default Re: Check point Security Server vs real proxy like Bluecoat

    You, being too subtle? Nah :)
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
