CPUG: The Check Point User Group


Thread: Replacing Bluecoat with Check Point

  1. #1
    Join Date
    2006-04-19
    Location
    London
    Posts
    14
    Rep Power
    0

    Default Replacing Bluecoat with Check Point

    Hi all

    I have a customer who is looking to replace his Bluecoat Proxies with Check Point appliances running the App Control and URLF blades. Does anyone have any experience or advice they could share on achieving this? Is there anything we should watch out for, and is this even a good idea?

    Many thanks!

  2. #2
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    191
    Rep Power
    5

    Default Re: Replacing Bluecoat with Check Point

    Check Point's URL Filtering and Application Control Functions are not as powerful as those of specialized manufacturers such as Bluecoat or McAfee Webgateway (amongst others).
    The Check Point Solution should be considered for small and medium environments, where budget is low.
    For Enterprise Environments, I strongly recommend that you distribute tasks to individual components, meaning firewalling, VPN, QoS, IPS and Antibot to the Check Point Firewall; Webtraffic, including URL Filtering and Application Control, to dedicated Proxy Solutions; and traffic distribution to dedicated Load-balancers.
    Application Control on the firewall might be an option for all non-Web-based traffic.
    HTH

  3. #3
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    903
    Rep Power
    12

    Default Re: Replacing Bluecoat with Check Point

    I have to disagree with the previous comment.

    We do have enterprise customers who have successfully replaced BlueCoat with CheckPoint Application Control. It is not about being "powerful", but more about Check Point categories are not 1 to 1 replaceable with BlueCoat, and some creative work is required to make the new policy.

    However, once this work is done and validated in accordance with security requirements, it works just fine. We have migrated more than 10 customers this way during the last 5 years.

    One of my customers is a huge multinational, quite happy with Application Control replacement. Others are smaller, but do not qualify as "small and medium business", being banks and government organisations.

    I do agree that a distributed environment is a must for an enterprise, but that does not mean one needs to invest into multiple niche vendors while integrated and consolidated solutions are available.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  4. #4
    Join Date
    2007-06-04
    Posts
    3,216
    Rep Power
    15

    Default Re: Replacing Bluecoat with Check Point

    Quote Originally Posted by varera View Post
    I have to disagree with the previous comment.

    We do have enterprise customers who have successfully replaced BlueCoat with CheckPoint Application Control. It is not about being "powerful", but more about Check Point categories are not 1 to 1 replaceable with BlueCoat, and some creative work is required to make the new policy.

    However, once this work is done and validated in accordance with security requirements, it works just fine. We have migrated more than 10 customers this way during the last 5 years.

    One of my customers is a huge multinational, quite happy with Application Control replacement. Others are smaller, but do not qualify as "small and medium business", being banks and government organisations.

    I do agree that a distributed environment is a must for an enterprise, but that does not mean one needs to invest into multiple niche vendors while integrated and consolidated solutions are available.
    This is very true. Biggest issue I see when coming from a Proxy Solution such as Bluecoat or Websense is that the Customer tries to replicate "as is" into the Check Point.

    1.) Check Point AppCtrl/URL is NOT a Proxy - I really hate that decision to include that HTTP/HTTPS Proxy option.
    2.) AppCtrl is not just HTTP/HTTPS traffic but ALL traffic goes through the Blade
    3.) Check Point doesn't work in the same way as more traditional vendors in that instead of blocking by default it permits by default, so what you need is a different approach.
    4.) Identity Awareness is not the same as how proxies tend to gather User Identity.

    Are the main things that have to get across to Customers when they look to implement this.

  5. #5
    Join Date
    2006-09-26
    Posts
    2,933
    Rep Power
    13

    Default Re: Replacing Bluecoat with Check Point

    Quote Originally Posted by varera View Post
    I have to disagree with the previous comment.

    We do have enterprise customers who have successfully replaced BlueCoat with CheckPoint Application Control. It is not about being "powerful", but more about Check Point categories are not 1 to 1 replaceable with BlueCoat, and some creative work is required to make the new policy.

    However, once this work is done and validated in accordance with security requirements, it works just fine. We have migrated more than 10 customers this way during the last 5 years.

    One of my customers is a huge multinational, quite happy with Application Control replacement. Others are smaller, but do not qualify as "small and medium business", being banks and government organisations.

    I do agree that a distributed environment is a must for an enterprise, but that does not mean one needs to invest into multiple niche vendors while integrated and consolidated solutions are available.
    I have to respectfully disagree here

    1- Having everything in Checkpoint is like shopping at Walmart. Walmart has just about everything you are looking for but not every product is very good. The one thing that Checkpoint is good at is the Firewall piece. Let's say you need VPN and you need to tunnel multicast traffic over the VPN tunnel: can you do that with Checkpoint, probably yes, but can Checkpoint do it well, definitely not. Can Checkpoint do IGP and BGP routing, it can, but can it do a better job than Cisco, definitely not. When it comes to support, you have to go through layers of support at Checkpoint to find the right support, whereas because other vendors only specialize in that space, you get faster support that way.

    2- Application firewalls. Again, can Checkpoint do this, probably, can it do a better job than Imperva, I don't think so.

    3- IPS: Checkpoint can probably do a decent job but it definitely cannot beat other specialized vendors out there.

    It is like bringing a Toyota Camry to a race where everyone drives a Porsche.

    My 2c

  6. #6
    Join Date
    2006-04-19
    Location
    London
    Posts
    14
    Rep Power
    0

    Default Re: Replacing Bluecoat with Check Point

    Quote Originally Posted by mcnallym View Post
    4.) Identity Awareness is not the same as how proxies tend to gather User Identity.

    Are the main things that have to get across to Customers when they look to implement this.
    This is indeed where my main concern sits. How well suited is IA to this? Bluecoat can transparently force authentication where needed but I'm not sure IA can without using the UserCheck agent or Captive Portal, neither of which the customer is interested in using.

    Another question is how does Check Point handle situations where multiple APPCtrl/URLF rules apply to the same traffic? Does it apply the most/least restrictive, the first one hit, or does it aggregate them somehow?

  7. #7
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    903
    Rep Power
    12

    Default Re: Replacing Bluecoat with Check Point

    Quote Originally Posted by hodgsonk View Post
    This is indeed where my main concern sits. How well suited is IA to this? Bluecoat can transparently force authentication where needed but I'm not sure IA can without using the UserCheck agent or Captive Portal, neither of which the customer is interested in using.

    Another question is how does Check Point handle situations where multiple APPCtrl/URLF rules apply to the same traffic? Does it apply the most/least restrictive, the first one hit, or does it aggregate them somehow?
    Transparent Kerberos browser based auth is part of IA. The limitation is about HTTPS though. If the first connection is HTTPS and HTTP, redirection to Kerberos transparent page will not work. For the second question, I do not understand the concern. Multiple URLs mean multiple TCP sessions, each of those will be accepted or dropped in correlation with the particular application or category you allow or deny. Did I miss a point here?
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  8. #8
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    903
    Rep Power
    12

    Default Re: Replacing Bluecoat with Check Point

    Quote Originally Posted by cciesec2006 View Post
    I have to respectfully disagree here

    My 2c
    It is your opinion, and I respect that. I also have mine, backed up by decades of experience in this field. In this particular case, multiple customers are abandoning BlueCoat towards other security solutions. The current trend is to consolidate, not diversify, those. Some go not only with Check Point, but also with Forti, PAN and even Cisco.

    However, this is off-topic. TS is asking about experience with moving from BC to Check Point AC. As said above, we have multiple customers who've done that, with a certain degree of success. None of them returned to BC or another proxy solution. All of them were facing some challenges and limitations that are also mentioned above. With a certain degree of effort, none of those was a showstopper.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  9. #9
    Join Date
    2006-04-19
    Location
    London
    Posts
    14
    Rep Power
    0

    Default Re: Replacing Bluecoat with Check Point

    Quote Originally Posted by varera View Post
    Transparent Kerberos browser based auth is part of IA. The limitation is about HTTPS though. If the first connection is HTTPS and HTTP, redirection to Kerberos transparent page will not work. For the second question, I do not understand the concern. Multiple URLs mean multiple TCP sessions, each of those will be accepted or dropped in correlation with the particular application or category you allow or deny. Did I miss a point here?
    So as an example, user Bob tries to go to Facebook. Policy rule 1 says nobody can access Facebook, but policy rule 10 says members of AD group HR can access Facebook and Bob is a member of that AD Group. How is the policy evaluated, top down like the firewall policy? Which rule would apply to Bob in this scenario?

  10. #10
    Join Date
    2014-09-23
    Location
    Austin, TX
    Posts
    136
    Rep Power
    3

    Default Re: Replacing Bluecoat with Check Point

    Quote Originally Posted by hodgsonk View Post
    So as an example, user Bob tries to go to Facebook. Policy rule 1 says nobody can access Facebook, but policy rule 10 says members of AD group HR can access Facebook and Bob is a member of that AD Group. How is the policy evaluated, top down like the firewall policy? Which rule would apply to Bob in this scenario?
    The App Control & URL Filtering blades evaluate traffic differently than the firewall blade (top down as you said), so in the example you have given you are essentially using both the whitelist and blacklist methods in enforcing application control policy. Blacklisting is the most common configuration approach because it is easier to manage. Bob would be able to access Facebook since he is a member of the HR group.

  11. #11
    Join Date
    2006-04-19
    Location
    London
    Posts
    14
    Rep Power
    0

    Default Re: Replacing Bluecoat with Check Point

    Thanks for all the input on this folks, you've all been very helpful.

  12. #12
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    903
    Rep Power
    12

    Default Re: Replacing Bluecoat with Check Point

    In addition to Cory's comment, accept rule should be upper still, with blacklist approach :-)
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  13. #13
    Join Date
    2007-06-04
    Posts
    3,216
    Rep Power
    15

    Default Re: Replacing Bluecoat with Check Point

    Quote Originally Posted by hodgsonk View Post
    So as an example, user Bob tries to go to Facebook. Policy rule 1 says nobody can access Facebook, but policy rule 10 says members of AD group HR can access Facebook and Bob is a member of that AD Group. How is the policy evaluated, top down like the firewall policy? Which rule would apply to Bob in this scenario?
    If Rule 1 says no-one can access facebook then rule 10 says AD Group HR can then No-One will get access to Facebook, as traffic would match Rule 1 First

    Source = Any - Would Match that as Bob would indeed be Any
    Dest = Internet - Destination would be on the Internet so would match
    App = Facebook - Would be Facebook so would
    Action = Block - Would drop the traffic, display block page etc

    Has matched a rule so would therefore drop out of the AppCtrl/URL policy

    What you would need to do is

    Rule 1 = Src = Access Role mapped to AD Group HR, Dest = Internet, Apps/Site = Facebook, Action = Accept
    Rule 2 = Src = Any, Dest = Internet, Apps/Site = Facebook, Action = Block

    This way Bob ( or anyone else matching the Access Role ) would be able to access Facebook but everyone else would get blocked. Rulebase order same as in the Firewall Blade is key to achieving what you want.

    What I suggest people do is have an Access Role to grant access to a Resource/Common Resources, then create a rule that allows that Access Role to use that Resource/Common Resources, then beneath that then have a rule that denies everyone access to the

    As such your AppCtrl Policy looks like

    1.) Section of Black Listed Apps/Sites that NOBODY should access
    2.) Section of Conditional Access to Sites where you use paired rules, 1st Rule giving the Access Role access to resources, 2nd Rule blocking access for anyone else to that resource
    3.) Catch All permit at the bottom

    So unless you say Do Not give access to someone then you will get access, which is a very different approach to traditional vendors.

    To give someone access to the resources then simply make them a member of the appropriate AD Group which will then make them part of the Access Role next time the Login Event is seen for the user. No need for a Policy Installation either.
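
The first-match evaluation and paired-rule layout described in post #13, as an added example that is not part of the original thread and is not Check Point code. It is a toy model: the rule fields, the `shadowed` check and the "Wikipedia" test site are assumptions made for illustration, and the check flags the migration hazard from the Bob/HR question, where a narrower Accept sits below a broader Block.

```python
# Added illustration: a toy first-match rulebase, not Check Point code.
from dataclasses import dataclass

ANY = "Any"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # "Any" or an Access Role name
    app: str     # "Any" or an application/site name
    action: str  # "Accept" or "Block"

def covers(broad, narrow):
    """True when everything matched by `narrow` is also matched by `broad`."""
    return broad == ANY or broad == narrow

def evaluate(rulebase, user_roles, app):
    """Return (rule name, action) of the first matching rule, top down."""
    for rule in rulebase:
        src_ok = rule.src == ANY or rule.src in user_roles
        app_ok = rule.app == ANY or rule.app == app
        if src_ok and app_ok:
            return rule.name, rule.action
    return None, None  # no rule matched; the toy model takes no default

def shadowed(rulebase):
    """List (rule, earlier rule) pairs where the later rule can never fire
    because an earlier rule with a different action covers all its traffic."""
    found = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if (covers(earlier.src, later.src) and covers(earlier.app, later.app)
                    and earlier.action != later.action):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed rulebases: the order from the question, then the paired order.
AS_ASKED = [Rule("1", ANY, "Facebook", "Block"),
            Rule("10", "HR", "Facebook", "Accept"),
            Rule("catch-all", ANY, ANY, "Accept")]
PAIRED = [Rule("1", "HR", "Facebook", "Accept"),
          Rule("2", ANY, "Facebook", "Block"),
          Rule("catch-all", ANY, ANY, "Accept")]

if __name__ == "__main__":
    print(evaluate(AS_ASKED, {"HR"}, "Facebook"), shadowed(AS_ASKED))
    print(evaluate(PAIRED, {"HR"}, "Facebook"), shadowed(PAIRED))
```

Running a check like `shadowed` over a rulebase translated from a proxy policy surfaces exceptions that were placed below the general block and would silently never match.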
