CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



 


Thread: OSE with Cisco routers

  1. #1
    Join Date
    2007-08-03
    Posts
    6
    Rep Power
    0

    OSE with Cisco routers

    I cannot seem to find much on the Check Point website, but can Check Point be used to control ACLs on Cisco routers?
    If so, how effective is it?

  2. #2
    Join Date
    2006-09-26
    Posts
    3,193
    Rep Power
    16

    Re: OSE with Cisco routers

    You really want to do this? It's like putting a Yugo engine into
    an Acura NSX race car.

  3. #3
    Join Date
    2006-01-25
    Location
    Americas
    Posts
    1,535
    Rep Power
    15

    Re: OSE with Cisco routers

    Centralized management. Need I say more?

  4. #4
    Join Date
    2007-08-03
    Posts
    6
    Rep Power
    0

    Re: OSE with Cisco routers

    I am looking at many options, but as melipla says it is an option to keep security policies in sync.
    Anyway, why would the method of ACL deployment affect performance? Surely it's just about the number of ACLs?

  5. #5
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    16

    Re: OSE with Cisco routers

    It doesn't affect performance. I have to assume the Yugo here is the router and not the Check Point.

    As for the question, it works within its limitations. VMS, or whatever it's called now, is probably a little more flexible, but unless Cisco has changed it, it tends to write ACLs that no one can understand.

    I at one point had a customer with a Management Module (predecessor to SmartCenter) who was running nothing but OSEs to manage several hundreds of routers and PIXen. The PIX/ASA isn't supported any more, though.

  6. #6
    Join Date
    2006-09-26
    Posts
    3,193
    Rep Power
    16

    Re: OSE with Cisco routers

    Cisco VMS (VPN Management Server) is a piece of sh_t. Cisco has re-branded a new product called Cisco Security Manager (CSM), which is an enhanced product of VMS. CSM is another piece of sh_t.

    The point I am trying to make here is that Check Point SmartCenter or CMA is designed to manage Check Point products (InterSpect, Firewall, Connectra, etc...). Check Point SmartCenter or CMA is NOT designed to manage Cisco PIX/ASA or IOS routers. Cisco and Check Point are competitors, and Check Point will NOT design a product to help Cisco manage its security devices, and vice versa. Check Point is a security company while Cisco is NOT. There will always be a "lag" for SmartCenter or CMAs to support the latest revision of either IOS or PIX/ASA code. Last but not least, use it at your own risk.

    If I have to pick a product to manage Cisco security devices, Solsoft seems to be the best product out there at this time. Solsoft still sucks, but it is better than both VMS and CSM combined.

  7. #7
    Join Date
    2007-08-03
    Posts
    6
    Rep Power
    0

    Re: OSE with Cisco routers

    Thanks for the advice on Solsoft, I will take a look.

    But whilst I agree Cisco will never help with Check Point, the other way round is always a possibility.

    Check Point are a software company and do not deal in routing and layer 3.
    The software uses the underlying operating system, whether it be Linux, Nokia or Windows.
    So they are not in competition with Cisco for routing and realise a large proportion of their client base use Cisco routers.

    So although for us the first answer is to look at Cisco products for ACLs, Check Point is still worth a look.
    Being able to apply policies from the same security interface and even review logs through the Tracker may be of some benefit.

    I take the point about the lag in the latest code revisions, but this would probably be the case for any vendor other than Cisco.

    Also, in a large-scale environment turnaround in upgrading IOS is not fast, and generally there is a delay anyway with product revision testing and waiting for any bugs/flaws to be spotted and fixed first.

  8. #8
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    16

    Re: OSE with Cisco routers

    H*ll Cisco's management lags its IOS :)

    OSE is a solution, though there are likely better ones out there.
    I don't see a lot of OSE in the field, so I would doubt there is a lot of development effort on it.

    As for logs, SmartCenter can take in SYSLOG and Eventia can even alert on Cisco events.

  9. #9
    Join Date
    2007-05-01
    Location
    Winnipeg, Canada
    Posts
    11
    Rep Power
    0

    Re: OSE with Cisco routers

    I am 100% in agreement with "CSM is a piece of sh!t". Total waste of time, effort, server resources and capital. Anyway... with that off my chest...

    How does one go about integrating syslog messages from Cisco ASAs into SmartCenter? I have been looking for a "Check Point Tracker"-style log solution for ASAs for years. (So I know about every open-source and commercial syslog package out there, so I don't need suggestions there, thnx.)

    I would like to set up some sort of secure session between ASA and SmartCenter. I know ASA sends syslog events using native UDP, which is unreliable delivery. One of my requirements for a logging solution is to use TLS for encryption in addition to TCP's reliable delivery of syslog messages. I understand ASA will support logging over TLS.

    Has anybody attempted this or is using this setup now? I have not found too much on Check Point's site regarding integrating ASAs.

  10. #10
    Join Date
    2007-06-04
    Posts
    3,301
    Rep Power
    17

    Re: OSE with Cisco routers

    The only thing I have found regarding accepting logging from ASA is that the Log Server part of the CMA/SmartCenter can accept syslog messages.

    It is found under Additional Logging and is a check box. I haven't performed the task myself; however, you should then just need to point the ASA at the SmartCenter/CMA.

    However, if I understand correctly, this is just listening on the standard UDP port for syslog; it doesn't establish a secure connection in the same manner as a Check Point Gateway to SmartCenter connection is established.

  11. #11
    Join Date
    2007-05-01
    Location
    Winnipeg, Canada
    Posts
    11
    Rep Power
    0

    Re: OSE with Cisco routers

    This has got to be the easiest thing ever. I was working with a proof-of-concept server running R71.30 and it just worked. I couldn't get anything working in R65, though.

    I even have "logging device hostname" set in the ASAs, which usually breaks most syslog parsers. But Check Point is still able to parse the log and provide the proper columnar rows in Tracker for filtering.
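As an added illustration of what posts #10 and #11 describe (ASA syslog arriving at a log server over plain UDP, with or without the "logging device hostname" prefix that trips up many parsers), here is a small parser that handles both line shapes, checks the PRI against the severity in the %ASA tag, and picks out denied connections. This is example code written for this page, not code from the thread or from Check Point; the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (not from the thread) in the shapes an ASA emits over UDP: with a device-id
# hostname (hostname then " : "), with a timestamp but no hostname (bare " : "), with neither, and one
# non-ASA line that a shared syslog collector would also receive.
SAMPLE_LINES = [
    "<166>Aug 23 2011 14:45:01 asa-edge : %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.1.10/51234 (198.51.100.2/51234)",
    "<163>Aug 23 2011 14:46:10 : %ASA-3-710003: TCP access denied by ACL from 198.51.100.9/1234 to outside:203.0.113.1/22",
    '<164>%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:192.168.1.20/22 by access-group "outside_in" [0x0, 0x0]',
    "<134>Aug 23 2011 14:47:00 some-linux-host sshd[1234]: Accepted publickey for ops",
]

ASA_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?\s*"                                            # syslog PRI
    r"(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?\s+\d\d:\d\d:\d\d)\s+)?"  # optional timestamp
    r"(?:(?P<host>[\w.-]+)\s+)?"                                              # optional device-id hostname
    r"(?::\s+)?"                                                              # " : " separator
    r"%(?:ASA|PIX)-(?P<sev>\d)-(?P<msgid>\d{6}):\s+(?P<text>.*)$"
)

@dataclass
class AsaEvent:
    facility: Optional[int]     # from <pri>, None when the line carried no PRI
    pri_severity: Optional[int]
    timestamp: Optional[str]
    device_id: Optional[str]    # hostname prefix, if the ASA was configured to send one
    severity: int               # severity digit inside %ASA-<sev>-<id>
    msg_id: str
    text: str

    def severity_mismatch(self) -> bool:
        # PRI severity disagreeing with the %ASA tag usually means a relay rewrote the priority
        return self.pri_severity is not None and self.pri_severity != self.severity

def parse_asa_syslog(line: str) -> Optional[AsaEvent]:
    """Parse one raw syslog line; None for lines that are not ASA/PIX events."""
    m = ASA_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"]) if m["pri"] is not None else None
    return AsaEvent(facility=None if pri is None else pri // 8,
                    pri_severity=None if pri is None else pri % 8,
                    timestamp=m["ts"], device_id=m["host"],
                    severity=int(m["sev"]), msg_id=m["msgid"], text=m["text"])

def deny_events(lines):
    """Events whose text records a denied connection (the ACL hits worth alerting on)."""
    return [ev for ev in map(parse_asa_syslog, lines)
            if ev and (ev.text.startswith("Deny") or "access denied" in ev.text)]
```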
