   Book Info


Essential Check Point FireWall-1 NG: An Installation, Configuration, and Troubleshooting Guide  
Author: Dameon D. Welch-Abernathy
ISBN: 0321180615
Format: Handover
Publish Date: June, 2005
 
     
     
   Book Review


There are open-source firewalls, and there are commercial firewalls that are easier to configure. No software firewall, however, has the reputation for impermeability that Check Point FireWall-1 NG has. Essential Check Point FireWall-1 NG exists to serve the network administrator as a manual and ready reference for the defensive utility. It's a sensitive role, because a poorly administered firewall can be worse than no firewall at all. Dameon Welch-Abernathy provides his readers with the knowledge they need--in the form of both instructions and raw information--to install, set up, and administer FireWall-1 NG properly in a variety of configurations.

A word of warning: This book provides detailed installation instructions for Microsoft Windows 2000 only. Though other supported operating systems get some coverage, only for Windows does the author walk you through the complete set of installation screens. This may or may not be a problem for you. With installation out of the way, the book treats configuration in an approximately platform-neutral fashion (though all screen shots are from Windows 2000). Typically, Welch-Abernathy opens a section with some theoretical information (about authentication, say, or firewalling in VPNs), then provides a relevant stepped procedure for a typical scenario, then goes through a very useful series of questions and answers (which are indexed separately--a helpful feature). It's a good approach that helps guarantee the reader gets the required information. --David Wall

Topics covered: How to knowledgeably and effectively support Check Point FireWall-1 NG. In addition to basic firewall functionality and rule-setting, the author covers Virtual Private Network (VPN) setups, alternative forms of user authentication, Network Address Translation (NAT), and reliability issues. Special chapters cover the INSPECT and SecuRemote/SecureClient utilities.

From Book News, Inc.
Updating his earlier Essential Check Point FireWall-1, the author covers the "essential" features of the new version of the computer security software. Often including step-by-step configuration examples (with screenshots), he describes the steps necessary to go from installation of network firewalls to maintenance and troubleshooting. Chapters cover such topics as building the security policy, remote management, user authentication, content security, site-to-site virtual private networks (VPNs), the establishment of client-to-site VPNs, and the role of state synchronization in highly available firewalls. Copyright © 2004 Book News, Inc., Portland, OR

From the Back Cover
"When it comes to security products and technologies, experience is far and away the best teacher. PhoneBoy has been installing, running, and supporting Check Point FireWall-1 for years, and his experience shows in this book. Save yourself the pain of learning from your own mistakes--let PhoneBoy show you the right way to manage your FireWall-1 NG infrastructure."
--Tina Bird, Computer Security Officer, Stanford University

"Dameon has taken his original definitive guide and updated it thoroughly for NG. No other book is informed by his depth of experience with Check Point. Accept no substitutes!"
--Matthew Gast, author of 802.11 Wireless Networks: The Definitive Guide

"PhoneBoy is the de facto expert on this product, and people have been clamoring for an NG book from him since he published the first one. No one can compete with him."
--Valerie M. Leveille, Professional Educator

"Dameon is the foremost authority on FireWall-1. He has the knowledge to give details of FireWall-1 functionality that no other reference on this topic can."
--Paul Keser, Senior Network Security Engineer, Raytheon ITSS/NASA Ames Research Center

"This book is the Swiss army knife solution for Check Point FireWall-1 NG."
--Thomas Warfield, TNT-OK.com

Now there's a definitive insider's guide to planning, installing, configuring, and maintaining the newest version of the world's #1 firewall: Check Point™ FireWall-1® Next Generation™. Leading Check Point support authority Dameon Welch-Abernathy (a.k.a. PhoneBoy) offers exclusive hands-on tips, techniques, checklists, and detailed sample configurations you can use right now to improve reliability, efficiency, and manageability in your Check Point environment.

The author's previous Check Point FireWall-1 guide became an instant bestseller, earning the praise of security professionals worldwide. This new book has been thoroughly revamped to reflect Check Point FireWall-1 NG's powerful new features, and it includes even more expert solutions from PhoneBoy's FireWall-1 FAQ, the Web's #1 independent Check Point support site. Whether you're a security/network architect, administrator, or manager, you'll find it indispensable.

Whether you're running FireWall-1 NG on UNIX or Windows platforms, this book brings together expert guidance for virtually every challenge you'll face: building your rulebase, logging and alerting, remote management, user authentication, inbound/outbound content restriction, managing NAT environments, building site-to-site VPNs with SecuRemote, even INSPECT programming. Welch-Abernathy also covers high availability in detail, identifying proven solutions for the challenges of implementing multiple firewalls in parallel.


About the Author

Dameon D. Welch-Abernathy, a.k.a. "PhoneBoy," has been supporting, deploying, and teaching Check Point™ FireWall-1® since 1996. He has assisted and instructed thousands of network professionals and currently maintains the largest industry FAQ site on FireWall-1® NG at http://blog.phoneboy.com/. Dameon works for Product Line Support at Nokia.


Excerpt. © Reprinted by permission. All rights reserved.

Every book should have some introductory text that explains it. This book is no exception. After reading this preface, you should know the following:

How this book came to be
What this book is and what it's not
What typographical conventions are used in this book
Some of the people who made this book possible

How This Book Came to Be

After spending two years on the first edition of this book, I was relieved to finally have the book done. However, Check Point played a cruel trick on me and released FireWall-1 NG around the same time that my book came out in October 2001. That book was mostly on FireWall-1 4.1, so my book was already obsolete! People kept asking me, "So when are you going to update your book for NG?"

Another thing happened right around that time: My wife and I decided to move to the Seattle area from Spokane and build a new house. We had to live in a much smaller apartment for several months until the house was completed.

After moving twice and finally finding the motivation to do this again, I began the task of turning Essential Check Point FireWall-1 into Essential Check Point FireWall-1 NG in July 2002. Unlike the last attempt at this, I knew this was going to be a solo project. This didn't bother me. After all, I did it once.

What This Book Is and Is Not

What you are holding in your hands now is a book about Check Point FireWall-1 NG. It covers the essentials of the product. Each chapter discusses a major feature of the product or a specific topic that will help you plan for or maintain your FireWall-1 NG installation. You get step-by-step configuration instructions for many features in FireWall-1 complete with screenshots and several sample configurations you can try. The book also includes lots of information from my FireWall-1 Frequently Asked Questions (FAQs) on http://www.phoneboy.com.

Not every feature of FireWall-1 is covered in this text. The "essential" features I have chosen to cover are based on my experience as someone who has supported this product since 1996. Other peripheral topics, like encryption and network security, are covered briefly as they relate to FireWall-1 but are not covered in great detail. I feel that other authors do a better job of covering these topics--some examples are provided in Appendix H.

A summary of the chapters in this book follows. Note that where sample configurations are said to exist in a chapter, it means there are step-by-step examples you can follow to set up your own equipment, provided you have it.

Chapter 1, Introduction to Firewalls, briefly discusses firewalls in general, the different technologies used in today's firewalls, and how they are used in FireWall-1.

Chapter 2, Planning Your Firewall-1 Installation, talks about the issues that should be considered prior to installing a firewall, such as understanding your current network topology, establishing a formalized security policy, and reviewing the various types of licenses that exist in FireWall-1.

Chapter 3, Installing FireWall-1, walks you through the initial configuration of FireWall-1 when it is loaded for the first time. This chapter also covers the basics of preparing your system for a firewall installation.

Chapter 4, Building Your Rulebase, explains the basics of creating a security policy within FireWall-1 and includes how to use the Policy Editor application.

Chapter 5, Logging and Alerting, explains how logging and alerting work in FireWall-1. Details about how to use the Log Viewer and System Status Viewer applications are also provided.

Chapter 6, Common Issues, is a collection of FAQs that may come up once you have set up your firewall and become familiar with the SmartView Tracker/Log Viewer application. These FAQs are not specific to features covered in future sections of the book.

Chapter 7, Remote Management, explains how to manage multiple firewall modules from a single management console. Sample configurations are provided in this chapter.

Chapter 8, User Authentication, explains how you can provide access control for services based on individual users. Sample configurations are provided in this chapter.

Chapter 9, Content Security, explains how you can restrict the kind of content that enters or leaves your network via HTTP, FTP, and SMTP. Sample configurations are provided in this chapter.

Chapter 10, Network Address Translation (NAT), explains what NAT is, why it is a necessary evil, and how to configure NAT within FireWall-1. Sample configurations are provided in this chapter.

Chapter 11, Site-to-Site VPN, explains what a Virtual Private Network (VPN) is and how to configure FireWall-1 to support this feature. Sample configurations are provided in this chapter.

Chapter 12, SecuRemote and SecureClient, builds on Chapter 11. It explains how to establish client-to-site VPNs using Check Point's Windows-based VPN client called Secure Client, which is also known as SecuRemote. Sample configurations are provided in this chapter.

Chapter 13, High Availability, explains State Synchronization and how it plays a role in highly available firewalls. Also covered are the problems that arise when implementing multiple firewalls in parallel along with some ideas on how to overcome these problems.

Chapter 14, INSPECT, is an overview of the language that is the heart of Check Point FireWall-1. Several examples of working INSPECT code are provided in the chapter as well as in the appendixes.

The appendixes cover topics such as hardening an operating system, sample INSPECT code, performance tuning, recommended books, and Web sites on the Internet where you can obtain software and more information.

Conventions

FireWall-1 runs on multiple operating systems, but there are two basic kinds of platforms: UNIX and Windows NT. My personal bias is UNIX; therefore, all pathnames and the like, unless otherwise specified, are always given in their UNIX form. For those of you who use Windows NT and are not familiar with UNIX conventions, the following paragraph describes how to convert the paths from a UNIX form to a Windows form.

Almost all paths given include FWDIR, which is an environment variable that should be defined and points to the directory under which FireWall-1 is installed. To reference this variable on a UNIX platform, it is preceded by a dollar sign (e.g., $FWDIR). On a Windows platform, the variable is surrounded by percent signs (e.g., %FWDIR%). Path components on a UNIX platform are separated by forward slashes (e.g., /), whereas on Windows, they are separated by back slashes (e.g., \).

To convert the path $FWDIR/bin to its Windows equivalent, replace $FWDIR with %FWDIR% and replace the forward slash with a back slash. On Windows, the path should look like this: %FWDIR%\bin.

Unless otherwise specified, all commands mentioned throughout the text should work on both UNIX and Windows. Examples of commands that you type in (and their output) appear in Courier font. I also use this font for filenames and daemon processes. The commands you type in appear in a bold Courier font. If what you type in does not echo back on the screen (usually because it is a password), this is reflected in a bold italic Courier font.

To put it all together, the following sample output results from running the UNIX passwd command to change my password:

    # passwd dwelch
    Enter login password: abc123
    New password: def456
    Re-enter new password: def456
    passwd (SYSTEM): passwd successfully changed for dwelch
    #

The pound/hash sign (#) is the UNIX prompt and is typically used for the Super-User account. I type in the command passwd dwelch (which echoes to the screen). I am then prompted to enter my old password, abc123, which does not echo to the screen. Next, I am prompted to enter a new password, def456, which also does not echo to the screen. I am then asked to confirm my new password as my password choice, which means I type it again. Finally, I am told my password has been changed successfully.

Numbered FAQs appear starting in Chapter 4. For a full listing of these questions see the list starting on page xxiii.

Dameon D. Welch-Abernathy
a.k.a. PhoneBoy
dwelch@phoneboy.com
PGP Fingerprint: 72A2 8D9D BDC0 98D2 1E5D 3A2D 09D0 A5C1 597F 5D2A
November 2003





Essential Check Point Firewall-1 NG: An Installation, Configuration, and Troubleshooting Guide

FROM OUR EDITORS

The Barnes & Noble Review
Hey, if Check Point Firewall-1 NG isn't mission-critical, what is? It's got to work. You owe yourself a copy of Essential Check Point Firewall-1 NG.

Nobody knows more about Check Point firewalls than Dameon D. "Phoneboy" Welch-Abernathy, host of the Check Point FAQs and Firewall-1 Gurus Forum. He wrote the definitive book on Firewall-1. Now he's done the same for Firewall-1 NG.

Phoneboy carefully walks you through planning, installation, and rulebase construction. Need to deploy content security? Build a secure VPN? Provide for high availability? Really understand how Check Point handles NAT? Figure out licensing? Troubleshoot authentication, remote management, or just about anything else? It's all here -- reliable and readable. Bill Camarda

Bill Camarda is a consultant, writer, and web/multimedia content developer. His 15 books include Special Edition Using Word 2003 and Upgrading & Fixing Networks for Dummies, Second Edition.


     



@copyright 2001-2005 ReadingBee.com