R: Questions about fw-1

From: Fabio De Maron (fdemaron@intesis.it)
Date: 10/03/01 

From: "Fabio De Maron" <fdemaron@intesis.it>
To: "Mario Behring" <mariobehring@yahoo.com>, <SECURITY-BASICS@securityfocus.com>
Subject: R: Questions about fw-1
Date: Wed, 3 Oct 2001 12:42:16 +0200
Message-ID: <DNEOKLFHKFAGJPILLANBAECCCFAA.fdemaron@intesis.it>

Mario Behring wrote:
> Subject: Questions about fw-1

(...)
> 1- FW-1 works with Statefull inspection technology, but is
> there any way to
> configure fw-1 to work both as packet filter and as application
> proxy gateway,
> just like a hybrid firewall software would do ??
You can do it but I don't recommend it.

> 2- FW-1 does not perform the OS hardening at installation time like IBM
> SecureWay Firewall does, but does anybody know some CheckPoint
> product or
> module that perform this task before fw-1 installation ? Also,
> is there any
> CheckPoint tool that checks the OS for configuration problems ?
no. You can search about Firewall-1 Appliance (Nokia IP).

> 3- Do fw-1 (or CheckPoint) have an anti-tampering tool, i.e., a
> tool that
> prevents system files from being altered and verifies file
> authenticity ?
no

I think the best thing a firewall must do is... firewall.
Every software have its own scope and Firewall-1 is a good firewall
product.
It's good for enforcing bastions, natting, implementing security rules,
...
Maybe you need a complete solution with something like tripwire, hardening
OS and other but you can buy it from a system integrator or security
company.
As always "security is a process not a product".

I don't work for CheckPoint and they don't pay me.

Fabio Dema