Re: Checkpoint disaster Recovery
From: Richard H Miller (rick_at_bcm.tmc.edu)
Date: 10/07/03
- Next message: jaarons: "Spyware, key logger detection and removal (Norton Corporate Edition doesn't have it)"
- Previous message: PapaBear: "Re: Something (Trojan?) Takes Over Mouse - Mouse Was Probably Bad"
- In reply to: Mike Vore: "Re: Checkpoint disaster Recovery"
- Next in thread: Aliensurfer: "Re: Checkpoint disaster Recovery"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 7 Oct 2003 17:36:32 GMT
Mike Vore (mvore@ix.dot.netcom.dot.com.dot) wrote:
: On Tue, 7 Oct 2003 16:41:13 +0100, Aliensurfer <alien@mbf7.NOSPAM.freeserve.co.uk> wrote:
: >
: >
: > Hi all,
: >
: > We have two Checkpoint firewalls one NG and one 4.1. I've been
: > given the task of writing a disaster recovery procedure should
: > everything go belly up. Does anybody have an idea of where to
: > start? I've noted the rules, the object IP's, the NAT, the license.
: > Is there anything else? I basically need to be able to recover from
: > scratch and prepare for the worst case scenario, i.e. no backups
: > available either.
: A recovery with no backup!? I'm assuming that there are no tapes you
: can backup onto.
: You do seem to have a basic idea of what you need. I'd start by
: making a backup (onto floppy if needed) of the entire conf and state
: directories. Then make a copy of the $FWDIR tree, not necessarily the
: files- so you know where things go. Also have copies of the license
: handy. You probably also need copies of .../etc/hosts and the routing
: table - in short - everything you need to put each of the boxen online
: as working systems without the firewall.
: Do this for each firewall. Then find an unused machine(s) and build
: yourself both firewalls from scratch and put them online - document
: ALL the steps to get them running. Remember the three basic (and
: necessary) steps to getting a firewall (any brand) working - 1) the
: Hardware (NICs, CAT5 cables) & O/S (patches, user/password) 2)
: Networking (etc/hosts, routing), 3) and finally, only after the first
: two steps are proven, the firewall.
: Then probably try to keep your just built "Hot Spare" put away
: somewhere no one will touch it. This one would be configured for the
: most important system - ready to swap in with the least delay. Keep it
: in storage - turned off, you don't want to have it fry on the same surge
: that fries the on-line machine.
: mike
This will work pretty good if you are trying to implement your current setup
without rethinking your entire approach to fault tolerance.
If you want to have a somewhat fault tolerant system that is easy to do DR on
1) move to the distributed module, a management console and a series of enforcement
modules. You also really need to upgrade the 4.1 to NG.
2) once you are on a distributed module, use an appliance approach [the Nokia or
secureplatform] for your enforcement modules. Convert your licenses to central
mode. Store the platform configuration elements on the management console. With this
you can build a new enforcement module in 15-20 minutes from scratch [with secureplatform],
upload the static routes file, reboot, establish SIC and re-push the policy.
3) Back up your management server using normal backup tools.
4) If your uptime requirements mandate it, use the management HA to keep a synchronized secondary
management server ready to go.
We have used Mike's approach and it does work; this simply takes it to the next level.
Richard H. Miller, MCSE, CCSE
Information Security Manager
Information Technology Security and Compliance
Information Technology - Baylor College of Medicine
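
The per-firewall collection step from Mike's quoted reply (conf and state directories, the layout of the $FWDIR tree, the hosts file and the routing table), as an added example that is not part of the original thread. The function name, the bundle layout and the checksum manifest are assumptions made for illustration; licenses are not collected here and still need to be copied separately.

```shell
#!/bin/sh
# Added example, not code from the thread. Gathers what is needed to rebuild
# one firewall host into a dated bundle. The function name, file names inside
# the bundle and the manifest are assumptions for illustration.

collect_fw_dr_bundle() {
    fwdir=$1                    # firewall install root, e.g. "$FWDIR"
    outdir=$2                   # destination (removable media, admin host)
    hosts_file=${3:-/etc/hosts}

    [ -d "$fwdir/conf" ] || { echo "no conf directory under $fwdir" >&2; return 1; }
    stamp=$(date +%Y%m%d-%H%M%S)
    work="$outdir/fw-dr-$(hostname 2>/dev/null || echo unknown)-$stamp"
    mkdir -p "$work" || return 1

    # 1. Full contents of the conf and state directories
    for d in conf state; do
        if [ -d "$fwdir/$d" ]; then
            (cd "$fwdir" && tar cf - "$d") > "$work/$d.tar" || return 1
        fi
    done

    # 2. Directory layout of the whole tree, without the files,
    #    so a rebuild shows where things go
    (cd "$fwdir" && find . -type d | sort) > "$work/fwdir-tree.txt"

    # 3. Host table and routing table, needed to bring the box up
    #    as a working system before the firewall is installed
    if [ -r "$hosts_file" ]; then cp "$hosts_file" "$work/hosts"; fi
    if command -v netstat >/dev/null 2>&1; then
        netstat -rn > "$work/routes.txt" 2>&1 || true
    elif command -v ip >/dev/null 2>&1; then
        ip route show > "$work/routes.txt" 2>&1 || true
    else
        echo "no routing tool found; record routes by hand" > "$work/routes.txt"
    fi

    # 4. Checksums, so the bundle can be verified before a restore.
    #    The file list is expanded before MANIFEST.cksum is created.
    (cd "$work" && set -- * && cksum "$@" > MANIFEST.cksum) || return 1

    echo "$work"                # path of the finished bundle
}
```

Run it once per firewall and keep the resulting directory with the license copies, away from the machine it describes.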