Educause Security Discussion mailing list archives
Re: Checkpoint 13500 Next Generation Firewall/Security
From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Mon, 8 Dec 2014 15:21:41 +0000
No experience with checkpoint but I'll share some observations. When we first attempted to install a network IPS system around 2002-2003 the product crashed immediately when we put traffic through it. The vendor was unable to get it to work in our environment even though it was used in corporate environments. A year or two later, we tried again and were successful with the stability of several products including the original one we tested. It appeared, however, that the products were impacted in our environment more by the number and type of sessions than throughput. Lots of in-house servers. Lots of in-house clients with unrestricted outbound traffic. In the late 2000's, it became increasingly more important to inspect traffic from servers to clients as client attacks became more common. In our case, inspection of this traffic had detrimental effects on the performance of our product. I'm not sure why but I suspect it is because a lot more state has to be maintained. On top of that, the number and variety of client components and associated attacks against their vulnerabilities needing inspection is probably higher than the number of server components. This probably made the number of attack signatures traffic had to traverse for client attacks higher than those for server attacks. In recent years, Netflix and other streaming traffic also adversely affected the already burdened server to client inspection processes. Depending on your priorities, you can deal with this by altering inspection based on traffic source/destination (e.g. Netflix), file type, and/or content-type and adjusting inspection order, depth of inspection, and/or exemption lists accordingly. From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Timothy Pierson Sent: Friday, December 05, 2014 3:04 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Checkpoint 13500 Next Generation Firewall/Security Greetings, I am not sure if this is the place to post this query, however it seems the likely place to start. We have purchased Checkpoint's Next Generation Firewall/Security Appliance. The model is 13500 and we have the 11 software blade suite with application and DLP services. Early September we turned the application security blade service on and it took our internet connection out, dropping the overall throughput from 750 Mbs to less than 50 Mbs. Naturally this had us turning the application service off and engaging checkpoint. After a couple of months, the issue, albeit somewhat improved, is not resolved to where it continues to significantly throttle our throughput, with massive packet drop and overall inferior end user experience. We are not performing any blocking, we have merely turned the software blade feature. Checkpoint had not been able to resolve the issue and spent a couple of months not even knowing what the problem was and were sure it is because of the unusual traffic patterns from our RESNET. One of the things I asked was if there were any Institutions equal to or greater than 14,000 students, with a significant resident hall presence, that was using the Checkpoint 13500, with the 11 security feature suite, with application and DLP services. Their response was that they did in fact have customers, however none of them would care to share their experience with this product and feature set. Knowing our constituencies, I am a little skeptical of this, as I have never had a circumstance where there was an unwillingness to share common experiences. I would like to ask if anyone is using this product, configured similarly to above, and what your experience was in hopes of hearing of a work around or fix. The feeling is that the resnet traffic, which is 29% Netflix and 24% software download (gaming, MS, Apple or other updates), and other student behavior is at the root of the Checkpoint system going "belly up" under minimal load. I would appreciate hearing within this forum or privately, from anyone who might have some experience with this product. Thank You, Tim Pierson DCIO Tenn Tech University
Attachment:
smime.p7s
Description:
Current thread:
- Checkpoint 13500 Next Generation Firewall/Security Timothy Pierson (Dec 05)
- Re: Checkpoint 13500 Next Generation Firewall/Security Ian McDonald (Dec 06)
- Re: Checkpoint 13500 Next Generation Firewall/Security Timothy Pierson (Dec 08)
- Re: Checkpoint 13500 Next Generation Firewall/Security Flynn, Gary - flynngn (Dec 08)
- <Possible follow-ups>
- Checkpoint 13500 Next Generation Firewall/Security Boyd, Daniel (Dec 08)
- Re: Checkpoint 13500 Next Generation Firewall/Security Timothy Pierson (Dec 08)
- Re: Checkpoint 13500 Next Generation Firewall/Security Robert Rudloff (Dec 08)
- Re: Checkpoint 13500 Next Generation Firewall/Security Ian McDonald (Dec 06)