There was a time when working with Check Point firewalls intimidated me; that day is gone. I have been through so many firewall upgrades (many of them failed upgrades) that I no longer have the capacity to fear them. Today I was struggling with a configuration issue on a remotely managed firewall: there is a bug, and the firewall logs are not making it to the management console. I won't bore you with the details here.

Even though about half of the functions they claim to have don't work, Check Point is really progressive. One of the sexiest features of their latest offering (NG) is Secure Internal Communication, or SIC. The management console contains a certificate authority (the Internal CA) that generates and distributes certificates to every component that has to talk to another one, and those certificates are what authenticate and encrypt the traffic between them.

The firewall itself is distributed. The enforcement modules are the actual firewalls: they block traffic and so on. The management console can be on a separate machine; the rule base is stored there, compiled and uploaded to the enforcement modules. I noticed today that the logging, which is normally done on the management console, can be broken off onto a separate platform as well. Beyond that, by giving the management console a static NAT address, it can be used to remotely manage firewalls elsewhere on the Internet. (SIC authenticates and encrypts that management traffic, but the NAT rule should still only expose the management ports to the remote module's address, not to the whole Internet.)

This is amazing when you see it working. From one management console I was able to initialize a certificate, pull that certificate from the remote firewall, apply that certificate, and then use it to provide an encrypted communication channel for manipulating the firewall rules. I defined a separate firewall policy for the remote machine, compiled it and pushed it to the remote firewall, where it was installed. *grin* This is an Internet success story: a distributed system (albeit a very small one in this case) using certificates and... yes, it is working!!!
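To make the SIC idea concrete, here is an added example (my own toy model, not Check Point's code or protocol) of the trust-establishment flow the post describes: the Internal CA on the management side holds a one-time activation key for each gateway object, the remote enforcement module proves it knows that key when it asks for a certificate, the CA issues and signs the certificate and consumes the key, and from then on the module authenticates to the management side with the certificate alone. The names (`InternalCA`, `EnforcementModule`, `enrol`, `authenticate`) and the activation-key MAC are assumptions of this model; real SIC uses X.509 certificates and an SSL-based channel, and Lamport one-time signatures stand in for the RSA machinery here only so the example runs on the Python standard library.

```python
"""Toy model of SIC-style trust establishment (added example, not Check Point code)."""
import hashlib
import hmac
import json
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def canonical(obj) -> bytes:
    """Deterministic encoding of the to-be-signed certificate body."""
    return json.dumps(obj, sort_keys=True).encode()


# --- Lamport one-time signatures: stand-in for RSA. Each key signs exactly once.
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    h = int.from_bytes(sha256(msg), "big")
    return [sk[i][(h >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    h = int.from_bytes(sha256(msg), "big")
    return len(sig) == 256 and all(
        sha256(sig[i]) == pk[i][(h >> (255 - i)) & 1] for i in range(256))


def pk_digest(pk) -> str:
    return sha256(b"".join(a + b for a, b in pk)).hex()


class InternalCA:
    """The CA on the management console. Assumed name; models the ICA."""

    def __init__(self, pool=4):
        self.keys = [lamport_keygen() for _ in range(pool)]  # one key per cert issued
        self.trust_anchor = [pk for _, pk in self.keys]      # what modules pin
        self.pending = {}   # gateway name -> one-time activation key
        self.serial = 0

    def define_gateway(self, name: str, activation_key: str):
        """Admin creates the gateway object and types the activation key."""
        self.pending[name] = activation_key.encode()

    def enrol(self, request):
        """Initialize trust: check the activation-key MAC, issue a signed cert."""
        key = self.pending.get(request["subject"])
        if key is None or self.serial >= len(self.keys):
            return None   # unknown gateway, key already consumed, or pool exhausted
        body = f'{request["subject"]}|{request["pubkey"]}'.encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, request["mac"]):
            return None   # wrong activation key
        del self.pending[request["subject"]]   # activation key is single-use
        tbs = {"issuer": "ICA", "serial": self.serial,
               "subject": request["subject"], "pubkey": request["pubkey"]}
        sk, _ = self.keys[self.serial]
        cert = {"tbs": tbs, "ca_key_index": self.serial,
                "sig": [s.hex() for s in lamport_sign(sk, canonical(tbs))]}
        self.serial += 1
        return cert


def verify_cert(trust_anchor, cert) -> bool:
    pk = trust_anchor[cert["ca_key_index"]]
    return lamport_verify(pk, canonical(cert["tbs"]),
                          [bytes.fromhex(s) for s in cert["sig"]])


class EnforcementModule:
    """The remote firewall. Generates its own key and enrols with the ICA."""

    def __init__(self, name: str):
        self.name = name
        self.sk, self.pk = lamport_keygen()
        self.cert = None

    def enrolment_request(self, activation_key: str):
        body = f"{self.name}|{pk_digest(self.pk)}".encode()
        mac = hmac.new(activation_key.encode(), body, hashlib.sha256).hexdigest()
        return {"subject": self.name, "pubkey": pk_digest(self.pk), "mac": mac}

    def prove(self, nonce: bytes):
        """Open a SIC channel: present the cert and sign the peer's nonce."""
        return self.cert, self.pk, lamport_sign(self.sk, nonce)


def authenticate(trust_anchor, cert, pk, nonce, sig) -> bool:
    """Management-side check: CA signature, key binding, proof of possession."""
    return (verify_cert(trust_anchor, cert)
            and cert["tbs"]["pubkey"] == pk_digest(pk)
            and lamport_verify(pk, nonce, sig))


def demo():
    ica = InternalCA()
    ica.define_gateway("remote-fw", "s3cret-one-time")   # done on the console
    fw = EnforcementModule("remote-fw")                  # done on the remote box
    fw.cert = ica.enrol(fw.enrolment_request("s3cret-one-time"))
    results = {"enrolled": fw.cert is not None}
    # The same activation key presented again (replay, or a second box): rejected.
    results["replay_rejected"] = ica.enrol(fw.enrolment_request("s3cret-one-time")) is None
    ica.define_gateway("other-fw", "another-key")
    bad = EnforcementModule("other-fw").enrolment_request("guess")
    results["wrong_key_rejected"] = ica.enrol(bad) is None
    nonce = os.urandom(16)
    results["channel_auth"] = authenticate(ica.trust_anchor, *fw.prove(nonce)[:2], nonce, fw.prove(nonce)[2])
    forged = json.loads(json.dumps(fw.cert))
    forged["tbs"]["subject"] = "evil-fw"   # tampered body no longer matches the signature
    results["forged_cert_rejected"] = not verify_cert(ica.trust_anchor, forged)
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one that matters operationally: the activation key only protects the first exchange and is thrown away afterwards, so a wrong or replayed key gets nothing, and every later connection is accepted or refused purely on the certificate chain back to the management console's CA.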

 


Austin Gilbert/Male/26-30. Lives in United States/Oklahoma/Tulsa/Midtown, speaks English. Spends 40% of daytime online. Uses a Fast (128k-512k) connection. And likes computer science/photography.

Dairy-Feed Firewall Monkey
2003/10/15