WOW.. All good questions.. however, I am afraid the answers are all bad :(. Also, if you have any other questions I will be more than happy to tell you what I know. I have CCSA and CCSE certs on firewall-1 (Administrator and Engineer Certs).
See my comments inline below.

--TCroc
--www.pasture.com/~tcroc

*SNIP*

> 1- FW-1 works with Stateful inspection technology, but is there any way to
> configure fw-1 to work both as packet filter and as application proxy gateway,
> just like a hybrid firewall software would do ??

Not that I am aware of. I haven't used FW-1 since 4.0 (i.e., I haven't touched 4.1), but as far as I know they have limited, if any, proxy ability. I would double check this with the vendor's sales rep directly to be sure though, as I have been away from firewalls for a few months.

> 2- FW-1 does not perform the OS hardening at installation time like IBM
> SecureWay Firewall does, but does anybody know some CheckPoint product or
> module that performs this task before fw-1 installation ? Also, is there any
> CheckPoint tool that checks the OS for configuration problems ?

No it doesn't. And to be honest with you, I wouldn't want my firewall to do my OS hardening. OS hardening isn't something that you can just run a script on and be done with. It is something that morphs over time as more and more vulnerabilities are discovered. Hardening is patching your machine, turning off unused services, and many other pieces that change from time to time. I wouldn't trust this to anything but a seasoned security engineer with a script that he/she has written and tested and continues to modify over time.

> 3- Does fw-1 (or CheckPoint) have an anti-tampering tool, i.e., a tool that
> prevents system files from being altered and verifies file authenticity ?

Again, I wouldn't want FW-1 to do this. This is not their core competency. Install tripwire on the box and use that for authenticity of files. Much more robust and safer than trusting a firewall software to do host based IDS. Would you hire your auto mechanic to be your chef? Prob. not! :)

> I need this information to compare FW-1 with other products. Any help would be
> appreciated.
>