Firewall fast track?

THE PROBLEM WITH security appliances is that they include hardware that you must pay for. The problem with most security software is that you must spend hours installing and configuring it, negating any savings you might get by using hardware you already have.

But suppose you could simply pop a CD into that old computer in the back room, and in a few minutes have an appliance up and running? That’s the premise behind Check Point Software Technologies’ SecurePlatform Media Pack.

And it almost works. If it weren’t for significant gaps in documentation, and some software that simply doesn’t work, we’d be singing praises. But almost doesn’t count in software installations.

Fortunately, if you’re familiar with Check Point’s firewall and VPN software, you can probably get around most of the problems easily. But if you’re a small office customer, or a network administrator trying to set up SecurePlatform for a remote office, you’re almost hopelessly out of luck. Without help from Check Point, you’ll never get the product running.

The idea behind SecurePlatform is that you should only need to insert a CD into an Intel machine, restart it, and allow the CD to do the rest. Check Point’s installer formats the hard drive, installs Linux, installs the selected security software (Firewall-1 and perhaps VPN-1, or the small business versions of those), and then asks for some input, such as the IP address, network mask, and so forth. You’re also asked for the license information, and after you answer several more questions, the newly created appliance reboots. It takes only about 10 minutes.

If you’ve configured the box to run VPN-1/Firewall-1 SmallOffice, what you don’t find out until this point is that you can’t actually run anything you’ve installed. There are two reasons for this. The first is that the standard multiprocessor kernel can’t run the SmallOffice version of the software, a fact not mentioned anywhere in the documentation. For SmallOffice, you have to run the uniprocessor version of the kernel. It turns out the uniprocessor kernel is available when you reboot the machine, but this fact also is omitted from the documentation. To make matters worse, if you happen to be installing SmallOffice on a multiprocessor platform, the default is the multiprocessor kernel; if you don’t do anything, that’s what runs.

The second problem concerns the licensing software that runs early in the installation process. Normally, you’d put the license file on a disk, and let the installer read it. But you can’t use the CD, because the installer resides there. And you can’t use a floppy disk, because you have no way to mount the floppy disk, and no way to enter the complete path name even if you could mount the disk. So when your effort to install the license fails — which it will, because there’s no way to copy the license to the hard disk during the process — you get only a brief notice, and then the installer moves on to other things.

Fortunately, if you know Linux, it’s not particularly difficult to go back later, mount a drive where the file is, or will be, copy it over, and then run the licensing utility separately. Unfortunately, you simply have to know that this is required because nothing in the SecurePlatform instructions will tell you.

Normally, we wouldn’t devote so much space to discussing the installation process. After all, you only install the product once, so our main focus is typically on using the product. But with SecurePlatform, simple installation is its raison d”tre. Without it, this would simply be a CD of Check Point’s otherwise excellent products.

Fortunately, Check Point’s firewall and VPN products really are excellent, and the single-CD installation process really does eliminate most of the pain of installing it, once you find out the secrets to making the products work. A spokesperson for Check Point said that the company would be replacing the current instructions with more detailed documentation, and would also improve the licensing installation process.

Although Check Point says that SecurePlatform is intended to be used mainly by the technical staff at a reseller location, this product is clearly being marketed to end-users by those resellers, who will gladly sell the product and licenses by mail to anyone. Be forewarned.

After you get past the problems of getting everything running, Check Point’s Firewall-1 and VPN-1 are very nice products indeed. Couple that with the secure and hardened Linux operating system that SecurePlatform installs, and you’ve got everything you’d want for either purpose. Likewise, the SmallOffice version provides a complete Internet gateway that integrates seamlessly into the network, providing high-performance, secure gateway services, including NAT (network address translation) and DHCP (dynamic host configuration protocol) serving. About the only thing you’d have to provide on your network is a DNS server, and you’d be ready to go.

We found that managing both the enterprise and the small office packages was easy and intuitive. As you might expect, you can screen for nearly anything inbound or outbound. The VPN software is highly configurable and flexible, and both versions, enterprise and small office alike, perform well, given potential hardware limits.

Managing the enterprise version of SecurePlatform is done through a graphical Windows application. After you have the product up and running and some basic configuration accomplished, you can do everything else, from logging to rule-making, through the Windows-based manager. This same tool can also manage the SmallOffice version of the product, or you can reach it through your Web browser.

You also get a great deal more control over the gateway, firewall, and VPN functions than you normally would with browser-based managers.

The Check Point SecurePlatform delivers an excellent firewall and VPN manager. If only the simple setup truly worked and the instructions were more complete, this product would be hard to beat.