Wednesday, April 29, 2020

Day 40: A New Firewall

This article is part of The 100 Days Offensive. Go to Day 39 or Day 41.

The Home Office needs to be defended, so I installed my new firewall last weekend.

If you know me, you will probably guess two things: I will overdo it and I will use Check Point Firewall.

I have been working professionally with Check Point since 1995 and I really have a deep respect for the guys and girls working there. This led to me selling their products for 25 years now. It also means that I am well versed in their products, which surely helps when you set one up.

In terms of sizing I did not really overdo it much. I went for the Check Point 1550 appliance. A small model, but powerful enough for Gigabit traffic.

I do not really need the WiFi module as I have a Unifi WiFi solution installed. But it doesn't hurt to have some backup WiFi available. I overdid it a bit with the license. I went for the full NGTX package with Threat Extraction. That is one piece of technology I don't have sufficient hands-on experience with, so I am going to fix that. Unfortunately that also means that I have to spend some time becoming more familiar with SSL Inspection, a topic that I do not like as much.

The point where I certainly went overboard is when I also installed a Central Management based on R80.40 at home. But I really wanted to get my hands on Layered Policies. Combined with the new API this holds a lot of promise for automating the tedious process of maintaining firewall policies. And what better way to play with it than at home?
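The workflow that makes such automation possible, as an added example that is not code from this blog or from Check Point: a small client for the R80.x Management API that logs in, creates an inline layer, hangs it off a rule in the ordered "Network" layer of the Standard package, and publishes. The command names (login, add-access-layer, add-access-rule, publish, discard, logout) are the documented Management API commands, each a JSON POST to https://<mgmt>/web_api/<command> with the session id in the X-chkp-sid header; the management host, credentials, layer name, network object, rule contents and the recording transport used to run it offline are assumptions made up for illustration.

```python
"""Building a layered policy through the Check Point R80.x Management API.

Added example, not the blog author's code or Check Point's. Host,
credentials, object names and rule contents are made-up assumptions.
"""
import json
import ssl
import urllib.request


def _https_post(url, body, headers, ctx):
    """Real transport: one JSON POST, server certificate checked against ctx."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def recording_transport(log):
    """Offline transport (assumption, for running without a management
    server): records every call and answers the way the server would."""
    def post(url, body, headers):
        command = url.rsplit("/", 1)[1]
        log.append((command, body, dict(headers)))
        if command == "login":
            return {"sid": "sid-0123"}            # constructed response
        if body.get("name") == "boom":            # hook to simulate a failed call
            raise RuntimeError("simulated management API error")
        return {}
    return post


class MgmtSession:
    """login / publish-or-discard / logout lifecycle around API calls.

    Changes made after login live in a private server-side session until
    publish. On any error we discard, so nobody inherits a half-built
    policy, and we always logout so the session slot is freed."""

    def __init__(self, host, user, password, transport=None, cafile=None):
        self.base = f"https://{host}/web_api/"
        self.sid = None
        self.calls = []                           # ordered command names
        if transport is None:
            ctx = ssl.create_default_context(cafile=cafile)  # never unverified
            transport = lambda u, b, h: _https_post(u, b, h, ctx)
        self._post = transport
        self._creds = {"user": user, "password": password}

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid      # session id rides in a header
        self.calls.append(command)
        return self._post(self.base + command, payload or {}, headers)

    def __enter__(self):
        self.sid = self.call("login", self._creds)["sid"]
        return self

    def __exit__(self, exc_type, exc, tb):
        try:
            if exc_type is not None:
                self.call("discard")
        finally:
            self.call("logout")
        return False                              # re-raise the original error


def build_home_policy(sess, inline="home-office", net="home-office-net",
                      rule_name="home office segment"):
    """Create an inline layer, attach it to the top of the ordered 'Network'
    layer of the Standard package, fill it, then publish."""
    sess.call("add-access-layer", {"name": inline})
    sess.call("add-access-rule", {
        "layer": "Network", "position": "top", "name": rule_name,
        "source": net, "destination": "Any", "service": "Any",
        "action": "Apply Layer", "inline-layer": inline,
    })
    sess.call("add-access-rule", {
        "layer": inline, "position": "top", "name": "web out",
        "source": net, "destination": "Any", "service": ["http", "https"],
        "action": "Accept", "track": {"type": "Log"},
    })
    # Traffic that matched the parent rule but nothing inside the inline
    # layer is dropped by the implicit cleanup rather than re-evaluated
    # against the rest of 'Network'; an explicit logged cleanup makes
    # those drops visible in the logs.
    sess.call("add-access-rule", {
        "layer": inline, "position": "bottom", "name": "cleanup",
        "source": "Any", "destination": "Any", "service": "Any",
        "action": "Drop", "track": {"type": "Log"},
    })
    sess.call("publish")


def demo(fail=False):
    """Run the build against the recording transport; returns the ordered
    commands and the raw (command, body, headers) log."""
    log = []
    sess = MgmtSession("mgmt.example.internal", "api-admin", "s3cret",
                       transport=recording_transport(log))
    try:
        with sess:
            build_home_policy(sess, rule_name="boom" if fail else
                              "home office segment")
    except RuntimeError:
        pass                                      # discard/logout already ran
    return sess.calls, log


if __name__ == "__main__":
    print(demo()[0])
    print(demo(fail=True)[0])
```

Pointing the session at a real R80.40 manager only needs the default transport with `cafile` set to the CA that issued the management server's certificate; install-policy is deliberately left out of the build so a mistake in the rulebase stays on the manager until it has been reviewed in SmartConsole.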

Luckily the migration went pretty well. The biggest problem I had was with my Sonos prison. But that is a story for another post.

One feature I immediately liked was the improved ISP redundancy. As I currently have three uplinks, I can put that to use.

Though the migration went smoothly, the last few days were long and exhausting and I will take a few days' break before continuing there.

So I guess the topic of my firewall will recur in the coming weeks as I play around with other features.
