Network Computing

Network and Systems Management
Online Only: Check Point Offers Provider-1 NG FP-1 for Managing Multiple Firewalls

  March 18, 2002
  By Mike Fratto



Multitasking has taken on a new meaning at Check Point Software Technologies, a leading firewall vendor. Folks at Check Point took the idea of multifirewall management and developed it into something that service providers and large organizations can really use. Check Point's Provider-1 NG (next generation) is the management framework that provides a multicustomer, multifirewall management system for Check Point firewalls.



FP-1 (Feature Pack 1) adds new features to Provider-1 NG, including management of the VPN-1/Firewall-1 NG FP-1 feature set, customized menu commands and visual notification of global-policy assignment. Provider-1 NG FP-1 is a must-have upgrade for organizations deploying a mix of Check Point's VPN-1/Firewall-1 4.x and VPN-1/Firewall-1 NG FCS (first customer ship) or migrating to VPN-1/Firewall-1 NG FP-1. Everyone else should stick with what they have until they are ready to upgrade their firewall base.

Provider-1 is made up of three distinct components. The MDS (Multi-Domain Server) houses the CMAs (Customer Management Add-ons), which are the Provider-1 NG management servers; each customer is assigned to its own CMA. The MDG (Multi-Domain GUI) is the administrator's user interface for managing the MDS and the individual CMAs.

Provider-1 has a robust access-control system that allows tiered access to the MDS and CMAs. Each CMA is a complete Check Point NG management station, and only administrators whose access is defined in the MDS can connect to it and make configuration changes via the MDG. Provider-1 is backward-compatible with VPN-1/Firewall-1 4.x and NG FCS, and integrating previous versions of Check Point firewalls is seamless and shouldn't pose any problems.

Made-to-Order Interface Makes It Easy on You

Customized user interfaces have been a part of network management applications for years, and the maturing field of multi-unit firewall management is finally catching up. I created a customized system that brought frequently used commands to the GUI by associating command-line commands and parameters with a menu item. For example, I frequently used Check Point's support site during testing to find answers to questions, so I simply added a command on the command line that launched Netscape Navigator and passed the Check Point support URL. I used other utilities such as "ping" and ftp often enough to justify adding those commands as well. If you can run it on the CLI, you can add it to the menu.

Two optional context-sensitive variables, Object Name and Object IP, are replaced at run time with the name or the IP address of the highlighted object. So when I created a command to ping a firewall, I put ping in the command field and the 'IP' variable in the parameter field. Only administrators with SuperUser status can define custom commands, but once created, the commands are available to all administrators. It would make more sense to me to offer custom commands on a per-user MDG basis.

One of the advantages of global managers is that policy management is streamlined across your customer base, as long as a base policy can be applied to all firewalls. Global policies define systemwide rules that you don't want CMA administrators modifying. A default-deny rule, which blocks all access through the firewall as a last resort, is one example, as is a rule that allows DNS from the internal network to the external network. However, without some sort of template system in place, global policies are of limited use.

Usually reserved for required static services, global policies allow unalterable baseline security configurations. Provider-1 NG checks that the global and local rules don't conflict before sending them to the firewall. So, for example, a global policy that allows outbound DNS queries cannot be overridden by a locally defined rule.

To test this, I defined a global policy that allowed DNS queries from any source IP address to any destination IP address, and I assigned that policy to a CMA. Then I created a rule in the CMA to block DNS queries from any source to any destination. When I tried to apply the policy, the policy editor told me that my DNS block rule hid the DNS allow rule and wouldn't apply the policy to the firewalls. Next, I tried narrowing the source and destination IP addresses in an attempt to block DNS access with a more restrictive rule. Again, Provider-1 NG flagged the conflict as an error and would not apply the policy.
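The conflict check described above, as an added illustration and not Check Point's own code: a CMA-local rule is rejected when any traffic it matches is also matched by a global rule with the opposite action, which covers both the exact-scope block and the narrower subnet-to-subnet block from the test. The rule fields, names and addresses are constructed for the example.

```python
"""Global-versus-local rule conflict check of the kind the review describes.
Added illustration, not Check Point code: a CMA-local rule is rejected when
it could match traffic that a global rule also matches but with the opposite
action, whether the local rule repeats the global rule's scope exactly or
carves out a narrower source or destination."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    service: str  # "dns", "smtp", "http" ... or "any"
    action: str   # "accept" or "drop"


def services_overlap(a: str, b: str) -> bool:
    return a == b or "any" in (a, b)


def rules_overlap(a: Rule, b: Rule) -> bool:
    """True when at least one packet could match both rules."""
    return (a.src.overlaps(b.src)
            and a.dst.overlaps(b.dst)
            and services_overlap(a.service, b.service))


def find_conflicts(global_rules, local_rules):
    """(global name, local name) pairs where the local rule would give some
    of the global rule's traffic a different verdict."""
    return [(g.name, loc.name)
            for g in global_rules
            for loc in local_rules
            if rules_overlap(g, loc) and g.action != loc.action]


def can_install(global_rules, local_rules) -> bool:
    """Installation is refused while any conflict remains."""
    return not find_conflicts(global_rules, local_rules)


# Constructed policies modelled on the test in the review.
GLOBAL_POLICY = [Rule("global-dns-allow", ANY, ANY, "dns", "accept")]

# Exact contradiction: same scope, opposite action.
LOCAL_EXACT_BLOCK = [Rule("local-dns-block", ANY, ANY, "dns", "drop")]

# Narrower contradiction: a subnet-to-subnet block still hides part of
# the global allow, so it is rejected too.
LOCAL_NARROW_BLOCK = [Rule("local-dns-block-lan",
                           ip_network("10.1.0.0/16"),
                           ip_network("192.0.2.0/24"), "dns", "drop")]

# Acceptable local rules: a different service, or the same verdict.
LOCAL_OK = [Rule("local-http-block", ANY, ANY, "http", "drop"),
            Rule("local-dns-allow-lan", ip_network("10.1.0.0/16"), ANY,
                 "dns", "accept")]

if __name__ == "__main__":
    for label, local in [("exact block", LOCAL_EXACT_BLOCK),
                         ("narrower block", LOCAL_NARROW_BLOCK),
                         ("non-conflicting", LOCAL_OK)]:
        verdict = ("install" if can_install(GLOBAL_POLICY, local)
                   else "rejected %s" % find_conflicts(GLOBAL_POLICY, local))
        print(label, "->", verdict)
```

The check is deliberately conservative: overlap is tested on address ranges and service, not on rule order, so a local rule that merely duplicates the global verdict passes while any partial contradiction is refused, which is the behaviour the test observed.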

I doubt there will be many installations where one global policy can be applied to all customers, so I was glad to see that I could create multiple global policies. Only one global policy can be assigned to a CMA, but multiple CMAs can share the same global policy.

I wanted to have a global policy on each firewall allowing DNS, SMTP and IMAP, and HTTP to internal DNS, mail and Web servers, respectively. Because Check Point's management applications work on administrator-defined objects such as servers and networks, as well as on predefined objects such as network services, I could have defined the local servers at the global level and then created the global policy and applied it to the target CMAs. However, any custom rules applied locally would have required re-creating those same objects on the CMA, and moving a server to a new IP address would then mean modifying both the global and the local objects, which is not efficient.

Dynamic Global Objects Save the Day

Luckily, Provider-1 NG has a workaround for this efficiency problem -- Dynamic Global Objects. Dynamic Global Objects are placeholders in the global policy for similarly named objects on the local CMA. When a global policy is applied to the local CMA, the Dynamic Global Objects are replaced automatically with the local objects.

Vendor Information

Provider-1 Next Generation Feature Pack-1 (NG FP-1), $70,000. Available: Now. Check Point Software Technologies, (800) 429-4391, (650) 628-2000; fax (650) 654-4233.
www.checkpoint.com

For example, the first step I took was to define the servers on each gateway with a common name, such as "localdns_global" and "localmail_global," and assign the appropriate IP addresses to each. Then, in the global policy editor, I created Dynamic Global Objects with the same names, "localdns_global" and "localmail_global," and used them in the policy rules. When I applied the global policy to the gateways, the Dynamic Global Objects were replaced at the CMA level with the IP addresses of the actual objects.

If in the future I change the IP addresses of the "localdns_global" or "localmail_global" objects on a CMA, I can simply reapply the policy without making any changes to the global policy. Provider-1 NG also has global services that function similarly.
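The substitution described in this section, as an added example that is not Check Point's code: the global policy names placeholder objects, each CMA keeps its own object with the same name, and installation swaps the placeholder for that CMA's address. The "_global" suffix is the naming convention from the review; the CMA names, the per-CMA object tables and the addresses are constructed for the example, and the handling of a CMA that lacks one of the named objects is an assumption about a sensible failure mode.

```python
"""Dynamic Global Object substitution, as an added illustration (not Check
Point code). The global policy refers to objects only by name; each CMA
supplies its own object with that name, and installing the policy on a CMA
replaces every placeholder with that CMA's address. The CMA names and
addresses are constructed; a missing object on one CMA fails that CMA only."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class GlobalRule:
    src: str       # object name, or "any"
    dst: str
    service: str
    action: str


@dataclass(frozen=True)
class InstalledRule:
    src: IPv4Network
    dst: IPv4Network
    service: str
    action: str


class MissingDynamicObject(LookupError):
    """Raised when a CMA defines no object with the placeholder's name."""


def resolve_name(name, cma_objects, cma):
    """Map a placeholder name to the CMA's concrete object."""
    if name == "any":
        return ANY
    if name not in cma_objects:
        raise MissingDynamicObject("CMA %s has no object named %r" % (cma, name))
    return cma_objects[name]


def install(global_policy, cma, cma_objects):
    """Produce the concrete rulebase for one CMA."""
    return [InstalledRule(resolve_name(r.src, cma_objects, cma),
                          resolve_name(r.dst, cma_objects, cma),
                          r.service, r.action)
            for r in global_policy]


def install_all(global_policy, cmas):
    """Install on every CMA; a CMA missing an object is reported, not
    silently skipped, and does not block the others."""
    installed, failed = {}, {}
    for cma, objects in cmas.items():
        try:
            installed[cma] = install(global_policy, cma, objects)
        except MissingDynamicObject as err:
            failed[cma] = str(err)
    return installed, failed


def move_object(cma_objects, name, new_cidr):
    """Return the CMA's object table with one address changed. The global
    policy is untouched, so a reinstall picks up the new address."""
    updated = dict(cma_objects)
    updated[name] = ip_network(new_cidr)
    return updated


# Constructed global policy using the placeholder names from the review.
GLOBAL_POLICY = [
    GlobalRule("any", "localdns_global", "dns", "accept"),
    GlobalRule("any", "localmail_global", "smtp", "accept"),
]

# Constructed per-CMA object tables (documentation addresses).
CMAS = {
    "cma-acme": {"localdns_global": ip_network("192.0.2.53/32"),
                 "localmail_global": ip_network("192.0.2.25/32")},
    "cma-widgets": {"localdns_global": ip_network("198.51.100.53/32"),
                    "localmail_global": ip_network("198.51.100.25/32")},
    "cma-incomplete": {"localdns_global": ip_network("203.0.113.53/32")},
}

if __name__ == "__main__":
    ok, bad = install_all(GLOBAL_POLICY, CMAS)
    for cma, rules in ok.items():
        print(cma, [str(r.dst) for r in rules])
    print("failed:", bad)
    # Moving the mail server changes only the CMA object, then reinstall.
    moved = move_object(CMAS["cma-acme"], "localmail_global", "192.0.2.26/32")
    print("after move:", [str(r.dst) for r in install(GLOBAL_POLICY, "cma-acme", moved)])
```

The point a practitioner should take from this is that the placeholder name is the contract: a CMA that spells the object name differently, or has not defined it at all, cannot receive the global policy, so the names need to be agreed before the policy is assigned.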

The Bottom Line

While it's not a groundbreaking advancement in multifirewall management, Provider-1 NG FP-1 is a natural evolution of the Check Point management line. Provider-1 NG has a rather short learning curve because it retains Provider-1's existing GUI for firewall management and its natural layout for SuperUsers.

Sticking with a tried-and-true management interface and architecture should maintain continuity on the upgrade path. Unlike other products, such as NetScreen Technologies' Global Pro 3.0 or SonicWALL's Global Management System, which are radical departures from standalone management stations, Provider-1 NG FP-1 offers a lot of new features in a familiar shell.

Mike Fratto is a senior technology editor. Send your comments on this article to him at mfratto@nwc.com.






