Re: [fw-wiz] OT: vendors please respond

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 09/26/03

  • Next message: Mike Hoskins: "Re: [fw-wiz] @Stake CTO fired for Microsoft comments"
    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 26 Sep 2003 23:23:19 +0530

    On 26/09/03 13:56 -0000, admin security Mehta wrote:
    (Following Paul's reply, I will try to make a few generic points for the
    archives).

    > My company is looking for security devices for its network of
    > branches.
    > I posted this mail here because I need experts' choice.
    > I was in doubt whether my earlier mail is posted or not so I
    > subscribed for this mailing list to post my query.
    >
    > We are looking into the following features:
    > -stateful inspection firewall
    > - support most used applications (ALGs)
    > - Powerful attack detection engine
    > - VPN
    > a) IPSec/IKE
    > b) L2TP over IPSec to use WIN XP VPN client
    > c) LDAP, SCEP
    > d) Hub and spoke support
    A few questions:

    1> Exactly what is this firewall supposed to be protecting?
    E.g.: Windows users from email-borne malware, web browsers from JavaScript
    based attacks, database servers from direct Internet access...

    2> What are the skill sets available in your organization?

    3> Are you willing to hire new personnel if needed to expand the
    available skillset?

    4> Are you looking for a single device to do all this? Or will you be
    willing to deal with multiple devices? Or perhaps multiple boxes with
    command line management?

    5> Are you looking for a single vendor to provide everything, or is mix
    and match acceptable?

    6> Do you need these at each location? Or one central location? Or
    packet filters everywhere while all connections to the Internet go
    through the main office which has ALGs available?

    7> Do you need an IDS integrated with the firewall? A separate IDS? Do
    you have a team of people who can deal with IDS reports? Do you need it
    to be an inline IDS?

    8> Do you need failover? Redundancy? Can you deal with downtime if a
    system fails?

    9> Do you need centralized management? Can each unit have its own
    management interface?

    10> Is a management GUI a must, or can command line controls work?

    > NOTE: My company prefers Indian based products.
    Indian based or locally supported? Right now, I know of very few
    companies which make firewall products for all your requirements, though
    I know a whole bunch of consultants who can mix and match a *BSD and/or
    Linux solution to suit your requirements.

    There are probably more questions you should be asking, but a basic sort
    order would be:
    1> Features you MUST have.
    2> Features you SHOULD have, but you can do without if needed without
    compromising on functionality.
    3> Features it would be nice to have, but are really not needed for core
    functionality.

    Devdas Bhagat

    [ My choice, as I have often stated previously, would be a packet filter
    in front, with ALGs for a few chosen protocols behind it. Branches have
    simple SPFs, which VPN into the head office, and then allow further
    access from there onwards. ]
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
