Re: [fw-wiz] Once again..appliance firewall input requested

From: Victor Williams (vbwilliams_at_neb.rr.com)
Date: 01/21/05

    To: Matt Bazan <Mbazan@onelegal.com>
    Date: Fri, 21 Jan 2005 15:18:51 -0600

    I have basically all the same requirements as you. I use Cisco PIX, and won't
    use anything else. You can buy 2 brand new units (1 unrestricted, 1 failover)
    of the PIX 515E for less than $9000 total with 6 physical interfaces and a VPN
    Accelerator card. As always, get the 24x7 support/replacement contracts for
    each device, just in case one goes bad. The thing I like about Cisco is that they
    don't muck around trying to troubleshoot. If you call in and say "It's dead, Jim",
    they have another one shipped before you get off the phone.

    I have yet to see an intuitive interface in a firewall product... they all have
    their own interpretation of similar/same feature sets, but I have come to like
    Cisco's PDM for the PIX. It all happens over SSL and, depending on your
    connection to the device, can be clunky, but I find it very usable. That being
    said, give me the CLI any day.

    Personally, I haven't had a PIX die yet (I know people who have though, and
    they've gotten replacements within the same day), but I've been using them for
    over 5 years. Nothing but rock solid performance for me.

    As for logging, the PIX sends it all to SNMP traps or syslog servers. I never
    wanted a firewall to do that for me; I always just wanted a dump of the data,
    and I pick what data I want by my own means, so the PIX logging may not be
    enough for you.

    Matt Bazan wrote:

    > OK <takes deep breath>... I may be in need of a replacement solution for
    > our current firewall appliances (two NetScreen 50s running in an active
    > / passive high availability solution). For reasons I won't get into (NS
    > being purchased by Juniper?), my trust in these units has been badly
    > eroded. I'd like input on what people are using and their satisfaction
    > levels with them.
    >
    > Our requirements:
    >
    > 1) We run a rapidly growing 24x7 web presence. As our Internet
    > uplink is 4Mb (ok, this will soon be going up... but only by a couple
    > Mb...), we don't need a beefy packet pushing device.
    > 2) We have 25 or so inbound NATs. I like to have 'granular'
    > control over source and dest NAT. By this I mean being able to split
    > these features based upon traffic flow and not having to create the
    > typical bi-directional NAT mapping.
    > 3) Need for 20 or so box-to-box VPNs. Auto key and manual key
    > with the usual VPN flavors.
    > 4) The basic requirements for setting policy based access (blah
    > blah)
    > 5) 3 interfaces (4 ideal)
    > 6) High availability solution
    > 6) Static routing only
    > 7) Intuitive web gui
    > 8) 'Robust' command line feature set
    > 9) Detailed reporting
    > 10) Configuration flexibility a must. I'll leave this to your
    > imagination.
    > 11) Something I can set up and it will *work* *work* *work*
    > 12) I'm sure there's more I'm forgetting but I'm suffering from
    > NetScreen induced sleep deprivation and am tired of typing.
    > 13) <=$15K for pair of units
    >
    > Thanks for the input!
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
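The "just give me the raw syslog dump and I'll pick what I want" approach Victor describes, as an added example that is not part of the thread: a small Python parser for the `%PIX-<severity>-<message_id>: <text>` prefix the PIX puts on every syslog message, which then counts messages per ID and pulls out the denied connections. The log lines, hostnames and addresses below are constructed for this example, not taken from a real PIX.

```python
import re
from collections import Counter

# Constructed sample of PIX syslog output as a syslog server would store it.
# Severity runs 0 (emergencies) to 7 (debugging), so a lower number is more severe.
SAMPLE_LOG = """\
Jan 21 15:18:51 fw1 %PIX-6-302013: Built outbound TCP connection 4412 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.0.2.25/3344 (198.51.100.2/1025)
Jan 21 15:18:52 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.77/4021 dst inside:198.51.100.2/445 by access-group "outside_in"
Jan 21 15:18:53 fw1 %PIX-6-302014: Teardown TCP connection 4412 for outside:203.0.113.10/80 to inside:192.0.2.25/3344 duration 0:00:02 bytes 1520 TCP FINs
Jan 21 15:18:54 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.77/4022 dst inside:198.51.100.2/445 by access-group "outside_in"
Jan 21 15:18:55 fw1 %PIX-5-111008: User 'enable_15' executed the 'write memory' command.
"""

# The PIX prefix: %PIX-<severity>-<message id>: followed by free text.
PIX_RE = re.compile(r"%PIX-(?P<severity>[0-7])-(?P<msg_id>\d+):\s*(?P<text>.*)$")
# Shape of the access-list deny text; the fields we care about are proto, src and dst.
DENY_RE = re.compile(r"Deny (?P<proto>\w+) src (?P<src>\S+) dst (?P<dst>\S+)")


def parse_line(line):
    """Return a dict for a PIX syslog line, or None if the line is not a PIX message."""
    m = PIX_RE.search(line)
    if not m:
        return None
    rec = {"severity": int(m["severity"]), "msg_id": m["msg_id"], "text": m["text"]}
    d = DENY_RE.match(rec["text"])
    if d:  # enrich denies with the endpoints so they can be aggregated
        rec.update(proto=d["proto"], src=d["src"], dst=d["dst"])
    return rec


def records(log):
    """Parsed records for every PIX line in the dump, skipping non-PIX noise."""
    return [r for r in (parse_line(l) for l in log.splitlines()) if r]


def count_by_message(log):
    """How many times each (severity, message id) pair appears: a quick inventory."""
    return Counter((r["severity"], r["msg_id"]) for r in records(log))


def denies_by_destination(log):
    """Denied connection attempts grouped by the destination they were aimed at."""
    return Counter(r["dst"] for r in records(log) if "dst" in r)


def at_most_severity(log, level):
    """Records at severity <= level, i.e. the more serious ones you actually want to read."""
    return [r for r in records(log) if r["severity"] <= level]
```

Pointing the script at a real syslog file instead of SAMPLE_LOG is the only change needed; anything that is not a PIX message is ignored rather than mis-parsed.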