Re: [fw-wiz] Intel vs. special purpose FW-1 servers

From: Keith A. Glass (salgak_at_speakeasy.net)
Date: 07/21/05

    To: "Emily Conrad" <emilydconrad@hotmail.com>, firewall-wizards@honor.icsalabs.com
    Date: Thu, 21 Jul 2005 13:40:20 +0000
    
    

    > -----Original Message-----
    > From: Emily Conrad [mailto:emilydconrad@hotmail.com]
    > Sent: Tuesday, July 12, 2005 08:17 PM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] Intel vs. special purpose FW-1 servers
    >
    > Hello,
    >
    > We are working on a project to upgrade our firewall infrastructure.
    >
    > One of the questions is whether to use FW-1 on a standard Intel server or to
    > use a special-purpose optimized version of FW-1 on a dedicated hardware
    > platform such as Nokia firewall appliance or Crossbeam systems C30/X40.
    >
    > Does anyone have any advice on what factors are important when making such a
    > decision?

    Several comments.

    1. Have you EVER previously implemented FW-1 on an Intel platform? IF not, I'd suggest an appliance-based solution. Personally, if I wanted to run FW-1 on generic hardware, I'd buy some cheap SunFire 120s and run it on Solaris, now that single-processor licenses for Solaris are free. I'd specifically recommend Solaris 9, and note that locking down a Solaris system for firewall usage is FAR easier and more complete than trying to lock down a Win2K/2K3 system.

    2. Are you looking to CLUSTER FW-1 for HA or load balancing? If so, you will DEFINITELY need to look for an optimized appliance-based solution. And, based on my experience, I'd suggest the Nortel "Alteon" systems for FW-1: a pair of Alteon Directors and a pair of compatible Alteon Accelerators give you a clustered solution that doesn't require you to play any oddball Cisco tricks on your switches, allows you a NUMBER of separated nets behind the firewall, and even multiple DMZs. I've used Nokia IP-series before, as well as FW-1 on Solaris, and can't say enough about the Alteon platform...

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

