Re: [fw-wiz] Opinions wanted...
- From: "Kurt Buff" <kurt.buff@xxxxxxxxx>
- Date: Sat, 24 Nov 2007 09:42:20 -0800
On Nov 23, 2007 3:06 PM, Dave Piscitello <dave@xxxxxxxxxxx> wrote:
> We might be able to offer better insights if we understood why you were
> replacing your current firewalls.

Obsolescence (the current firewalls are EOL) and a perceived need for
more sophisticated capabilities.

> Tim's comment re: common server platform is a good example of one
> motivation. In his situation, he's (presumably) confident that his
> server team can secure the underlying platform as well as an appliance
> solution (claims to) secure its product. Your motivation might be
> performance, issues with feature set of proxies, desire for an
> application level security feature you currently don't have, IPv6
>
> Nothing against VARs, but I would trust a security decision to security
> professionals. If the VAR has some and they can provide a security basis
> to support their recommendation, terrific. If not, then money may be
> the motive and that's not always the best motive where security comes
>
> I'd suggest you sit with your security team and anyone in your company
> who might have some insight into long term business objectives that will
> influence security requirements (e.g., VOIP). Identify the security
> objectives the current firewall cannot satisfy. Identify any new
> security objectives you expect you'll need to satisfy for whatever
> "business horizon" you can see.

I *am* the security team. Scary, isn't it? At the very least, it scares
me, when I stop to think about it. I think that's a good thing,
really, as it makes me confident of my ignorance, and I try not to
take anything for granted.
That said, I've worked with the IT Director, and we're making our best
effort at predicting the needs/requirements for our environment for
the next few years. We have a fair but assuredly incomplete picture of
what we expect to do near to mid term, and are trying to arrange for a
solution that will work for us.
But - I recognize that what we're doing isn't terribly sophisticated.
I've monitored this list, and many others for a *long* time
(greatcircle.com, anyone?), so have confidence that either product
will do what we need it to do given proper care and feeding. However,
I also recognize that these products are different, and those
differences may prove crucial to our operations. Unfortunately, we
don't have the time or manpower or sophistication to make a good
comparison ourselves. Hiring a consultant to make a recommendation
might not be a bad approach, but our best effort at the moment is to
pick two VARs with broad product lines, meet with them to describe our
situation, and ask our best questions and get their best
Checkpoint is more widely deployed than Sidewinder (or at least *way*
more talked about), but my recollections of talk on various lists,
this one in particular, plus other reading, lead me to believe that
it's a serious contender, and worthy of consideration. However, war
stories, or distillations thereof, from actual experience are at least
as valuable as any list of competing marketing bullet points.