Re: [fw-wiz] Opinions wanted...



On Nov 23, 2007 3:06 PM, Dave Piscitello <dave@xxxxxxxxxxx> wrote:
> We might be able to offer better insights if we understood why you were
> replacing your current firewalls.

Obsolescence (the current firewalls are EOL) and a perceived need for
more sophisticated capabilities.

> Tim's comment re: common server platform is a good example of one
> motivation. In his situation, he's (presumably) confident that his
> server team can secure the underlying platform as well as an appliance
> solution (claims to) secure its product. Your motivation might be
> performance, issues with feature set of proxies, desire for an
> application level security feature you currently don't have, IPv6
> support, etc.
>
> Nothing against VARs, but I would trust a security decision to security
> professionals. If the VAR has some and they can provide a security basis
> to support their recommendation, terrific. If not, then money may be
> the motive and that's not always the best motive where security comes
> into play.
>
> I'd suggest you sit with your security team and anyone in your company
> who might have some insight into long term business objectives that will
> influence security requirements (e.g., VOIP). Identify the security
> objectives the current firewall cannot satisfy. Identify any new
> security objectives you expect you'll need to satisfy for whatever
> "business horizon" you can see.

I *am* the security team. Scary, isn't it? At the very least, it scares
me, when I stop to think about it. I think that's a good thing,
really, as it makes me confident of my ignorance, and I try not to
take anything for granted.

That said, I've worked with the IT Director, and we're making our best
effort at predicting the needs/requirements for our environment for
the next few years. We have a fair but assuredly incomplete picture of
what we expect to do near to mid term, and are trying to arrange for a
solution that will work for us.

But - I recognize that what we're doing isn't terribly sophisticated.
I've monitored this list, and many others for a *long* time
(greatcircle.com, anyone?), so have confidence that either product
will do what we need it to do given proper care and feeding. However,
I also recognize that these products are different, and those
differences may prove crucial to our operations. Unfortunately, we
don't have the time or manpower or sophistication to make a good
comparison ourselves. Hiring a consultant to make a recommendation
might not be a bad approach, but our best effort at the moment is to
pick two VARs with broad product lines, meet with them to describe our
situation, and ask our best questions and get their best
recommendations.


Checkpoint is more widely deployed than Sidewinder (or at least *way*
more talked about), but my recollections of talk on various lists,
this one in particular, plus other reading, lead me to believe that
it's a serious contender, and worthy of consideration. However, war
stories, or distillations thereof, from actual experience are at least
as valuable as any list of competing marketing bullet points.

Kurt
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards