Summary: Contivity as a firewall?

From: Peter Farmer (url-securityfocus@freed.com)
Date: 12/27/01


Date: Wed, 26 Dec 2001 21:32:37 -0500
To: security-basics@security-focus.com
From: Peter Farmer <url-securityfocus@freed.com>

Thanks to all who responded.

I'll summarize the responses:
The Contivity is a pretty good VPN, and the firewall is OK. But it doesn't
match a "real" firewall (very few people offered specifics as to
why). Besides, it's always best to keep separate functions on separate
hosts. Nortel's support got mixed reviews -- at best.

A source of external authentication, such as Radius, was also suggested.

My thoughts:
- These comments pretty much agree with my early assessment -- in
particular, the fact that combining VPN and firewall eliminates a line of
defense.

- I was curious about the oft-mentioned difference between this firewall
and a "real" firewall. The only difference actually noted was the
Contivity's lack of Intrusion Detection Signatures.

- I have some concern about the throughput of the box -- but that's on
general principles, not on any data. I suspect that our DMZ will
eventually outstrip the box's capabilities -- but by then we'll probably
have added a separate firewall anyway.

Thanks again for your responses.

At 12:26 PM 12/19/01 -0600, HOULE, FRANCIS wrote:
>Monday, December 17, 2001, 7:52:16 PM, you wrote:
>
>It ain't that bad. The Contivity firewall is based on the Shasta, which
>was created by 2 ex-employees of Checkpoint. The way to proceed is
>like Checkpoint.
>
>pros: Stateful firewall, pretty good for VPN (DES, 3DES, L2TP, PPTP),
>can apply rules on inbound VPN. In the Contivity 600 you can add
>another Ethernet adapter and have a DMZ. So the box doesn't cost that
>much and represents a pretty good VPN box.
>
>cons: No IDS, no good support from Nortel. Nortel has a bad web site.
>
>I have implemented many Contivity 100/600/1600. I would tell you: if
>your main issue is VPN and you want a firewall by the way, I would
>suggest the Contivity.
>
>If you need a firewall as your main issue, and VPN is not major, use
>something else (Cisco PIX, NetScreen, Checkpoint).
>
>It's only my opinion, you can do what you want with it!
>
>--
>Francis
