Re: Firewall Info/Recommendations?
From: x y (jamescagney90210@excite.com) Date: 06/15/02
- Next message: x y: "Re: using Sonicwall to deny fin scan, etc"
- Previous message: : "Re: (NIS) security alert popup n/w"
- In reply to: Paul Hutchings: "Firewall Info/Recommendations?"
- Next in thread: Paul Hutchings: "Re: Firewall Info/Recommendations?"
- Reply: Paul Hutchings: "Re: Firewall Info/Recommendations?"
- Reply: Paul Hutchings: "Re: Firewall Info/Recommendations?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "x y" <jamescagney90210@excite.com> Date: Fri, 14 Jun 2002 20:35:38 -0400
Checkpoint is not a bad firewall for small data pipes and the easy GUI may
help you save money and keep yourself more secure without having to rely on
outside contractors who generally don't seem to know how to secure a
firewall. However, $9,000 makes it one of the most expensive solutions, and
it will cost maybe 40% again of that amount each year to get both updates
and tech support. That would be as much as $3600, or the price of three
Nortel Contivity switches or 7 Netscreen 5XPs, each year.
Having a third interface for DMZ capability is going to cost you a heap of
money no matter what product you go with [unless you go with a free OpenBSD,
FreeBSD or a Linux product with free firewall on an old 486 or 586 PC.
Steep learning curve but fairly easy installation, extra nic cards are free,
hot or cold spare backup or redundant firewalls in case of system failure
are free, and there are tons of freeware add-ons like reporting, vpn, etc.]
If you're keeping your ISA server, you don't really 100% need a firewall
with 3 interfaces or "DMZ capability" listed. It is an acceptable DMZ
architecture for a small network to have two firewalls in front of your
private network with the DMZ in between the two firewalls. You'll save a
lot of money if you settle for a device with only 2 interfaces and keep your
ISA server. One issue with doing this is that if someone was able to hack
into one of your servers in the DMZ, they could set up a sniffer and sniff
all the traffic from your internal network to the internet... although on
the other hand, internet-bound traffic like your internet email and web
browsing should be considered somewhat of a public conversation anyways.
I would recommend looking into the Netscreen 5XP. It has a lot of features,
all the features of their high end firewalls, including VPN and traffic
shaping and reporting that you don't even fully get with the Checkpoint
product at that price, and it's probably easy enough for you to learn to
configure it. Starts at $500, check ebay for prices on new and used models.
And for VPN connections at the remote offices, you could consider getting
two more Netscreen 5XPs. Some people here like Watchguard, but I have read
negative things about their tech support.
Cisco Pix 501 or 506 is another option also for a few hundred dollars, but
the gui is reportedly not the best and there is a learning curve if you want
to manage it yourself using IOS. On the other hand, Cisco has tons of free
support documentation on their web site, unlike other vendors. Nortel
Contivity is another firewall appliance starting around $1000 that
reportedly has good VPN.
If you like Checkpoint, there are appliances listed on the checkpoint.com
web page such as intrusion.com and nokia, some as low as $600 dollars.
These are small office FW-1, but Checkpoint seems to claim the features are
about the same. I would recommend making sure you can pay more to get the
Checkpoint FW-1 management software, and find out the price, since any
appliance that only has a web interface is probably not going to be
sufficient. checkpoint has a large number of vulnerabilities and patches
released each year, so the maintenance agreement to get updates is not
really optional. If you read a book and take and pass the CCSA
certification test for $125, you reportedly get 3 free tech support
incidents good for a year, and access to their searchable knowledge-base web
page. Then again, that should really be free.
"Paul Hutchings" <paul.hutchings@gmx.netNOSPAM> wrote in message
news:Xns922DB5F35AAE5paulhutchingsgmxnet@216.168.3.40...
> Current setup consists of our Internal Network and two satellite offices,
> all outbound Internet traffic goes through a Microsoft ISA server which
> controls who has outbound access, ISA then proxies the outbound connection
> through a Checkpoint FW-1 server.
>
> Our inbound connectivity consists of allowing SMTP/POP3/IMAP through both
> boxes to our internal mailservers, http/https to some websites on the
> internal LAN that are published through ISA (eg OWA), and http/https/ftp
> access to a webserver in a DMZ off the FW-1 box.
>
> It's possible that in the future we'd like to allow remote workers to VPN
> into our network.
>
> Our Internet connection is a 512kbps leased line, and approx 250 people
> have Internet access.
>
> I guess given US levels of bandwidth this looks tiny, but with the
> proxying
> that ISA provides we've no problem with speed/performance.
>
> The FW-1 box is running a fairly old version of FW-1 (3.x), upgrading to
> the latest version has been suggested by my boss.
>
> The approximate cost would be $9000, plus a server.
>
> I thought it would be worth considering an appliance firewall such as a
> PIX/Sonicwall as I like the idea of a dedicated brick which doesn't have
> any PC hardware/Windows/Microsoft issues for me to worry about (I get
> enough of that with ISA)
>
> I was looking at the Cisco website and noticed a PIX-506 which looked
> ideal, but then I saw it doesn't offer DMZ capability, so now I'm in the
> middle of looking at the 515, a PIX-515-R-DMZ runs at around $2800.
>
> Any thoughts on the PIX family, or alternatives?
>
> TIA for any suggestions/advice.
>
> rgds
> Paul
> --
> Paul Hutchings
> ****Remove NOSPAM when replying****
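The three-interface design the reply describes (a free OpenBSD box on a spare PC with one NIC each for the Internet, the internal LAN and the DMZ), written out as an OpenBSD pf.conf that passes only the services the original question lists. This is an added illustration, not configuration from anyone in the thread; interface names, addresses and the mail server placement are assumptions.

```pf
# Three-interface firewall: Internet / internal LAN / DMZ (assumed names and addresses)
ext_if  = "em0"            # Internet-facing
int_if  = "em1"            # internal LAN
dmz_if  = "em2"            # DMZ segment

int_net  = "192.168.1.0/24"
dmz_net  = "192.168.2.0/24"
mail_srv = "192.168.1.25"  # internal mail server (SMTP/POP3/IMAP published to the Internet)
dmz_web  = "192.168.2.10"  # public web server in the DMZ (http/https/ftp)
mail_ports = "{ 25 110 143 }"
web_ports  = "{ 80 443 21 }"   # active FTP additionally needs ftp-proxy(8)

set skip on lo
set block-policy drop

# Publish the two servers on the external address, hide both inside networks behind it
match in  on $ext_if proto tcp to ($ext_if) port $mail_ports rdr-to $mail_srv
match in  on $ext_if proto tcp to ($ext_if) port $web_ports  rdr-to $dmz_web
match out on $ext_if from { $int_net $dmz_net } to any nat-to ($ext_if)

# Default deny on every interface; log drops so they can be reviewed
block log all

# Drop packets that claim an inside source address but arrive on the wrong interface
antispoof quick for { $int_if $dmz_if }

# Internal LAN may initiate to the Internet and to the DMZ web server
pass in  on $int_if proto { tcp udp } from $int_net to any
pass out on $ext_if from $int_net to any
pass out on $dmz_if proto tcp from $int_net to $dmz_web port $web_ports

# Inbound from the Internet: mail to the internal mail server, web/ftp to the DMZ host only
pass in  on $ext_if proto tcp from any to $mail_srv port $mail_ports
pass in  on $ext_if proto tcp from any to $dmz_web  port $web_ports
pass out on $int_if proto tcp from any to $mail_srv port $mail_ports
pass out on $dmz_if proto tcp from any to $dmz_web  port $web_ports

# DMZ hosts may reach the Internet (updates) but never initiate toward the internal LAN.
# With its own interface the DMZ segment also never carries internal-to-Internet traffic,
# so a compromised DMZ host has nothing internal to sniff, unlike the two-firewall layout.
block in quick on $dmz_if from $dmz_net to $int_net
pass  in on $dmz_if proto { tcp udp } from $dmz_net to any
```

Check the rules with `pfctl -nf /etc/pf.conf` before loading them, and watch `pflog0` with tcpdump for the logged drops when something legitimate stops working.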