Re: Firewall Info/Recommendations?

From: G (george.gebhardt@attbi.com)
Date: 07/07/02


From: "G" <george.gebhardt@attbi.com>
Date: Sun, 07 Jul 2002 17:54:04 GMT

I would seriously consider an air-gap solution. This is the next generation
gateway. It provides a secure frontend by virtue of an air-gap...you could
offer secure access from any web browser without a VPN. I know this sounds
strange, but I am a security professional and air-gap is the only product we
carry. Let me outline a few features that no other firewall can touch.

1. Air-gap technology can inspect encrypted traffic

2. Provide secure access without a VPN from any web browser (this greatly
reduces helpdesk costs in supporting VPN clients)

3. Acts as certificate server, authentication, SSL engine

4. Upgrades and patches to the backend can be performed as part of regular
maintenance.

Basically the Air-gap switch gives you a physical disconnection, yet
allowing real time throughput at 100mbs. This has been used as a military
grade firewall in Israel. Easy to administer by virtue of a learning tool.
But best of all, it scales easily. Take a look at our website
www.infinitegenesys.com and look for Whale Communications in our product
section. I have been a security consultant for almost 10 years and I can tell
you that all firewalls (with the exception of air gap) are pretty much
alike. Different interfaces, proxy or not, etc... Let me know if you'd like
to know more.

Sincerely,
George Gebhardt

"Thom Price" <whuddageek@yahoo.com> wrote in message
news:be5d5a74.0206250631.8ad7e83@posting.google.com...
> While CheckPoint is a great firewall system, it's highly overpriced,
> esp. in yearly maintenance, as stated. That's been corrected somewhat
> in recent years, but still very high priced. Plus, it's not usually
> manageable without much higher-level support if you want things like
> VPN and DMZ.
>
> Used to be that SonicWall was a personal favorite, bang-for-the-buck,
> till they decided that the "3rd-gen" (their 3rd) units wouldn't come
> with unlimited firmware upgrades. I'd still get the yearly warranty
> on the units, but *forcing* people to buy the yearly support just to
> get what used to be free is quite a bit slimy, IMO. They set up
> easily, with good initial defaults, and allow DMZ in the ProVX at
> least, but again... think about what they may yank *next* year...
> Makes me avoid 'em.
>
> WatchGuard is a fine alternative, though SonicWall's interface is a
> bit better, again IMO.
>
> Cisco has really changed pricing in the last 2 years, so they
> absolutely become a high contender.
>
> When mentioning pricing, I expect that you'll want to provide a
> hardware firewall at each remote VPN site, so the pricing for 5- or
> 10-user is more what I mean. You can buy high-end at similar pricing,
> but low-end varies greatly, and now Cisco contends there. True that
> their support is more expensive than most, but their policies don't
> change. ;-/
>
> Stick with 1 brand when choosing, too. Don't get stuck trying to get
> VPN negotiations working between disparate theories, possible when you
> mix-and-match hardware vendors.
>
> BTW, I'll be checking out some Symantec devices at a show this week,
> to see how much Raptor has been built into their hardware units that
> are also attractively priced.
>
> Lastly, I saw a question about the mini- and pico-BSD (or similar)
> firewall units. If you're not a xN?X shop, and don't want the
> headache of learning on-the-fly, then avoid these for now. Play on
> your own, and get comfy with Linux or BSD, and introduce your bosses
> into it, *then* consider this kind of firewall... You don't want 'em
> screamin' cos they can't close/open a port, or even check a log 'cos
> they don't know where it is...
>
> 'luck. HTH a bit.
> Thom
> (really disappointed in SonicWall's turnaround on product support...
> bad news, but that's another thread)
>
> Paul Hutchings <paul.hutchings@gmx.netNOSPAM> wrote in message
> news:<Xns922DB5F35AAE5paulhutchingsgmxnet@216.168.3.40>...
> > Current setup consists of our Internal Network and two satellite
> > offices, all outbound Internet traffic goes through a Microsoft ISA
> > server which controls who has outbound access, ISA then proxies the
> > outbound connection through a Checkpoint FW-1 server.
> >
> > Our inbound connectivity consists of allowing SMTP/POP3/IMAP through
> > both boxes to our internal mailservers, http/https to some websites on
> > the internal LAN that are published through ISA (eg OWA), and
> > http/https/ftp access to a webserver in a DMZ off the FW-1 box.
> >
> > It's possible that in the future we'd like to allow remote workers to
> > VPN into our network.
> >
> > Our Internet connection is a 512kbps leased line, and approx 250 people
> > have Internet access.
> >
> > I guess given US levels of bandwidth this looks tiny, but with the
> > proxying that ISA provides we've no problem with speed/performance.
> >
> > The FW-1 box is running a fairly old version of FW-1 (3.x), upgrading to
> > the latest version has been suggested by my boss.
> >
> > The approximate cost would be $9000, plus a server.
> >
> > I thought it would be worth considering an appliance firewall such as a
> > PIX/Sonicwall as I like the idea of a dedicated brick which doesn't have
> > any PC hardware/Windows/Microsoft issues for me to worry about (I get
> > enough of that with ISA)
> >
> > I was looking at the Cisco website and noticed a PIX-506 which looked
> > ideal, but then I saw it doesn't offer DMZ capability, so now I'm in the
> > middle of looking at the 515, a PIX-515-R-DMZ runs at around $2800.
> >
> > Any thoughts on the PIX family, or alternatives?
> >
> > TIA for any suggestions/advice.
> >
> > rgds
> > Paul
