Re: PIX 501 vs Netscreen 5xp and suitability?
From: SA (noel_at_coserv.net)
Date: 05/11/03
- Next message: Thomas Stian Bergheim: "iptables multiple clients internal network warcraft3"
- Previous message: Larry W4CSC: "NSA in Windows?"
- In reply to: Paul Hutchings: "PIX 501 vs Netscreen 5xp and suitability?"
- Next in thread: Hannes Deeken: "Re: PIX 501 vs Netscreen 5xp and suitability?"
- Reply: Hannes Deeken: "Re: PIX 501 vs Netscreen 5xp and suitability?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 11 May 2003 08:10:20 -0500
As far as the NetScreen goes, I wouldn't go with a 5XP. I would use a
NetScreen-25 or higher. True, the NS-5XP will do what you need it to do, but
it is limited to 10 IPs unless you go with the Elite (unlimited IPs).
Also, the NS-25 and up have a separate DMZ port, thus segregating outside
traffic to just that port without the worry of outside traffic seeping into
the private LAN. Another thing is that the NS-5XP ports are 10M, while the 25 and
up series are 10/100M. There is a whole list of differences, but it seems,
for what your needs are, that the NS-5XP would be better suited for remote
users that need to tunnel into your network. Hope that helps.
-Scott
--
quaere verum

"Paul Hutchings" <paul@spamcop.net> wrote in message
news:Xns937869AD08E5paulhutchingsspamcop@130.133.1.4...
> Every so often I look at replacing our ageing Checkpoint perimeter
> firewall.
>
> Basically we have the following setup:
>
> LAN (Private IPs)
> |
> ISA Internal NIC (Private IP)
> ISA External NIC (Primary Public IP + several additional public IPs)
> |
> DMZ (two machines, around seven public IPs across them)
> |
> Checkpoint (Public IP)
> |
> Internet
>
> Now, the Checkpoint works perfectly but I keep getting a little paranoid
> that it's old/unsupported.
>
> We're in the UK and out of reach of anything other than leased lines, so
> bandwidth is really expensive, we currently have 512kbps, this may go up
> to 2mbps in six or so months..
>
> Now, the ISA does outbound NAT for all our internal machines, nothing on
> our LAN bypasses it, we also use ISA server publishing to map some of
> its public IPs to private IPs.
>
> Our Checkpoint ruleset pretty much boils down to allowing the primary
> public IPs of the ISA and the two DMZ machines out on certain protocols,
> and allowing "the internet" in on certain protocols to access our
> web/ftp sites and smtp/imap servers etc..
>
> At present we don't do VPN, though this may happen - if/when it does I
> imagine it will be on a small scale.
>
> Do I _really_ need any more than a PIX 501 or a Netscreen 5XP?
>
> I only have the ISA and DMZ boxes initiating outbound connections (the DMZ
> boxes only do this when I'm fetching updates and the likes) so that should
> be three IP addresses, well within the limits of the smaller PIX/5XP right?
>
> How do the 501 and 5XP stack up for inbound access - at present we have
> inbound rules allowing "the internet" various http/https/smtp/imap/ftp to
> various resources behind the checkpoint but all on public IPs.
>
> It seems the 501 and 5XP are sold as home-user boxes, when it appears they
> would do everything I need - given our setup, I'm unclear as to why I would
> need anything more?
>
> regards
> Paul
> --
> paul <at> spamcop.net
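As an added illustration, not part of either message in the thread, the following Python models the perimeter policy Paul describes: first-match permit rules letting the ISA external IP and the two DMZ hosts out on named protocols, "the internet" in only to the published web/ftp and smtp/imap services, and an implicit deny for everything else. It also counts the distinct inside hosts that actually get a permitted outbound session, which is the figure to compare against the 10-host NetScreen-5XP licence Scott mentions. All addresses (RFC 5737 documentation ranges), ports and sample sessions are constructed, since the thread names none.

```python
"""Constructed model of the ruleset described in the thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

IPNet = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed addresses from the RFC 5737 documentation range; the thread gives no IPs.
ISA_EXTERNAL = ipaddress.ip_network("203.0.113.10/32")   # ISA primary public IP
DMZ_WEB = ipaddress.ip_network("203.0.113.20/32")        # DMZ web/ftp host
DMZ_MAIL = ipaddress.ip_network("203.0.113.21/32")       # DMZ smtp/imap host

NS5XP_HOST_LIMIT = 10   # per-host licence limit quoted in the reply for a non-Elite 5XP


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" | "deny"
    direction: str        # "outbound" | "inbound"
    src: IPNet
    dst: IPNet
    proto: str            # "tcp" | "udp" | "any"
    dport: Optional[int]  # None matches any destination port


@dataclass(frozen=True)
class Flow:
    direction: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def _matches(rule: Rule, fl: Flow) -> bool:
    return (rule.direction == fl.direction
            and fl.src in rule.src
            and fl.dst in rule.dst
            and rule.proto in ("any", fl.proto)
            and rule.dport in (None, fl.dport))


def evaluate(rules: List[Rule], fl: Flow) -> Tuple[str, Optional[int]]:
    """First-match evaluation with an implicit deny when no rule matches."""
    for i, r in enumerate(rules):
        if _matches(r, fl):
            return r.action, i
    return "deny", None


def outbound_sources(rules: List[Rule], flows: List[Flow]) -> Set[ipaddress.IPv4Address]:
    """Distinct inside addresses that obtain a permitted outbound session,
    i.e. what a per-host licence would count."""
    return {f.src for f in flows
            if f.direction == "outbound" and evaluate(rules, f)[0] == "permit"}


def within_host_limit(rules: List[Rule], flows: List[Flow], limit: int = NS5XP_HOST_LIMIT) -> bool:
    return len(outbound_sources(rules, flows)) <= limit


POLICY = [
    # Outbound: ISA external IP and the two DMZ hosts on named protocols only.
    Rule("permit", "outbound", ISA_EXTERNAL, ANY, "tcp", 80),
    Rule("permit", "outbound", ISA_EXTERNAL, ANY, "tcp", 443),
    Rule("permit", "outbound", ISA_EXTERNAL, ANY, "udp", 53),
    Rule("permit", "outbound", DMZ_WEB, ANY, "tcp", 80),     # fetching updates
    Rule("permit", "outbound", DMZ_MAIL, ANY, "tcp", 25),    # outbound mail
    # Inbound: "the internet" to the published services only.
    Rule("permit", "inbound", ANY, DMZ_WEB, "tcp", 80),
    Rule("permit", "inbound", ANY, DMZ_WEB, "tcp", 443),
    Rule("permit", "inbound", ANY, DMZ_WEB, "tcp", 21),
    Rule("permit", "inbound", ANY, DMZ_MAIL, "tcp", 25),
    Rule("permit", "inbound", ANY, DMZ_MAIL, "tcp", 143),
]


def make_flow(direction: str, src: str, dst: str, proto: str, dport: int) -> Flow:
    return Flow(direction, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, dport)


# Constructed sample sessions (198.51.100.0/24 stands in for "the internet").
SAMPLE_FLOWS = [
    make_flow("outbound", "203.0.113.10", "198.51.100.5", "tcp", 80),
    make_flow("outbound", "203.0.113.20", "198.51.100.5", "tcp", 80),
    make_flow("outbound", "203.0.113.20", "198.51.100.5", "tcp", 22),    # not in policy
    make_flow("inbound", "198.51.100.77", "203.0.113.21", "tcp", 143),
    make_flow("inbound", "198.51.100.77", "203.0.113.21", "tcp", 3389),  # not published
    make_flow("inbound", "198.51.100.77", "203.0.113.10", "tcp", 80),    # ISA IP not published
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", evaluate(POLICY, f))
    print("inside hosts with permitted outbound sessions:",
          len(outbound_sources(POLICY, SAMPLE_FLOWS)),
          "within NS-5XP limit:", within_host_limit(POLICY, SAMPLE_FLOWS))
```

The count that matters for a per-host licence is the set returned by `outbound_sources`, not the number of rules: with only the ISA external IP and the DMZ boxes initiating sessions, as Paul says, it stays at three or fewer, and any inside host that unexpectedly shows up in that set is a sign something is bypassing the ISA.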