Re: Checkpoint experiences
From: Wolfgang Lonien (wjlonien_at_gmx.net)
Date: 10/16/03
- Next message: Kristian Rask: "Re: MAKING YOUR COMPUTER SYSTEM SECURE AFTER IT’S BEEN COMPROMISED"
- Previous message: Michael: "Sonicwall VPN Connected but can't access"
- In reply to: john dobbs: "Re: Checkpoint experiences"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 16 Oct 2003 10:09:13 +0200
john dobbs wrote:
> [bad Checkpoint experiences]
Hi John,
first thanks for the interesting story. After the very good answer from
Beowulf, I think I can add:
we are (actually we *were*, more to this later) a small business with <25
employees, started with 2 customers with whom we needed to set up VPNs, and
one of our colleagues works partly at home - so he needed a VPN too.
We reviewed a handful of hardware devices from the big ZyWalls up to
Watchguard, which I knew already, and we reviewed software solutions from
free (IPCop/Smoothwall) to half-free to commercial as well. Things like
Checkpoint or a PIX were clearly out of the range which we wanted to
invest.
We ended up with the Astaro Secure Linux Firewall, and we never regretted
it. It *can* be managed by someone without Linux experience, tho he/she
should know something of networks and routing of course. It protected us from
over 100.000 incidents reported by the cost-free IDS I set up as well. It
tunnels successfully with our homeworker and also with our clients, which
use Checkpoint (in fact, *I* helped *them* in both cases (one customer has
their own admins, the other uses external help)). So all in all we are
really happy with taking much effort in investigating & reviewing before we
made the decision.
What is the drawback?
Concerning the product we chose: nothing. The rest are "political" issues:
Our small company was bought by a global player. They have an IT department
with approx. 250 people, and of course they make their own reviews, have
their own policies, and they have a list of products which they support and
which ones they don't.
Now the important guys here need access to the mother company's Notes
Domino and SAP and everything, and the problem here is that the IT
department won't accept that - "who? Astaro? whotsdad?" - firewall to set
up tunnels to their PIXen. Instead, they want to send us a PIX which *they*
configure from external etc etc - a "blackbox" for us. This won't work of
course, because that way we would lose the VPNs to our customers and our
homeworkers, so after many days of talk we will get an additional Cisco
which I will hang onto the internet and a free interface of the Astaro - so
the PIX can make its tunnel to the big mama, and still *we* decide which
traffic goes in and out.
I hope you are happy with the results of your Netscreen tests - we found it
too expensive for what we wanted to do. If you're in doubt, check the
Astaro. You can download it, personal use (at home for instance) is free,
and prices are moderate compared to whatever we looked at. If you're not
kicked at because of political issues, this would be the way to go.
HTH,
wjl aka Wolfgang Lonien
-- Honda NTV '94 24-42Mm running on fuel everything else runs Debian ;-)