Re: Options for 50+ firewall deployment
From: Richard H Miller (rick_at_bcm.tmc.edu)
Date: 10 Jul 2004 02:51:07 GMT
JT (.) wrote:
: "tonesurfer" <firstname.lastname@example.org> wrote
: > We will be installing 50 or more internal firewalls to protect critial
: > portions of our network. The hope is to manage them all centrally with
: > a very small team (ie 3 people or so).
: Check out CiscoWorks VMS:
: In thier words, it:
: Enables the large-scale deployment of Cisco firewalls. Smart Rules is an
: innovative feature that allows a security policy to be consistently applied
: to all firewalls. Smart Rules allows a user to define common rules once,
: reducing configuration time and resulting in fewer administrative errors.
: <end excerpt>
: I've used it, and while it isn't the easiest software to learn (or cheap),
: it does a very good job of managing multiple devices.
50+ firewalls will represent a major investment so I would offer the following
1) if you are not CISSP or have several years in the field, hire a consultant to
assist you in the evaluation. If there is a firm that VAR's several different
firewalls, give them a higher wait in the election. They will not be as biased
on one manufactor's produ t line.
2) Take a look at what is out there, collect the marketing information and select
2-4 vendors that might work for you. [And if your current firewall does have this
capability weight it higher in the selection process; current expertise by your staff
3) I would seriously consider writing a formal RFP to require each of your candidates
to respond in writing to whether they can even meet your requirements. If you have
the cycles, make it an open RFP;you might be surprised by a vendor you knew nothing
about. Makue sure the RFP specifies throughput, fault tolerance, support and maintenance.
It also should include training
4) The RFP should be used to cut it down 2-3 finalists. Eahc of them should provide
you with demonstration equipment to allow you to see how easy each of them is for
YOU. This should be at no cost to you.
Checkpoint especially with the Edge-1 and Provider-1 provides the most widely deployed
enterprise level distributed enforcement/central management. NG has removed some of
the limitations and it is very easy to write complex policies.
>From what I have heard from other large scale firewall users is that Cisco still has
a bit of ground to make up in this type of environment. They are miles ahead of where
they were but still lag on some of the features other enterprise vendors now provide.
The bottom line is that given the size of your project, you have some leverage to try
before you buy;use it to make sure you and your staff are comfortable with the solution.
You all are the ones who have to make it work. All of us in the newsgroup simply provide
you with our advice, we are not responsble for making it work
Richard H. Miller, MCSE, CCSE+
Information Security Manager
Information Technology Security and Compliance
Information Technology - Baylor College of Medicine