Re: Options for 50+ firewall deployment

From: Richard H Miller (
Date: 07/10/04

    Date: 10 Jul 2004 02:51:07 GMT

    JT (.) wrote:
    : "tonesurfer" <> wrote
    : > We will be installing 50 or more internal firewalls to protect critical
    : > portions of our network. The hope is to manage them all centrally with
    : > a very small team (ie 3 people or so).

    : Check out CiscoWorks VMS:


    : In their words, it:

    : Enables the large-scale deployment of Cisco firewalls. Smart Rules is an
    : innovative feature that allows a security policy to be consistently applied
    : to all firewalls. Smart Rules allows a user to define common rules once,
    : reducing configuration time and resulting in fewer administrative errors.
    : <end excerpt>

    : I've used it, and while it isn't the easiest software to learn (or cheap),
    : it does a very good job of managing multiple devices.

    : JT

    50+ firewalls will represent a major investment, so I would offer the following:

    1) If you are not a CISSP or do not have several years in the field, hire a consultant to
    assist you in the evaluation. If there is a firm that VARs several different
    firewalls, give them a higher weight in the selection. They will not be as biased
    toward one manufacturer's product line.

    2) Take a look at what is out there, collect the marketing information and select
    2-4 vendors that might work for you. [And if your current firewall does have this
    capability, weight it higher in the selection process; current expertise by your staff
    is important.]

    3) I would seriously consider writing a formal RFP to require each of your candidates
    to respond in writing to whether they can even meet your requirements. If you have
    the cycles, make it an open RFP; you might be surprised by a vendor you knew nothing
    about. Make sure the RFP specifies throughput, fault tolerance, support and maintenance.
    It also should include training.

    4) The RFP should be used to cut it down to 2-3 finalists. Each of them should provide
    you with demonstration equipment to allow you to see how easy each of them is for
    YOU. This should be at no cost to you.

    Checkpoint, especially with the Edge-1 and Provider-1, provides the most widely deployed
    enterprise-level distributed enforcement/central management. NG has removed some of
    the limitations and it is very easy to write complex policies.

    From what I have heard from other large-scale firewall users, Cisco still has
    a bit of ground to make up in this type of environment. They are miles ahead of where
    they were but still lag on some of the features other enterprise vendors now provide.

    The bottom line is that given the size of your project, you have some leverage to try
    before you buy; use it to make sure you and your staff are comfortable with the solution.
    You all are the ones who have to make it work. All of us in the newsgroup simply provide
    you with our advice; we are not responsible for making it work.


    Richard H. Miller, MCSE, CCSE+
    Information Security Manager
    Information Technology Security and Compliance
    Information Technology - Baylor College of Medicine
