Educause Security Discussion mailing list archives

Re: Firewall Products


From: "Scholz, Greg" <gscholz () KEENE EDU>
Date: Fri, 3 Feb 2006 09:56:15 -0500

I have not used a PIX for about 2 years now so not sure what has
changed.  I will say though that for the experience I do have with it
and others, this is one case where Cisco's pricing does tend to be
pretty competitive (if not outright better).  I also prefer PIXen
compared to other "smarter" OS based firewalls.  Although most vendors
are going to stripped down Linux kernels and technically all Cisco OSs
are probably some derivative of a stripped down *nix variant, I find a
lot more comfort in devices where you cannot find ANY traces of the
original base OS.

Bang for the buck, I would still be seriously considering PIX as a pure
and effective firewall.

FYI: our organization is currently using Check Point.  We have too much
dollars and staff time/staff comfort invested to consider changing at
this point but may consider in the future.  The gripe I have with
Check Point is that it seems overly complicated for what we need it to
do.  Also, being "smarter" leaves a lot of room for mistakes
(both by us and the vendor). And the firewall is the last place I
want mistakes. (e.g. a new feature set to "monitor", not "enforce",
still enforced and broke a needed application leading some on campus to
have valid reason to "blame the firewall")

_________________________
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070

-----Original Message-----
From: Lee Weers [mailto:weersl () CENTRAL EDU] 
Sent: Friday, February 03, 2006 9:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firewall Products

I have a similar situation in that we have a 515 classic that we have
outgrown.  Limited budget (actually no budget until July).  I will be
looking at pricing of the Sidewinder from Secure Computing next week
with a vendor.  It sounds like a great appliance, but I am nervous about
the cost. 

-----Original Message-----
From: Flagg, Martin D. [mailto:FlaggMD () HIRAM EDU] 
Sent: Friday, February 03, 2006 8:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Firewall Products

I am a long time user of the PIX.  Currently we have outgrown our PIX.
My first thought was to replace it with another PIX.  I am having
second thoughts and am looking for opinions and advice.  The products
we have considered, so far, are PIX (or ASA line from Cisco), Fortigate
and the Astaro.  I like both the Fortigate and the Astaro but am
reluctant since I do not know anyone else using these products.

I am a little confused about where Cisco is going with its IDSM-2, FWSM
(PIX blade for 6500) and its ASA line.


My scenario is as follows

Limited budget, I can afford a Firewall but not a Firewall and a Web
Proxy/Web Antivirus product

Currently we have nothing protecting HTTP/HTTPS from viruses

I need to get nice reports and probably need a new syslog product/report
product, I have hardware already for this.

We currently have AntiSpam that we are happy with, a VPN that we are
happy with, a Cisco IDSM-2 that I am not happy with (not dynamic enough
and too much time spent tuning) and Email anti-virus that is OK.


Any help on or offline is appreciated.

Martin D. Flagg
Network Engineer/Administrator
Hiram College 
