Educause Security Discussion mailing list archives

Re: Juniper Firewalls


From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Date: Fri, 7 Dec 2007 14:20:10 -0700

We've been standardizing internally on the Juniper SSG line. I concur that transparent can be a little more difficult, 
partially because the documentation on transparent mode is less complete.  But it does make the deployment easy, since 
you don't have to change anyone's addressing.

Also (and this may have changed in the most recent OS) I believe that Active-Active HA is only supported with routed 
mode.

Steve

============================================
Steven Lovaas, MSIA, CISSP
IT Security Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
============================================


-----Original Message-----
From: John Kemp [mailto:kemp () NETWORK-SERVICES UOREGON EDU]
Sent: Thursday, December 06, 2007 4:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Juniper Firewalls

Clark, Joseph K wrote:
> How many segments?
> 3-4 Segments
>
> Transparent or routed
> Still testing both methods to determine what will be the best fit for
> our environment. I am currently leaning toward routed due to the load
> balancing option.


Yes, definitely.

From a management standpoint, it becomes a bear
to even identify machine locations when you have
that many segments and you are transparent.

The other place it gets you is VPN termination.
Some of it you can't do, and in general it gets
much harder if you are transparent.

2 cents.

/jgk
