Educause Security Discussion mailing list archives
Re: Enterprise Firewalls
From: "Miller, Richard H" <rick () BCM EDU>
Date: Thu, 27 Oct 2011 09:48:15 -0500
There are several good options out there. Cisco ASAs would be good since you are used to the Cisco technology and it would minimize your internal cost since you would not have to relearn nor have a major effort in converting your policy. Checkpoint also makes a good product either with their appliances or with a software solution using commodity hardware. I do have a concern with the ability to handle the higher bandwidth. Juniper also has an excellent product and we have been very interested in it. It also seems to be positioned to be able to handle not only the 10GB interfaces but potentially higher interfaces without having to swap out the entire frame. The Palo Alto also looks interesting but I would have some capacity concerns.

Are you looking just for firewall or do you also need S2S VPN, C2S VPN and IDS/IPS? I know all of the vendors will try to sell you a setup that will do everything, but if this is your perimeter, you also might consider splitting the firewall from the IDP/IPS and web filter. Also, you do need to determine what your bandwidth requirements will be. I see you want a 10-20 Gbps firewall, but will you have a requirement for a 10GB interface and will your bandwidth requirements approach 10Gbps through a single interface?

Determine what your requirements are and invite the major players in to discuss. You also might see if you can lab it up in a POC (we captured traffic and then replayed it through the candidates). You may wish to formalize your requirements into either an RFP or RFQ.

We selected based on:

* Best technology
* Ease in converting our policy to a new vendor (depending on how complex your policy is, this is a major consideration)
* Training internal staff on administration and engineering of the new gear

And in our case it was better to stay with our current vendor.

Richard H. Miller, CISSP, CCSE+
Information Security Manager
Information Technology Security and Compliance
Information Technology - Baylor College of Medicine

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Foerst, Daniel P.
Sent: Wednesday, October 26, 2011 4:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Enterprise Firewalls

Hey all,

For the past several years we have been operating with Cisco Firewall Services Modules. They have done what we needed them to do, but they are getting quite a bit long in the tooth. Recently I was asked what projects I would need funding for in the coming fiscal year and I mentioned the need to upgrade a set of our FWSMs to be able to accommodate greater increase in our network infrastructure in addition to the ever changing network security topology.

I am aware that Cisco has recently made their ASA line of firewalls available as a services module to the 6500 & 7600 series chassis switches & routers as the future for the Firewall Services Module. However, I would like to learn what others on this list use for their network security and why they chose a specific vendor over another.

Whatever solution I select will have a minimum of 10Gbps throughput, more likely 20Gbps. So I can make an even comparison between the Cisco ASA services module and another vendor, but I really do not know what else to search for yet. The idea of next generation firewalls sounds interesting, but I really do not know yet.

Thanks much for anything you are willing to share!

-dan

Daniel Foerst
Assistant Director, Networks & Security
The Catholic University of America
Washington, DC 20064

Current thread:
- Enterprise Firewalls Foerst, Daniel P. (Oct 26)
- Re: Enterprise Firewalls Miller, Richard H (Oct 27)
- Re: Enterprise Firewalls Bradley, Stephen W. Mr. (Oct 27)