Educause Security Discussion mailing list archives

Checkpoint 13500 Next Generation Firewall/Security


From: "Boyd, Daniel" <dboyd () BERRY EDU>
Date: Mon, 8 Dec 2014 14:19:13 +0000

First, let me say we do not have experience with this equipment, nor do we have 14,000 students, so you can stop 
reading now if you are not interested, but I wanted to offer some validity to the idea that Internet traffic is 
different and devices don't all handle it the same way.

We've seen this before in our environment.  We tested a firewall product from a vendor that will remain unnamed (not 
Checkpoint).  The throughput of the device and the capabilities were easily ten times what we would ever run, even at 
peak times, but this device fell on its face under the load of our network, particularly the residence hall network.  
Even when running only parts of our network through it, it failed time and time again.  No amount of software updates 
or configuration changes would make it work; both we and their support engineers were baffled.  We went back to our 
original vendor, Sonicwall (now Dell Sonicwall), for our solution and didn't look back.

I think it proves that while network traffic might just be streams of data, the way the designers expect traffic to 
flow determines their design and optimizations, and when the device sees traffic that is radically different, it could 
potentially not handle it and fall over.  That seemed to be the case in our instance, as I had seen this firewall 
perform just fine on much larger networks.  Sometimes the only solution is just to find another vendor, but I know it 
is never that simple once a solution has been purchased.

Just my $.02

Daniel H. Boyd (94C)
Senior Network Architect
Security Governance and Documentation Committee Chair
Network Operations
Berry College
Phone: 706-236-1750
Fax:     706-238-5824

There are two rules to follow with your account passwords:
1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!!
2. If unsure, consult rule #1

