Firewall Wizards mailing list archives
fundamental disagreements (was Re: Firewall/VPN recommendation for (Ex-) Gauntlet reseller)
From: "Chris Trudeau" <chris () trudeau org>
Date: Sun, 1 Oct 2000 18:36:21 -0400
From: "Stuart Flisher" <stuart.flisher () btinternet com>
To: "Patrick M. Hausen" <hausen () punkt de>, "fw-wiz" <firewall-wizards () nfr net>
Subject: Re: [fw-wiz] Firewall/VPN recommendation for (Ex-) Gauntlet reseller
Date: Tue, 26 Sep 2000 16:56:36 +0100
For me has to be Check Point FW1 / VPN1. Easy to install and use. Check out www.phoneboy.com for loads of info.
Checkpoint is fast... not necessarily the most secure... If ease of use is a requirement, then by all means consider Checkpoint.
Which platform? Easiest is probably the Nokia boxes for low to medium traffic. I think there is a limit of four NICs on the Nokia box if it is important. Nokia boxes can be configured for failover.
That of course would depend on the model Nokia you purchase. They make these to suit many different business requirements.
My favourite is Check Point on Sun Ultra 5's or E220's, the latter if you think you need more memory and more processors. The Ultra 5 has a maximum of 7 NICs and the E220 is 16 (I think) if you use QFE cards. Sun boxes probably offer better performance than Nokia boxes.
I don't understand the limit of 7 NICs on an Ultra 5. I thought there were three or four PCI slots, which would in theory accommodate 12 or 16 respectively using Quad Fast Ethernet cards. The 220R does in fact have more room for expansion, as mentioned above.
If you need VPN accelerator cards then I don't think the Nokia boxes support them (yet), whereas the Sun boxes do. Check Point firewall integrates well with Entrust and Baltimore PKI's and probably others if needed. Checkpoint is IPSEC compliant so integration with FSecure should be OK for manual IPSEC and shared secret IPSEC.
The Nokia boxes, depending on the model you select, do in fact accommodate and have software packages available for the VPN accelerator cards. The VPN CAN be configured to accept manual and shared secret IPSEC keys for auth/access and F-Secure's client works well.
Other things to consider...
High availability / failover / dynamic load balancing can be achieved using Stonebeat, having up to 16 nodes in a cluster.
Rainfinity's competitive solution has a theoretical limit of 256 devices in a cluster. Check out http://www.rainfinity.com
This will use up more NICs than your standard firewall with DMZ's (that's why I mentioned the numbers above), as heartbeat LANs are used. This solution uses multicast to get all traffic to all firewall nodes. More to think about than the Nokias for the budding die-hard techies.
Rainfinity's solution is supposed to be a bit more slick and more functional than Stonebeat's. These I believe have also been ported to run on the Nokia Platform. Expansion across different firewalling technologies will probably follow soon...
Other solutions for load balancing involve layer 3 switches such as those from Hyperflow and alteon.
Although I have never agreed with the marketing behind calling these layer-anything switches, I'm fairly certain that I wouldn't limit their capabilities to layer 3, as that market is pretty saturated anyway. These devices operate at layer 4 and above to provide things like port redirection and proxying capabilities. Included are also ArrowPoint and a virtual plethora of others.
FSecure Anti-Virus can be used with Check Point for network monitoring of ftp, http and smtp traffic.
As can others. F-Secure's is pretty tight, but Trend, Norton and others make CVP-compliant packages.
Check Point has other products such as Floodgate for bandwidth management, which is quite useful, although it doesn't work well if you are using the Stonebeat clustering mentioned above. Not sure about Floodgate with Nokia.
Never understood why I would pay for that license when there are specialized devices that do this. Consider Packeteer...
If you like getting your hands dirty then there is always a Linux box and ipchains; your command line skills will be needed here, but some of your pre-requisites will not be met.
See that you didn't mention Checkpoint/Linux. A very affordable and speedy solution. Functional and fast. Although I'm not convinced that a clever consolidation of ipchains/netfilter and FreeSWAN couldn't offer the same functionality, I'm fairly certain that Checkpoint's hefty price tag and market strength provide a level of recognition (although one would hope that recognition would not come from a cracker hoping to get a nut...)
Sorry NT didn't get a mention :)
Please don't be!

CT
_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
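As an added example, not part of the thread and not code from either poster, here is the kind of "hands dirty" Linux ruleset the exchange above alludes to: a three-legged netfilter firewall (outside, inside, DMZ) with connection tracking, anti-spoofing, and a DMZ that cannot originate connections into the LAN. It is written against iptables rather than ipchains, since ipchains has no connection tracking. Interface names, address ranges, the DMZ host addresses, and the APPLY/ipt wrapper are all assumptions made for this example; by default it only prints the rules so the policy can be reviewed before it is applied as root with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the original thread): a three-legged netfilter
# firewall for outside / inside / DMZ. All names and addresses below are
# assumptions for illustration.
EXT_IF=${EXT_IF:-eth0}            # towards the Internet
INT_IF=${INT_IF:-eth1}            # internal LAN
DMZ_IF=${DMZ_IF:-eth2}            # DMZ
INT_NET=${INT_NET:-10.1.0.0/16}
DMZ_NET=${DMZ_NET:-192.0.2.0/24}
DMZ_WEB=${DMZ_WEB:-192.0.2.10}    # assumed web/ftp server in the DMZ
DMZ_MAIL=${DMZ_MAIL:-192.0.2.25}  # assumed SMTP relay in the DMZ

# Apply a rule only when APPLY=1 and we are root; otherwise print it for review.
ipt() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_ruleset() {
    # Default deny on every chain, then permit only what the policy needs.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -F
    ipt -t nat -F

    # Anti-spoofing: internal or DMZ source addresses must never arrive on the outside.
    ipt -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP
    ipt -A FORWARD -i "$EXT_IF" -s "$DMZ_NET" -j DROP

    # Stateful: replies to permitted connections are allowed everywhere.
    # (For active-mode FTP data channels, load ip_conntrack_ftp as well.)
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT

    # Inside -> outside and inside -> DMZ: new connections allowed.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$INT_NET" -m state --state NEW -j ACCEPT

    # Outside -> DMZ: only the published services (http, ftp, smtp).
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_WEB"  -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_WEB"  -p tcp --dport 21 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_MAIL" -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # DMZ -> inside: nothing may originate from the DMZ (a compromised DMZ host
    # must not reach the LAN). DMZ -> outside: only the relay may send SMTP.
    ipt -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j LOG --log-prefix "DMZ->LAN denied: "
    ipt -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j DROP
    ipt -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$DMZ_MAIL" -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # The firewall itself: SSH from the inside only; it may initiate its own
    # traffic (DNS, NTP, updates).
    ipt -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -m state --state NEW -j ACCEPT

    # Hide the LAN behind the outside address.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE

    # Log (rate-limited) whatever falls through; the chain policy then drops it.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW denied: "
}

build_ruleset
```

Run it once without APPLY to read the generated rules; the ordering matters, since the anti-spoofing drops sit before the ESTABLISHED rule and the DMZ-to-LAN drop sits before any DMZ accept, so a later, broader rule cannot quietly override them.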
Current thread:
- fundamental disagreements (was Re: Firewall/VPN recommendation for (Ex-) Gauntlet reseller) Chris Trudeau (Oct 03)