Firewall Wizards mailing list archives

fundamental disagreements (was Re: Firewall/VPN recommendation for (Ex-) Gauntlet reseller)


From: "Chris Trudeau" <chris () trudeau org>
Date: Sun, 1 Oct 2000 18:36:21 -0400

From: "Stuart Flisher" <stuart.flisher () btinternet com>
To: "Patrick M. Hausen" <hausen () punkt de>,
"fw-wiz" <firewall-wizards () nfr net>
Subject: Re: [fw-wiz] Firewall/VPN recommendation for (Ex-) Gauntlet reseller
Date: Tue, 26 Sep 2000 16:56:36 +0100

For me has to be Check Point FW1 / VPN1. Easy to install and use. Check out
www.phoneboy.com for loads of info.

Checkpoint is fast...not necessarily the most secure...If ease of use is a
requirement, then by all means consider Checkpoint.

Which platform? Easiest is probably the Nokia boxes for low to medium
traffic. I think there is a limit of four NICs on the Nokia box if it is
important. Nokia boxes can be configured for failover.

That of course would depend on the model Nokia you purchase.  They make these
to suit many different business requirements.

My favourite is Check Point on Sun Ultra 5's or E220's, the latter if you
think you need more memory and more processors. The Ultra 5 has a maximum of
7 NICs and the E220 is 16 (I think) if you use QFE cards. Sun boxes probably
offer better performance than Nokia boxes.

I don't understand the limit of 7 NICs on an Ultra 5.  I thought there were
three or four PCI slots, which would in theory accommodate 12 or 16
respectively using Quad Fast Ethernet cards.  The 220R does in fact have
more room for expansion, as mentioned above.

If you need VPN accelerator cards then I don't think the Nokia boxes support
them (yet), whereas the Sun boxes do. Check Point firewall integrates well
with Entrust and Baltimore PKIs and probably others if needed. Checkpoint
is IPSEC compliant so integration with FSecure should be OK for manual IPSEC
and shared secret IPSEC.

The Nokia boxes, depending on the model you select, do in fact accommodate
and have software packages available for the VPN accelerator cards.  The VPN
CAN be configured to accept manual and shared secret IPSEC keys for
auth/access and F-Secure's client works well.

Other things to consider...

High availability / failover / dynamic load balancing can be achieved using
Stonebeat having up to 16 nodes in a cluster.

Rainfinity's competitive solution has a theoretical limit of 256 devices in
a cluster.  Check out http://www.rainfinity.com

This will use up more NICs than your standard firewall with DMZ's (that's
why I mentioned the numbers above), as heartbeat LANs are used. This solution
uses multicast to get all traffic to all firewall nodes. More to think about
than the Nokia's for the budding die hard techies.

Rainfinity's solution is supposed to be a bit more slick and more functional
than Stonebeat's.  These I believe have also been ported to run on the Nokia
Platform.  Expansion across different firewalling technologies will probably
follow soon...

Other solutions for load balancing involve layer 3 switches such as those
from Hyperflow and alteon.

Although I have never agreed with the marketing behind calling these layer
anything switches, I'm fairly certain that I wouldn't limit their
capabilities to layer-3 as that market is pretty saturated anyway.  These
devices operate at layer-4 and above to provide things like port redirection
and proxying capabilities.  Included are also ArrowPoint and a virtual
plethora of others.

FSecure Anti-Virus can be used with Check Point for network monitoring of
ftp, http and smtp traffic.

As can others.  F-secure's is pretty tight, but Trend, Norton and others
make CVP compliant packages.

Check Point has other products such as Floodgate for bandwidth management
which is quite useful although doesn't work well if you are using stonebeat
clustering mentioned above. Not sure about Floodgate with Nokia.

Never understood why I would pay for that license when there are specialized
devices that do this.  Consider Packeteer...

If you like getting your hands dirty then there is always a Linux box and
ipchains, your command line skills will be needed here but some of your
pre-requisites will not be met.

See that you didn't mention Checkpoint/Linux.  A very affordable and speedy
solution.  Functional and fast.  Although I'm not convinced that a clever
consolidation of ipchains/netfilter and FreeSWAN couldn't offer the same
functionality, I'm fairly certain that Checkpoint's hefty price tag and
market strength provide a level of recognition (although one would hope that
recognition would not come from a cracker hoping to get a nut...)

Sorry NT didn't get a mention :)

Please don't be!

CT



_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards