Firewall Wizards mailing list archives

Re: bridging enterprise hardware firewall


From: Chad Schieken <cschieken () lucent com>
Date: Wed, 13 Feb 2002 16:08:02 -0500



I can think of two offhand --

Netscreen --

Strong product, really strong price/performance ratio. I could think of a couple of minor improvements that would go a long way... Some neat features are support for admin via local CLI (via ssh), local web (allows for SSL), or secure centralized management (for some extra $$$, but well worth it if you're gonna have a few of these). There are some quirks to the way you need to specify rules in "transparent/bridge mode" so that you don't fill up memory/table space with things that are not relevant to your security design, but they document these well online at the knowledge base.

Has awesome QoS features, and strong IPsec support with decent interoperability (Cisco, Checkpoint, etc.). I wish the online knowledge base had a little more detail in the solutions it offers, but I think I'd always say that no matter what. Has poor support for non-TCP/IP type stuff like GRE, IPX, DECnet, AppleTalk (but so do most firewall vendors). Multicast support is kind of a big weak point, especially if you want multicast with IPsec VPNs (here comes the GRE tunnel between the routers....)


Lucent Brick -- aka "lucent managed firewall"
Really strong admin interface, but that requires a centralized mgmt station to run it on. One neat thing is that it doesn't contain any method of control outside of the mgmt interface, meaning even if you have physical access you can't change rules (although you could power cycle the box and command it to talk to a different mgmt station, but the central station would notice this activity).

Rules are specified and applied according to zone definitions (a zone is a collection of specific IPs). This allows for very granular control, including strong features for multiple administrators. I.e., an admin from R&D can be given access to and control over the R&D zone, while an admin from Sales can have an entirely different ruleset or policy.

Mgmt station works great, but it's a real pain to install it without X Windows on Solaris. Makes it kind of tough to minimize the system and harden it as well. I know the product people typically recommend that you hang the admin off an interface of a brick (the firewall appliance itself), but I like defence in depth. Once it's up and running it even allows for an HA setup between mgmt stations, and sync between them.



later...
chad

*I work for Lucent, but for a division that isn't tied to the product house that sells the Brick.


At 11:02 AM 2/13/2002, luke () setel com wrote:

I'm investigating various commercial firewall solutions for a client
at the moment.  Currently their branch offices are behind OpenBSD
3.0 firewalls operating in transparent bridging mode.
We've discussed moving to a commercial firewall solution for all
branches (mostly because of management desires), and I'm looking at
a variety of products at the moment.  Ideally, we would still like
to stick w/ a transparent bridging solution to avoid addressing and
routing complications that would otherwise be introduced.  We're
currently looking at Nokia IPSO devices, but I am unaware if that product line can be used in the same way.

So basically my question is, what enterprise integrated firewall
products are capable of similar functionality at this point?

TIA

--
PGP Key ID = DEC7301B
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards