Security Basics mailing list archives

RE: Firewall Hardware Recommendations


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Mon, 29 Dec 2003 13:33:42 -0800


        Docs *murmur* *spit* *bubble*, must read more material
*shudder*. Personally I like Microsoft documentation to cure my insomnia
but Cisco makes for good medicine also. I've never used the manager, so
next time I set up a PIX I'll have to load it on up and give it a shot. I
work with the Cisco routers' CLI more than the PIX CLI, so when working
in the S-IOS CLI I'm a bit slow, like a moron reading a FAQ.

        You're absolutely right, the PIX isn't a wire speed firewall, if
there even is such a thing. But personally, using a PIX 525 in a high
traffic 1000+ node environment, it didn't become a bottleneck.

        I've never had a problem with the 'few' WatchGuard boxes I've
worked with, what are the circumstances of their 'crash and burn'?

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]

Sent: Monday, December 29, 2003 1:11 PM
To: Shawn Jackson
Cc: jamesworld () intelligencia com; Keith Duemling;
security-basics () securityfocus com
Subject: RE: Firewall Hardware Recommendations

Shawn,

WatchGuard has you pay for VPN licenses.

If you want to configure a VPN straight CLI and you are not proficient
with it, yes it can be challenging (but that's what the docs are for :-)

Have you tried working with the PDM?  You can have a VPN connection
(remote access or point-to-point end) set up in minutes QUITE easily.

The NetScreen box is not mature enough yet in my analysis.  (and yes I
have talked with some ppl who were rather high up in the NetScreen chain
and it's echoed).

Is it fast, yes of course it's ASIC based.  Is the PIX fast? of
course.  Unless you are pushing Gigabit traffic with a tremendous load
80%+ 100% of the time, the PIX is great.  And like you said, it's secure.
Heck, the NSA gave version 4.4 thumbs up!  and we are at 6.3 currently
and the boxes are plenty fast.

BTW....WatchGuards have a NASTY habit of crashing and having to be
reconfigured from scratch (yes I am certified and have heard it even
from their tech support)

FWIW,
-J

At 12:03 12/29/2003, Shawn Jackson wrote:

        WatchGuard more secure than PIX? Probably a sales person from
another vendor, gotta love them. I've protected banks with the PIX 515
and 525 series and they're rock solid. Update your Secure-IOS and
maintain your ACLs and you're golden. Unlike SonicWall (maybe even
WatchGuard now too) you don't have to pay for the VPN component. A
SonicWall PRO 230 + VPN Licenses + Client Licenses = More than a PIX 515.
I've heard, but never seen, that WatchGuard is in the same licensing
frenzy. Can't speak for NetScreen, I've personally tried to stay away
from them, they give me the willies, but it's been a while since I looked
at them last.

        Same Q's as J. What Model? What S-IOS version? How Old, etc. I
admit, with head held in shame, that configuring the PIX can be a pain
in the arse, especially when you're working with the IPSEC end of a VPN
configuration, and I've never set up PPTP on a PIX, but have done so on
many Cisco routers with few problems.

        Honestly, whoever sold you that load of bull needs help, no
disrespect intended, but in security, facts rule the digital road and
misinformation is the hazard just around the next corner.

I hope EVERYONE had a safe and uneventful Christmas + Boxing Day. Set
aside some time today to review your logs (that built up) in full before
saving them and clearing them from the active log files.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com

Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: jamesworld () intelligencia com
[mailto:jamesworld () intelligencia com]

Sent: Sunday, December 28, 2003 10:34 PM
To: Keith Duemling
Cc: security-basics () securityfocus com
Subject: Re: Firewall Hardware Recommendations

Keith,

Curious,  What Cisco firewall do you currently have and what version OS
is on it?

Who told you that a WatchGuard firewall is more secure than a Cisco
firewall?

The PIX does what you are asking for.  If you have information to the
counter, please post.

Cheers!
-J

At 19:32 12/23/2003, Keith Duemling wrote:
Just wanted to get some feedback from the list regarding some research
I'm currently working on.  We're replacing our existing Cisco firewall
with a dedicated firewall hardware/software solution to provide greater
security and VPN access.

I've been looking at the NetScreen and various WatchGuard products at
this time.  The current environment is as follows:

- NAT environment
- DMZ to host web accessible servers
- 100 internal users
- Extensive intranet site & visitation to several high profile B2B sites.
- Constant 10 user VPN community.
- Redundant T1 connection managed by RADware Linkproof hardware solution.

Any recommendations would be greatly appreciated.  Thanks in advance.

Keith Duemling
MCP
