Security Basics mailing list archives
RE: Firewall Hardware Recommendations
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Mon, 29 Dec 2003 13:33:42 -0800
Doc's *murmur* *spit* *bubble*, must read more material *shudder*. Personally I like Microsoft documentation to cure my insomnia but Cisco makes for good medicine also. I've never used the manager, so next time I setup a PIX I'll have to load it on up and give it a shot. I work with the Cisco routers CLI more then the PIX CLI, so when working in the S-IOS CLI I'm a bit slow, like a moron reading a FAQ. You're absolutely right, the PIX isn't a wire speed firewall, if there even is a thing. But personally using a PIX 525 in a high traffic 1000+ node environment it didn't become a bottleneck. I've never had a problem with the 'few' WatchGuard boxes I've worked with, what are the circumstances of their 'crash and burn'? Shawn Jackson Systems Administrator Horizon USA 1190 Trademark Dr #107 Reno NV 89521 www.horizonusa.com Email: sjackson () horizonusa com Phone: (775) 858-2338 (800) 325-1199 x338 -----Original Message----- From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com] Sent: Monday, December 29, 2003 1:11 PM To: Shawn Jackson Cc: jamesworld () intelligencia com; Keith Duemling; security-basics () securityfocus com Subject: RE: Firewall Hardware Recommendations Shawn, WatchGuard has you pay for VPN lic's. If you want to configure a VPN straight CLI and you are not proficient with it, yes it can be challenging (but that's what the doc's are for :-) Have you tried working with the PDM? You can have a VPN connection (remote access or point-to-point end) set up in minutes QUITE easily. The netscreen box is not mature enough yet in my analysis. (an yes I have talked with some ppl who were rather high up in the netscreen chain and it's echoed). Is it fast, yes of course it's asic based. Is the PIX fast? of course. Unless you are pushing Gigabit traffic with a tremendous load 80%+ 100% of the time, the PIX is great. And like you said, it's secure. Heck, the NSA gave version 4.4 thumbs up! and we are at 6.3 currently and the boxes are plenty fast. BTW....WatchGuards have a NASTY habit of crashing and having to be reconfigured from scratch ( yes I am certified and have heard it even from their tech support) FWIW, -J At 12:03 12/29/2003, Shawn Jackson wrote:
WatchGuard more secure then PIX? Probably a sales person from another vendor gotta love them. I've protected banks with the PIX 515 and 525 series and their rock solid. Update your Secure-IOS and
maintain
your ACL's and your golden. Unlike SonicWall (maybe even WatchGuard now too) you don't have to pay for the VPN component. A SonicWall PRO 230 + VPN Licensees + Client Licensees = More then a PIX 515. I've heard, but never seen, that WatchGuard in the same licensing frenzy. Can't speak for NetScreen, I've personally tried to stay away from them, they give me the willies, but it's been a while since I looked at them last. Same Q's as J. What Model? What S-IOS version? How Old, etc. I admit, with head held in shame, that configuring the PIX can be a pain in the arse, especially when you're working with the IPSEC end of a VPN configuration and I've never setup PPTP on a PIX, but have done so on many Cisco routers with little problems. Honestly, whoever sold you that load a bull needs help, no disrespect intended but in security facts rule the digital road and misinformation is the hazard just around the next corner. I hope EVERYONE had a safe and uneventful Christmas + Boxing Day. Set aside some time today to review your logs (that built up) in full
before
saving them and clearing from the active log files. Shawn Jackson Systems Administrator Horizon USA 1190 Trademark Dr #107 Reno NV 89521 www.horizonusa.com Email: sjackson () horizonusa com Phone: (775) 858-2338 (800) 325-1199 x338 -----Original Message----- From: jamesworld () intelligencia com
[mailto:jamesworld () intelligencia com]
Sent: Sunday, December 28, 2003 10:34 PM To: Keith Duemling Cc: security-basics () securityfocus com Subject: Re: Firewall Hardware Recommendations Keith, Curious, What cisco firewall do you currently have and what version OS is on it? Who told you that a WatchGuard firewall is more secure than a Cisco firewall? The PIX does what you are asking for. If you have information to the counter, please post. Cheers! -J At 19:32 12/23/2003, Keith Duemling wrote:Just wanted to get some feedback from the list regarding some
research
I'mcurrently working on. We're replacing our existing Cisco firewall
with
adedicated firewall hardware/software solution to provider greatersecurityand VPN access. I've been looking at the Netscreen and various Watchguard products atthistime. The current environment is as follows; - NAT environment - DMZ to host web accessible servers - 100 internal users - Extensive intranet site & visitation to several high profile B2Bsites.- Constant 10 user VPN community. - Redundant T1 connection managed by RADware Linkproof hardwaresolution.Any recommendations would be greatly appreciated. Thanks in advance. Keith Duemling MCP----------------------------------------------------------------------- ---- ----------------------------------------------------------------------- ----- -----------------------------------------------------------------------
-
--- -----------------------------------------------------------------------
-
---- -----------------------------------------------------------------------
----
-----------------------------------------------------------------------
----- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Firewall Hardware Recommendations Keith Duemling (Dec 23)
- Re: Firewall Hardware Recommendations Ramsy (Dec 24)
- Re: Firewall Hardware Recommendations jamesworld (Dec 29)
- <Possible follow-ups>
- RE: Firewall Hardware Recommendations Ehab Abu Al -Khair (Dec 24)
- RE: Firewall Hardware Recommendations Shawn Jackson (Dec 29)
- RE: Firewall Hardware Recommendations jamesworld (Dec 30)
- Re: Firewall Hardware Recommendations Lard van den Berg (Dec 30)
- RE: Firewall Hardware Recommendations Naren - Pactech (Dec 30)
- RE: Firewall Hardware Recommendations Shawn Jackson (Dec 30)
- RE: Firewall Hardware Recommendations jamesworld (Dec 30)
- Re: Firewall Hardware Recommendations Naren (Dec 31)
- Re: Firewall Hardware Recommendations Scott M. Algatt (Dec 31)
- RE: Firewall Hardware Recommendations jamesworld (Dec 30)
- RE: Firewall Hardware Recommendations Shawn Jackson (Dec 30)