Security Basics mailing list archives

Re: Firewall recommendations?


From: Myroslav Halecky <mhalecky () optonline net>
Date: Thu, 13 Mar 2003 18:28:54 -0500

I have had the ability to work with several different firewalls. Some earlier
models like the V-one, and the ANS firewall and more recently the cyberguard,
checkpoint and PIX. I think that the recent ones are all good commercial
firewalls but each one requires a different level of configuration skills. The
cyberguard comes as an appliance, and you can say so does the PIX. The
checkpoint can be had as an appliance or you might want to install and configure
it yourself on a Microsoft or Unix server. I think that even if you are skilled
it's much easier to go with an appliance type firewall.

You also might want to check out the level of customer support you get, and how
much you want to pay for it.

Then you should consider your network requirements and your business requirements
which might dictate how you need to secure your network. For example, will you
need a DMZ for your web servers? Will external vendors require access to your
internal network, i.e. your VPN requirements? Will you be responsible for the
firewall configuration, network configuration and design? Will you require a lot
of NAT? Remember the more NAT you use the more complex network diagnostics
become. And you might have to run diagnostics on the firewall.

I like the cyberguard. It comes as an appliance, it has many proxies for your
major network services, it does stateful packet inspection, and it is easy to
configure via the GUI interface, or through the command line, if that's what you
require, perhaps for remote troubleshooting and configuration. It has many
logging capabilities.

The PIX on the other hand is also fairly easy to configure, although I think
that the configuration is not as easy to understand.

The checkpoint has a central configuration station, where you manage the
firewall policies. It is also well known for its VPN support.

rgds
Myro



Tom Sevy wrote:

PIX's NAT capabilities (or lack thereof) are a major PIA when you have
worked with the flexible NAT capabilities of CP. Major Major PIA...
-----Original Message-----
From: David Ellis [mailto:dellis () unicam com]
Sent: Friday, March 07, 2003 9:05 PM
To: 'Thorsten Dampf -- 7stein.net'; 'rdusek () myway com';
'security-basics () securityfocus com'
Subject: RE: Firewall recommendations?

Hi, at my current job we use checkpoint, and I personally love that firewall
product. I am not a big fan of the PIX and I have never played with the ISA
server cause it is a Microsoft product and would not trust it. We are a very
security conscious company. I think checkpoint has the best interface
around. But hey that's my personal opinion. The Cisco PIX is not a true
stateful packet inspection firewall. I have a classified PDF that talks about
the PIX versus checkpoint in a situation with multiple Exchange servers and
the ports you had to allow open for the PIX to work in the environment that
was documented was totally unsafe.
At my next job, I would suggest going with checkpoint. It's not that
expensive when you start thinking about ISA server cause you still need the
hardware, the Windows server OS license and then the ISA license.
-----Original Message-----
From: Thorsten Dampf -- 7stein.net [mailto:thorsten.dampf () 7stein net]
Sent: Friday, March 07, 2003 3:48 PM
To: rdusek () myway com; security-basics () securityfocus com
Subject: AW: Firewall recommendations?

Take a look at the watchguard products. www.watchguard.com
Regards, Thorsten

-----Original Message-----
From: rdusek () myway com [mailto:rdusek () myway com]
Sent: Thursday, March 6, 2003 21:05
To: security-basics () securityfocus com
Subject: Firewall recommendations?




I am in charge of researching a firewall to replace what we currently
have. At my previous job I had used Microsoft ISA in a low-security
environment, and was happy with its features, and its integration with
the Windows environment there. However, at my current job, security is a
much greater concern, and I have to admit, I am somewhat uneasy running a
Microsoft firewall product on top of a Microsoft OS. We also had
investigated Checkpoint as well as Cisco Pix, and found that for our
needs, the Pix at least seemed to need _many_ separate components for the
same functionality. My question is what are your experiences with using
ISA from a security standpoint? Usability issues? From the Mac end? Or
would we be better off pursuing the Checkpoint or the Pix solution? We
also plan on implementing VPN over whatever we choose, so if you
recommend something other than these, it should support at least PPTP and
perhaps eventually IPSec/L2TP. We have also considered placing ISA
behind a Linux (or BSD) IP Chains firewall and our perimeter network to
block some of the traffic from getting to ISA. Any comments here? Thanks
to everybody in advance!

