Security Basics mailing list archives

Re: all-in-one vs one-on-each (feat. Comercial vs FOSS)


From: John Jasen <jjasen () realityfailure org>
Date: Wed, 28 May 2008 09:44:30 -0400

Alex wrote:
> Hello list,
>
> I would like some opinions, again.
> For a fixed budget would you go for
>  * an all-in-one "Firewall" (FW+IPS+VPN+...), i.e. Checkpoint,
>  * a dedicated, known and expensive firewall/gateway in the company of
>    an Open Source solution for IPS, URL filtering etc., or
>  * a full Open Source solution (iptables, snort, ossec, squid etc.) and
>    spend the money elsewhere :)

Personally, I don't think that Checkpoint SmartDefense is an adequate replacement for a decent IDS/IPS. That said ...

> The things that concern me are,
>
> Redundancy. I can live without IPS for a while but not without Internet
> (and by "I" I mean "The Company")

Checkpoint offers a version of ClusterXL that supports high availability and load balancing. It does have a few limitations, but isn't bad.

I'm not as aware of open source high availability solutions as I perhaps should be.

> Scalability. Not only performance-wise but cost-wise too. I think that
> having to pay for every "extra feature" is going to lead to Open Source
> anyway...

Out of the gate, FOSS is going to cost less than a commercial all-in-one.

Whether or not a FOSS solution is better than a commercial one is partially religious, and partially driven by what your staff can handle.

Whether or not it costs less by the time you get everything working correctly is another matter. That is mostly driven by the experience, willingness and talent possessed by your staff.

I.e., if you have a pool of highly capable and willing IT professionals to help build it out, FOSS probably will end up being cheaper and better. If, forgive the phrase, you have a bunch of button-pushing reboot monkeys, going the FOSS route will be painful and difficult.

That said, in regards to scalability, it depends on how much bandwidth you think you're going to be pushing around -- now, and for the service life of the solution (i.e. about 3 years from now). However, in general, both Checkpoint and FOSS scale pretty well (of course, with Checkpoint, the more you want to scale, the more you have to pay!)

--
-- John E. Jasen (jjasen () realityfailure org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
