Educause Security Discussion mailing list archives

Re: Firewall recommendations


From: "Perry, Jeff" <perry () KU EDU>
Date: Mon, 3 Mar 2008 16:54:49 -0600

Jeff,
We recently looked at Cisco's FSMs & ASAs, Checkpoint on Crossbeam, and
Juniper's larger-scale products.
 
We have a very large firewall infrastructure and our core needs were:
Functionality
Flexibility
Management
Scalability
Cost
 
I have to agree w/ Mr. Consolvo (Texas State) about the ASAs; we rated
them "ok" too for the same reasons. Compared to the FSMs they are night
and day different in functionality.  Overall the FSMs were faster but
less flexible and provided less deep inspection (layer 7) capabilities
(due to being an ASIC-based design).  Although w/ the ASA vs. FSMs you
also have to really think about topology and what interface/circuit
designs you can use.  We liked the functionality of the Netscreen
products overall but found the Checkpoint software had a few whistles we
liked better (on the management side mostly).
 
Overall all the products had value that was tied greatly to:
Your specific topology and security infrastructure (physically, and
logically on the network).  For instance layer 2 serialization vs layer
3 routing etc.
How much deep inspection you want to do (all can do some but the amount
and type varies greatly based on the market segment the product is
designed for)
Additional Features you actually need to support your specific security
posture (like web url protection, vpn, ssl vpn, tunneling, offloading)
Management capabilities of the systems are pretty different and worth
looking into, as it's a real deal breaker for us due to the size of our
implementation.
 
I'd be happy to discuss who we selected and why if you want to email me
directly.
Best of luck,
 
--------------------------------------------
Jeff Perry, CISSP
Manager, Security Services and Operations
Information Security Office - A Division of Information Services
The University of Kansas
Office +1 785-864-9003
Direct +1 785-864-0489
Fax    +1 785-864-0485
Email perry () ku edu
--------------------------------------------
http://www.security.ku.edu


________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Holden
Sent: Friday, February 29, 2008 4:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Firewall recommendations



We are looking at upgrading our campus's firewall.  We are currently
using a pair of end of life PIX 515s.  We have been looking at the Cisco
ASA and Juniper Netscreen products.  We are very early in our evaluation
and haven't talked with any vendors yet.  We are wondering if any other
campus has been through this process recently and can offer any
suggestions.  We are looking at the bandwidth they can handle, price,
added features such as VPN, IDS/IPS functionality, likes and dislikes
and any other helpful advice.  Currently we are a mixed Cisco and HP
shop, but are open to any and all vendors' solutions.

Thanks,
Jeff Holden, CISSP, RHCE
Manager, Network & Data Security
Mt. San Antonio College
(909) 594-5611 X5017

