Educause Security Discussion mailing list archives
Re: CheckPoint vs ASA
From: Stephen John Smoogen <smooge () UNM EDU>
Date: Mon, 14 Apr 2008 17:14:13 -0600
Paul Keser wrote:
If you're strictly looking for performance/$ then you might want to use a Linux box running IPTables. There are a number of projects like FireStarter to give IPTables a GUI front end or Bastille-Linux to harden and configure it from the command line. It is hard to beat free. If you outgrow your firewall box, make it a web (or LDAP, SSLVPN, etc.) server and get a bigger faster box. This should work for speeds up to gigabit. If you need 10G that is a whole different (and *much* more expensive) game... give Moore's Law some time to catch up or be prepared to spend some serious coin... :-)

Moving your Check Point licenses to a Linux box would let you increase your firewall performance with the only additional expense being the hardware (and of course continuing support on the CP licenses). This would also save the Nokia hardware support but you would still be using Check Point... might make a good interim step if you want to move towards an IPTables based solution. If you have an HA pair of Nokias this probably isn't an ideal solution since Linux doesn't have HA built in like IPSO, but I think you only have 1 firewall currently according to your email.
This is off-topic from the subject, but I can mostly agree with the iptables cost issues. I supported Linux firewalls at LANL.gov for a while. We were able to handle gigabit/s flows on commodity hardware with iptables and e1000 cards. I am a big proponent of iptables, but do not consider it to be "free". It takes a bit of learning to know that what you are seeing is what you want and what you don't want. But on the other hand, it allows you to get your hands deep in where the other firewall software used to not let you.

Due to the nature of the firewalls, I never used a GUI to set up or look at flows. I instead did all tables by hand so that I had a good idea of what I was blocking, letting through, and logging. What I have seen of the GUIs is that they are at the 'good-enough' state. Not a lot of bells and whistles... but good enough to say "X:Y->Z->A:B is blocked/allowed".

--
Stephen Smoogen -- ITS/Linux Administrator
MSC02 1520
1 University of New Mexico
Albuquerque, NM 87131-0001
Phone: (505) 277-8219
Email: smooge () unm edu

How far that little candle throws his beams! So shines a good deed in a naughty world. -- Shakespeare, "The Merchant of Venice"
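As an added illustration of the hand-written approach described above (not code from either poster), the script below emits, without applying, a minimal stateful iptables ruleset in iptables-restore format, so every accept, drop and log decision is visible in one place. The interface name, LAN network and web server address are constructed placeholders.

```shell
#!/bin/sh
# Added example: prints a hand-written IPv4 ruleset; it does not touch the
# running firewall. Feed the output to `iptables-restore` on a test box.
WAN_IF="${WAN_IF:-eth0}"           # assumed outside interface
LAN_NET="${LAN_NET:-10.0.0.0/24}"  # constructed sample inside network
WEB_SRV="${WEB_SRV:-10.0.0.80}"    # constructed sample published host

# ruleset_text prints the complete filter table.
ruleset_text() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Rate-limited log, then drop: rejected flows show up in syslog as "FW-DROP:".
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: " --log-level 4
-A LOGDROP -j DROP
# Firewall host itself: loopback, replies to existing flows, SSH from the LAN only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGDROP
# Transit traffic: LAN out to anywhere; inbound only HTTP/HTTPS to the web server.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -s $LAN_NET -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $WAN_IF -d $WEB_SRV -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
EOF
}

# rule_count returns the number of -A lines, a quick sanity check when editing by hand.
rule_count() {
  ruleset_text | grep -c '^-A '
}

ruleset_text
```

Because the default policies are DROP and the last rule in each chain jumps to LOGDROP, anything not explicitly accepted is both logged and dropped, which is what makes "X:Y->Z->A:B is blocked/allowed" answerable from the table alone.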