Educause Security Discussion mailing list archives

Re: Enterprise Firewalls


From: "Miller, Richard H" <rick () BCM EDU>
Date: Thu, 27 Oct 2011 09:48:15 -0500

There are several good options out there

Cisco ASAs would be good since you are used to the Cisco technology and it would minimize your
internal cost since you would not have to relearn nor have a major effort in converting your policy.

Checkpoint also makes a good product either with their appliances or with a software solution using
commodity hardware. I do have a concern with the ability to handle the higher bandwidth.

Juniper also has an excellent product and we have been very interested in it. It also seems to be positioned
to be able to handle not only the 10GB interfaces but potentially higher interfaces without having to swap
out the entire frame.

The Palo Alto also looks interesting but I would have some capacity concerns.

Are you looking just for firewall or do you also need S2S VPN, C2S VPN and IDS/IPS? I know all of the
vendors will try to sell you a setup that will do everything but if this is your perimeter, you also might
consider splitting the firewall from the IDP/IPS and web filter. Also, you do need to determine what
your bandwidth requirements will be. I see you want a 10-20 Gbps firewall but will you have a requirement
for a 10GB interface and will your bandwidth requirements approach 10Gbps through a single interface?

Determine what your requirements are and invite the major players in to discuss. You also might
see if you can lab it up in a POC (we captured traffic and then replayed it through the candidates).
You may wish to formalize your requirements into either an RFP or RFQ.

We selected based on:

* Best technology
* Ease in converting our policy to a new vendor (depending on how complex your policy is, this is a major consideration)
* Training internal staff on administration and engineering of the new gear

And in our case it was better to stay with our current vendor.



Richard H. Miller, CISSP, CCSE+
Information Security Manager
Information Technology Security and Compliance
Information Technology - Baylor College of Medicine



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Foerst, Daniel P.
Sent: Wednesday, October 26, 2011 4:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Enterprise Firewalls

Hey all,

For the past several years we have been operating with Cisco Firewall Services Modules. They have done what we needed 
them to do, but they are getting quite a bit long in the tooth.
Recently I was asked what projects I would need funding for in the coming fiscal year and I mentioned the need to 
upgrade a set of our FWSMs to be able to accommodate a greater increase in our network infrastructure in addition to the 
ever-changing network security topology.

I am aware that Cisco has recently made their ASA line of firewalls available as a services module to the 6500 & 7600 
series chassis switches & routers as the future for the Firewall Services Module.
However, I would like to learn what others on this list use for their network security and why they chose a specific 
vendor over another. Whatever solution I select will have a minimum of 10Gbps throughput, more likely 20Gbps,
so I can make an even comparison between the Cisco ASA services module and another vendor, but I really do not know 
what else to search for yet. The idea of next generation firewalls sounds interesting, but I really do not know yet.

Thanks much for anything you are willing to share!

-dan

Daniel Foerst
Assistant Director, Networks & Security
The Catholic University of America
Washington, DC 20064
