Educause Security Discussion mailing list archives

Re: NGFW Usage Information


From: "Miller, Richard H" <rick () BCM EDU>
Date: Wed, 19 Apr 2017 21:18:26 +0000

Unless things have changed, the problem with CP is that it is hard to get it into a high (> 10GB) performance mix. The PC architecture breaks down as the rate goes up, which is one of the reasons we went away. In particular, we had serious issues with throughput using 10GB PCI cards. The chassis architecture of both the Palo Alto and the Juniper supports multi-gig throughput. Juniper will support 100GB interfaces and should be able to pass 100GB+ of traffic. In our case we are already approaching consistent 10GB traffic, so the ability to go higher is important. They do now have appliances that have 40GB interfaces, and the carrier grade may reach 100GB.

I also have some reservations about combining IPS and NGFW in the same box when you start getting to these rates. Palo Alto appears to be able to combine both functions at higher data rates.

In any case, get your vendors to do a PoC and try to span your interface to see if the proposed gear can handle your traffic. (You also can record it off and replay it to simulate higher volumes. It is not as real as live traffic, but you can usually find the bottlenecks.)


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian Epstein
Sent: Wednesday, April 19, 2017 9:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] NGFW Usage Information


----------------------------------------------------------------------
We are a Checkpoint shop.  Previously, we had a separate IPS, but chose to use Checkpoint's IPS blade instead.  Just like all IDS/IPS, it needs a lot of care and feeding.

The one thing I like about Checkpoint is that I can run it on my own hardware.  We have specific needs for copper and fiber.  By buying a Dell server, we are able to populate it with the exact NICs we need at a huge cost savings over purchasing a ready-made appliance.

I also like that Checkpoint can attach IPv4 and IPv6 addresses to the same object.  This reduces the number of objects in the ruleset significantly.

Thanks,
Brian

On 04/19/2017 09:46 AM, Pardonek, Jim wrote:
I’ve finally been able to convince our leadership to pursue swapping out our IPS and ASA’s for a set of next gen firewalls.  We are still in the evaluation phase, and as a part of our evaluations we are asked by senior leadership to query other universities to get a barometer of what is being used.  If you would (and you can PM me) let me know if you have a NGFW and what it is (not needing specifics).  It will help us with our decision.  The 3 we looked at were Palo Alto, Check Point, and Cisco Firepower.

Appreciate any responses in advance!

Best,

Jim

James Pardonek, MS, CISSP, CEH
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL  60660
Phone: (773) 508-6086
-- 
Brian Epstein <bepstein () ias edu>                     +1 609-734-8179
Manager, Network and Security           Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED  C34C C0E5 244A 55CA 2B78
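One way to size the replay that the first message in this thread suggests (record traffic off a span port, then replay it at a higher volume to find the bottlenecks): before replaying, you need to know the capture's own average rate and how much to speed it up. The script below is an added example and not code from the thread or from any of the vendors mentioned. It walks a classic libpcap file, totals the on-the-wire bytes, and derives the speed-up factor for a target rate. The pcap bytes are constructed inline; the function names and the 10 Gbps target are my own choices.

```python
import struct
from typing import NamedTuple


class CaptureStats(NamedTuple):
    packets: int
    wire_bytes: int     # sum of original (on-the-wire) lengths, not the snaplen-truncated lengths
    duration_s: float   # first to last packet timestamp
    avg_gbps: float     # average rate over the capture, 1 Gbps = 1e9 bit/s


def parse_pcap(data: bytes) -> CaptureStats:
    """Walk a classic (libpcap, microsecond-timestamp) capture and total it up."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:      # written on a little-endian host
        end = "<"
    elif magic == 0xD4C3B2A1:    # written on a big-endian host
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")

    offset = 24                  # skip the 24-byte global header
    packets = wire_bytes = 0
    first_ts = last_ts = None
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % (offset - 16))
        offset += incl_len       # the captured bytes themselves are not needed for rate math
        ts = ts_sec + ts_usec / 1e6
        if first_ts is None:
            first_ts = ts
        last_ts = ts
        packets += 1
        wire_bytes += orig_len

    if packets == 0:
        raise ValueError("capture contains no packets")
    duration = last_ts - first_ts
    # A single-packet capture has no measurable span; report zero rather than divide by zero.
    avg_gbps = (wire_bytes * 8) / duration / 1e9 if duration > 0 else 0.0
    return CaptureStats(packets, wire_bytes, duration, avg_gbps)


def replay_multiplier(stats: CaptureStats, target_gbps: float) -> float:
    """Speed-up factor that lifts the capture's average rate to target_gbps."""
    if stats.avg_gbps <= 0:
        raise ValueError("capture has no measurable rate; use a fixed --mbps instead")
    return target_gbps / stats.avg_gbps


def build_sample_pcap() -> bytes:
    """Constructed sample capture: three 1500-byte frames, snapped to 64 bytes, 0.5 s apart."""
    # magic, major 2, minor 4, thiszone 0, sigfigs 0, snaplen 64, linktype 1 (Ethernet)
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
    records = b""
    for i in range(3):
        ts_sec, ts_usec = divmod(i * 500_000, 1_000_000)
        records += struct.pack("<IIII", ts_sec, ts_usec, 64, 1500) + b"\x00" * 64
    return global_header + records


if __name__ == "__main__":
    stats = parse_pcap(build_sample_pcap())
    print(stats)
    print("tcpreplay --multiplier=%.0f to approximate 10 Gbps" % replay_multiplier(stats, 10.0))
```

The factor feeds tcpreplay's --multiplier option (or you can hand tcpreplay a fixed rate with --mbps and skip the arithmetic). Two caveats a practitioner should keep in mind: the pcap lengths exclude preamble, inter-frame gap and usually the FCS, so the true link utilisation is a little higher than the computed figure, and a capture that was itself dropping packets on the span port will understate the real load, which is the first thing to check before trusting any replay.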

