Firewall Wizards mailing list archives

commercial firewall licencing


From: Jyri Kaljundi <jk () stallion ee>
Date: Mon, 22 Dec 1997 18:26:16 +0200 (EET)


I have a need to connect multiple firewalled sites together using VPN, and
I am trying to find a commercial firewall to do this. I encountered some
problems with this while using FireWall-1, so I probably have to use
something else. The problem arises about how firewall vendors licence
their products with limited IP-addresses.

Let's say we have 10 sites in different countries, each with less than 50
machines (or less than 50 IP-addresses) in internal network. I will
situate the VPN device in the internal network and allow incoming traffic
from one VPN device in another country to this internal VPN, where it gets
decrypted. All of these 10 networks can talk to each other using VPN. 

Now what FireWall-1 does is it counts the different source IP-addresses it
sees in the internal network (or actually all network interfaces besides
one which is called external and connected to Internet). Now the VPN
packets enter through the firewall, but once they get decrypted, their
source address will be changed and the FireWall-1 counts them as internal
machines. So the 50-IP licence gets a violation real soon, as the firewall
will notice 9 times 50 other addresses which seem internal to him.

So I need to use another firewall vendor, any ideas? The price is pretty
important (otherwise I could just buy an unlimited fw for every country),
and all the firewalls in other countries must be managed from one station
here in Estonia. 

How does TIS Gauntlet count the licences for the 50- and 250-IP addresses,
does it also listen to all the packets it hears or does it trust the
customer not to have more hosts? (Although Gauntlet 50-user fw is as
expensive as FireWall-1 unlimited module.)

And why not use a firewall VPN - because I have not found a firewall VPN
in the free world which would have strong encryption.

Jyri Kaljundi
jk () stallion ee
AS Stallion Ltd
http://www.stallion.ee/


