Re: High-Availability FW/VPN for Data Centers

[Shane Amante <shane () amante org>]

NetScreen's "Global Manager" Product:
http://www.netscreen.com/products/nsglobal.html

Alternatively, there are MSPs[0] (Managed Security Providers) that
can manage it on your behalf -- if that's an option.

-shane

[0] DISCLAIMER: I happen to work for an MSP.  If you would like
further information about our service, please contact me privately.



On Tue, Mar 13, 2001 at 09:55:27PM -0800, Joe Ippolito wrote:
> What about global management?  I need a common database for my internal
> networks, DMZs and encryption domains.  80-sites is too much to manage on
> 100 (~40x2 for HA +20) or more individual devices.  I must use something
> like Provider-1 or Cisco Secure Policy Manager.  Does NetScreen have
> anything comparable?  The support costs are a very significant part of a
> fully-meshed VPN-based WAN of this magnitude.
>
> Thank you for your input.
>
> -----Original Message-----
> From: Shane Amante [mailto:shane () amante org]
> Sent: Tuesday, March 13, 2001 4:19 PM
> To: Joe Ippolito
> Subject: Re: [fw-wiz] High-Availability FW/VPN for Data Centers
>
>
> NetScreen 100
> -or-
> NetScreen 1000 (very pricey)
>
> -shane
>
>
> On Mon, Mar 12, 2001 at 07:28:57AM -0800, Joe Ippolito wrote:
> > We have successfully deployed a primarily VPN-based WAN connecting
> 59-sites
> > in a very large manufacturing company.  The push now is to move
> > line-of-business applications to three data centers, one in the US, one in
> > Europe and one in Asia.  The data centers will have multiple T3/E3
> circuits
> > to two major providers.  We wish to change the FW/VPN platform that we
> > currently use due an occasional NDIS buffer overflow problem that requires
> a
> > re-boot.  Hardware for almost all of our firewalls is aging and is due for
> > refresh.
> >
> > Some of the requirements are:
> >
> > Secure Internet firewalls.
> > High availability - a single hardware failure cannot cause a loss of
> > connectivity.
> > High throughput - up to 90 Mbits/sec of IPSec 3DES encryption.
> > Global management - A single database of network definitions, rulebases,
> etc
> > for over 100 firewalls/VPN devices.
> >
> > Desirable:
> >
> > Quality of service so that the transfer of very large CAD files to/from
> data
> > centers cannot easily slow down time-sensitive ERP interactive sessions.
> >
> > Products currently being considered:
> >
> > Firewall-1/VPN-1 CP HA on Linux and Provider-10
> > Nokia Fw1/VPN1, VRRP and Provider-10
> > Cisco Pix and CSPM
> > MS ISA, Win 2K L2TP/IPSec, NLB, MMC
> >
> > I do not give the fourth option much chance due to low a level of
> experience
> > but, pricing makes it an alternative that I would like to keep in the
> > analysis for reference.
> >
> > I would like to get your opinions on the options I have described above
> for
> > my initial presentation to my management.
> >
> > Thank you in advance for your valued input.
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () nfr com
> > http://www.nfr.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards