Firewall Wizards mailing list archives
Re: SCC buys Gauntlet
From: kadokev () msg net
Date: Fri, 22 Feb 2002 12:44:57 -0600 (CST)
I'm tempted to take this off list, but as long as the discussion stays civil and on-topic, I feel this debate may be of value to other list members.
If I were you, I'd quit complaining and just use what you feel best suits your organization, as there is obviously no convincing you that you might be wrong.
The issue isn't what this organization wants, or needs. The issue is that we were a satisfied customer of TIS, then later a (mostly) satisfied customer of NAI, and deployed large numbers of Sparc systems based on the product offered to us by the vendor. We once had a small number of BSDI Gauntlet firewalls -- we just retired the last one (uptime of 600 days) a few weeks ago, and no longer have _any_ firewalls on the PC platform, in part because NAI withdrew support, in part because of hardware concerns, and the issue of remote management and troubleshooting. Now SCC owns the Gauntlet product, and apparently intends to terminate Sparc support, but would like to retain us (and other large organizations) as customers. That is our complaint.
And if you have GigEthernet, you certainly don't need Quad-port Ethernet cards. Besides, what are you protecting with your firewall?
Ultimately, the firewalls exist to protect corporate assets. This includes single firewalls that protect multiple DMZ networks (Extranet, Vendor-net, etc) and a back-channel management network distinct from everything else. Other IT groups within our organization deploy 280R Gauntlet systems with _dual_ QFE's, but even I find that excessive :-)
Most people protect their trusted networks (their internal network) from either a perimeter network ("DMZ") or an untrusted network, directly (usually, the Internet). Do you have 20 T3's connecting you to the Internet? Because that's what you'd have to have to make it worthwhile having GigEthernet interfaces in your firewall.
Gig from the core to the 'private' side (service interface) of extranet servers has little to do with internet connection speeds. This requirement is related to content updating (pushes from the 'trusted' developers to the web servers), database connections, and similar issues rather than Internet traffic.
If you just have a T1 connection, then you'll never need anything more than just 10BaseT NIC's in your firewall. If you have a T3, then you'll never need more than FastEthernet NIC's in your firewall.
And for a site with two DS-3's in place, currently negotiating for OC-3 to the NAP? For a site with a constantly expanding extranet deployment where every server has 100Mbps connections to a Cisco 6500 switch, you would recommend that the connection back to the core be a single FE NIC in the firewall?
I'm sorry, but it appears to me that your arguments simply don't stand up to logical application. It appears that you are simply trying to find things that Sidewinder can't do and then use that as the basis for your arguments.
No, what I am stating is that until this week, we were a customer of NAI and deployed Gauntlet on Solaris. Now we are a customer of SCC, and if we want to continue with a supported firewall product for the long term, we may be asked to deploy Sidewinder on Intel. That is a lot for any vendor to ask of their customer...
And there isn't anything that you can do with a Gauntlet (that you really need) that you can't do with a Sidewinder (and, in my opinion, a Sidewinder is more secure).
It is not up to you to determine what we 'really need'. It is not up to SCC to decide what Gauntlet customers 'really need'. If we need to replace QMail with sendmail, we can do that on a Gauntlet, we cannot do that on Sidewinder. If we need to compile and install our own custom application proxy software, we cannot do that on Sidewinder. We 'need' to be able to completely build a new firewall, starting from a blank system with unformatted drives? I did this last week, entirely remotely, without being forced to have a person physically present at any point in the installation. It is not up to you or to SCC to tell us that this isn't something we, the customer, 'really need'.
What I fear is that in order to continue to have support for our firewalls two or four years down the road, we would be required to scrap the Sparc hardware and migrate to a PC platform. At that point we would need to seriously evaluate our options, including switching to another firewall product that _will_ run on Sparc 64, or developing our own in-house solution.
Kevin Kadow