Firewall Wizards mailing list archives

Re: SCC buys Gauntlet


From: kadokev () msg net
Date: Fri, 22 Feb 2002 12:44:57 -0600 (CST)

I'm tempted to take this off list, but as long as the discussion stays civil
and on-topic, I feel this debate may be of value to other list members.


> If I were you, I'd quit complaining and just use what you feel best suits
> your organization, as there is obviously no convincing you that you might be
> wrong.

The issue isn't what this organization wants, or needs.  The issue is that
we were a satisfied customer of TIS, then later a (mostly) satisfied
customer of NAI, and deployed large numbers of Sparc systems based on the
product offered to us by the vendor.  We once had a small number of BSDI
Gauntlet firewalls -- we just retired the last one (uptime of 600 days) a
few weeks ago, and no longer have _any_ firewalls on the PC platform,
in part because NAI withdrew support, in part because of hardware concerns,
and the issue of remote management and troubleshooting.

Now SCC owns the Gauntlet product, and apparently intends to terminate
Sparc support, but would like to retain us (and other large organizations)
as customers.  That is our complaint.


> And if you have GigEthernet, you certainly don't need Quad-port Ethernet
> cards. Besides, what are you protecting with your firewall?

Ultimately, the firewalls exist to protect corporate assets. This includes
single firewalls that protect multiple DMZ networks (Extranet, Vendor-net, etc)
and a back-channel management network distinct from everything else. Other
IT groups within our organization deploy 280R Gauntlet systems with _dual_
QFE's, but even I find that excessive :-)


> Most people protect their trusted networks (their internal network)
> from either a perimeter network ("DMZ") or an untrusted network,
> directly (usually, the Internet). Do you have 20 T3's connecting
> you to the Internet? Because that's what you'd have to have to make it
> worthwhile having GigEthernet interfaces in your firewall.

Gig from the core to the 'private' side (service interface) of extranet
servers has little to do with internet connection speeds.  This requirement
is related to content updating (pushes from the 'trusted' developers to the
web servers), database connections, and similar issues, rather than Internet traffic.


> If you just have a T1 connection, then you'll never need anything more
> than just 10BaseT NIC's in your firewall. If you have a T3, then you'll
> never need more than FastEthernet NIC's in your firewall.

And for a site with two DS-3's in place, currently negotiating for OC-3
to the NAP?

For a site with a constantly expanding extranet deployment where every
server has 100Mbps connections to a Cisco 6500 switch, you would recommend
that the connection back to the core be a single FE NIC in the firewall? 


> I'm sorry, but it appears to me that your arguments simply don't stand up to
> logical application. It appears that you are simply trying to find things
> that Sidewinder can't do and then use that as the basis for your arguments.

No, what I am stating is that until this week, we were a customer of NAI and
deployed Gauntlet on Solaris. Now we are a customer of SCC, and if we want
to continue with a supported firewall product for the long term, we may be
asked to deploy Sidewinder on Intel.  That is a lot for any vendor to ask
of their customer...


> And there isn't anything that you can do with a Gauntlet (that you really
> need) that you can't do with a Sidewinder (and, in my opinion, a Sidewinder
> is more secure).

It is not up to you to determine what we 'really need'.  It is not up to SCC
to decide what Gauntlet customers 'really need'.  If we need to replace
QMail with sendmail, we can do that on a Gauntlet, we cannot do that on
Sidewinder.  If we need to compile and install our own custom application
proxy software, we cannot do that on Sidewinder.

We 'need' to be able to completely build a new firewall, starting from
a blank system with unformatted drives? I did this last week, entirely
remotely,  without being forced to have a person physically present at
any point in the installation. It is not up to you or to SCC to tell us that
this isn't something we, the customer, 'really need'.

 
What I fear is that in order to continue to have support for our firewalls
two or four years down the road, we would be required to scrap the Sparc
hardware and migrate to a PC platform.

At that point we would need to seriously evaluate our options, including
switching to another firewall product that _will_ run on Sparc 64, or
developing our own in-house solution.

Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
