RE: OT: vendors please respond

["Robert L. Wanamaker" <rlw () avantsystems com>]

But what about Microsoft ISA Server?

[Sorry, couldn't resist in the context of the @Stake event]

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Paul
Robertson
Sent: Friday, September 26, 2003 11:10 AM
To: admin security Mehta
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] OT: vendors please respond


On 26 Sep 2003, admin security Mehta wrote:

> Greetings all,

[Vendors can respond directly to the queryant, as can the legeons of 
faithful for $freeware products.  I'll entertain interesting threads for

the community on-list only.]
>   My company is looking for security devices for its network of
> branches.
> I posted this mail here because I need experts choice.
> I was in doubt whether my earlier mail is posted or not so I 
> subscribed for this mailing list to post my query.

I've seen somewhere north of 65 different commercial firewall products
up 
at ICSA Labs soaking up power.  If there was a single firewall that was 
the firewall of choice, the market wouldn't support more than about 4 
products.

> We are looking into the following features:
>     -stateful inspection firewall

Stateful inspection is a trademark, and limits you to two choices.  You 
need to start with a security policy and decide which technologies
support 
the protocols the business needs.  Then choose the products that best 
encapsulate those features.  

>     - support most used applications( ALGs)

Most ALGs don't spend their dev time well on state, and most stateful 
firewalls dont' spend their dev time well on ALGs.  You're basically 
saying, "I'd like a vehicle capable of running in the GT race series,
and 
I'd like to have it seat 60 children on their way to school!"

Trying to pick a single product that does everything is doomed to 
mediocrity at best.  You want multiple products.  More importantly, you 
want to figure out what protocols you want to use which technologes for 
and *why*.


You've got a shopping list of firewall buzzwords, and not much else.  
That's a poor way to choose a firewall.

>     - Powerful attack detection engine

This sounds like buzzworditis from a marketing brochure...

>     - VPN
>       a) IPSec/IKE
>       b) L2TP over IPSec to use WIN XP VPN client
>       c) LDAP,SCEP
>       d) Hub and spoke support

You really want a VPN solution for VPN stuff if you have requirements to

support lots of different VPNs.  Anything as complex as a VPN that's 
supporting that many protocols is bound to be full of implementation 
issues though, so don't think of it as part of the security 
infrastructure!

> NOTE: My company prefers Indian based products.

Throwing geographic criteria on top of a laundry list of product
criteria 
is likely to doom you to failure.

Paul
------------------------------------------------------------------------
-----
Paul D. Robertson      "My statements in this message are personal
opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure
Corporation

_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards