Firewall Wizards mailing list archives
Re: OT: vendors please respond
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Fri, 26 Sep 2003 23:23:19 +0530
On 26/09/03 13:56 -0000, admin security Mehta wrote:

(Following Paul's reply, I will try to make a few generic points for the archives).

> My company is looking for security devices for its network of branches.
> I posted this mail here because I need experts' choice. I was in doubt
> whether my earlier mail is posted or not so I subscribed for this mailing
> list to post my query. We are looking into the following features:
> - stateful inspection firewall
> - support most used applications (ALGs)
> - Powerful attack detection engine
> - VPN
>   a) IPSec/IKE
>   b) L2TP over IPSec to use WIN XP VPN client
>   c) LDAP, SCEP
>   d) Hub and spoke support

A few questions:
1> Exactly what is this firewall supposed to be protecting? E.g.: Windows users from email borne malware, Web browsers from JavaScript based attacks, database servers from direct Internet access....
2> What are the skill sets available in your organization?
3> Are you willing to hire new personnel if needed to expand the available skillset?
4> Are you looking for a single device to do all this? Or will you be willing to deal with multiple devices? Or perhaps multiple boxes with command line management?
5> Are you looking for a single vendor to provide everything, or is mix and match acceptable?
6> Do you need these at each location? Or one central location? Or packet filters everywhere while all connections to the Internet go through the main office which has ALGs available?
7> Do you need an IDS integrated with the firewall? A separate IDS? Do you have a team of people who can deal with IDS reports? Do you need it to be an inline IDS?
8> Do you need failover? Redundancy? Can you deal with downtime if a system fails?
10> Do you need centralized management? Can each unit have its own management interface?
9> Is a management GUI a must, or can command line controls work?

> NOTE: My company prefers Indian based products.

Indian based or locally supported? Right now, I know of very few companies which make firewall products for all your requirements, though I know a whole bunch of consultants who can mix and match a *BSD and/or Linux solution to suit your requirements.

There are probably more questions you should be asking, but a basic sort order would be:
1> Features you MUST have.
2> Features you SHOULD have, but you can do without if needed without compromising on functionality.
3> Features it would be nice to have, but are really not needed for core functionality.

Devdas Bhagat

[ My choice, as I have often stated previously, would be a packet filter in front, with ALGs for a few chosen protocols behind it. Branches have simple SPFs, which VPN into the head office, and then allow further access from there onwards. ]