Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Once again..appliance firewall input requested

From: Jason Hamilton <Jason.Hamilton () InfoTechFL Com>
Date: Fri, 21 Jan 2005 17:33:55 -0500
Second vote for the PIX.  I have been using CheckPoint FW-1 for years, and 
although it has an amazingly intuitive interface, the PIX boxes haven't been
brain surgery to set up either.  I had one PIX dead out of the box, but it was
replaced by  cisco via a person who drove 2 hours to get it on-site by the
COB the same day.  The functionality of the failover is first rate, and 
the amount of documentation both on their site and the WWW generally gets
you through any questions without having to bother TAC.

Jason

On Fri, Jan 21, 2005 at 03:18:51PM -0600, Victor Williams wrote:

I have basically all the same requirements as you.  I use Cisco PIX, and won't 
use anything else.  You can buy 2 brand new units (1 unrestricted, 1 failover) 
of the PIX 515E for less than $9000 total with 6 physical interfaces and a VPN 
Accelerator card.  As always, get the 24x7 support/replacement contracts for 
each device, just in case one goes bad.  Thing I like about Cisco, they don't 
muck around trying to troubleshoot.  If you call in and say "It's dead Jim", 
they have another one shipped before you get off the phone.

I have yet to see an intuitive interface in a firewall product...they all have 
their interpretation of similar/same featuresets, but I have come to like 
Cisco's PDM for their pix.  It all happens over SSL, and depending on your 
connection to the device can be clunky, but I find it very usable.  That being 
said, give me CLI anyday.

Personally, I haven't had a PIX die yet (I know people who have though, and 
they've gotten replacements within the same day), but I've been using them for 
over 5 years.  Nothing but rock solid performance for me.

As for logging, PIX sends it all to SNMP traps or Syslog servers.  I never 
wanted a firewall to do that for me, I always just wanted a dump of the data, 
and I pick what data I want by my own means, so the PIX logging may not be 
enough for you.


Matt Bazan wrote:


Ok <takes deep breath>..I may be in need of a replacement solution for
our current firewall appliances (two NetScreen 50s running in an active
/ passive high availability solution).  For reasons I won't get into (NS
being purchased by Juniper?) my trust in these units has been badly
eroded.  I'd like input on what people are using and their satisfaction
levels with them.

Our requirements:

    1) We run a rapidly growing 24X7 web presence.  As our Internet
uplink is 4Mb (ok, this will soon be going up..but only by a couple
Mb..) we don't need a beefy packet pushing device. 
    2) We have 25 or so inbound NATs.  I like to have 'granular'
control over source and dest NAT.  By this I mean being able to split
these features based upon traffic flow and not having to create the
typical bi-directional NAT mapping.
    3) Need for 20 or so box-to-box VPNs.  Auto key and manual key
with the usual VPN flavors
    4) The basic requirements for setting policy based access (blah
blah)
    5) 3 interfaces (4 ideal)
    6) High availability solution
    6) Static routing only
    7) Intuitive web gui
    8) 'Robust' command line feature set
    9) Detailed reporting
    10) Configuration flexibility a must.  I'll leave this to your
imagination.
    11) Something I can setup and it will *work* *work* *work*
    12) I'm sure there's more I'm forgetting but I'm suffering from
NetScreen induced sleep deprivation and am tired of typing.
    13) <=$15K for pair of units

Thanks for the input!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


-- 
Jason Hamilton, System Administrator    |   5700 SW 34th St. Suite 1235
Info Tech, Inc.                         |   Gainesville, FL 32608
Jason.Hamilton () InfoTechFl com           |   (352)381-4400 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: