Network Security Firewalls

Re: Enterprise Gigabit Firewall

Subject: Re: Enterprise Gigabit Firewall
Date: Wed, 22 Mar 2006 23:44:08 +0100
Greetings!

On Wed, 22 Mar 2006 15:34:24 +0530
"3 shool" <3shool@gmail.com> wrote:

> We are planning to purchase an Enterprise Firewall for our
> Headquarters. I have been doing some research recently on various possible
> options. I do have budget restrictions and that is one important
> factor which is going to influence management's decision.

Use the firewall brand you or your staff know inside-out. If you do not
have a knowledgeable firewall man, get one first. 


> 1. Establish site-to-site VPN between our 4 branch locations
> 2. Establish client-to-site VPN for roaming users
> 3. Should support 500 Internet users at HO

...which probably can be managed by nearly any firewall appliance
above DSL-router level. 

"500 users" is quite variable. There are worlds between 500 people
just receiving a few text mails and occasionally surfing after office
hours - and 500 people doing high-turnover photo/audio/video editing and
-sharing via the web. The type of usage and speed of your uplink is at
least as interesting as the pure number of users.



> 4. Has a Gateway Antivirus, IPS and Content Filtering

Well, here we are - meet THE area of sales fog throwing and THE
performance bump. There are BIG differences in the technique used,
effectiveness and performance impact.

Gateway-AV sometimes is just a small daemon checking whether the client
has a current AV system installed and running (like Sonicwall did in the
past and probably still is doing) - and no virus filtering at all on the
FW itself. Or it could be a complete AV intercepting all common
protocols and unpacking/scanning/repacking all.

Similarly the IPS: ranging from a few trivial attack schemes (smurf
attack, ping of death, syn-flooding - SonicWall is listing 22
"signatures") to a fully-blown in-line IDS. The first is comparatively
cheap, the latter (Snort-Inline with all signatures enabled) is nearly
impossible to scale to scan a saturated 1Gbit/s line without missing
packets.

Content filtering is similar in range: from just blocking a few IPs/URLs
up to weighted keyword scan and image classification. Thus a similar range
of impact.


Especially for email you'll usually be much better off with a separate
email gate with RBL/AV/spamfilter than with trying to cover it with an
all-in-one FW/AV/Email/IDS/VPN/ContentFilter/Proxy/CoffeeCooking/...
appliance.

Similar for HTTP - especially as content filters usually call for a
separate system anyway.


> Optionally, we also plan to move our SAP servers on this firewall in a
> new zone. We would opt for this only if the firewall provides us gigabit
> throughput for our SAP servers.

*Please* *DO* leave your key ERP systems in the back of your LAN -
better protect them with a separate firewall. Do not push them into the
front lines of your defense. That would be a Bad Idea(TM).

On an internet firewall AV/content filtering can make sense and will eat
a lot of performance - but you usually have a very limited uplink
(usually single-digit Mbit/s) anyway. For a backend firewall you just
need a stateful packet filter - but one that can handle Gbit/s and
many simultaneous connections.


> For this solution I have been thinking of ISS, SonicWALL, Checkpoint
> and Netscreen. It would be great if the list could put their thoughts
> on what would be ideal for our scenario.

Choose whatever you are familiar with. If you are not familiar with
firewalling and designing secure networks, hire a colleague who is.
Buying a system without someone capable of handling it and incidents
around it will give you just a dead iron. A firewall is a (key) point of
network control - but useless if no one is (capable of) controlling it.


> I have also heard that
> SonicWALL has a gigabit firewall model, Pro 5060. The price seems to
> be really low compared to Checkpoint+Nokia, but would SonicWALL 5060
> be a good option?

None will, unless you have the man and knowledge to handle it. Comparing
such FW systems without knowing their inner workings is nearly
impossible, even if the sales brochures are boasting similar technical
terms.   

One example just highlighting anti-virus measures - which of course are
all included in the FW according to brochures: CheckPoint only has
INTERFACES for transparently hooking up HTTP/SMTP AV systems - but
usually none installed on the machine. SonicWall has (had?) just a check
whether an AV system is installed on the client wanting to access the
internet, no AV installed on the FW box itself.
In contrast to this Astaro has full transparent proxies (e.g. the HTTP
one is squid based) with ClamAV and Kaspersky AV running on the box,
in parallel to Cobion URL filtering plus a complete Snort IDS. Sounds
great, doesn't it? Similarly dramatic is the drop in throughput. I've
seen boxes capable of multi-100Mbit/s firewalling breaking down to
effective few-kbit/s rates because of such setups...

And all those nice AV/URL/Content/SPAM filtering mechanisms will be
useless on a firewall if you are using encrypted protocols.


First clearly define your needs - only after that start looking into
possible solutions. By asking (only) for an (all-in-one) firewall you
deprive yourself of, e.g., a three-box solution (http proxy + email gate
+ packet filter). Maybe you even already have such a system running.

Open source is an option - again, if you have the knowledge in your
staff to do so. 


Again: 
You FIRST need the man - the system choice will follow automatically. 

If you do not have (and do not intend to hire) the knowledge you need to
properly run a gate, outsourcing the internet gate to a managed security
service might be another option. But have a close look at the SLAs -
especially at response AND solution times as well as on
responsibilities/fines.

Good luck!

Volker

-- 

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@wyae.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
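As an added illustration (not part of the thread above), the following Python model encodes the zoned design the reply argues for: clients reach the web and mail only through a DMZ proxy and email gate, and the SAP zone sits behind a separate, plain stateful packet filter that does nothing but zone rules and connection tracking. The zone addressing, the two DMZ hosts and the SAP port range are constructed assumptions, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample addressing for the zones behind the internet gate
ZONES = {
    "INTERNET": ipaddress.ip_network("0.0.0.0/0"),
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "LAN": ipaddress.ip_network("10.0.0.0/16"),
    "SAP": ipaddress.ip_network("10.10.0.0/24"),
}
PROXY, MAILGATE = "192.0.2.10", "192.0.2.25"   # the two DMZ boxes (assumed)
SAP_PORTS = range(3200, 3300)   # assumed dispatcher range; use the real one

def zone_of(ip):
    """Most specific zone wins; INTERNET is the catch-all."""
    ip = ipaddress.ip_address(ip)
    return max((z for z, n in ZONES.items() if ip in n),
               key=lambda z: ZONES[z].prefixlen)

@dataclass
class StatefulFilter:
    """Plain stateful packet filter: no content inspection, just zones + state."""
    conns: set = field(default_factory=set)

    def policy(self, src, dst, dport):
        """Zone policy for a new flow (src -> dst:dport)."""
        sz, dz = zone_of(src), zone_of(dst)
        if dz == "SAP":                      # backend filter: LAN only, SAP ports only
            return sz == "LAN" and dport in SAP_PORTS
        if dz == "INTERNET":                 # only the DMZ boxes talk to the world
            return ((src == PROXY and dport in (80, 443))
                    or (src == MAILGATE and dport == 25))
        if sz == "LAN" and dz == "DMZ":      # clients use proxy and mail gate only
            return ((dst == PROXY and dport == 3128)
                    or (dst == MAILGATE and dport in (25, 143)))
        if sz == "INTERNET" and dst == MAILGATE:   # inbound mail stops at the gate
            return dport == 25
        return False                         # default deny, including INTERNET -> LAN

    def admit(self, src, sport, dst, dport):
        """Decide one packet; replies pass only for flows already admitted."""
        if (src, sport, dst, dport) in self.conns or (dst, dport, src, sport) in self.conns:
            return True
        if self.policy(src, dst, dport):
            self.conns.add((src, sport, dst, dport))
            return True
        return False
```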
