Network Security Firewalls

Subject: RE: Enterprise Gigabit Firewall
Date: Sat, 25 Mar 2006 09:08:00 +0530
You can also have a look at www.securecomputing.com
<http://www.securecomputing.com/>; the product is Sidewinder G2. It is a
UTM product with all the facilities that an enterprise firewall should have.
Hope this helps.

Regards

Arunodhay.

_____
From: harsh_verma@sify.com [mailto:harsh_verma@sify.com] 
Sent: Thursday, March 23, 2006 1:56 PM
To: VolkerTanger
Cc: firewalls@securityfocus.com
Subject: Re: Enterprise Gigabit Firewall

 

Before going for any other product make sure you check out this link:

http://www.watchguard.com/products/x2500.asp

It can cater to the following requirements:

1) up to 500 users
2) IPS
3) up to 400 branch office VPN
4) Mobile User VPN tunnels 1,000, also PPTP with IPSEC
5) spamBlocker
6) WebBlocker URL filtering

AND many more... simple GUI... higher capabilities. Also I don't think you
need a dedicated firewall guy for this... a good network guy with a little
training can manage this.

vtlists@wyae.de:

Greetings!

On Wed, 22 Mar 2006 15:34:24 +0530 "3 shool" <3shool@gmail.com> wrote:

> We are planning to purchase an Enterprise Firewall for our Head Quarters.
> I have been doing some research recently on various possible options. I do
> have budget restrictions and that is one important factor which is going
> to influence management's decision.

Use the firewall brand you or your staff know inside-out. If you do not
have a knowledgeable firewall man, get one first.

 



> 1. Establish site-to-site VPN between our 4 branch locations
> 2. Establish client-to-site VPN for roaming users
> 3. Should support 500 Internet users at HO

...which probably can be managed by nearly any firewall appliance above
DSL-router level.

"500 users" is quite a bit variable. There are worlds between 500 people
just receiving a few text mails and occasionally surfing after office
hours - and 500 people doing high-turnover photo/audio/video editing and
-sharing via the web. The type of usage and speed of your uplink is at
least as interesting as the pure number of users.

 
 
> 4. Has a Gateway Antivirus, IPS and Content Filtering

Well, here we are - meet THE area of sales fog throwing and THE
performance bump. There are BIG differences in technique used,
effectiveness and performance impact.
 
Gateway-AV sometimes is just a small daemon checking whether the client
has a current AV system installed and running (like Sonicwall did in the
past and probably still is doing) - and no virus filtering at all on the
FW itself. Or it could be a complete AV intercepting all common protocols
and unpacking/scanning/repacking all.
 
Similar for the IPS: ranging from a few trivial attack schemes (smurf
attack, ping of death, syn-flooding - SonicWall is listing 22
"signatures") to a fully-blown in-line IDS. The first is comparatively
cheap, the latter (Snort-Inline with all signatures enabled) is nearly
impossible to scale to scan a saturated 1Gbit/s line without missing
packets.
 
Content filtering is similar in range: from just blocking a few IPs/URLs
up to weighted keyword scan and image classification. Thus a similar range
of impact.
 
 
Especially for email you'll usually be much better off with a separate
email gate with RBL/AV/spamfilter than with trying to cover it with an
all-in-one FW/AV/Email/IDS/VPN/ContentFilter/Proxy/CoffeeCooking/...
appliance.

Similar for HTTP - especially as content filters usually call for a
separate system anyway.

 
 
> Optionally, we also plan to move our SAP servers on this firewall in a
> new zone. We would opt for this only if the firewall provides us gigabit
> throughput for our SAP servers.
 
*Please* *DO* leave your key ERP systems in the back of your LAN -
better protect them by a separate firewall. Do not push them into the
front lines of your defense. That would be a Bad Idea(TM).

On an internet firewall AV/content filtering can make sense and will eat
a lot of performance - but you usually have a very limited uplink
(usually single-digit Mbit/s) anyway. For a backend firewall you just
need a stateful packet filter - but one that can handle Gbit/s and
many simultaneous connections.

 
 
> For this solution I have been thinking of ISS, SonicWALL, Checkpoint
> and Netscreen. It would be great if the list could put their thoughts
> on what would be ideal for our scenario.
 
Choose whatever you are familiar with. If you are not familiar with
firewalling and designing secure networks, hire a colleague who is.
Buying a system without someone capable of handling it and incidents
around it will give you just a dead iron. A firewall is a (key)point of
network control - but useless if no one is (capable of) controlling it.

 
 
> I have also heard that SonicWALL has a gigabit firewall model, Pro 5060.
> The price seems to be really low compared to Checkpoint+Nokia, but would
> SonicWALL 5060 be a good option?
 
None will, unless you have the man and knowledge to handle it. Comparing
such FW systems without knowing their inner workings is nearly
impossible, even if the sales brochures are boasting similar technical
terms.
 
One example just highlighting anti virus measures - that of course are
all included in the FW according to brochures: CheckPoint only has
INTERFACES for transparently hooking up HTTP/SMTP AV systems - but
usually none installed on the machine. SonicWall has (had?) just a check
whether an AV system is installed on the client wanting to access the
internet, no AV installed on the FW box itself.

In contrast to this Astaro has full transparent proxies (e.g. the HTTP
one is squid based) with ClamAV and Kaspersky AV running on the box,
in parallel to Cobion URL filtering plus a complete Snort IDS. Sounds
great, doesn't it? Similar is the dramatic drop in throughput. I've
seen boxes capable of multi-100Mbit/s firewalling breaking down to
effective few-kbit/s rates because of such setups...
 
And all those nice AV/URL/Content/SPAM filtering mechanisms will be
useless on a firewall if you are using encrypted protocols.

 
 
First clearly define your needs - only after that start looking into
possible solutions. By asking (only) for an (all-in-one) firewall you
deprived yourself e.g. of a three-box solution (http proxy + email gate
+ packet filter). Maybe you even already have such a system running.

Open source is an option - again, if you have the knowledge in your
staff to do so.

 
Again: You FIRST need the man - the system choice will follow
automatically.

If you do not have (and do not intend to hire) the knowledge you need to
properly run a gate, outsourcing the internet gate to a managed security
service might be another option. But have a close look at the SLAs -
especially at response AND solution times as well as on
responsibilities/fines.
 
Good luck!

Volker

-- 

Volker Tanger
http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@wyae.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
 

 
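Volker's advice for the SAP zone boils down to a design rather than a product: keep the ERP systems behind a separate backend firewall that is nothing more than a default-deny stateful packet filter, and leave AV, proxies and content inspection to the internet gate where the uplink is slow anyway. The following ruleset is an added example of that backend filter, written for Linux nftables (the current successor of the iptables-era tools a 2006 open-source build would have used); it is not from the thread and is not a configuration from any vendor mentioned in it. The interface names (wan0 towards the internet gate, lan0 towards the office LAN, sap0 towards the new zone), the admin host and resolver addresses, and the SAP port ranges are assumptions for illustration; SAP dispatcher, gateway and ICM ports are 32NN, 33NN, 80NN and 443NN with NN the instance number, so the ranges below cover any instance number but should be narrowed to the instances actually deployed.

```nftables
#!/usr/sbin/nft -f
# Added example: zone-based backend packet filter in front of an ERP (SAP) zone.
# Interface names, addresses and port ranges are assumptions for illustration.
flush ruleset

table inet backend_fw {
    # Hosts allowed to administer the SAP servers (assumed address).
    set sap_admins {
        type ipv4_addr
        elements = { 10.10.0.5 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful core: packets belonging to a flow already in the conntrack
        # table are accepted without re-evaluating the policy rules below.
        # This is what makes the box a packet filter rather than a proxy.
        ct state established,related accept
        ct state invalid drop

        # LAN clients -> SAP zone, application ports only
        # (32NN dispatcher, 33NN gateway, 80NN ICM HTTP, 443NN ICM HTTPS).
        iifname "lan0" oifname "sap0" ct state new tcp dport { 3200-3299, 3300-3399, 8000-8099, 44300-44399 } accept

        # SSH into the SAP zone only from the admin hosts.
        iifname "lan0" oifname "sap0" ct state new ip saddr @sap_admins tcp dport 22 accept

        # SAP servers may reach back into the LAN only for DNS (assumed resolver).
        iifname "sap0" oifname "lan0" ct state new ip daddr 10.10.0.53 udp dport 53 accept

        # The internet edge never reaches the SAP zone directly, and the SAP
        # zone never talks to the outside; whatever sits on wan0 is untrusted.
        iifname "wan0" oifname "sap0" drop
        iifname "sap0" oifname "wan0" drop

        # Everything else falls through to the default drop; log a sample of it
        # so that a misconfiguration or an attack surfaces in syslog.
        limit rate 10/second log prefix "backend-fw drop: " level warn
    }
}
```

Load it with `nft -f backend-fw.nft` and inspect the result with `nft list ruleset`. The "many simultaneous connections" requirement from the reply is a conntrack sizing question on this design: check `sysctl net.netfilter.nf_conntrack_max` against the number of concurrent SAP sessions you expect, and watch `conntrack -L | wc -l` under load. Note that, by design, this box does no AV or content inspection at all; that is the point of the reply, and it is also why the ruleset has no problem with encrypted SAP traffic, which an inspecting appliance could not look into anyway.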