Firewalls

We need to get an EAL4 Firewall. I have been looking at various vendors

3 that I have been looking at are:

Watchguard
Check Point
Cisco ASA

Now, the WatchGuard and the Check Point I know comply with EAL4; the Cisco PIX does too, but I can't find anything that says the ASA does, although I am sure it does.

What's my best option? I can probably persuade work to send me on a training course for whichever one we choose.
 
We have to be EAL4 compliant too - I'm a fan of Juniper NetScreen firewalls, I've used most of the range from the baby 5GTs up to a pair of the ISG2000s and they are excellent products, really easy to configure and manage... and, on the rare occasion that I have had to use it, the support from TAC has also been very good. They're not expensive either.
 
I steered clear of Juniper as I heard that they are a real pain to configure

This is not the case then?

How much of a headache is a Check Point firewall, and would a course teach me what I need? I'm already CCNA standard so have some base knowledge.
 
Stay well clear of Watchguards IMO, truly awful things. The number of times I got called out because the firewalls simply died (not routing traffic, no response from the FW at all) was unreal.

The ASA uses the same OS as the PIX so I am sure it does. The ASAs are good units but IMO the Nokia Checkpoint combination is hard to beat (they can do VRRP for example, which the ASA/PIX cannot). I am just about to put in a pair of IP390s but be warned the setup / licensing can be a bit painful if you have no experience, so try and go on a course.

We have had 2 and they have never had a problem. Watchguard 700, and Firebox X is the latest I think.

It’s a managed product on our site and the management is done by Easynet - Pain in the backside at times when we are testing new stuff but generally just sits there and works :)
 
I would second going with the Check Point, although if starting with a blank page I would go with the SecurePlatform based appliances. Should be a case of buy the appliance which comes with the license and then also a SMARTCenter license.

Although SPLAT is based on Linux, most of it is hidden from you and platform management is mostly done from the web front end.

If going on a check point course then you will need Management 1 and 2 which total 5 days. When I first did them I found them quite slow in pace but very good for getting to grips with the product.

In general, most complaints I hear about so-and-so firewall being difficult to configure are when you are proficient in one type and then jump to another.

For instance I find PIX/ASA difficult to work with, but then I have 6 years of Check Point so it is quite a different way of working.

The other advantage that the Check Point has is in their remote access functionality and also companion products such as Connectra and Endpoint Security.
 
the juniper equipment is an absolute doddle to work with. you have the option of cli, webui and nsm for management and whether you are working on a baby 5gt or a cluster of top end isg's the management is identical.

i've no experience with other vendors so can't really compare them, though i've been taught by way of principles and concepts rather than platform so im confident i could move quite easily between vendors.

if you have any specific questions about the juniper stuff then give me a shout.
 
how about a cisco pix.

had checkpoint NG a couple of years ago, and I really liked it.. nicer interface than the cisco pix.

However I think the pix was the cheaper option at the time.
 
Agreed, done a fair bit of work with Juniper Netscreens and Cisco Pixs, and the Netscreens have always seemed a lot more user friendly.
 
It may sound a little silly but what sort of budget / how big is the site?

A pair of Cisco ASA 5510s in failover (active/passive or active/active) with appropriate licences will run you around 3K. A single Nokia IP390 alone will run you around that sort of money, and you're looking at 7K+ in Checkpoint licences.

If you want to go down the Checkpoint route, and if the budget is there that's the way I'd go. Personally I'd avoid running secure platform on generic (dell/hp/ibm) hardware* and go down the Nokia route. Why? Nokia's TAC support is superb (in real life situations), I wish I could say the same for Dell :(

If you fancy a slightly simpler route into Checkpoint and FW-1 I'd take a serious look at the new UTM-1 or Power-1.
The UTM-1 boxes run anywhere between 400Mbps/100Mbps to 4.5Gbps/1.1Gbps Firewall/VPN throughput and all come with unlimited internal user licences.

The UTM-1/Power-1 boxes can be bought with a full five year software/hardware support package, which will keep your management happy and give some peace of mind.
*The UTM-1 / Power-1 boxes are SPLAT boxes but with full Software/Hardware support and compatibility guaranteed as they are a Checkpoint product.

Couple of quick gotchas with Checkpoint, everything is a separate license, and they tend to change the licensing at regular intervals. If you go down this route, go to your supplier and tell them exactly what you want and get a quote in writing, and don't expect it to be cheap.

Training for Checkpoint products in the UK tends to be done by DNS Arrow; if you go to someone like Global Knowledge, chances are the training will actually be delivered by DNS. This is not a bad thing, as DNS are one of Checkpoint's partners in the UK and their training tends to be very good (I've been on a couple of courses delivered by DNS and have been impressed with the quality), as the trainers are often those who deliver solutions to customers.

I should declare that I work for a company who provide managed Checkpoint FW-1 and Cisco firewalls as solutions to customers (which is what I do for a living as an engineer).

Any more questions feel free to ask.
 
How does the licencing work on these products? If you have a 10 user licence for example is that only for users sending traffic through the firewall from your LAN?

I'm not keen on going for a PIX as it has been replaced by the ASA and I don't want to buy something out of date.

Also, can some of you name reputable suppliers for these sorts of products? I will check our own suppliers but they aren't always great on hardware.
 
checkpoint, or juniper? can't help you on the former, but with regards to the latter...

typically you buy either a baseline or an advanced product. with some of the smaller boxes you can buy really basic < 10 user units, or you can upgrade them (software key) to unlimited. there isn't any of this 'every feature is extra'. the data sheets on the juniper website show exact information on what the limitations of the baseline and advanced products are - though typically it is throughput, number of sessions, types of routing protocols and number of routes, type of high availability functionality. those sorts of things.

juniper work in a three tier model - juniper > distributor > reseller. the reseller that i've dealt with is secon, and their distributor is horizon equip. i've been really pleased with the level of service from both. this is for purchasing. after sales service you deal directly with juniper through their tac where you have the option of completely web based, or you can always get through on the phone too. the very rare occasion that something has gone amiss, a quick call to the reseller and i've had things resolved very very quickly.

i know i'm tooting their horn a little bit here, but i've been really impressed with the company, the product, the pre-sales and the post-sales. the training that i have done (all of the courses) has been really good too - none of this 'training world' bs, the guy really gets you hands-on with the equipment and teaches you how to do stuff in the real world. can't really ask for much more! as i have said previously though, i haven't got anything to compare it to.
 
when recommending what firewall technology to use, it might help us to understand a little about the environment you are working in...is this the sort of information you can put up on a public forum?
 
I would rather not divulge too much but to give you an idea:

We are going to have a connection to an organisation's very large network; there are specific sites on this network that will send data to us using secure ftp.

There will be a machine at our site for receiving all of this data and then passing it on to our LAN, which is on a different subnet.

It is important to protect the receiving machine from unwanted attacks from the organisation's network as well as the internet, which will be available through that connection. It also needs to prevent any traffic from our LAN traversing the corporate network, although the router between the two LANs should help police that.

hope that makes sense
 
We deal directly with equip for all our juniper kit (well firewalls anyway, we buy our M series boxes elsewhere), they're pretty good.

I quite like the Juniper firewall solutions, they're powerful, flexible and easy to configure. My only word of warning would be don't do IPsec VPNs on them, it's just not worth it. The client (rebranded SafeNet client) is truly awful compared to the Cisco VPN client; that said, the new SA SSL VPN appliances are really rather nice (Equip have given us a few to play with for a couple of months).
 
I'd say juniper or checkpoint, probably checkpoint as large companies respect it a lot (I've done a lot of work with BA and they use checkpoint pretty much exclusively). Juniper has a big foothold in FTSE100 companies too though and it'll be a lot cheaper...
 
sure, that sounds extremely straightforward.

i've not much experience with the newer ssg range, but if i were speccing from the previous generation - something like a 25 or 50 (in either baseline or advanced, dependent upon how much throughput/sessions you need to sustain) would suit you down to the ground. hell, if the throughput/sessions requirement isn't too big you could even get away with a baby 5gt + advanced license for this job, as that allows you to split up the ports as required.

they come with four interfaces - untrust, trust, dmz, and a spare interface. you can do what you like with the interfaces - create new zones, rename them, place them between virtual routers etc. default would be fine for you though.

then simply connect untrust to the foreign network, connect trust to your network, and place the server in the dmz. allow the necessary incoming connections from untrust to dmz, and then onwards again from dmz into trust.

job done, literally - you could have that up and running in 10-15 minutes.

if you choose juniper and need any help setting it up, give me a shout! :)
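The three-zone design in the post above (untrust / dmz / trust, sftp allowed in from untrust to the dmz host, then onwards from dmz to trust, nothing from the LAN out across the corporate network), as an added example that is not part of the original thread: a small Python model of a first-match, default-deny zone rule base. The addresses, hostnames, rule order and intra-zone behaviour are constructed assumptions, not a vendor configuration.

```python
# Added example, not from the thread: a minimal zone-based policy model of the
# untrust / dmz / trust design. Addresses, rule order and the first-match /
# default-deny semantics are assumptions for illustration, not a vendor config.
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed addressing: untrust = the foreign corporate network,
# dmz = the receiving sftp host, trust = the internal LAN.
ZONES = {
    "untrust": ipaddress.ip_network("10.0.0.0/8"),
    "dmz":     ipaddress.ip_network("192.168.50.0/24"),
    "trust":   ipaddress.ip_network("192.168.10.0/24"),
}
SFTP_HOST = "192.168.50.10"       # constructed: the receiving machine in the dmz
LAN_FILESERVER = "192.168.10.20"  # constructed: where the data is passed on to

@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]   # None = any host in the destination zone
    dport: Optional[int]      # None = any destination port
    action: str               # "permit" or "deny"

# Ordered rule base, first match wins; anything unmatched is dropped.
POLICIES = [
    Policy("untrust", "dmz",   SFTP_HOST,      22,  "permit"),  # sites push via sftp
    Policy("dmz",     "trust", LAN_FILESERVER, 445, "permit"),  # hand data on to the LAN
]

def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    ip = ipaddress.ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), None)

def evaluate(src: str, dst: str, dport: int) -> str:
    """Return 'permit' or 'deny' for a new session from src to dst:dport."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny"            # unknown zone: never forward
    if sz == dz:
        return "permit"          # assumption: intra-zone traffic is not policed
    for p in POLICIES:
        if (p.src_zone, p.dst_zone) != (sz, dz):
            continue
        if p.dst_host not in (None, dst) or p.dport not in (None, dport):
            continue
        return p.action
    return "deny"                # default deny for inter-zone traffic
```

Note that trust-to-untrust has no rule at all, so LAN traffic towards the corporate network is dropped by the default deny rather than by relying on the router between the LANs.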
 
it would be, you wouldn't have any problems at all. aye, as far as i am aware it is... the whole product range is... they must be, because we have to use that kit too and i look after about 30 of the adsl ones! i don't think it's just the hardware that is eal4 compliant, but also the code too. i can configure one of our test boxes as per your description and post up the config if you like...
 