Firewalls

It would be, you wouldn't have any problems at all. Aye, as far as I am aware it is... the whole product range is... they must be because we have to use that kit too and I look after about 30 of the ADSL ones! I don't think it's just the hardware that is EAL4 compliant, but also the code too. I can configure one of our test boxes as per your description and post up the config if you like...


Very kind of you sir!

I wouldn't go to any effort yet until we decide what to buy, but I may need to call on your services at a later date should we go down the Juniper route.
 
How does the licensing work on these products? If you have a 10 user licence, for example, is that only for users sending traffic through the firewall from your LAN?

I'm not keen on going for a PIX as it has been replaced by an ASA and I don't want to buy something out of date.

Also, can some of you name reputable suppliers for these sorts of products? I will check our own suppliers but they aren't always great on hardware.

Checkpoint licensing is done on the number of internal IP addresses protected, as is Cisco's licensing on the smaller products.

Having read a bit further down I see you are looking at the Juniper SSG5/25. Please don't take this the wrong way, but the SSG5/25 is fairly low-end SOHO/SMB/branch office kit (the same market the ASA5505s are aimed at) and is not in the same class as a Checkpoint FW-1 solution.

If you only have a budget of a couple of grand for the firewall you could do a lot worse than a Cisco ASA5510 (ASA5510-BUN-K9): 300Mbps of firewall throughput, 170Mbps of VPN. You'll get 4 10/100 interfaces (plus a 5th interface, also 10/100, which can be used either as out-of-band management or as a 5th data interface), 250 VPN tunnels and unlimited inside hosts. Stick with the 7.2.x branch unless you want to be on the bleeding edge with the 8.0.x releases. ASDM takes a lot of the pain out of configuring them if you aren't too familiar with the CLI and is leagues ahead of the old PDM GUI interface.

I personally think the 5510s are a bit of a bargain. I can't post links as most sites would be competitors, but they can be had for less than £1400 inc. VAT.
 
From my perspective I would be looking at whether the firewall is a complete perimeter solution, or merely a point solution to accept incoming data transfer and broker it to the internal network. If it were the former then the suggestion of a box with a decent amount of poke is perfectly valid; if it is the latter, however, then spending £1400 seems a bit overkill.

Is the OP able to post any further info as to the requirements? Is this firewall going to form a proper perimeter network for you, or is it just a point solution? Do you want something decent now that you can use for additional security in the future? Can you aggregate security appliances or does your line of business dictate separate physical security systems? Do you need 300 meg of throughput and up to 250 tunnels?

I suppose I am a bit spoilt, as if it were me I would just be adding this as an additional service to an active/passive HA cluster of ISG2000s, either into a shared DMZ if permitted by security policy, or onto a dedicated interface if necessary.

It is always good to hear about other products though, I really need to branch out and pick up skills with other vendors! :)
 
VPN tunnels don't matter, there won't be any. As for throughput, the data will be coming from two ADSL connections throughout the day, and pretty much all day by the time all the remote sites are live and sending data.

I'm guessing that I don't need massive throughput due to the fact that the data is throttled down to 8 meg broadband?

The firewall requirement is twofold: the network we are connecting to states that we must have an EAL4 firewall. I also want something that I know I can rely on, so that I know it is well protected.

Redundancy is also very important; if the firewall goes down then I need another to be able to seamlessly take over.

Budget isn't a massive problem, we will spend what we need to so that we get a good solution, but obviously we aren't going to waste money on something we will not get any use from.
 
Typically the high availability features come with the more advanced boxes, along with higher throughput, advanced routing protocol support, VPN features, IPS functionality etc. This all costs money, so it would be a good idea to know if you do have a budget to work with.

I could do with understanding a little more about the WAN side of the setup. The ADSL side of things: are you having two for redundancy, or are they there to provide discrete connections to differing networks? If it's the latter, whilst talking about firewall redundancy you might also need to think about redundancy in the WAN connectivity too.

A sanitised network diagram might help us help you, if you see what I mean...
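To make the "seamless takeover" requirement concrete, here is an added illustration (not config from anyone in this thread, and not a tested build) of what an active/standby failover pair looks like on the ASA5510 mentioned earlier. Note that on the 5510 the base licence does not include failover; you need the Security Plus licence on both units. Interface names, the 10.0.0.0/30 failover subnet and the 203.0.113.0/29 and 192.168.10.0/24 addresses are assumed for the example. Both boxes get the same configuration; only the `failover lan unit` line differs.

```text
! ---- Primary unit (the secondary is identical except "failover lan unit secondary") ----
hostname fw-primary

! Dedicated interface carrying failover hellos and stateful session replication.
! Use a direct cable or its own VLAN: this link is unauthenticated unless you set
! "failover key", so keep it off any user-reachable segment.
failover lan unit primary
failover lan interface FOVER Ethernet0/3
failover link FOVER Ethernet0/3
failover interface ip FOVER 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover key <shared-secret>
! Unit hellos every 1s, declare the peer dead after 3s (assumed values; tune to taste).
failover polltime unit 1 holdtime 3

! Every monitored data interface carries an active and a standby address, so the
! standby unit can send its own hellos and the active IP moves on failover.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2

interface Ethernet0/3
 description LAN/STATE failover link
 no shutdown

! Turn failover on last, after both units have the link and addresses configured.
failover
```

Check it with `show failover` on each unit: the active unit should report `This host: Primary - Active` and the peer `Other host: Secondary - Standby Ready`, and each monitored interface should show `Normal` rather than `Waiting` or `Failed`. Pulling the active unit's power cable and watching an existing TCP session survive is the real acceptance test for the redundancy requirement in this thread.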
 

Ok, you've filled in a bit more information :) two things...

1) xDSL is not a business-critical solution for Internet access. Get a leased line with a proper SLA. (You're looking at spending what's required on the firewalls; don't go cheap with connectivity, it will come back to bite you!)

2) If you need active/active or active/passive firewall pairs, no solution is going to be cheap.


It sounds like your solution is going to have to comply with whatever your business partner is happy with, which can be a little awkward.

What do you use at the moment as a connectivity / Firewall solution?

Would it be more cost effective to extend your current solution to fit this new business?

Are you looking at this as a opportunity to upgrade your current solution?

As a quick idea if you're going for the last option:

Upgrade your current connectivity to a 2 or 4Mbps Leased line.

Upgrade your Firewalls to a pair of Nokia IP290's or IP390's in active/active.

Add a dedicated Server running Secure Platform as a management server.

Checkpoint VPN-1 NGX R65

Job done :D
 
No need to spend the cash on Nokia kit, Check Point have their own branded appliances (actually rebadged Crossbeam units) which are a lot cheaper.
 

I know, I suggested them earlier ;)

The only problem with them is that the licences are tied to the box.
You don't get the licences separately (we've put SPLAT boxes in temporarily when a customer has outgrown their current Nokia device and we've needed to keep them up and running, which is easy when you can just put the licence on any hardware). So at the end of the support life cycle of the box (looks like it's going to be 5 years) you effectively have to trade the entire box in to get new hardware.
 
A leased line is far too expensive.

The ADSL connections are managed by someone else and backed by their SLA, so we don't really need to worry about that, if you see what I mean. The connections do also have ISDN backup.

This is a totally different network segment to our current network, so extending what we currently have is not the way we want to go right now; we just want to get this implemented according to the standards that have been set.

I understand the solution is not going to be cheap and we are willing to spend the money, but I just want to make sure we don't buy a solution that is totally overkill.
 