All,
I am helping out a former colleague of mine who is a security consultant
(I used to be a security consultant myself) with a dilemma.
This security consultant is in charge of designing and implementing
firewall solutions for an enterprise customer (about 2,000 end-users)
spanning the US, Europe and Asia, with the US as the headquarters
and remote offices in Europe and Asia. The customer has already
decided to go with Checkpoint Firewall-1 as its choice of firewall over
other vendors such as Netscreen and Cisco Pix.
The customer now asks the security consultant for a recommendation
of the hardware platform that will run Checkpoint Firewall-1. To make
this a little more complicated, the customer will have VPNs from
these remote offices back to the US and to each other. They have
SIP and VoIP applications that will traverse the VPN tunnels. Firewalls
at each location will function both as VPN and perimeter firewalls.
The headquarters has two DS-3 (45Mbps) pipes while each remote office
has a dedicated T-1 and ISDN backup.
The customer would like to be able to do this in the September/October 2005
timeframe. Currently, they have Pix firewalls and Watchguard at various
locations. They like Checkpoint for centralized logging and management.
The security consultant can recommend to the customer the option of running
Checkpoint Firewall-1/VPN on either the Nokia IP platform or Checkpoint
SecurePlatform. He is more familiar with the Nokia IP platform, but the customer
would like to be able to take advantage of the next release of Checkpoint
("Dallas") for their implementation in October.
The problem the security consultant runs into is that the next IPSO that will
support "Dallas" will not be ready until the end of this year, and "Dallas" will
be officially released in June (he thinks). If he decides to go with the Nokia
IP platform, he will not be able to meet the target date. He needs time to test
"Dallas" on IPSO prior to implementing it.
The security consultant asked for my advice. I told him to go with Checkpoint
SPLAT for the following reasons:
1) They can use existing hardware currently available in the inventory to build
the enforcement module. SPLAT runs great on both IBM and Compaq hardware.
Furthermore, you can do RAID 1 on the hardware to provide redundancy at the
hardware level. Originally, they were looking at the Nokia IP350/IP380, which
does not have built-in hard drive RAID redundancy. The customer has a bulk load
of IBM and Compaq DL380 servers.
2) SPLAT supports dual CPUs, which is not yet supported on Nokia IP platforms
(maybe with the exception of the IP1260 or IP2250).
3) Hardware inventory is readily available on-site. The enforcement modules
can be rebuilt in less than 10 minutes.
4) Checkpoint ClusterXL can provide an Active/Standby or Active/Active solution
at headquarters. I know Nokia VRRP and IPSO Clustering are FREE, but the
ClusterXL cost can be offset with the hardware (i.e. IBM or Compaq servers)
that the customer already owns.
5) When running Checkpoint on the Nokia IP platform, Nokia is always a few
revisions behind Checkpoint. There will always be a "blame game" going on when
things are not working right. When running SPLAT, Checkpoint will be responsible
for everything with the exception of the hardware. There will not be any finger
pointing at anyone other than Checkpoint.
6) SPLAT can do RIP-2, OSPF and BGP via zebra just as well as IPSO.
Can anyone share his/her experiences, good or bad, with firewall deployments on
Nokia IP platforms and/or SPLAT? My past and current experiences with Nokia,
obviously, are not very pretty. Each time I call them with an issue, their
typical response is usually "upgrade" or "it's a Checkpoint issue".
Please share your knowledge.
Thanks.
cisco4ng