Firewall-1

Re: [FW-1] Please help: Checkpoint on Nokia IP platform or SPLAT?

Subject: Re: [FW-1] Please help: Checkpoint on Nokia IP platform or SPLAT?
From: "Jarmoc, Jeff" <Jeff.Jarmoc AT GRUBB-ELLIS DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 28 Mar 2005 10:59:58 -0600
"SPLAT can do RIP-2, OSPF and BGP via zebra just as good as IPSO."

This is the only point I'm not completely in agreement with.  Having
myself been testing OSPF on SPLAT, I've found a few problems.  It works
well enough, until you try to add in multipath routes.  Apparently the
linux kernel in SPLAT was not compiled with multipath support.

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
cisco4ng
Sent: Monday, March 28, 2005 9:28 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Please help: Checkpoint on Nokia IP platform or SPLAT?

All,

I am helping out a former colleague of mine who is a security consultant (I used to be a security consultant myself) with a dilemma.

This security consultant is in charge of designing and implementing firewall solutions for an enterprise customer (about 2,000 end-users) spanning the US, Europe and Asia, with the US as the headquarters and remote offices in Europe and Asia.  The customer has already decided to go with Checkpoint Firewall-1 as its choice of firewall over other vendors such as Netscreen and Cisco Pix.

The customer now asks the security consultant for a recommendation of the hardware platform that will run Checkpoint Firewall-1.  To make this a little more complicated, the customer will have VPNs from these remote offices back to the US and with each other.  They have SIP and VoIP applications that will traverse the VPN tunnels.  Firewalls at each location will function both as VPN and perimeter firewall.  The headquarters has two DS-3 (45Mbps) pipes while each remote office has a dedicated T-1 and ISDN backup.

The customer would like to be able to do this in the September/October 2005 timeframe.  Currently, they have Pix firewalls and Watchguard at various locations.  They like Checkpoint for centralized logging and management.

The security consultant can recommend to the customer the option of running Checkpoint Firewall-1/VPN on either Nokia IP platforms or Checkpoint SecurePlatform.  He is more familiar with the Nokia IP platform, but the customer would like to be able to take advantage of the next release of Checkpoint ("dallas") for their implementation in October.

The problem the security consultant runs into is that the next IPSO that will support "dallas" will not be ready until the end of this year, and "dallas" will be officially released in June (he thinks).  If he decides to go with the Nokia IP platform, he will not be able to meet the target date.  He needs time to test "dallas" on IPSO prior to implementing it.

The security consultant asks for my advice.  I told him to go with Checkpoint SPLAT for the following reasons:

1) They can use existing hardware currently available in the inventory to build the enforcement module.  SPLAT runs great on both IBM and Compaq hardware.  Furthermore, you can perform RAID 1 on the hardware to provide redundancy at the hardware level.  Originally they were looking at the Nokia IP350/IP380, which does not have built-in hard drive RAID redundancy.  The customer has a bulk load of IBM and Compaq DL380 servers.

2) Dual CPU support on SPLAT, which is not yet supported on Nokia IP platforms (maybe with the exception of the IP1260 or IP2250).

3) Hardware inventories readily available on-site.  The enforcement modules can be rebuilt in less than 10 minutes.

4) Checkpoint ClusterXL can provide an Active/Standby or Active/Active solution at headquarters.  I know Nokia VRRP and IPSO Clustering are FREE, but the ClusterXL cost can be offset with the hardware (i.e. IBM or Compaq servers) that the customer already owns.

5) When running Checkpoint on the Nokia IP platform, Nokia is always a few revisions behind Checkpoint.  There will always be a "blame game" going on when things are not working right.  When running SPLAT, Checkpoint will be responsible for everything with the exception of the hardware.  There will not be any finger pointing other than at Checkpoint.

6) SPLAT can do RIP-2, OSPF and BGP via zebra just as well as IPSO.

Can anyone share his/her experiences, good or bad, with firewall deployments on both Nokia IP platforms and/or SPLAT?  My past and current experiences with Nokia, obviously, are not very pretty.  Each time I call them with an issue, their typical response usually is "upgrade" or "it's a Checkpoint issue".

Please share your knowledge.

Thanks.

cisco4ng


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
