Hmmm, is this friend of yours doing consulting for my job? :-) Almost the
same scenario except about a year behind, right down to the Watchguard
boxes.
The problem the security consultant runs into is that the next IPSO that
will support "dallas" will not be ready until the end of this year and
"dallas" will be officially released in June (he thinks). If he decides to
go with the Nokia IP platform, he will not be able to meet the target date.
He needs time to test "dallas" on IPSO prior to implementing it.
Six months of delay for IPSO is probably a bit of a stretch. I think R55
was released in Sept 2003 and the IPSO version was released in the second
half of Dec. 2003. From friends in the industry, "dallas" allegedly was
supposed to be released in January 2005 and then March and now who knows
when. I do see it has made it into the public beta stage, so that's good
news. I would think the delay, if it really exists, would actually move the
IPSO date closer to the SPLAT release. IPSO patches for R55 are right there
when SPLAT HFAs are released.
Pushing a deployment just to take advantage of a new release is rarely a
good idea unless you are sure the features of the new version are a
show-stopper if you don't have them. And that you're sure they're going to
work and nothing else is going to break. :-)
1) They can use existing hardware currently available in the inventory to
build the enforcement module. SPLAT runs great on both IBM and Compaq
hardware. Furthermore, you can perform RAID 1 on the hardware to provide
redundancies at the hardware level. Originally, they are looking at Nokia
IP350/IP380 which does not have built-in harddrive RAID redundancy. The
customer has bulk load of IBM and Compaq DL380 Servers.
All valid points. I bought an IP530 solely for the mirrored hard drives.
Nokia now has a disk-less version which should relieve hard drive failure
concerns.
I prefer two drives because of the redundancy it gives me during patches and
updates. I simply break the software mirror and patch/upgrade the primary.
If it blows up (and it never has yet), I can simply swap the drives and away
I go.
I also prefer IPSO because of its "test boot" feature. If an upgrade of IPSO
on a remote gateway goes bad, the box simply reboots itself into the
previous version of IPSO and I'm back up. Only one of my remote sites has
any kind of IT staff on hand.
2) Dual CPU support on SPLAT, which isn't yet supported on Nokia IP
platforms (maybe with the exception of IP1260 or IP2250).
May be a consideration at the main site, but certainly not at the remote
sites because their pipes are too small even with SmartDefense.
3) Hardware Inventories readily available on-site. The Enforcement Modules
can be rebuilt in less than 10 minutes.
Is there somebody there that can do it securely? I've rebuilt remote IPSO
boxes from "factory fresh" installs without any local support. I've never
tried with SPLAT, so I don't know how that goes. I don't know about ten
minutes, though. Closer to 30 is probably better. SPLAT needs HFAs whereas
IPSO just needs the current version installed.
4) Checkpoint ClusterXL can provide an Active/Standby or Active/Active
Solution at headquarters. I know Nokia VRRP and IPSO Clustering is FREE but
the ClusterXL cost can be offset with the hardware (i.e. IBM or Compaq
Servers) that the customer already owns.
Check out the price on the Nokia disk-less boxes. They were a lot cheaper.
5) When running Checkpoint on the Nokia IP platform, Nokia is always a few
revisions behind Checkpoint. There will always be a "blame game" going on
when things are not working right. When running SPLAT, Checkpoint will be
responsible for everything with the exception of the hardware. There will
not be any finger pointing other than Checkpoint.
I have never, repeat never, experienced this. Nokia is a bit behind on the
initial release and sometimes that's a good thing because the pioneers
already took a few arrows in the back for you. I have my Check Point support
through Nokia, so they're my first point of contact and are cheaper than
Check Point. If they have to escalate an issue to Check Point, it doesn't
cost me a dime.
6) SPLAT can do RIP-2, OSPF and BGP via zebra just as good as IPSO.
I guess that's a tie, then. :-)
I'm sure you have already recommended a separate management server to him,
so that's a moot point. This one is going to be a tough decision because
both choices are good, although your discussion is focused on the initial
deployment date and costs. Do you have any thoughts on what it takes to keep
either option running, time-wise and cost-wise? That's where the real money
will be spent, particularly in the cost of downtime.
I do know my company isn't going to try "dallas" for at least three months
after it's released. There are just too many things going on with a firewall
running site-to-site and remote access VPNs to risk it so fast.
If you can, please let us know what they decided and why. Their reasoning
will be a good learning point.
Take care,
Ray
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================