wildblue

Geeks: Enterprise Firewall opinions?


Quote

How about Zone Alarm? It's free and it's consistently gotten good reviews from all the tech sites.



I think he is not referring to a personal firewall.

I can say I have some experience with Gauntlet 6.0, though I hear the EOL will be in about a year or so and those using G60 are looking to go to Sidewinder.

Quote

How about Zone Alarm? It's free and it's consistently gotten good reviews from all the tech sites.



Maybe I should edit the subject line :D I'm looking for enterprise level firewalls, not personal. Although, I'm sure I could get a raise if I just used that and saved my company $5-10,000 :P
it's like incest - you're substituting convenience for quality

Firewalls & antivirus: The 2 computer things worth paying for.

Zone Alarm http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=pdb_za2 comes in a freeware version and a purchase version. The "pay" version is more up to date & effective. IMHO it's worth buying.

For antivirus, I personally go for Norton Antivirus http://www.symantecstore.com/dr/sat3/ec_MAIN.Entry17c?CID=74456&SID=27674&SP=10007&PN=5&PID=582926&DSP=&CUR=840&PGRP=0&CACHE_ID=74456 but remember to keep it up to date.

Finally, an oft-neglected security issue is "spyware". This is everything from cookies that track your internet usage & surfing habits (which is where a lot of your spam comes from) right out to programs that can change your dial-up to a premium rate number (wanna pay $2 per minute to surf - without your knowledge? :( ). Perversely, the best anti-spyware is a freebie :) http://www.safer-networking.org/index.php?lang=en&page=download is superb, and if you can spare a few bucks for Patrick, then all the better. Again, this does need to be updated regularly.

Hope this helps,

Mike.

Taking the piss out of the FrenchAmericans since before it was fashionable.

Taking the piss out of the southern FrenchCanadians since before it was fashionable.

How much bandwidth are you trying to push through?

What sorts of complicating factors? (VPNs, etc.)

What type of filtering are you looking to do at the firewall level? Can you push some of the work off on the router?

What router(s) are you using?

How much would be in your DMZ, vs. how much inside?

Quote

Pix? Checkpoint? Borderware? Firebox? Something else?

I'm leaning towards the PIX 515 right now. I can't even find a good comparison that's less than 2 years old though...



Pix. Although not by much. Checkpoint comes at a higher TCO and support, in Oz anyway, is less effective than Cisco. In my view they're the top two options.

You can work down the scale a bit and only reduce manageability rather than effectiveness.

An old Sun box with ipfilter and the appropriate patches could serve well, although depending on the number of interfaces required, going "too" old could be "interesting".. :)
Have a squint at Linux and iptables and whatever breed of BSD and ipfilter. Both good solutions although in the case of Linux choose your distro carefully - some are bloated beyond belief.

At the end of the day, though, the two top options are Pix and Checkpoint.

Whatever you do run an IDS on the hostile firewall interface(s) and make sure you keep its rules right up to date. Hopefully I'm preaching to the already converted...:)
Ooroo
Mark F...

Used to sell solutions which incorporated Watchguard or Checkpoint. I used to work with some ultra-geek from Genuity (now part of Level 3) who had the opinion that anyone that used Cisco products of any type ... well never mind, but he didn't have any social inhibitions... :P
So I try and I scream and I beg and I sigh
Just to prove I'm alive, and it's alright
'Cause tonight there's a way I'll make light of my treacherous life
Make light!

Right now this is basically going to be at a branch office (nothing in the DMZ). I think something like Sidewinder might be a little overkill. Eventually, we will probably be setting up a VPN with the 'home office'. Not overly concerned with bandwidth - only 20 to 30 users at the branch office. Router in use - not yet decided.
it's like incest - you're substituting convenience for quality

Pix is the gold standard, but quite frankly it's too hard to figure out. If you go Pix, you will need a consultant to set it up, and you won't be smart enough to do it yourself.

I like Borderware, myself.

_Am
__

You put the fun in "funnel" - craichead.

Go PIX.
You can manage it via CLI or use a newer GUI from Cisco, part of the CiscoWorks suite.

We use Checkpoint, and it has been nothing but a pain in the ARSE. I work for an unnamed financial firm that processes about 5% of the daily trades on the NYSE market. The amount of data is insane, and the topology of our network makes a lot of vendor engineers look at the whiteboard and go...hmmm. So in a simpler setting, maybe Checkpoint. But I am within 15 feet of 3 security admins that would gladly be rid of it. We use Checkpoint NG.
--
All the flaming and trolls of wreck dot with a pretty GUI.

I don't know what to recommend, but I know I wouldn't recommend Symantec Enterprise Firewall. We have 4 of them and it's a pain in the ass to administer. Part of the reason is having 7 different interfaces on each of them, and then load balancing on top of that. :S
"Hang on a sec, the young'uns are throwin' beer cans at a golf cart."
MB4252 TDS699
killing threads since 2001

Dude, I feel you. We run a redundant load balancing 'sandwich' with our Checkpoints. For the main connection anyway; also have a few DMZs. Bottom line, load balancing complicates things greatly. The device has to be able to sort on a session level by one method or another, otherwise you kill SSL connections to secure sites.
--
All the flaming and trolls of wreck dot with a pretty GUI.

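The session-level sorting the post above calls for, as an added example that is not part of the original post and not any vendor's code: a Python model of two stateful firewalls behind a load balancer. Per-packet round robin scatters one TCP flow across both boxes, so the firewall that never saw the SYN drops the mid-stream packets and the TLS handshake never completes; hashing the 5-tuple keeps a flow on one firewall. The firewall count, the packets and the addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Why a stateful-firewall 'sandwich' needs session-aware load balancing.

Added example for this thread; not from the original post and not any
vendor's code. Two stateful firewalls sit behind a load balancer. Each
firewall admits a packet only if it saw the flow's SYN (a simplified state
table). Per-packet round robin puts the second packet of a flow on a box
with no state for it, so the constructed client-side TCP+TLS exchange never
completes; hashing the 5-tuple keeps every packet of a flow on one firewall.
"""
from dataclasses import dataclass
from hashlib import sha256
from itertools import cycle
from typing import Callable, List, Sequence, Set, Tuple

Flow = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False

    def flow(self) -> Flow:
        return (self.src, self.sport, self.dst, self.dport, self.proto)


class StatefulFirewall:
    """Minimal stateful filter: a flow is admitted only after its SYN is seen."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.table: Set[Flow] = set()
        self.dropped: List[Packet] = []

    def forward(self, pkt: Packet) -> bool:
        if pkt.syn:
            self.table.add(pkt.flow())  # new connection: create state
            return True
        if pkt.flow() in self.table:    # mid-stream packet of a known flow
            return True
        self.dropped.append(pkt)        # no state for this flow: drop it
        return False


Picker = Callable[[Packet], int]


def round_robin(firewalls: Sequence[StatefulFirewall]) -> Picker:
    """Per-packet round robin: spreads load evenly but ignores flows."""
    rr = cycle(range(len(firewalls)))
    return lambda pkt: next(rr)


def flow_hash(firewalls: Sequence[StatefulFirewall]) -> Picker:
    """Pick by a hash of the 5-tuple so every packet of a flow hits one box."""
    n = len(firewalls)

    def pick(pkt: Packet) -> int:
        digest = sha256("|".join(map(str, pkt.flow())).encode()).digest()
        return int.from_bytes(digest[:4], "big") % n

    return pick


def run(packets: Sequence[Packet], policy, n_firewalls: int = 2) -> Tuple[int, int]:
    """Push packets through the sandwich; return (delivered, total)."""
    fws = [StatefulFirewall(f"fw{i}") for i in range(n_firewalls)]
    pick = policy(fws)
    delivered = sum(1 for p in packets if fws[pick(p)].forward(p))
    return delivered, len(packets)


def tls_handshake(src: str, sport: int, dst: str = "203.0.113.10", dport: int = 443) -> List[Packet]:
    """Constructed client-side packets: SYN, then ACK, ClientHello, Finished."""
    base = dict(src=src, sport=sport, dst=dst, dport=dport)
    return [Packet(syn=True, **base)] + [Packet(**base) for _ in range(3)]


if __name__ == "__main__":
    traffic = tls_handshake("198.51.100.7", 40000) + tls_handshake("198.51.100.8", 40001)
    print("round robin:", run(traffic, round_robin))  # (4, 8): every other packet dropped
    print("flow hash:  ", run(traffic, flow_hash))    # (8, 8)
```

The model only carries the client-to-server direction; a real sandwich also needs the reply packets to land on the same firewall, so the balancers on both sides must hash symmetrically or share their session tables.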
Well, after seeing the responses, I guess you may have to clarify 'enterprise' a bit more. I think I was responding from the point of view of a very complicated topology, for which I say go PIX, even though we are getting it done without PIX. For simpler stuff, that may not be required. If you have the right staff, you can also just harden a Linux distro and run iptables, for simple stuff.
--
All the flaming and trolls of wreck dot with a pretty GUI.

If you have experience with setting up a Cisco router, the PIX is a fairly simple step up. The only issue is that all the command interface logic is completely backwards compared to the routers. In the routers you put source, transport, destination. In the PIX it's destination, transport, source, and a lot of entry-level Cisco people screw it up and have totally screwed up config files.

Something that's a tad harder to do on PIX is NAT translation and forcing static mapping for certain NATs. You basically have to do manual NAT'ing of an IP to itself and then use the NAT'ed address to do the transporting. Not a big deal once you learn the PIX environment.
Yesterday is history
And tomorrow is a mystery

Parachutemanuals.com

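The field-order difference the post above describes, worked through as an added example (this is not the poster's config and not Cisco's own conversion tool): a small Python translator that rewrites PIX conduit statements, which name the global (destination) address first, into the equivalent access-list statements, which name the source first, and emits the "NAT an address to itself" static the second paragraph describes for each exposed host. The ACL name outside_in, the interface names inside/outside and the sample addresses (RFC 5737 documentation range) are assumptions for the example.

```python
"""Translate Cisco PIX 'conduit' statements into 'access-list' statements.

Added example for this thread; not the original poster's code and not
Cisco's conversion tool. It shows the field order the post describes:

    conduit permit|deny PROTO GLOBAL [OP PORT] FOREIGN [OP PORT] [ICMP-TYPE]
    access-list NAME permit|deny PROTO SOURCE [OP PORT] DEST [OP PORT] [ICMP-TYPE]

GLOBAL is the destination (the address on the outside), FOREIGN the source.
An address is 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'. The ACL name
'outside_in' and the interface names are assumptions for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple

PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}


@dataclass
class Endpoint:
    addr: str       # 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'
    port: str = ""  # '', 'eq 80', 'range 1024 65535', ...

    def host_ip(self) -> str:
        """The address of a 'host X' endpoint, or '' for any/subnet."""
        return self.addr.split()[1] if self.addr.startswith("host ") else ""


def _take_address(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec at tokens[i]; return (text, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2   # address followed by mask


def _take_port(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume an optional port operator; 'range' takes two operands."""
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        n = 3 if tokens[i] == "range" else 2
        return " ".join(tokens[i:i + n]), i + n
    return "", i


def parse_conduit(line: str) -> Tuple[str, str, Endpoint, Endpoint, str]:
    """Return (action, proto, global/destination, foreign/source, icmp_type)."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto = tokens[1], tokens[2]
    g_addr, i = _take_address(tokens, 3)   # global side comes FIRST in a conduit
    g_port, i = _take_port(tokens, i)
    f_addr, i = _take_address(tokens, i)   # foreign (source) side comes second
    f_port, i = _take_port(tokens, i)
    icmp_type = ""
    if proto == "icmp" and i == len(tokens) - 1:
        icmp_type, i = tokens[i], i + 1    # e.g. echo-reply
    if i != len(tokens):
        raise ValueError(f"unparsed tokens in {line!r}: {tokens[i:]}")
    return action, proto, Endpoint(g_addr, g_port), Endpoint(f_addr, f_port), icmp_type


def conduit_to_acl(line: str, acl_name: str = "outside_in") -> str:
    """Rewrite one conduit as an access-list line: source before destination."""
    action, proto, glob, foreign, icmp_type = parse_conduit(line)
    parts = ["access-list", acl_name, action, proto, foreign.addr]
    if foreign.port:
        parts.append(foreign.port)
    parts.append(glob.addr)
    if glob.port:
        parts.append(glob.port)
    if icmp_type:
        parts.append(icmp_type)
    return " ".join(parts)


def identity_statics(lines: List[str], inside: str = "inside", outside: str = "outside") -> List[str]:
    """Emit the 'NAT an address to itself' static the post describes for every
    global host a conduit exposes. Assumes the inside hosts carry the same
    routable addresses on both sides, so no real translation takes place."""
    hosts: List[str] = []
    for line in lines:
        ip = parse_conduit(line)[2].host_ip()
        if ip and ip not in hosts:
            hosts.append(ip)
    return [f"static ({inside},{outside}) {ip} {ip} netmask 255.255.255.255" for ip in hosts]


if __name__ == "__main__":
    conduits = [  # constructed sample lines
        "conduit permit tcp host 209.165.201.3 eq 80 any",
        "conduit permit tcp host 209.165.201.3 eq 25 192.168.5.0 255.255.255.0",
        "conduit permit udp host 209.165.201.5 eq 53 any range 1024 65535",
        "conduit permit icmp any any echo-reply",
    ]
    for c in conduits:
        print(conduit_to_acl(c))
    print(*identity_statics(conduits), sep="\n")
```

The generated list is only applied once it is bound to an interface (access-group outside_in in interface outside), and the identity static only makes sense where the inside hosts really do use routable addresses, which is the case the post describes.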
Of the firewalls mentioned and the environment you described, I would probably go with the Cisco PIX. Although the Cisco PIX is "only" a stateful packet filtering firewall, it is not any less secure than an application proxy firewall such as Gauntlet or Sidewinder. (Marketing guys and sales reps will try to have you believe stateful packet filtering firewalls are less secure, but don't buy into the hype!)

The Cisco PIX is one of the very few appliance firewalls that's not overpriced. As far as configuration goes, if you are familiar with Cisco routers and somewhat knowledgeable of ACLs, you could probably make the PIX do what you want it to do with minimal training. The PIX also uses conduits, which are, without going into technical details, backwards from ACLs. There is also a big push nowadays to run split DNS. The Cisco PIX can now support a true split DNS configuration.

Another major reason I recommend the PIX is because other firewalls such as Gauntlet and Cyberguard sit on a Unix platform, Solaris, BSDI, and in the case of the Cyberguard, SCO (although they claim to have locked it down and made their own proprietary flavor). Unix based firewalls, although I love Gauntlet to death, require a higher learning curve whenever new personnel/security engineers are brought in.

If VPNs are required the PIX can support all the things you would need, except, and someone correct me if I am wrong, they cannot use DoD certs for authentication? This may have changed though... if DoD certs are required (which I doubt they are) then you probably wanna contact Cisco to find out if they can support them.

Hope this helps, and no I don't work for Cisco!!:)
Leon


----------------------------
"Insert witty quote here."

Side note... if anyone is looking to get some Cyberguard KnightStars or a StarLord let me know... I've got two of them sitting in our test lab that we are not able to use. We went with larger PIXes instead. Cheap too! :ph34r:

The conduit logic is fairly straightforward from a security and audit standpoint too.
Yesterday is history
And tomorrow is a mystery

Parachutemanuals.com

PIX software has gotten way too bloated and convoluted in the past few releases, and we've seen all kinds of wacky problems with the configurations.

I'd recommend the Netscreen firewalls; they're much easier to configure and perform very well.

CCIE#2006
7CP#1 | BTR#2 | Payaso en fuego Rodriguez
"I want hot chicks in my boobies!"- McBeth

I've a pair of PIX and I'm happy with them, but you may want to read this article on SOAP/XML content filtering before making any decisions...

If you need some help with the configs on a PIX, I can be bought at a price B|
Z-Flock 8
Discotec Rodriguez

Too bad weapons grade stupidity doesn't lead to sterility.

