Sorry for making you upset.
Of course you must know this stuff, since CheckPoint and FW-1 is one of
your largest products. I'm so sorry.
On Wed, 13 Oct 1999, P. Capelli wrote:
> Lars Kronfält wrote:
>
> >
> > IMHO the PIX beats FW-1 in remote admin too. You can use the VPN client,
> > tunnel in to the box, telnet to the box and start doing your stuff. FW-1
> > needs a third party program like PCAnywhere (or something familiar) to get
> > tunneled, encrypted communication.
>
> Um, this is *not* true. Remote encrypted admin has been a part of the
> product since 2.1c for windows clients. You can also send X over a securemote
> connection if you have a UNIX machine you want to use the GUI on. SSH tunneling
> also works.

The time I worked with FW-1, on a daily basis (some time ago), the
remote "encrypted" admin was nothing you wanted to work with because it
didn't work well enough. Some update problems when changing configuration.
When I took a look at FW-1 version 4, a few months ago, I ran into a
similar problem. Of course, if you use it on UNIX then you can have
remote admin. But, IMHO, FW-1 is an NT FW. (remember IMHO, stressing the H).
If you spend money on more expensive hardware than the regular PC stuff,
then I think that you should spend some time taking a look at an
Application Gateway. Stateful Inspection might be good enough, but I
(IMHO!!!) would lean over towards a proxy-based solution and a good proxy
(application gateway) is Gauntlet. OK, version 5 was buggy, but the new
release, version 5.5, is really good. (maybe except for the -pdk plug, it
might eat memory, nothing dangerous but still a problem [but you don't
HAVE to use -pdk])

>
> This functionality *just* became available for PIX, while Checkpoint has had
> it since 1996. Which do you think will be more stable?
>
> Additionally, ever try to administer 100 remote PIX boxes? Easily done with
> Checkpoint. Not so with PIX.
>

I am sad to say that we disagree again. (I might be the problem, yes I
know, You are the guru!).
Cisco has got a new program, I think it's called Cisco Secure Access
Control (I'm not sure, you can phone Cisco and check); with that you can
have remote admin of a lot of PIX. BTW the name is not PIX anymore, it's
Cisco Secure Firewall (all a part of their new approach). Next version of
The Manager (I will call it the manager and hope that you understand what
I talk about) will have remote admin for Cisco routers, and soon for most
of Cisco's products. And it's all in a nice (well working, as far as I
have tried it) GUI. In the manager, you might have some pre-configured
security policies, and when you buy a new router or Cisco FW then you just
have to add the new machine to the list and enforce the policy.
How hard is that?

> >
> > BUT, If you are interested in high end solutions, take a look at RADGuard
> > ( for VPN ) and Gauntlet ( for FW ).
>
> Yikes!
Pardon me for making you sick. But they are, no matter what you think, my
number one! Please convince me, if I'm totally wrong.
>
> >
> > Lars Kronfält
> >
> > ( remember, it's my opinion, not to be confused with that of my company )
>
> --
> Pete Capelli [EMAIL PROTECTED]
> http://home.adelphia.net/~capelli PGP Key ID:0x829263B6
> "Those who would give up essential liberty for temporary safety deserve neither
> liberty nor safety" - Benjamin Franklin, 1759

Lars Kronfält
"happily awaiting another lesson in ... whatever comes to your mind"
( remember, it's my personal opinion )