Greetings!
Ivan Fox wrote:
> We are using (5) FW-1/VPN-1 with unlimited user licenses at a few sites.
> There will be a few more sites requiring firewalls. Management starts asking
> if there are "cheaper and better" alternatives than Check Point.
cheaper: yes (e.g. ACLs on the router, maybe IPFilter with *BSD on an old PC)
and: yes* (not easy, but doable - will need a number of really good
     admins/programmers)
better: yes*
    faster:
        only ACLs on the (load-balanced) router - nothing else
        (except cache proxy)
        (security: OUCH!)
    safer:
        (e.g. multiple defense line outside-in: screening router/ACL,
        stateful packet filter FW, bastion proxy, proxy FW, URL/virus
        filtering bastion proxy, stateful packet filter FW,
        internal proxy/server, no default route to external net -
        application level "routing" only)
    ease of use (for user):
        see faster - default route to internet, maybe even legal,
        official IP addresses in the internal network, routed directly
        (security: OUCH!)
* = all depending on your requirements as listed below:
Security: How sensitive is your network/data?
Traffic: What is the network throughput you need?
Services: Do you need/want additional services like URL/MIME blocking or
virus scanning on the FW?
Support: How many SysOps do you have to admin the FWs? Do they need vendor
support/hotline?
Availability: How critical are network outages?
Bye
Volker
begin:vcard
n:Tanger;Volker
tel;fax:+49 - 69 - 92901-213
tel;work:+49 - 69 - 92901-570
x-mozilla-html:FALSE
url:http://www.res.globalone.net/
org:Global One;Global Project Engineering
version:2.1
email;internet:[EMAIL PROTECTED]
title:Sr. Security Engineer
adr;quoted-printable:;;Stiftstrasse 23=0D=0A;Frankfurt;;60313;Germany
note;quoted-printable:Room 608=0D=0A
fn:Volker Tanger
end:vcard