safieradam wrote:

> Ben makes good points about centralized management.
> 
> At some point you don't want to be uploading ACLs to 70+ boxes one at a
> time. A script might do it but that brings up the issue of passwords.  Are
> you managing in the clear or turning on and supporting SSH? 


We are currently 'behind' the firewalls when we manage them. We'll 
likely have to use ssh for these. 'Expect' works. I'm really reluctant 
to light off mass changes anyway. I'd hate to break 70 firewalls at 
once, all across the state. That would be a bad day.


> 
> I think that Check Point's relationship with Nokia is headed south since
> Nokia came out with their own VPN product.  However, CP is jumping on the
> partnership wagon with other vendors. http://www.intrusion.com makes less
> expensive hardware for CP - $2-$3K per box if you don't need lots of
> interfaces and under $1K for smaller sites. Just make sure you are not
> looking at the SOHO versions.  Last time I checked they were still working
> on HA for their larger boxes but I would look at CP's own HA solution and/or
> multi-entry point features instead. Just try to use a dedicated or at least
> a high speed internal interface for the update packet path.


Which brings up hardware support issues. Hmmm...

> 
> You should not be spending $10K per license unless you are including VPN in
> the cost and paying list. Make sure you are buying a central management
> station and only the gateway licenses for the remote sites. If you can go
> with cold spares they should discount the cold spare license or simply
> configure the cold spare with the same IP address and license - Errr.....
> that may NOT be OK - check the license agreement carefully. I've been
> spoiled with hot spares or survived with none. Definitely do some price
> negotiating - Pull out your PIX discount book, hit the CP rep with it and
> get the same or better rate.  With a possible 140 licenses CP corporate may
> help you beat up a distributor that won't negotiate.  True, CP has never
> been cheap but there is some room for arm twisting.
>

That should happen this week. The CP rep has NOT given us prices other 
than the standard 50% off list for .edu's. For >255 IPs that is $18K or 
so, less 50%. They are acting like used car salesmen. 'For you, Mike, we 
have a special deal...' then weeks go by with no quotes. We also want 
campuses to be able to look at & modify their own firewalls. CP says I 
need a management station for each college. More $$$. VPN is only $1000 
per license.

I can't see how we can manage 70 devices, each with different policies 
(campus autonomy) from one Checkpoint console. We'd have probably 1000 
or so unique policies. Too much scrolling. We'd have to have Provider One 
just so we can manage them. Plus campuses could use our Provider 
console instead of their own, so they'd not have to dedicate an NT box 
to FW management.

I think that CP is trying to impress me with how expensive they are. 
They haven't figured out what a cheapo I am.


> Do a quick survey of postings asking for help on PIX vs. Check Point.  A few
> years ago PIX seemed to have more problems needing patches and more people
> having problems. On the other hand CP users had so many "how do I..."
> problems early on that D. Welch created http://www.phoneboy.com  , now THE
> site to check for CP issues.  He even wrote a book about it.
> 

Four PIXes, two years, no problems, no help calls, no setup help, 
haven't even had to search Google. We have simple installations.


> Finally, get your support from CP directly rather than a reseller (unless it's
> Mr. Welch!).  Their 1st level support is OK for simple stuff only but then,
> I've rarely seen great support from anyone unless you have your own SE. Once
> you escalate you can get decent support but having your own SE is best.
> 

Checkpoint says the same thing.


> Anyway, I'm still a CP fan though I have to admit there are an awful lot of
> good products out there, especially if you are only doing a few sites.  For
> medium or large scale I have yet to see a really usable, simple and quick to
> deploy management system other than CP's.  (I admit I still have lots of
> management products to check out - Nortel's Shasta sounds comprehensive from
> the literature.  And I reserve the right to change my mind tomorrow.)
> 
> Adam
> 

I'd be too, if they'd just tell me what the damned things cost.


I'm looking at Shasta for the Internet access point(s). Maybe.

-- 
-----------------------------------------
Michael Janke
Director, Network Services
Minnesota State Colleges and Universities
-----------------------------------------

_______________________________________________
Firewalls mailing list
http://lists.gnac.net/mailman/listinfo/firewalls