One of our groups manages a clustered, 12 interface Checkpoint setup for our network business. That box alone keeps about 1.5 full time employees busy. Add the VPN concentrators to the mix (they have 4-6, IIRC) and that's easily 2 FTEs total. And they're busy.
------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: Aaron Brasslett [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 20, 2002 10:15 AM
> To: NT 2000 Discussions
> Subject: RE: Minimum VPN req's
>
>
> All good points Roger. I can now see pros and cons to each method.
>
> Aaron
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 20, 2002 10:13 AM
> To: NT 2000 Discussions
> Subject: RE: Minimum VPN req's
>
>
> Clustered firewalls bring their own set of issues, not the least of which is
> cost, as you mention.
>
> Second, separate firewall and VPN access points make good sense in that the
> net result is less chance of configuration error, which can be very
> difficult in a single box strategy. And seeing as misconfiguration is the
> number one cause of firewall vulnerabilities, I'd say that risk of having
> multiple connect points is less than that of misconfiguring a monolithic
> ingress/egress point.
>
> And you really don't want to know about the third ingress/egress point we
> just ordered for our location, either.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
>
> > -----Original Message-----
> > From: Aaron Brasslett [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, December 20, 2002 9:57 AM
> > To: NT 2000 Discussions
> > Subject: RE: Minimum VPN req's
> >
> >
> > You now have another point of attack on your network. Two boxes to support,
> > upgrade, and patch for the latest security vulnerabilities.
> >
> > If budget isn't a problem, install a clustered firewall.
> >
> > You could also place the VPN box behind your primary firewall. In short,
> > there are a lot of options beyond paralleling firewalls.
> >
> > Aaron
> >
> > -----Original Message-----
> > From: Robert Gonzaga (306) [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, December 18, 2002 5:22 PM
> > To: NT 2000 Discussions
> > Subject: RE: Minimum VPN req's
> >
> >
> > Explain why it doesn't make sense.
> >
> > -----Original Message-----
> > From: Aaron Brasslett [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, December 18, 2002 2:12 PM
> > To: NT 2000 Discussions
> > Subject: RE: Minimum VPN req's
> >
> > Why would you put your VPN box in parallel with the PIX? Why wouldn't you
> > support the VPN on one of the existing PIXs? Parallel firewalls don't make
> > a lot of sense.
> >
> > Aaron
> >
> > -----Original Message-----
> > From: Robert Gonzaga (306) [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, December 18, 2002 5:03 PM
> > To: NT 2000 Discussions
> > Subject: RE: Minimum VPN req's
> >
> >
> > I set up our VPN box in parallel with our 2 PIXs. You need a public IP for
> > the outside and a private IP on the inside. Pop in your PDC info, WINS and
> > pool of addresses for the clients and that's basically it. It's fast. You
> > can use your existing Windows client but I'd recommend the Cisco software
> > that comes with the concentrator. The client is a free download from
> > Cisco if you have a CCO login.
> >
> > -----Original Message-----
> > From: Lum, David [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, December 18, 2002 2:00 PM
> > To: NT 2000 Discussions
> > Subject: Minimum VPN req's
> >
> > All this talk of VPN...what's the absolute minimum equipment to VPN if both
> > sides already have fast internet? Software/hardware. I currently dial in via
> > PCAnywhere to one site, but I'd love to utilize my DSL and their broadband
> > connection to connect.
> >
> > Dave Lum - [EMAIL PROTECTED]
> > Sr. Network Specialist - Textron Financial
> > 503-675-5510
> >
> > ------
> > You are subscribed as [EMAIL PROTECTED]
> > Archives: http://www.swynk.com/sitesearch/search.asp
> > To unsubscribe send a blank email to %%email.unsub%%
