SecurityFocus

Re: Enterprise Gigabit Firewall Mar 23 2006 08:25AM
harsh_verma sify com (1 replies)

RE: Enterprise Gigabit Firewall Mar 25 2006 03:38AM
Arunodhay Koul (arunodhay logixworld com)

You can also have a look at www.securecomputing.com
<http://www.securecomputing.com/> and the product is sidewinder G2. It is
UTM product with all the facilities what a Enterprise firewall should have.
Hope this helps.

Regards

Arunodhay.

_____

From: harsh_verma (at) sify (dot) com [email concealed] [mailto:harsh_verma (at) sify (dot) com [email concealed]]
Sent: Thursday, March 23, 2006 1:56 PM
To: VolkerTanger
Cc: firewalls (at) securityfocus (dot) com [email concealed]
Subject: Re: Enterprise Gigabit Firewall

Before going for any other product make sure you checkout this link

:

http://www.watchguard.com/products/x2500.asp

It can cater up to

following requirements :

1) upto 500 Users
2) IPS
3) upto 400

Branch office VPN
4) Mobile User VPN tunnels 1,000 also PPTP with

IPSEC
5)spamBlocker
6) WebBlocker URL Filtering

AND many

more...simple GUI ...Higher capabilites..Also I dont think you need a

Dedicated Firewall Guy for this ...A good network Guy with little

training can manage this.

vtlists (at) wyae (dot) de [email concealed]:

> Greetings!

On

Wed, 22 Mar 2006 15:34:24 +0530
"3 shool"

<3shool (at) gmail (dot) com [email concealed]>wrote:
>
> We are planning to purchase an Enterprise Firewall for our

Head
> Quarters. I have been doing some research recently on various

possible
> options. I do have budget restrictions and that is one

important
> factor which is going to influence management's

decision.

Use the firewall brand you or your staff know inside-out.

If you do not
have a knowledgeable firewall man, get one first.

>

1. Establish site-to-site VPN between our 4 branch locations
> 2.

Establish client-to-site VPN for roaming users
> 3. Should support 500

Internet users at HO

...which probably can be managed by nearly any

firewall appliance
above DSL-router level.

"500 users" is quite a

bit variable. There are worlds between 500 people
just receiving a few

text mails and occasionally surfing after office
hours - and 500 people

doing high-turnover photo/audio/video editing and
-sharing via the web.

The type of usage and speed of your uplink is at
least as interesting

as the pure number of users.

> 4. Has a Gateway Antivirus, IPS

and Content Filtering

Well, here we are - meet THE area of sales fog

throwing and THE
performance bump. There are BIG differences in

technique used,
effectivity and performance impact.

Gateway-AV

sometimes is just a small daemon checking wether the client
has a

current AV system installed and running (like Sonicwall did in the
past

and probably still is doing) - and no virus filtering at all on the
FW

itself. Or it could be a complete AV intercepting all common
protocols

and unpacking/scanning/repacking all.

Similar the IPS: ranging from a

few trivial attack schemes (smurf
attack, ping of death, syn-flooding -

SonicWall is listing 22
"signatures") to a fully-blown in-line IDS. The

first is comparatively
cheap, the latter (Snort-Inline with all

signatures enabled) nearly is
impossible to scale to scan a saturated

1Gbit/s line without missing
packets.

Content filtering is similar

in range: from just blocking a few IPs/URLs
up to weighed keyword scan

and image classification. Thus similar range
on impact.

Especially

for email you'll usually be much better off with a separate
email gate

with RBL/AV/spamfilter than with trying to cover it with an
all-in-one

FW/AV/Email/IDS/VPN/ContentFilter/Proxy/CoffeeCooking/...
appliance.

Similar for HTTP - especially as content filter usually call for

a
separate system anyway.

> Optionally, we also plan to move our

SAP servers on this firewall in a
> new zone. We would opt this only if

the firewall provides us gigabit
> throughput for our SAP

servers.

*Please* *DO* leave your key ERP systems in the back of your

LAN -
better protect it by a separate firewall. Do not push them into

the
front lines of your defense. That would be a Bad Idea(TM).

On

an internet firewall AV/content filtering can make sense and will eat
a

lot of performance - but you usually have a very limited

uplink
(usually single-digit Mbit/s) anyway. For a backend firewall you

just
need a stateful packet filter - but one that can can handle Gbit/s

and
many simultaneous connections.

> For this solution I have

been thinking of ISS, SonicWALL, Checkpoint
> and Netscreen. It would

be great if the list could put their thoughts
> on what would be ideal

for our scenario.

Choose whatever you are familiar with. If you are

not familiar with
firewalling and designing secure networks, hire a

colleague who is.
Buying a system without someone capable of handling

it and incidents
around it will give you just a dead iron. A firewall

is a (key)point of
network control - but useless if noone is (capable

of) controlling it.

> I have also heard that
> SonicWALL has a

gigabit firewall model, Pro 5060. The price seems to
> be really low

compared to Checkpoint+Nokia, but would SonicWALL 5060
> be a good

option?

None will, unless you have the man and knowledge to handle

it. Comparing
such FW systems without knowing their inner workings is

nearly
impossible, even if the sales brochures are boasting similar

technical
terms.

One example just highlighting anti virus

measures - that of course are
all included in the FW according to

brochures: CheckPoint only has
INTERFACES for transparently hooking up

HTTP/SMTP AV systems - but
usually none installed on the machine.

SonicWall has (had?) just a check
wether an AV system is installed on

the client wanting to access the
internet, no AV installed on the FW

box itself.
In contrast to this Astaro has full transparent proxies

(e.g. the HTTP
one is squid based) with ClamAV and Kaspersky AV running

on the box,
in parallel to Cobion URL filtering plus a complete Snort

IDS. Sound
great, doesn't it? Similar is the dramatic drop in

throughput. I've
seen boxes capable of multi-100Mbit/s firewalling

breaking down to
effective few-kbit/s rates because of such

setups...

And all those nice AV/URL/Content/SPAM filtering

meachanisms will be
useless on a firewall if you are using encrypted

protocols.

First clearly define your needs - only after that start

looking into
possible solutions. With asking (only) for a (all-in-one)

firewall you
deprived yourself e.g. of a three-box-solution (http proxy

+ email gate
+ packet filter). Maybe you even already have such a

system running.

Open source is an option - again, if you have the

knowledge in your
staff to do so.

Again:
You FIRST need the man

- the system choice will follow automatically.

If you do not have

(and do not intend to hire) the knowledge you need to
properly run a

gate, outsourcing the internet gate to a managed security
service might

be another option. But have a close look at the SLAs -
especially at

response AND solution times as well as

on
responsibilities/fines.

Good luck!

Volker

--

Volker

Tanger

http://www.wyae.de/volker.tanger/
-------------------------------------

-------------
vtlists (at) wyae (dot) de [email concealed] PGP Fingerprint
378A

7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB

<http://ads.sify.com/RealMedia/ads/click_nx.ads/mail.sify.com/sentmail@B
otto
m>

<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="City"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="place"/>

<style>

</style>

</head>

<body lang=EN-US link=blue vlink=blue>

<div class=Section1>

You can also have a look at <a
href="http://www.securecomputing.com/">www.securecomputing.com</a> and the
product is sidewinder G2. It is UTM product with all the facilities what a <st1:City
w:st="on"><st1:place w:st="on">Enterprise</st1:place></st1:City> firewall
should have. Hope this helps.<o:p></o:p>

<o:p> </o:p>

Regards<o:p></o:p>

<o:p> </o:p>

Arunodhay.<o:p></o:p>


<o:p> </o:p>

<div>

<div class=MsoNormal align=center style='text-align:center'>

<hr size=2 width="100%" align=center tabindex=-1>

</div>

From:
harsh_verma (at) sify (dot) com [email concealed] [mailto:harsh_verma (at) sify (dot) com [email concealed]] 
Sent: Thursday, March 23, 2006
1:56 PM 
To: VolkerTanger 
Cc: firewalls (at) securityfocus (dot) com [email concealed] 
Subject: Re: <st1:City w:st="on"><st1:place
w:st="on">Enterprise</st1:place></st1:City> Gigabit Firewall<o:p></o:p>

</div>

<o:p> </o:p>

<pre>Before going for any other product make sure you checkout this link 
:<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>http://www.watchguard.com/products/x2500.asp<o:
p></o:p></pre><pre><o:p> </o:p></pre><pre>It can cater up to 
following requirements :<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>1) upto 500 Users <o:p></o:p></pre><pre>2) IPS <o:p></o:p></pre><pre>3) upto 400 
Branch office VPN <o:p></o:p></pre><pre>4) Mobile User VPN tunnels 1,000 also PPTP with 
IPSEC<o:p></o:p></pre><pre>5)spamBlocker<o:p></o:p></pre><pr
e>6) WebBlocker URL Filtering<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>AND many 
more...simple GUI ...Higher capabilites..Also I dont think you need a 
Dedicated Firewall Guy for this ...A good network Guy with little 
training can manage this.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre> vtlists (at) wyae (dot) de [email concealed]:<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>> Greetings!<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>On 
Wed, 22 Mar 2006 15:34:24 +0530<o:p></o:p></pre><pre>"3 shool" 
<3shool (at) gmail (dot) com [email concealed]>wrote:<o:p></o:p></pre><pre>><o:p> </o:p></pre><pre>> We are planning to purchase an Enterprise Firewall for our 
Head<o:p></o:p></pre><pre>> Quarters. I have been doing some research recently on various 
possible<o:p></o:p></pre><pre>> options. I do have budget restrictions and that is one 
important<o:p></o:p></pre><pre>> factor which is going to influence management's 
decision.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Use the firewall brand you or your staff know inside-out. 
If you do not<o:p></o:p></pre><pre>have a knowledgeable firewall man, get one first. <o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>> 
1. Establish site-to-site VPN between our 4 branch locations<o:p></o:p></pre><pre>> 2. 
Establish client-to-site VPN for roaming users<o:p></o:p></pre><pre>> 3. Should support 500 
Internet users at HO<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>...which probably can be managed by nearly any 
firewall appliance<o:p></o:p></pre><pre>above DSL-router level. <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>"500 users" is quite a 
bit variable. There are worlds between 500 people<o:p></o:p></pre><pre>just receiving a few 
text mails and occasionally surfing after office<o:p></o:p></pre><pre>hours - and 500 people 
doing high-turnover photo/audio/video editing and<o:p></o:p></pre><pre>-sharing via the web. 
The type of usage and speed of your uplink is at<o:p></o:p></pre><pre>least as interesting 
as the pure number of users.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>> 4. Has a Gateway Antivirus, IPS 
and Content Filtering<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Well, here we are - meet THE area of sales fog 
throwing and THE<o:p></o:p></pre><pre>performance bump. There are BIG differences in 
technique used,<o:p></o:p></pre><pre>effectivity and performance impact.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Gateway-AV 
sometimes is just a small daemon checking wether the client<o:p></o:p></pre><pre>has a 
current AV system installed and running (like Sonicwall did in the<o:p></o:p></pre><pre>past 
and probably still is doing) - and no virus filtering at all on the<o:p></o:p></pre><pre>FW 
itself. Or it could be a complete AV intercepting all common<o:p></o:p></pre><pre>protocols 
and unpacking/scanning/repacking all.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Similar the IPS: ranging from a 
few trivial attack schemes (smurf<o:p></o:p></pre><pre>attack, ping of death, syn-flooding - 
SonicWall is listing 22<o:p></o:p></pre><pre>"signatures") to a fully-blown in-line IDS. The 
first is comparatively<o:p></o:p></pre><pre>cheap, the latter (Snort-Inline with all 
signatures enabled) nearly is<o:p></o:p></pre><pre>impossible to scale to scan a saturated 
1Gbit/s line without missing<o:p></o:p></pre><pre>packets.<o:p></o:p></pre><pre><fo
nt
size=2 face="Courier New"><o:p> </o:p></pre><pre>Content filtering is similar 
in range: from just blocking a few IPs/URLs<o:p></o:p></pre><pre>up to weighed keyword scan 
and image classification. Thus similar range<o:p></o:p></pre><pre>on impact.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>Especially 
for email you'll usually be much better off with a separate<o:p></o:p></pre><pre>email gate 
with RBL/AV/spamfilter than with trying to cover it with an<o:p></o:p></pre><pre>all-in-one 
FW/AV/Email/IDS/VPN/ContentFilter/Proxy/CoffeeCooking/...<o:p></o:p></sp
an></pre><pre>appliance.<o:p></o:p></pre><pre> 
 
<o:p></o:p></pre><pre>Similar for HTTP - especially as content filter usually call for 
a<o:p></o:p></pre><pre>separate system anyway. <o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>> Optionally, we also plan to move our 
SAP servers on this firewall in a<o:p></o:p></pre><pre>> new zone. We would opt this only if 
the firewall provides us gigabit<o:p></o:p></pre><pre>> throughput for our SAP 
servers.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>*Please* *DO* leave your key ERP systems in the back of your 
LAN -<o:p></o:p></pre><pre>better protect it by a separate firewall. Do not push them into 
the <o:p></o:p></pre><pre>front lines of your defense. That would be a Bad Idea(TM).<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>On 
an internet firewall AV/content filtering can make sense and will eat<o:p></o:p></pre><pre>a 
lot of performance - but you usually have a very limited 
uplink<o:p></o:p></pre><pre>(usually single-digit Mbit/s) anyway. For a backend firewall you 
just<o:p></o:p></pre><pre>need a stateful packet filter - but one that can can handle Gbit/s 
and<o:p></o:p></pre><pre>many simultaneous connections. <o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>> For this solution I have 
been thinking of ISS, SonicWALL, Checkpoint<o:p></o:p></pre><pre>> and Netscreen. It would 
be great if the list could put their thoughts<o:p></o:p></pre><pre>> on what would be ideal 
for our scenario. <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Choose whatever you are familiar with. If you are 
not familiar with<o:p></o:p></pre><pre>firewalling and designing secure networks, hire a 
colleague who is.<o:p></o:p></pre><pre>Buying a system without someone capable of handling 
it and incidents<o:p></o:p></pre><pre>around it will give you just a dead iron. A firewall 
is a (key)point of<o:p></o:p></pre><pre>network control - but useless if noone is (capable 
of) controlling it.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>> I have also heard that<o:p></o:p></pre><pre>> SonicWALL has a 
gigabit firewall model, Pro 5060. The price seems to<o:p></o:p></pre><pre>> be really low 
compared to Checkpoint+Nokia, but would SonicWALL 5060<o:p></o:p></pre><pre>> be a good 
option?<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>None will, unless you have the man and knowledge to handle 
it. Comparing<o:p></o:p></pre><pre>such FW systems without knowing their inner workings is 
nearly<o:p></o:p></pre><pre>impossible, even if the sales brochures are boasting similar 
technical<o:p></o:p></pre><pre>terms. <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>One example just highlighting anti virus 
measures - that of course are<o:p></o:p></pre><pre>all included in the FW according to 
brochures: CheckPoint only has<o:p></o:p></pre><pre>INTERFACES for transparently hooking up 
HTTP/SMTP AV systems - but<o:p></o:p></pre><pre>usually none installed on the machine. 
SonicWall has (had?) just a check<o:p></o:p></pre><pre>wether an AV system is installed on 
the client wanting to access the<o:p></o:p></pre><pre>internet, no AV installed on the FW 
box itself. <o:p></o:p></pre><pre>In contrast to this Astaro has full transparent proxies 
(e.g. the HTTP<o:p></o:p></pre><pre>one is squid based) with ClamAV and Kaspersky AV running 
on the box,<o:p></o:p></pre><pre>in parallel to Cobion URL filtering plus a complete Snort 
IDS. Sound <o:p></o:p></pre><pre>great, doesn't it? Similar is the dramatic drop in 
throughput. I've <o:p></o:p></pre><pre>seen boxes capable of multi-100Mbit/s firewalling 
breaking down to <o:p></o:p></pre><pre>effective few-kbit/s rates because of such 
setups...<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>And all those nice AV/URL/Content/SPAM filtering 
meachanisms will be <o:p></o:p></pre><pre>useless on a firewall if you are using encrypted 
protocols. <o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>First clearly define your needs - only after that start 
looking into<o:p></o:p></pre><pre>possible solutions. With asking (only) for a (all-in-one) 
firewall you<o:p></o:p></pre><pre>deprived yourself e.g. of a three-box-solution (http proxy 
+ email gate<o:p></o:p></pre><pre>+ packet filter). Maybe you even already have such a 
system running.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Open source is an option - again, if you have the 
knowledge in your<o:p></o:p></pre><pre>staff to do so. <o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>Again: <o:p></o:p></pre><pre>You FIRST need the man 
- the system choice will follow automatically. <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>If you do not have 
(and do not intend to hire) the knowledge you need to<o:p></o:p></pre><pre>properly run a 
gate, outsourcing the internet gate to a managed security<o:p></o:p></pre><pre>service might 
be another option. But have a close look at the SLAs -<o:p></o:p></pre><pre>especially at 
response AND solution times as well as 
on<o:p></o:p></pre><pre>responsibilities/fines.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Good luck!<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Volker<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>-- <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Volker 
Tanger 
http://www.wyae.de/volker.tanger/<o:p></o:p></pre><pre><fo
nt
size=2 face="Courier New">------------------------------------- 
-------------<o:p></o:p></pre><pre>vtlists (at) wyae (dot) de [email concealed] &n
bsp; &n
bsp; PGP Fingerprint<o:p></o:p></pre><pre>378A 
7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB<o:p></o:p></pre><pre><o:p> </o:p></pre>

<a
href="http://ads.sify.com/RealMedia/ads/click_nx.ads/mail.sify.com/sentm
ail@Bottom"
target="_new"><img border=0 width=300
height=40 id="_x0000_i1025"
src="http://ads.sify.com/RealMedia/ads/adstream_nx.ads/mail.sify.com/sen
tmail@Bottom"></a><o:p></o:p>

</div>

</body>

</html>

[ reply ]