Enterprise Firewalls
Page 1 of 6 123 ... LastLast
Results 1 to 10 of 60

Thread: Enterprise Firewalls

  1. #1
    Junior Member
    Join Date
    Dec 2001
    Posts
    11

    Unhappy Enterprise Firewalls

    Before choice words are posted in my direction with regards to information and diatribes on firewalls being previously posted, I shall admit, a host of information is available in this forum with respect to personal firewalls, however I am interested (and most likely others) in some good information which compares and contrasts Enterprise firewalls. I am looking for the good, the bad and the ugly so I don't have to work primarily off my bias (those that I have worked with and/or know how to set up) or information provided from vendor sponsored/advertising-driven magazines where the propoganda flows like 1943 Germany.

    So, if you know of any good links, research papers or honest articles that involve Cisco PIX, Checkpoint, Raptor and the other big boys, please post them.

    zac

  2. #2
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    Well, this is an interesting question.

    I have not had the opportunity(yet) to work with Checkpoint's Firewall1, though I have been trying, and continue to try to get my company to purchase at least one FW-1 system to help us set up our DMZ with different firewall technology at each level.

    I have, however, had quite a lot of experience with the Raptor Firewall( now known as Symor antec Enterprise Firewall).

    As it is time for me to get some sleep, I will save most of my raves and rants about Raptor Firewall for posting here tomorow, but I will say two things, one good, one bad.

    The application proxies that are implemented in Raptor Firewall V 6.5 have kind of astounded me. When Code Red came out, and then other similar pieces of malevelent code, such as nimda, the http proxy used in the raptor firewall prevented the compromise of a couple of our vulnerable machines, running unpatched versions of IIS 4 and IIS 5. These machines were hosting web sites which were available to anyone on the net, and were administered by people who did not monitor vulnerabilities or patches at all. Using the service Redirection and application proxies of the raptor firewall however, seemed to prevent any of the traffic from affecting those boxes at all. Partly it was because the http application proxy denies access to any request which violates rfc prescribed standards, and partly it was because of some other, less obvious or describable reasons. If I can come up with enough time to go back over my notes and conclusions about this, I will post more info on this tomorow, or the next day.

    On the bad side, Raptor Firewall V 6.5(at least this one, and probably other versions as well) has some issues with running a DNS service or passing the port 53 UDP of TCP traffic in order to run a dns server behind the raptor firewall. Perhaps I am just missing something, but everytime I attempt to set the firewall up to pass DNS request traffic from the outside to DNS servers in our DMZ, the firewall becomes extremely sluggish, or simply hangs itself and needs to be rebooted, or even, disconnected from the network, restarted, change the rules, and then reconnected to the network. This happens to me, regardless of whether or not I am running the DNS daemon which comes packaged as part of the Raptor Firewall.

    Anyway, it is time for me to get some sleep.

    Maybe someone here has seen this behavior before and has an idea for me, or perhaps I am just totally missing something, or, at the very least, someone else will be forewarned about a potential issue with running the raptor firewall.

    Bottom line for me though, is. I LOVE it. Raptor Firewall 6.5 has, overall, been nothing but a good thing for us. Though we did have one other issue, while trying to set up a VPN with another site, which happened to be running checkpoint FW-1. We did manage to get it working, but it took a great deal of work and communication between myself and the checkpoint admin on the other end to make it work. Because of each of our familiarity with the different systems, it was almost as if we were speaking different languages some times. We did manage to figure out what setting names corresponded with which other setting names, though, and also, which settings were completely incompatible for a working VPN.

    Good Luck,

    IchNiSan

  3. #3
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628

    Sunscreen

    Checkpoint FW-1 is the most used firewall. It also however has more exploits than I've had bowel movements.

    The only enterprise firewall that I put my trust in is Sunscreen. However there are some caveats.


    One- It costs a bundle and the hardware it runs on costs some serious moolah.

    Two- You really need to know your stuff about Solaris and networking tog et the most out of it.

    and Three- Don't... but don't harden the OS until you're absolutely sure you're done configuring the system.. you can't go back once you harden the OS.

    On the other hand the new IOS of PIX is supposed to be pretty good. So if you're gonna go for the low-end I'd say get a couple of PIXs.

    Just my two cents!
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    any opinions on watchguard fireboxes...the 700 got some good press in price/protection

  5. #5
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193

    Question

    One question is - does anyone know how good a cisco 3300 vpnc works with ckpw FW1? considering that vs rsa vpn ..


    thks
    Trappedagainbyperfectlogic.

  6. #6
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628

    doh!

    start a new thread for that question. It's kinda hidden here...
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    218
    Has anyone ever had any negative experiences with SonicWall Firewalls? I had to install and configure one for a company once because it was what they insisted on using. So I got it up and running for them but I really did not know if that was their best choice or not. It seems secure from what I can tell. Kind of nice that it is a dedicated external piece of hardware as well.
    \"Computer games don\'t affect kids; I mean if Pac-Man affected us as kids, we\'d all be running around in darkened rooms munching magic pills and listening to repetitive electronic music.\" Kristian Wilson, Nintendo, Inc. 1989

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    371

    Firewalls

    Thought that I would put my 2 cents worth....

    I am familiar with Checkpoint, as well as the intrusion appliance firewalls.

    I have never set up from scratch a Checkpoint firewall, although I do administrer the rules, and if you are expecting a large ruleset, it can be difficult to locate specific rules. The logs are excellent for troubleshooting. I believe that CP NG does have a lot more features than it previous version.

    The appliance firewalls are quite easy to set up, and are for about 50 or so users with a T1 connection.

    I have heard that Sonic firewalls do not have remote administration, is that true?
    SoggyBottom.

    [glowpurple]There were so many fewer questions when the stars where still just the holes to heaven - JJ[/glowpurple] [gloworange]I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool. [/gloworange]

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    First of all, lets get this straight...50 users with a T-1 is NOT an enterprise network.

    Checkpoint however is a very good firewall. I am currently working for a client that has over 150 Checkpoint firewalls enterprise wide throughout the world. They are currently using ver 4.1 on Nokia IP 650 appliances and Solaris management console.

    Checkpoint has a much "prettier" interface than the Cisco PIX, and it is much easier to use for most people.

    So i guess it really depends on the application. If it is a smaller network (less than 1000 nodes) and there is no need to manage multiple firewalls or firewall domains, and there will not be an extrememely large rulebase, I would definately recommend a Cisco PIX, otherwise if you can afford it of course, go Checkpoint. Both will do the job, the PIX will be cheaper. Symantec (Raptor) is also a very nice firewall. It has one feature that the others don't. It can proxy. This may or may not be a good thing, depends on the situation. One thing to be careful of is that Raptor (Raptor is shorter than Symantec Enterprise Firewall in case u are wondering) cannot do failover/load balancing without a third party product.

    Hope this helps.

  10. #10
    Member
    Join Date
    Dec 2001
    Posts
    68
    Hello all from what i can gather Checkpoints fw-1 has security holes like any other product ,because its the most common ,just like ("gulp") Microsoft.Usually the most popular products get the most scrutiny so thats that . A good place for info on firewall 1 is www.phoneboy.com. As far as other products I personally like the watch gaurd firebox 2 I think it does an excellent job of nat and dynamic packet filtering, Cisco pix has an awesome statefull inspection engine. I am partial to hardware based firewalls because of there , great encryption acceleration .

    well thats my one and one half cents.



    E.W. Pacheco
    Ee

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •