
Thread: Firewall recommendations...

  1. #11
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Originally posted here by nebulus200
    I have messed around with SunScreen before (about 2 years ago) and was appalled with it. Clunky interface and relatively difficult to configure versus the other products we were looking at. I personally would avoid it.

    /nebulus

    EDIT: The IPtables firewall was Astaro.
    Wow, you messed around with it two years ago and that makes you an authority? Do you have any idea how far firewall technology has come in the past two years, not to mention Sunscreen from just one version back? Personally I'd appreciate a "clunky" interface if it provides me more security, but that's just me. I could be way off base here.

    BTW- If you like Checkpoint, then you'd love Sunscreen. They are both cut from the same cloth.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  2. #12
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Wow, you messed around with it two years ago and that makes you an authority? Do you have any idea how far firewall technology has come in the past two years, not to mention Sunscreen from just one version back? Personally I'd appreciate a "clunky" interface if it provides me more security, but that's just me. I could be way off base here.

    BTW- If you like Checkpoint, then you'd love Sunscreen. They are both cut from the same cloth.
    I don't even know where to start on that one. No kid, firewalls have changed in the last couple years with a general trend towards hybrid firewalls (incorporating both stateful packet inspection and some pseudo-proxy capabilities), but I am sorry, when I looked at SunScreen between 2-3 years ago, that had to be one of the worst put together pieces of software I have ever seen. Even after being sent to training on it, we still wound up making do with NAI Gauntlet of all things over it because it was so clunky (I was trying to be nice by saying clunky), that was the least of its problems (although I will say it had decent performance when compared to something like a full proxy firewall like gauntlet). And when you compare something like sunscreen to market leaders like PIX and Firewall-1, I am sorry man, IMHO, there is no comparison...

    Out of curiosity, after talking to some industry reps while we were doing our research, one of them mentioned that they had discontinued Sunscreen (or maybe it was SPF) because of customer complaints about the very things I had been citing. I seem to recall that was a Sun Microsystems rep that said that, if I am getting the products mixed up please correct me, but I am pretty sure that the Sunscreen product was what we looked at and that it was produced by Sun and later included in with their Solaris 2.8 OS...

    If I do remember right (which is a somewhat rare occasion these days), Sun told us they were dropping Sunscreen entirely and going to a firewall-1 product running on their LX-50 lines...

    /nebulus200
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #13
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    I'd go with a nokia using Checkpoint, it's well supported and fairly easy to get up to speed on. The VRRP feature (supplied by Nokia) is also useful. NetScreen are also good, aren't they the guys who worked on checkpoint? Sure I heard that somewhere. F5 also make some decent appliance firewalls, and if you can get an appliance with Cyberguard on it then that would be the way to go.

    The new version of Checkpoint (due out in August) has some nice new features due to Checkpoint acquiring Okena. The only concern with checkpoint is the licensing can work out to be very expensive and there are yearly subscription dues as well. Netscreen has a better pricing policy, but CP is the leader and the Nokia appliances are very good.

    Oh, and Cisco PIX is also good, but as someone said the support is somewhat lacking these days.

    Nebulus, I also heard that sunscreen was being dropped, and I remember it being a little clunky too.
    Quis custodiet ipsos custodes

  4. #14
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Originally posted here by nebulus200


    I don't even know where to start on that one. No kid, firewalls have changed in the last couple years with a general trend towards hybrid firewalls (incorporating both stateful packet inspection and some pseudo-proxy capabilities), but I am sorry, when I looked at SunScreen between 2-3 years ago, that had to be one of the worst put together pieces of software I have ever seen. Even after being sent to training on it, we still wound up making do with NAI Gauntlet of all things over it because it was so clunky (I was trying to be nice by saying clunky), that was the least of its problems (although I will say it had decent performance when compared to something like a full proxy firewall like gauntlet). And when you compare something like sunscreen to market leaders like PIX and Firewall-1, I am sorry man, IMHO, there is no comparison...

    Out of curiosity, after talking to some industry reps while we were doing our research, one of them mentioned that they had discontinued Sunscreen (or maybe it was SPF) because of customer complaints about the very things I had been citing. I seem to recall that was a Sun Microsystems rep that said that, if I am getting the products mixed up please correct me, but I am pretty sure that the Sunscreen product was what we looked at and that it was produced by Sun and later included in with their Solaris 2.8 OS...

    If I do remember right (which is a somewhat rare occasion these days), Sun told us they were dropping Sunscreen entirely and going to a firewall-1 product running on their LX-50 lines...

    /nebulus200
    They haven't discontinued Sunscreen. A quick check on their site would tell you that.
    They have included a "personal" type in Sol9, although it doesn't have the same capabilities as the full blown version, like being able to run in switched mode. (BTW- I was told the same thing about two years ago.)

    We are definitely not talking about the same firewall here, obviously. You're talking about Sunscreen pre version 3.1 and I'm talking about that version and on.

    The interface of the version of Sunscreen I have is identical to that of Checkpoint/Pix/etc. etc. So if Sunscreen is clunky then so too is Checkpoint. In fact the only thing I don't like about it is the fact that the interface is written in java. (It's from Sun, go figure.) Which means every once in a while I get a dumb browser lockup.

    And like I've stated before "no one ever got fired for buying Cisco." They are cheap and fast, especially if you're not dealing with a lot of bandwidth.

  5. #15
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Just a quick clarification, we talked to Sun Microsystems last week and that is when they told us they were dropping SunScreen due to poor sales, this was not two years ago but rather last week; however, I think he meant from the perspective of making it a standalone firewall, not sure what their plans are for keeping it in the OS.

    If you have any contacts with Sun (we have very good ones because of the massive amount of Sun equipment we buy (anywhere from serengeti (bad spelling) SANS, to sunfire 10000's, to countless sparcs (x1, t1, v120's, 280r's 480r's, etc))), I would recommend talking to them. They are really pushing Firewall-1 on their new LX50 platform (intel, not sparc based) hard.

    /nebulus

  6. #16
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    They may have very well said that. But like I said, they said the same thing to me when I worked for a company that spends millions on support contracts, not to mention a buttload of hardware.

    I've been browsing the Sun site and cannot find any such announcement, can you point me in the right direction?

    http://wwws.sun.com/software/securenet/index.html

  7. #17
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Originally posted here by KorpDeath
    They may have very well said that. But like I said, they said the same thing to me when I worked for a company that spends millions on support contracts, not to mention a buttload of hardware.

    I've been browsing the Sun site and cannot any announcement, can you point in the right direction?

    http://wwws.sun.com/software/securenet/index.html
    I don't know if it has been officially announced or not. They had some engineers, sales, and a few other company people down for a nice little dinner after they demo'd/installed their product for testing (the LX50 stuff), and while we were at dinner we were discussing what products we had used in the past and Sunscreen came up, which is when they mentioned that it was going away. I will look around their site and see if I see it mentioned anywhere, but I wouldn't be surprised if you don't hear about it for a little while (a couple of months). I think this move has a lot to do with Sun working on re-inventing itself after having had its rear handed to it in the last couple of years in the server market (IMHO, kinda shocked how low their stock price is now)...Think the biggest thing they are moving towards is starting to use Intel chips more and trying to get their prices down...nonetheless, that is why I suggested talking to your reps...

    /nebulus

    EDIT: This is an exact quote from the very page you just cited:


    For customers who require more features than SunScreen 3.2 offers, Sun also announced a limited-time promotion in conjunction with Check Point Software Technologies, Inc. From February 6, 2002, until June 6, 2002, Check Point will offer existing SunScreen software customers a 50% discount on the purchase of particular Solaris software-based firewall and VPN products. Customers will be asked to purchase a software subscription and complete an End User Declaration form.

    For complete details on this promotion, please see the Check Point SunScreen Promotion page.

    Please note: The offer has been extended until December 31 2002.

  8. #18
    Junior Member
    Join Date
    Jun 2003
    Posts
    9

    Post Re: Firewall recommendations...

    Originally posted here by dynosys
    I have 4 rack mounted (web,backup,data,email) servers...i wanted to implement an appliance firewall...i have reasonable amount of traffic and a dedicated 2.5 mb/s.....possibly compared to the traffic that hits this website....i am currently looking at servgate, cisco pix, sonicwall and maybe checkpoint firewall-1...anyone have any recommendations on these or have used these before....
    Ok. You have probably already made your choice, but I figured I would give you some info. Just in case.

    Your requirement of 2.5 mbps is just about the top capability in 3DES of the Sonicwall SOHO3 series. If you are looking for pure throughput however, and not needing the VPN capabilities, then they are an extremely cheap way to go. And if you grow, they have upgrade (read trade in) style programs. In fact, you would be looking in the neighborhood of $380 for a SOHO3, that could handle up to ten servers. You can upgrade it easily. Reliability? Awesome. Setup? Easy. Reporting? Too much information (with VPN going you could give yourself 50K emails a day if you're not careful). Wanna go cheap, but like the SonicWALL, and wanna save for something better later? Get a WebRAMP 700s, new, off ebay. You are looking at like $80, and it will handle your throughput. Barely. Just not in 3DES. It just happens to be 10BaseT.

    What I am looking at is the 3com Embedded Firewalls. Similar situation, but would be closer to $1500. Also, I need a lot higher throughput (have gigabit capable, but tiered costs, so am trying to get as close to 100 mbps as possible). If anyone can comment on them it would be appreciated.

    Checkpoint. Beware. While great firewalls, they can be an absolute money pit.

    Pix. Great firewalls, atrocious interface. I am currently looking at a 515 for a client. You could do with a 501.

    Just remember: what you have does not require an enterprise grade switch. With your listed requirements, a Firebox at Frys’ would work. I would suggest being careful, and not over spending on it. Save now, to help later expansions, or keep accounting happy.

    Hell, if you are buying for a company, you might throw Checkpoint and Watchguard to them. And then find a “radical solution”, and show the pix of soho. With plans to increase capacity later on as requirements increase. It shows you are thinking of today, but you are also thinking of tomorrow.

    Hope that helps.
    NoTx

    -Searching for Answers

  9. #19
    i've used the sonicwall and the cisco pix....both of them work really well depending on what you are using them for....i prefer the cisco though if that helps

  10. #20
    I need a free firewall because i um.... am fund challenged at the moment and was wondering if there were any free firewalls
