
Thread: Enterprise Firewalls

  1. #1
    Junior Member
    Join Date
    Dec 2001
    Posts
    11

    Enterprise Firewalls

    Before choice words are posted in my direction with regards to information and diatribes on firewalls being previously posted, I shall admit, a host of information is available in this forum with respect to personal firewalls, however I am interested (and most likely others) in some good information which compares and contrasts Enterprise firewalls. I am looking for the good, the bad and the ugly so I don't have to work primarily off my bias (those that I have worked with and/or know how to set up) or information provided from vendor sponsored/advertising-driven magazines where the propaganda flows like 1943 Germany.

    So, if you know of any good links, research papers or honest articles that involve Cisco PIX, Checkpoint, Raptor and the other big boys, please post them.

    zac

  2. #2
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    Well, this is an interesting question.

    I have not had the opportunity (yet) to work with Checkpoint's Firewall-1, though I have been trying, and continue to try to get my company to purchase at least one FW-1 system to help us set up our DMZ with different firewall technology at each level.

    I have, however, had quite a lot of experience with the Raptor Firewall (now known as Symantec Enterprise Firewall).

    As it is time for me to get some sleep, I will save most of my raves and rants about Raptor Firewall for posting here tomorrow, but I will say two things, one good, one bad.

    The application proxies that are implemented in Raptor Firewall V 6.5 have kind of astounded me. When Code Red came out, and then other similar pieces of malevolent code, such as Nimda, the HTTP proxy used in the Raptor firewall prevented the compromise of a couple of our vulnerable machines, running unpatched versions of IIS 4 and IIS 5. These machines were hosting web sites which were available to anyone on the net, and were administered by people who did not monitor vulnerabilities or patches at all. Using the service redirection and application proxies of the Raptor firewall, however, seemed to prevent any of the traffic from affecting those boxes at all. Partly it was because the HTTP application proxy denies access to any request which violates RFC-prescribed standards, and partly it was because of some other, less obvious or describable reasons. If I can come up with enough time to go back over my notes and conclusions about this, I will post more info on this tomorrow, or the next day.

    On the bad side, Raptor Firewall V 6.5 (at least this one, and probably other versions as well) has some issues with running a DNS service or passing the port 53 UDP or TCP traffic in order to run a DNS server behind the Raptor firewall. Perhaps I am just missing something, but every time I attempt to set the firewall up to pass DNS request traffic from the outside to DNS servers in our DMZ, the firewall becomes extremely sluggish, or simply hangs itself and needs to be rebooted, or even disconnected from the network, restarted, the rules changed, and then reconnected to the network. This happens to me regardless of whether or not I am running the DNS daemon which comes packaged as part of the Raptor Firewall.

    Anyway, it is time for me to get some sleep.

    Maybe someone here has seen this behavior before and has an idea for me, or perhaps I am just totally missing something, or, at the very least, someone else will be forewarned about a potential issue with running the raptor firewall.

    Bottom line for me though, is: I LOVE it. Raptor Firewall 6.5 has, overall, been nothing but a good thing for us. Though we did have one other issue, while trying to set up a VPN with another site, which happened to be running Checkpoint FW-1. We did manage to get it working, but it took a great deal of work and communication between myself and the Checkpoint admin on the other end to make it work. Because of each of our familiarity with the different systems, it was almost as if we were speaking different languages sometimes. We did manage to figure out what setting names corresponded with which other setting names, though, and also which settings were completely incompatible for a working VPN.

    Good Luck,

    IchNiSan
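    The post above credits the HTTP application proxy with dropping requests that violate the RFC grammar. The block below is an added illustration of that idea, not code from the thread or from Raptor/Symantec: a small request-line check that forwards only lines matching the RFC 2616 "Method SP Request-URI SP HTTP-Version" shape, with RFC 2396 URI characters and well-formed percent-escapes. The length limits, the allowed-method set and every sample line are constructed assumptions for the example.

```python
"""RFC-strict HTTP request-line check, illustrating the proxy behaviour
described in the post. Limits and samples are assumptions, not product settings."""
import re

MAX_REQUEST_LINE = 4096   # assumed policy limit on the whole request line
MAX_URI_LEN = 1024        # assumed policy limit on the Request-URI
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}  # assumed site policy

# RFC 2616 token = 1*<any CHAR except CTLs or separators>
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
VERSION_RE = re.compile(rb"^HTTP/\d+\.\d+$")
# Characters RFC 2396 permits in a URI (unreserved, reserved, '%' and '#')
URI_CHARS_RE = re.compile(rb"^[A-Za-z0-9\-_.!~*'();/?:@&=+$,%#]+$")
# A '%' that is not followed by exactly two hex digits is not a valid escape
PCT_RE = re.compile(rb"%(?![0-9A-Fa-f]{2})")


def check_request_line(raw: bytes):
    """Return (True, 'ok') if raw is a request line a strict proxy would forward,
    else (False, reason). A trailing CRLF is tolerated; any other control byte is not."""
    line = raw[:-2] if raw.endswith(b"\r\n") else raw
    if len(line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    if any(b < 0x20 or b >= 0x7F for b in line):
        return False, "control or non-ASCII byte in request line"
    parts = line.split(b" ")
    if len(parts) != 3 or not all(parts):
        return False, "expected 'Method SP Request-URI SP HTTP-Version'"
    method, uri, version = parts
    if not TOKEN_RE.match(method):
        return False, "method is not an RFC 2616 token"
    if method not in ALLOWED_METHODS:
        return False, "method not permitted by policy"
    if not VERSION_RE.match(version):
        return False, "malformed HTTP-Version"
    if len(uri) > MAX_URI_LEN:
        return False, "Request-URI longer than policy allows"
    if uri != b"*" and not uri.startswith(b"/") and not uri.lower().startswith(b"http://"):
        return False, "Request-URI is not abs_path, absoluteURI or '*'"
    if not URI_CHARS_RE.match(uri):
        return False, "Request-URI contains characters outside RFC 2396"
    if PCT_RE.search(uri):
        return False, "invalid percent-encoding in Request-URI"
    return True, "ok"


# Constructed sample request lines (not captured traffic)
SAMPLE_LINES = [
    b"GET /index.html HTTP/1.1\r\n",
    b"HEAD http://www.example.com/ HTTP/1.0\r\n",
    b"GET /search?q=%u0041 HTTP/1.1\r\n",        # %uXXXX is not an RFC 2396 escape
    b"GET /" + b"A" * 2000 + b" HTTP/1.1\r\n",   # overlong Request-URI
    b"G\x00ET / HTTP/1.1\r\n",                   # NUL byte inside the method
    b"TRACE / HTTP/1.1\r\n",                     # valid token, outside policy
    b"GET / HTTP/1.1 extra\r\n",                 # four fields instead of three
    b"GET /a b HTTP/1.1\r\n",                    # unescaped space splits the URI
]


def filter_requests(lines):
    """Classify each line; returns a list of (forwarded, reason) in input order."""
    return [check_request_line(line) for line in lines]


if __name__ == "__main__":
    for line, (ok, why) in zip(SAMPLE_LINES, filter_requests(SAMPLE_LINES)):
        print("FORWARD" if ok else "DENY   ", why, "-", line[:40])
```

    Only the first two sample lines pass; everything else is refused before it reaches the back-end server, which is the property the post attributes to the proxy. A real proxy would go on to validate headers and the body, but the request line alone already stops the grossly malformed input an unpatched server might mishandle.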

  3. #3
    Priapistic Monk KorpDeath
    Join Date
    Dec 2001
    Posts
    2,628

    Sunscreen

    Checkpoint FW-1 is the most used firewall. It also however has more exploits than I've had bowel movements.

    The only enterprise firewall that I put my trust in is Sunscreen. However there are some caveats.


    One- It costs a bundle and the hardware it runs on costs some serious moolah.

    Two- You really need to know your stuff about Solaris and networking to get the most out of it.

    and Three- Don't... but don't harden the OS until you're absolutely sure you're done configuring the system... you can't go back once you harden the OS.

    On the other hand the new IOS of PIX is supposed to be pretty good. So if you're gonna go for the low-end I'd say get a couple of PIXs.

    Just my two cents!
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    any opinions on watchguard fireboxes...the 700 got some good press in price/protection

  5. #5
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193

    Question

    One question is - does anyone know how good a cisco 3300 vpnc works with ckpw FW1? considering that vs rsa vpn ..


    thks
    Trappedagainbyperfectlogic.

  6. #6
    Priapistic Monk KorpDeath
    Join Date
    Dec 2001
    Posts
    2,628

    doh!

    start a new thread for that question. It's kinda hidden here...
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    218
    Has anyone ever had any negative experiences with SonicWall Firewalls? I had to install and configure one for a company once because it was what they insisted on using. So I got it up and running for them but I really did not know if that was their best choice or not. It seems secure from what I can tell. Kind of nice that it is a dedicated external piece of hardware as well.

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    371

    Firewalls

    Thought that I would put my 2 cents worth....

    I am familiar with Checkpoint, as well as the intrusion appliance firewalls.

    I have never set up a Checkpoint firewall from scratch, although I do administer the rules, and if you are expecting a large ruleset, it can be difficult to locate specific rules. The logs are excellent for troubleshooting. I believe that CP NG does have a lot more features than its previous version.

    The appliance firewalls are quite easy to set up, and are for about 50 or so users with a T1 connection.

    I have heard that Sonic firewalls do not have remote administration, is that true?
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ. I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    First of all, let's get this straight... 50 users with a T-1 is NOT an enterprise network.

    Checkpoint however is a very good firewall. I am currently working for a client that has over 150 Checkpoint firewalls enterprise wide throughout the world. They are currently using ver 4.1 on Nokia IP 650 appliances and Solaris management console.

    Checkpoint has a much "prettier" interface than the Cisco PIX, and it is much easier to use for most people.

    So I guess it really depends on the application. If it is a smaller network (less than 1000 nodes) and there is no need to manage multiple firewalls or firewall domains, and there will not be an extremely large rulebase, I would definitely recommend a Cisco PIX; otherwise, if you can afford it of course, go Checkpoint. Both will do the job, the PIX will be cheaper. Symantec (Raptor) is also a very nice firewall. It has one feature that the others don't. It can proxy. This may or may not be a good thing, depends on the situation. One thing to be careful of is that Raptor (Raptor is shorter than Symantec Enterprise Firewall in case you are wondering) cannot do failover/load balancing without a third party product.

    Hope this helps.

  10. #10
    Hello all. From what I can gather, Checkpoint's FW-1 has security holes like any other product, because it's the most common, just like ("gulp") Microsoft. Usually the most popular products get the most scrutiny, so that's that. A good place for info on Firewall-1 is www.phoneboy.com. As far as other products, I personally like the WatchGuard Firebox 2; I think it does an excellent job of NAT and dynamic packet filtering. Cisco PIX has an awesome stateful inspection engine. I am partial to hardware based firewalls because of their great encryption acceleration.

    Well, that's my one and one half cents.



    E.W. Pacheco
    Ee
