Options for 50+ firewall deployment

Archived from groups: comp.security.firewalls (More info?)

We will be installing 50 or more internal firewalls to protect critical
portions of our network. The hope is to manage them all centrally with
a very small team (i.e. 3 people or so). I've some experience with
Checkpoint and only grazed PIX. What firewalls lend themselves to
installation such as this? Obviously management and maintenance of the
firewalls is high on our list with scalability to large numbers of
devices being key. I know Checkpoint's management scheme maxes out
well below our number of firewalls (at least it did with CP 4.1/2000).
What of PIX device manager and Symantec's offerings?
  1.

    For reporting, log analysis and correlation of data from this number
    of FW you should consider a dedicated security information management
    event correlation solution. This class of product will also be able
    to integrate data with your vulnerability scanners, IDS, AV etc.

    Phil

    tonesurfer@hotmail.com (tonesurfer) wrote in message news:<58915b8c.0407080556.21ae1656@posting.google.com>...
    > We will be installing 50 or more internal firewalls to protect critical
    > portions of our network. The hope is to manage them all centrally with
    > a very small team (i.e. 3 people or so). I've some experience with
    > Checkpoint and only grazed PIX. What firewalls lend themselves to
    > installation such as this? Obviously management and maintenance of the
    > firewalls is high on our list with scalability to large numbers of
    > devices being key. I know Checkpoint's management scheme maxes out
    > well below our number of firewalls (at least it did with CP 4.1/2000).
    > What of PIX device manager and Symantec's offerings?
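Phil's point above is that the value of a central log store for 50+ firewalls is correlation, not just retention: a source that is denied a few times on each device looks like noise on any one of them and like a sweep only when the devices are seen together. The following is an added example written for this thread, not the logic of any SIM product. It assumes the firewalls forward PIX-style syslog (the `%PIX-4-106023` access-list deny message) to one collector; the device names, addresses and log lines are constructed for illustration.

```python
"""Correlate firewall deny events across many devices.

Added example for this thread, not any SIM product's logic. It assumes
the firewalls send PIX-style syslog (%PIX-4-106023 access-list denies)
to one collector; the log lines below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample: the same source is denied on three different
# firewalls, which no single device's log would reveal.
SAMPLE_LOG = """\
Jul  8 06:56:47 fw-hr-01 %PIX-4-106023: Deny tcp src outside:10.9.9.9/40001 dst inside:10.20.1.5/22 by access-group "outside_in"
Jul  8 06:56:48 fw-hr-01 %PIX-4-106023: Deny tcp src outside:10.9.9.9/40002 dst inside:10.20.1.6/22 by access-group "outside_in"
Jul  8 06:56:49 fw-fin-01 %PIX-4-106023: Deny tcp src outside:10.9.9.9/40003 dst inside:10.30.1.5/22 by access-group "outside_in"
Jul  8 06:56:50 fw-eng-03 %PIX-4-106023: Deny tcp src outside:10.9.9.9/40004 dst inside:10.40.1.9/22 by access-group "outside_in"
Jul  8 06:57:01 fw-eng-03 %PIX-4-106023: Deny tcp src outside:10.40.2.2/51000 dst inside:10.40.1.9/445 by access-group "outside_in"
Jul  8 06:57:05 fw-eng-03 %PIX-6-302013: Built inbound TCP connection 1234 for outside:10.40.2.3/51001 (10.40.2.3/51001) to inside:10.40.1.9/80 (10.40.1.9/80)
"""

# Syslog timestamp, reporting firewall, message ID, then the deny fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<fw>\S+) %PIX-\d-(?P<msgid>\d{6}): "
    r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(text):
    """Access-list deny events as dicts; other message IDs are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def cross_firewall_sources(events, min_firewalls=3):
    """Sources denied by at least min_firewalls distinct devices -> sorted device names."""
    seen = defaultdict(set)
    for e in events:
        seen[e["src"]].add(e["fw"])
    return {src: sorted(fws) for src, fws in seen.items() if len(fws) >= min_firewalls}


def denied_ports(events, src):
    """Distinct destination ports a source was denied on, across all devices."""
    return sorted({int(e["dport"]) for e in events if e["src"] == src})


if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOG)
    for src, fws in cross_firewall_sources(evs).items():
        print(f"{src} denied on {len(fws)} firewalls {fws}, ports {denied_ports(evs, src)}")
```

On the sample, `10.9.9.9` is denied on three firewalls, each of which saw only one or two packets, while `10.40.2.2` stays below the threshold because it only ever hits one device. The same grouping key (source, set of reporting devices) is what you would feed into the correlation rules of whatever SIM you pick.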
  2.

    In article <58915b8c.0407080556.21ae1656@posting.google.com>,
    tonesurfer@hotmail.com says...
    > We will be installing 50 or more internal firewalls to protect critical
    > portions of our network. The hope is to manage them all centrally with
    > a very small team (i.e. 3 people or so). I've some experience with
    > Checkpoint and only grazed PIX. What firewalls lend themselves to
    > installation such as this? Obviously management and maintenance of the
    > firewalls is high on our list with scalability to large numbers of
    > devices being key. I know Checkpoint's management scheme maxes out
    > well below our number of firewalls (at least it did with CP 4.1/2000).
    > What of PIX device manager and Symantec's offerings?

    Take a look at WatchGuard - even the SOHO units can be managed remotely
    and securely.

    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  3.

    "tonesurfer" <tonesurfer@hotmail.com> wrote in message
    news:58915b8c.0407080556.21ae1656@posting.google.com...
    > We will be installing 50 or more internal firewalls to protect critical
    > portions of our network. The hope is to manage them all centrally with
    > a very small team (i.e. 3 people or so). I've some experience with
    > Checkpoint and only grazed PIX. What firewalls lend themselves to
    > installation such as this? Obviously management and maintenance of the
    > firewalls is high on our list with scalability to large numbers of
    > devices being key. I know Checkpoint's management scheme maxes out
    > well below our number of firewalls (at least it did with CP 4.1/2000).
    > What of PIX device manager and Symantec's offerings?

    You might want to look at Juniper/NetScreen. They have a centralized
    management platform that can easily handle 50 firewalls (scales up to 1000 in
    the current version). See:
    <http://www.juniper.net/products/integrated/dsheet/ds_security_manager.pdf>.
    It's not just for pushing out firewall rulesets either, you can perform
    hardware device configuration (physical port assignments, security zone
    assignments, routing table configuration, network screening options,
    manageability options, etc.), you can configure VPN topologies
    (hub-and-spoke, peer-to-peer, etc.), you can centralize your logging and
    reporting, etc. The next release will also serve as a centralized management
    platform for their Intrusion Detection and Prevention (IDP) product line.
  4.

    On 8 Jul 2004 06:56:47 -0700, tonesurfer@hotmail.com (tonesurfer)
    wrote:

    >We will be installing 50 or more internal firewalls to protect critical
    >portions of our network. The hope is to manage them all centrally with
    >a very small team (i.e. 3 people or so). I've some experience with
    >Checkpoint and only grazed PIX. What firewalls lend themselves to
    >installation such as this? Obviously management and maintenance of the
    >firewalls is high on our list with scalability to large numbers of
    >devices being key. I know Checkpoint's management scheme maxes out
    >well below our number of firewalls (at least it did with CP 4.1/2000).
    >What of PIX device manager and Symantec's offerings?


    You might also look at the Zyxel Zywall line. They have served us
    and our customers very well at our shop. Have a management software
    package called CNM, Central Network Management. It even allows
    you to configure VPN connections using drag and drop diagrams.

    Dave
  5.

    On 8 Jul 2004 06:56:47 -0700, tonesurfer@hotmail.com (tonesurfer) wrote:

    >I know Checkpoint's management scheme maxes out
    >well below our number of firewalls (at least it did with CP 4.1/2000).

    Yes, it's also a PITA when it comes to change management with a single
    objects database.


    Have you looked at provider/sitemanager?


    greg

    --
    Can you hear me?
    Can you see me?
    Can you feel me?
    I don't understand you
  6.

    tonesurfer wrote:

    > We will be installing 50 or more internal firewalls to protect critical
    > portions of our network. The hope is to manage them all centrally with
    > a very small team (i.e. 3 people or so). I've some experience with
    > Checkpoint and only grazed PIX. What firewalls lend themselves to
    > installation such as this? Obviously management and maintenance of the
    > firewalls is high on our list with scalability to large numbers of
    > devices being key. I know Checkpoint's management scheme maxes out
    > well below our number of firewalls (at least it did with CP 4.1/2000).
    > What of PIX device manager and Symantec's offerings?

    Sonicwalls work pretty well. Their "GMS" (Global Management System)
    package allows centralized administration.

    --
    T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
    May be copied freely without the express permission of T. Sean Weintz.
    T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
    T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
  7.

    On 8 Jul 2004 06:56:47 -0700, tonesurfer@hotmail.com (tonesurfer)
    wrote:
    >
    >We will be installing 50 or more internal firewalls to protect critical
    >portions of our network. The hope is to manage them all centrally with
    >a very small team (i.e. 3 people or so). I've some experience with
    >Checkpoint and only grazed PIX. What firewalls lend themselves to
    >installation such as this? Obviously management and maintenance of the
    >firewalls is high on our list with scalability to large numbers of
    >devices being key. I know Checkpoint's management scheme maxes out
    >well below our number of firewalls (at least it did with CP 4.1/2000).
    >What of PIX device manager and Symantec's offerings?
    >

    Have a look at the ZyXEL ZyWALL line of firewall appliances. ZyXEL has
    a management system called Vantage CNM 2.0.

    Here's additional info on Vantage:
    http://www.us.zyxel.com/products/model.php?indexcate=1082944628&indexFlagvalue=1088462876

    And info on the appliances themselves:
    http://www.us.zyxel.com/products/categoryCompare.php?indexFlagvalue=1021873683

    My company, Nowthor Corporation, is a ZyXEL Premium Partner and will
    be able to help you with the solution if you are in the US.
  8.

    In article <dh9re0tq24stm0kot346033j95kp0hvspc@4ax.com>,
    nospam@shopping.nowthor.com says...
    > Have a look at the ZyXEL ZyWALL line of firewall appliances. ZyXEL has
    > a management system called Vantage CNM 2.0.
    >
    > Here's additional info on Vantage:
    > http://www.us.zyxel.com/products/model.php?indexcate=1082944628&indexFlagvalue=1088462876
    >
    > And info on the appliances themselves:
    > http://www.us.zyxel.com/products/categoryCompare.php?indexFlagvalue=1021873683
    >
    > My company, Nowthor Corporation, is a ZyXEL Premium Partner and will
    > be able to help you with the solution if you are in the US.

    I know it doesn't mean anything, but I applaud the way you've changed
    your pitch. It's very refreshing to see you point to Zyxel's site while
    also identifying yourself as a vendor. I may just have to consider your
    company when I make my purchase of a Zyxel product this month.

    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  9.

    Leythos <void@nowhere.com> wrote in
    news:MPG.1b571e3fcf21b62798a77f@news-server.columbus.rr.com:

    > In article <58915b8c.0407080556.21ae1656@posting.google.com>,
    > tonesurfer@hotmail.com says...
    >> We will be installing 50 or more internal firewalls to protect critical
    >> portions of our network. The hope is to manage them all centrally with
    >> a very small team (i.e. 3 people or so). I've some experience with
    >> Checkpoint and only grazed PIX. What firewalls lend themselves to
    >> installation such as this? Obviously management and maintenance of the
    >> firewalls is high on our list with scalability to large numbers of
    >> devices being key. I know Checkpoint's management scheme maxes out
    >> well below our number of firewalls (at least it did with CP 4.1/2000).
    >> What of PIX device manager and Symantec's offerings?
    >

    If you're used to Checkpoint, look at Provider-1. Or, if you only have
    minimal throughput at each remote location, consider the LSM plug-in for
    SmartDashboard to manage remote IP40 appliances running Checkpoint Safe@.

    NetScreen is also a viable candidate for this requirement.

    PIX management is an oxymoron.

    SysAdm
  10.

    On Thu, 08 Jul 2004 20:16:29 GMT, Leythos <void@nowhere.com> wrote:
    >
    >I know it doesn't mean anything, but I applaud the way you've changed
    >your pitch. It's very refreshing to see you point to Zyxel's site while
    >also identifying yourself as a vendor. I may just have to consider your
    >company when I make my purchase of a Zyxel product this month.
    >

    Thanks for the kind words.

    It was never my intention to cause animosity in this newsgroup. My
    goal was always to alert people to a brand/product that, I believe,
    deserves attention. And if people feel they are interested, of course,
    I have an obvious interest in promoting the sale through my company.
    No one would believe me if I said otherwise! ;-)
  11.

    tonesurfer wrote:
    > We will be installing 50 or more internal firewalls to protect critical
    > portions of our network. The hope is to manage them all centrally with
    > a very small team (i.e. 3 people or so). I've some experience with
    > Checkpoint and only grazed PIX. What firewalls lend themselves to
    > installation such as this? Obviously management and maintenance of the
    > firewalls is high on our list with scalability to large numbers of
    > devices being key. I know Checkpoint's management scheme maxes out
    > well below our number of firewalls (at least it did with CP 4.1/2000).
    > What of PIX device manager and Symantec's offerings?

    We have a group of 3 managing more than 60 PIXes with only SSH, a Unix
    server and a couple of Perl and shell scripts. We average about 100 or so ACL
    entries per PIX; some have about 1000 entries. We have not had any
    trouble keeping up with them. After we did the initial install, we
    probably spend less than an hour per day on firewall management.

    --Mike
  12.

    "tonesurfer" <tonesurfer@hotmail.com> wrote
    > We will be installing 50 or more internal firewalls to protect critical
    > portions of our network. The hope is to manage them all centrally with
    > a very small team (i.e. 3 people or so).

    Check out CiscoWorks VMS:

    http://www.cisco.com/en/US/products/sw/cscowork/ps2330/index.html

    In their words, it:

    Enables the large-scale deployment of Cisco firewalls. Smart Rules is an
    innovative feature that allows a security policy to be consistently applied
    to all firewalls. Smart Rules allows a user to define common rules once,
    reducing configuration time and resulting in fewer administrative errors.
    <end excerpt>

    I've used it, and while it isn't the easiest software to learn (or cheap),
    it does a very good job of managing multiple devices.

    JT
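Mike's post (60+ PIXes, SSH and a few scripts) and the "define common rules once" idea JT quotes for CiscoWorks describe the same workflow: one shared rule set, a small per-device delta, and a change set computed against what each box is actually running. The block below is an added example written for this thread; it is not Mike's scripts, CiscoWorks VMS, or anything Cisco ships. It assumes PIX 6.x-style `access-list` / `access-group` syntax, an interface named `inside`, and made-up device names, networks and rules. The SSH transport that would deliver the commands is deliberately left out.

```python
"""Render each firewall's access-list from one shared rule set plus its own
additions, then compute what has to change on the device.

Added example for this thread, not Mike's scripts or any vendor tool.
Assumed: PIX 6.x-style access-list syntax, an 'inside' interface, and
made-up device names, networks and rules. The SSH transport is left out.
"""
import difflib

MGMT_NET = "10.0.0.0 255.255.255.0"   # assumed: where the 3-person team logs in from

# Rules every internal firewall gets. Written once, rendered everywhere.
COMMON_HEAD = [
    ("permit", "tcp", MGMT_NET, "any", "eq 22"),           # central admin ssh
    ("permit", "udp", "any", "host 10.0.0.53", "eq 53"),   # internal resolver (assumed)
]
COMMON_TAIL = [
    ("deny", "ip", "any", "any", ""),                      # explicit, logged cleanup rule
]

# Per-device additions; only these differ between the 50+ boxes.
DEVICES = {
    "fw-hr-01":  {"acl": "inside_in", "iface": "inside", "rules": [
        ("permit", "tcp", "any", "10.20.1.0 255.255.255.0", "eq 443")]},
    "fw-fin-01": {"acl": "inside_in", "iface": "inside", "rules": [
        ("permit", "tcp", "10.30.0.0 255.255.0.0", "host 10.30.1.5", "eq 1433")]},
}


def render(dev, acl=None):
    """Full ordered ACL for one device: common head, device rules, common tail."""
    acl = acl or dev["acl"]
    lines = []
    for action, proto, src, dst, port in COMMON_HEAD + dev["rules"] + COMMON_TAIL:
        line = f"access-list {acl} {action} {proto} {src} {dst}"
        if port:
            line += " " + port
        if action == "deny":
            line += " log"
        lines.append(line)
    return lines


def changeset(current, desired):
    """Entries to drop and to add, plus a unified diff for the change ticket."""
    cur, want = set(current), set(desired)
    return {
        "remove": [l for l in current if l not in want],
        "add": [l for l in desired if l not in cur],
        "diff": "\n".join(difflib.unified_diff(current, desired,
                                               "running", "desired", lineterm="")),
    }


def plan(name, current, version):
    """Commands to bring one device in line with the rendered policy.

    Entry order matters in an ACL and PIX 6.x appends new entries at the
    end, so instead of patching entries the plan builds the whole list
    under a versioned name, rebinds the interface to it with a single
    access-group command, and only then removes the old entries. The
    interface is never left without a bound list.
    """
    dev = DEVICES[name]
    desired = render(dev)
    cs = changeset(current, desired)
    if not cs["remove"] and not cs["add"]:
        return []                      # already in sync: nothing to push
    new_acl = f"{dev['acl']}_v{version}"
    if any(l.startswith(f"access-list {new_acl} ") for l in current):
        raise ValueError(f"{new_acl} already exists on {name}; pick a new version")
    cmds = render(dev, acl=new_acl)
    cmds.append(f"access-group {new_acl} in interface {dev['iface']}")
    cmds += [f"no {l}" for l in current]
    return cmds


if __name__ == "__main__":
    # Constructed "running config" that still has the old https rule on port 80.
    running = [l.replace("eq 443", "eq 80") for l in render(DEVICES["fw-hr-01"])]
    print(changeset(running, render(DEVICES["fw-hr-01"]))["diff"])
    print("\n".join(plan("fw-hr-01", running, 2)))
```

The diff is what a reviewer signs off on before anything is pushed; the plan is what the script types into the device. Because `current` comes from the device rather than from a local copy, someone who edited a box by hand shows up as a diff on the next run, which is the change-management property a central tool is really bought for.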
  13.

    JT (.) wrote:
    : "tonesurfer" <tonesurfer@hotmail.com> wrote
    : > We will be installing 50 or more internal firewalls to protect critical
    : > portions of our network. The hope is to manage them all centrally with
    : > a very small team (i.e. 3 people or so).

    : Check out CiscoWorks VMS:

    : http://www.cisco.com/en/US/products/sw/cscowork/ps2330/index.html

    : In their words, it:

    : Enables the large-scale deployment of Cisco firewalls. Smart Rules is an
    : innovative feature that allows a security policy to be consistently applied
    : to all firewalls. Smart Rules allows a user to define common rules once,
    : reducing configuration time and resulting in fewer administrative errors.
    : <end excerpt>

    : I've used it, and while it isn't the easiest software to learn (or cheap),
    : it does a very good job of managing multiple devices.

    : JT

    50+ firewalls will represent a major investment so I would offer the following:

    1) If you are not a CISSP or do not have several years in the field, hire a consultant to
    assist you in the evaluation. If there is a firm that VARs several different
    firewalls, give them a higher weight in the selection. They will not be as biased
    toward one manufacturer's product line.

    2) Take a look at what is out there, collect the marketing information and select
    2-4 vendors that might work for you. [And if your current firewall does have this
    capability weight it higher in the selection process; current expertise by your staff
    is important]

    3) I would seriously consider writing a formal RFP to require each of your candidates
    to respond in writing to whether they can even meet your requirements. If you have
    the cycles, make it an open RFP; you might be surprised by a vendor you knew nothing
    about. Make sure the RFP specifies throughput, fault tolerance, support and maintenance.
    It also should include training.


    4) The RFP should be used to cut it down to 2-3 finalists. Each of them should provide
    you with demonstration equipment to allow you to see how easy each of them is for
    YOU. This should be at no cost to you.

    Checkpoint especially with the Edge-1 and Provider-1 provides the most widely deployed
    enterprise level distributed enforcement/central management. NG has removed some of
    the limitations and it is very easy to write complex policies.

    From what I have heard from other large-scale firewall users, Cisco still has
    a bit of ground to make up in this type of environment. They are miles ahead of where
    they were but still lag on some of the features other enterprise vendors now provide.


    The bottom line is that given the size of your project, you have some leverage to try
    before you buy; use it to make sure you and your staff are comfortable with the solution.
    You all are the ones who have to make it work. All of us in the newsgroup simply provide
    you with our advice; we are not responsible for making it work.

    Rick

    Richard H. Miller, MCSE, CCSE+
    Information Security Manager
    Information Technology Security and Compliance
    Information Technology - Baylor College of Medicine
  14.

    On Sat, 10 Jul 2004 at 02:51 GMT, Richard H Miller <rick@bcm.tmc.edu> spewed
    into the usenet group comp.security.firewalls:
    > 50+ firewalls will represent a major investment so I would offer the following:
    >
    > 1) If you are not a CISSP or do not have several years in the field, hire a
    > consultant to assist you in the evaluation. If there is a firm that
    > VARs several different firewalls, give them a higher weight in the
    > selection. They will not be as biased toward one manufacturer's product line.

    This is a bit late, but a CISSP certification is not really useful when it
    comes to product evaluation. CISSP is more of a management type
    certification, and while useful, is not relevant to this particular case.

    Also, I would not talk to a VAR for product help. In my admittedly limited
    experience, most VARs have a strong interest in selling *something*
    regardless of what best meets your needs.

    >
    > 2) Take a look at what is out there, collect the marketing information
    > and select 2-4 vendors that might work for you. [And if your current
    > firewall does have this capability weight it higher in the selection
    > process; current expertise by your staff is important]

    Again, if your staff know the *basic* points of firewalling, and they can
    be given the time to learn, you would want to discount that information.
    If there is not much time, then going with what you know would probably be
    better.

    As a Unix/Linux admin, I prefer to have my firewalls be small shell scripts.
    Write them, check them into CVS, check out on the remote system. Makefiles
    work very well for this sort of thing.

    This needs a considerable amount of care while writing the rules, but that
    has never been a bad idea.

    Again, if you need a graphical frontend for rule management, your choices
    will differ widely.

    If management insists on hardware firewalls (no such beast exists), then
    your choice range is limited.

    If you need integration into third party products, your requirements will
    change.

    <snip>
    > The bottom line is that given the size of your project, you have some
    > leverage to try before you buy; use it to make sure you and your staff
    > are comfortable with the solution.
    > You all are the ones who have to make it work. All of us in the newsgroup
    > simply provide you with our advice; we are not responsible for making it work.
    +5 insightful

    I would recommend asking on the firewall-wizards mailing list as well.
    There is a bunch of highly clued people on that list.

    Devdas Bhagat
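Devdas' approach (each firewall is a small shell script, checked into CVS and checked out on the box) puts all the safety on the care taken while writing the rules, and the natural place to enforce that care is a check that runs before the script is committed or pushed. The block below is an added example for this thread, not Devdas' own tooling. It parses the `iptables` calls out of a shell script and checks a few invariants a practitioner would want on every internal firewall: default DROP on INPUT and FORWARD, a flush before the rules so re-running is idempotent, no ACCEPT rule without a match, and SSH to the firewall reachable only from the admin network. The admin network and the two sample scripts are constructed for illustration.

```python
"""Static checks for firewalls kept as small iptables shell scripts.

Added example for this thread (not Devdas' own scripts). Intended as a
pre-commit hook before a rule file goes into CVS; the two scripts and
the admin network below are constructed for illustration.
"""
import shlex

MGMT_NET = "10.0.0.0/24"       # assumed: only source allowed to reach ssh on the firewall
MATCH_FLAGS = {"-s", "-d", "-p", "-i", "-o", "--dport", "--sport", "-m", "--state"}

# Constructed sample in the "small shell script" style: passes every check.
GOOD_SCRIPT = """\
#!/bin/sh
IPT=/sbin/iptables
$IPT -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp -s 10.0.0.0/24 --dport 22 -j ACCEPT   # admin ssh
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -s 10.20.0.0/16 -d 10.0.0.53 -p udp --dport 53 -j ACCEPT
"""

# Constructed sample with three classic mistakes.
BAD_SCRIPT = """\
#!/bin/sh
IPT=/sbin/iptables
$IPT -F
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT                  # ssh from anywhere
$IPT -A FORWARD -j ACCEPT                                  # forwards everything
"""


def parse_rules(script):
    """Argument lists of every iptables call in the script (shell comments ignored)."""
    rules = []
    for raw in script.splitlines():
        line = raw.split("#", 1)[0].strip()      # good enough here: no '#' inside quotes
        if not line:
            continue
        argv = shlex.split(line)
        prog = argv[0].rsplit("/", 1)[-1] if argv else ""
        if argv and "=" not in argv[0] and prog in ("iptables", "$IPT"):
            rules.append(argv[1:])
    return rules


def opt(argv, flag):
    """Value following a flag, or None when the flag is absent."""
    for i, tok in enumerate(argv[:-1]):
        if tok == flag:
            return argv[i + 1]
    return None


def lint(script):
    """Human-readable findings; an empty list means the script passes."""
    findings = []
    rules = parse_rules(script)
    policies = {r[1]: r[2] for r in rules if len(r) >= 3 and r[0] == "-P"}
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain}: default policy is {policies.get(chain, 'unset')}, expected DROP")
    if not any(r and r[0] == "-F" for r in rules):
        findings.append("no flush (-F) before the rules: re-running the script duplicates entries")
    for r in rules:
        if len(r) < 2 or r[0] != "-A" or opt(r, "-j") != "ACCEPT":
            continue
        chain, text = r[1], " ".join(r)
        if not MATCH_FLAGS.intersection(r):
            findings.append(f"{chain}: '{text}' accepts everything")
        if opt(r, "--dport") == "22" and opt(r, "-s") != MGMT_NET:
            findings.append(f"{chain}: ssh accepted from {opt(r, '-s') or 'any'}, expected {MGMT_NET} only")
    return findings


if __name__ == "__main__":
    for name, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        print(name, lint(script) or "ok")
```

Wired into a CVS commit hook (or a Makefile target that runs before the copy to the remote box), this turns "considerable care" into something the whole 3-person team gets for free on every change, and it is just as useful run against a script pulled back from a firewall to catch edits made by hand.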