
Options for 50+ firewall deployment

Anonymous
July 8, 2004 10:56:47 AM

Archived from groups: comp.security.firewalls

We will be installing 50 or more internal firewalls to protect critical
portions of our network. The hope is to manage them all centrally with
a very small team (i.e. 3 people or so). I've some experience with
Checkpoint and only grazed PIX. What firewalls lend themselves to
installation such as this? Obviously management and maintenance of the
firewalls is high on our list with scalability to large numbers of
devices being key. I know Checkpoint's management scheme maxes out
well below our number of firewalls (at least it did with CP 4.1/2000).
What of PIX device manager and Symantec's offerings?
Anonymous
July 8, 2004 4:07:45 PM

For reporting, log analysis and correlation of data from this number
of FW you should consider a dedicated security information management
event correlation solution. This class of product will also be able
to integrate data with your vulnerability scanners, IDS, AV etc.

Phil

tonesurfer@hotmail.com (tonesurfer) wrote in message news:<58915b8c.0407080556.21ae1656@posting.google.com>...
> We will be installing 50 or more internal firewalls to protect critical
> portions of our network. The hope is to manage them all centrally with
> a very small team (i.e. 3 people or so). I've some experience with
> Checkpoint and only grazed PIX. What firewalls lend themselves to
> installation such as this? Obviously management and maintenance of the
> firewalls is high on our list with scalability to large numbers of
> devices being key. I know Checkpoint's management scheme maxes out
> well below our number of firewalls (at least it did with CP 4.1/2000).
> What of PIX device manager and Symantec's offerings?
Anonymous
July 8, 2004 5:57:13 PM

In article <58915b8c.0407080556.21ae1656@posting.google.com>,
tonesurfer@hotmail.com says...
> We will be installing 50 or more internal firewalls to protect critical
> portions of our network. The hope is to manage them all centrally with
> a very small team (i.e. 3 people or so). I've some experience with
> Checkpoint and only grazed PIX. What firewalls lend themselves to
> installation such as this? Obviously management and maintenance of the
> firewalls is high on our list with scalability to large numbers of
> devices being key. I know Checkpoint's management scheme maxes out
> well below our number of firewalls (at least it did with CP 4.1/2000).
> What of PIX device manager and Symantec's offerings?

Take a look at WatchGuard - even the SOHO units can be managed remotely
and securely.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
July 8, 2004 7:04:32 PM

"tonesurfer" <tonesurfer@hotmail.com> wrote in message
news:58915b8c.0407080556.21ae1656@posting.google.com...
> We will be installing 50 or more internal firewalls to protect critical
> portions of our network. The hope is to manage them all centrally with
> a very small team (i.e. 3 people or so). I've some experience with
> Checkpoint and only grazed PIX. What firewalls lend themselves to
> installation such as this? Obviously management and maintenance of the
> firewalls is high on our list with scalability to large numbers of
> devices being key. I know Checkpoint's management scheme maxes out
> well below our number of firewalls (at least it did with CP 4.1/2000).
> What of PIX device manager and Symantec's offerings?

You might want to look at Juniper/NetScreen. They have a centralized
management platform that can easily handle 50 firewalls (scales up to 1000 in
the current version). See:
<http://www.juniper.net/products/integrated/dsheet/ds_se...>.
It's not just for pushing out firewall rulesets either, you can perform
hardware device configuration (physical port assignments, security zone
assignments, routing table configuration, network screening options,
manageability options, etc.), you can configure VPN topologies
(hub-and-spoke, peer-to-peer, etc.), you can centralize your logging and
reporting, etc. The next release will also serve as a centralized management
platform for their Intrusion Detection and Prevention (IDP) product line.
July 8, 2004 7:57:43 PM

On 8 Jul 2004 06:56:47 -0700, tonesurfer@hotmail.com (tonesurfer)
wrote:

>We will be installing 50 or more internal firewalls to protect critical
>portions of our network. The hope is to manage them all centrally with
>a very small team (i.e. 3 people or so). I've some experience with
>Checkpoint and only grazed PIX. What firewalls lend themselves to
>installation such as this? Obviously management and maintenance of the
>firewalls is high on our list with scalability to large numbers of
>devices being key. I know Checkpoint's management scheme maxes out
>well below our number of firewalls (at least it did with CP 4.1/2000).
>What of PIX device manager and Symantec's offerings?


You might also look at the Zyxel Zywall line. They have served us
and our customers very well at our shop. They have a management software
package called CNM, Central Network Management. It even allows
you to configure VPN connections using drag and drop diagrams.

Dave
Anonymous
July 8, 2004 8:35:38 PM

On 8 Jul 2004 06:56:47 -0700, tonesurfer@hotmail.com (tonesurfer) wrote:

>I know Checkpoint's management scheme maxes out
>well below our number of firewalls (at least it did with CP 4.1/2000).

Yes, it's also a PITA when it comes to change management with a single
objects database.

Have you looked at Provider/SiteManager?




greg

--
Can you hear me?
Can you see me?
Can you feel me?
I don't understand you
Anonymous
July 8, 2004 8:58:23 PM

tonesurfer wrote:

> We will be installing 50 or more internal firewalls to protect critical
> portions of our network. The hope is to manage them all centrally with
> a very small team (i.e. 3 people or so). I've some experience with
> Checkpoint and only grazed PIX. What firewalls lend themselves to
> installation such as this? Obviously management and maintenance of the
> firewalls is high on our list with scalability to large numbers of
> devices being key. I know Checkpoint's management scheme maxes out
> well below our number of firewalls (at least it did with CP 4.1/2000).
> What of PIX device manager and Symantec's offerings?

Sonicwalls work pretty well. Their "GMS" (Global Management System)
package allows centralized administration.

--
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
May be copied freely without the express permission of T. Sean Weintz.
T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
Anonymous
July 8, 2004 11:58:02 PM

On 8 Jul 2004 06:56:47 -0700, tonesurfer@hotmail.com (tonesurfer)
wrote:
>
>We will be installing 50 or more internal firewalls to protect critical
>portions of our network. The hope is to manage them all centrally with
>a very small team (i.e. 3 people or so). I've some experience with
>Checkpoint and only grazed PIX. What firewalls lend themselves to
>installation such as this? Obviously management and maintenance of the
>firewalls is high on our list with scalability to large numbers of
>devices being key. I know Checkpoint's management scheme maxes out
>well below our number of firewalls (at least it did with CP 4.1/2000).
>What of PIX device manager and Symantec's offerings?
>

Have a look at the ZyXEL ZyWALL line of firewall appliances. ZyXEL has
a management system called Vantage CNM 2.0.

Here's additional info on Vantage:
http://www.us.zyxel.com/products/model.php?indexcate=10...

And info on the appliances themselves:
http://www.us.zyxel.com/products/categoryCompare.php?in...

My company, Nowthor Corporation, is a ZyXEL Premium Partner and will
be able to help you with the solution if you are in the US.
Anonymous
July 9, 2004 12:16:29 AM

In article <dh9re0tq24stm0kot346033j95kp0hvspc@4ax.com>,
nospam@shopping.nowthor.com says...
> Have a look at the ZyXEL ZyWALL line of firewall appliances. ZyXEL has
> a management system called Vantage CNM 2.0.
>
> Here's additional info on Vantage:
> http://www.us.zyxel.com/products/model.php?indexcate=10...
>
> And info on the appliances themselves:
> http://www.us.zyxel.com/products/categoryCompare.php?in...
>
> My company, Nowthor Corporation, is a ZyXEL Premium Partner and will
> be able to help you with the solution if you are in the US.

I know it doesn't mean anything, but I applaud the way you've changed
your pitch. It's very refreshing to see you point to Zyxel's site while
also identifying yourself as a vendor. I may just have to consider your
company when I make my purchase of a Zyxel product this month.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
July 9, 2004 3:15:04 AM

Leythos <void@nowhere.com> wrote in news:MPG.1b571e3fcf21b62798a77f@news-
server.columbus.rr.com:

> In article <58915b8c.0407080556.21ae1656@posting.google.com>,
> tonesurfer@hotmail.com says...
>> We will be installing 50 or more internal firewalls to protect critical
>> portions of our network. The hope is to manage them all centrally with
>> a very small team (i.e. 3 people or so). I've some experience with
>> Checkpoint and only grazed PIX. What firewalls lend themselves to
>> installation such as this? Obviously management and maintenance of the
>> firewalls is high on our list with scalability to large numbers of
>> devices being key. I know Checkpoint's management scheme maxes out
>> well below our number of firewalls (at least it did with CP 4.1/2000).
>> What of PIX device manager and Symantec's offerings?
>

If you're used to Checkpoint, look at Provider-1. Or, if you only have
minimal throughput at each remote location, consider the LSM plug-in for
SmartDashboard to manage remote IP40 appliances running Checkpoint Safe@.

NetScreen is also a viable candidate for this requirement.

PIX management is an oxymoron.

SysAdm
Anonymous
July 9, 2004 6:04:02 AM

On Thu, 08 Jul 2004 20:16:29 GMT, Leythos <void@nowhere.com> wrote:
>
>I know it doesn't mean anything, but I applaud the way you've changed
>your pitch. It's very refreshing to see you point to Zyxel's site while
>also identifying yourself as a vendor. I may just have to consider your
>company when I make my purchase of a Zyxel product this month.
>

Thanks for the kind words.

It was never my intention to cause animosity in this newsgroup. My
goal was always to alert people to a brand/product that, I believe,
deserves attention. And if people feel they are interested, of course,
I have an obvious interest in promoting the sale through my company.
No one would believe me if I said otherwise! ;-)
Anonymous
July 9, 2004 6:36:26 AM

tonesurfer wrote:
> We will be installing 50 or more internal firewalls to protect critical
> portions of our network. The hope is to manage them all centrally with
> a very small team (i.e. 3 people or so). I've some experience with
> Checkpoint and only grazed PIX. What firewalls lend themselves to
> installation such as this? Obviously management and maintenance of the
> firewalls is high on our list with scalability to large numbers of
> devices being key. I know Checkpoint's management scheme maxes out
> well below our number of firewalls (at least it did with CP 4.1/2000).
> What of PIX device manager and Symantec's offerings?

We have a group of 3 managing more than 60 PIXes with only SSH, a Unix
server, and a couple of Perl and shell scripts. We average about 100 or so ACL
entries per PIX; some have about 1000 entries. We have not had any
trouble keeping up with them. After we did the initial install, we
probably spend less than an hour per day on firewall management.

--Mike
July 9, 2004 11:50:22 AM

"tonesurfer" <tonesurfer@hotmail.com> wrote
> We will be installing 50 or more internal firewalls to protect critical
> portions of our network. The hope is to manage them all centrally with
> a very small team (i.e. 3 people or so).

Check out CiscoWorks VMS:

http://www.cisco.com/en/US/products/sw/cscowork/ps2330/...

In their words, it:

Enables the large-scale deployment of Cisco firewalls. Smart Rules is an
innovative feature that allows a security policy to be consistently applied
to all firewalls. Smart Rules allows a user to define common rules once,
reducing configuration time and resulting in fewer administrative errors.
<end excerpt>

I've used it, and while it isn't the easiest software to learn (or cheap),
it does a very good job of managing multiple devices.

JT
Anonymous
July 10, 2004 6:51:07 AM

JT (.) wrote:
: "tonesurfer" <tonesurfer@hotmail.com> wrote
: > We will be installing 50 or more internal firewalls to protect critical
: > portions of our network. The hope is to manage them all centrally with
: > a very small team (i.e. 3 people or so).

: Check out CiscoWorks VMS:

: http://www.cisco.com/en/US/products/sw/cscowork/ps2330/...

: In their words, it:

: Enables the large-scale deployment of Cisco firewalls. Smart Rules is an
: innovative feature that allows a security policy to be consistently applied
: to all firewalls. Smart Rules allows a user to define common rules once,
: reducing configuration time and resulting in fewer administrative errors.
: <end excerpt>

: I've used it, and while it isn't the easiest software to learn (or cheap),
: it does a very good job of managing multiple devices.

: JT

50+ firewalls will represent a major investment, so I would offer the following:

1) If you are not a CISSP and do not have several years in the field, hire a consultant to
assist you in the evaluation. If there is a firm that VARs several different
firewalls, give them a higher weight in the selection. They will not be as biased
toward one manufacturer's product line.

2) Take a look at what is out there, collect the marketing information and select
2-4 vendors that might work for you. [And if your current firewall does have this
capability, weight it higher in the selection process; current expertise by your staff
is important.]

3) I would seriously consider writing a formal RFP to require each of your candidates
to respond in writing to whether they can even meet your requirements. If you have
the cycles, make it an open RFP; you might be surprised by a vendor you knew nothing
about. Make sure the RFP specifies throughput, fault tolerance, support and maintenance.
It also should include training.

4) The RFP should be used to cut it down to 2-3 finalists. Each of them should provide
you with demonstration equipment to allow you to see how easy each of them is for
YOU. This should be at no cost to you.

Checkpoint, especially with the Edge-1 and Provider-1, provides the most widely deployed
enterprise-level distributed enforcement/central management. NG has removed some of
the limitations and it is very easy to write complex policies.

From what I have heard from other large-scale firewall users, Cisco still has
a bit of ground to make up in this type of environment. They are miles ahead of where
they were but still lag on some of the features other enterprise vendors now provide.

The bottom line is that given the size of your project, you have some leverage to try
before you buy; use it to make sure you and your staff are comfortable with the solution.
You all are the ones who have to make it work. All of us in the newsgroup simply provide
you with our advice; we are not responsible for making it work.

Rick

Richard H. Miller, MCSE, CCSE+
Information Security Manager
Information Technology Security and Compliance
Information Technology - Baylor College of Medicine
Anonymous
July 20, 2004 8:11:08 PM

On Sat, 10 Jul 2004 at 02:51 GMT, Richard H Miller <rick@bcm.tmc.edu> spewed
into the usenet group comp.security.firewalls:
> 50+ firewalls will represent a major investment, so I would offer the following:
>
> 1) If you are not a CISSP and do not have several years in the field, hire a
> consultant to assist you in the evaluation. If there is a firm that
> VARs several different firewalls, give them a higher weight in the
> selection. They will not be as biased toward one manufacturer's product line.

This is a bit late, but a CISSP certification is not really useful when it
comes to product evaluation. CISSP is more of a management type
certification, and while useful, is not relevant to this particular case.

Also, I would not talk to a VAR for product help. In my admittedly limited
experience, most VARs have a strong interest in selling *something*
regardless of what best meets your needs.

>
> 2) Take a look at what is out there, collect the marketing information
> and select 2-4 vendors that might work for you. [And if your current
> firewall does have this capability, weight it higher in the selection
> process; current expertise by your staff is important.]

Again, if your staff know the *basic* points of firewalling, and they can
be given the time to learn, you would want to discount that information.
If there is not much time, then going with what you know would probably be
better.

As a Unix/Linux admin, I prefer to have my firewalls be small shell scripts.
Write them, check them into CVS, check out on the remote system. Makefiles
work very well for this sort of thing.

This needs a considerable amount of care while writing the rules, but that
has never been a bad idea.

Again, if you need a graphical frontend for rule management, your choices
will differ widely.

If management insists on hardware firewalls (no such beast exists), then
your choice range is limited.

If you need integration into third party products, your requirements will
change.

<snip>
> The bottom line is that given the size of your project, you have some
> leverage to try before you buy; use it to make sure you and your staff
> are comfortable with the solution.
> You all are the ones who have to make it work. All of us in the newsgroup
> simply provide you with our advice; we are not responsible for making it work.
+5 insightful

I would recommend asking on the firewall-wizards mailing list as well.
There is a bunch of highly clued people on that list.

Devdas Bhagat
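The script-and-version-control approach Mike (SSH plus Perl/shell scripts for 60 PIXes) and Devdas (rule scripts checked into CVS, pushed with Makefiles) describe, as an added example that is not code from any poster: common rules are written once, each firewall gets a rendered policy from those plus its own overlay, and a drift check reports which hosts no longer match what was last applied. The rule syntax, host names, subnets and the local `applied/` directory standing in for SSH are all constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: render one policy per firewall from
# common rules plus a per-host overlay, keep the result in version control and
# flag hosts whose last-applied copy has drifted. All data is constructed and
# the rule syntax is made up; no real firewall is touched.
set -eu

WORK=$(mktemp -d)   # stands in for the checked-out rules repository
mkdir -p "$WORK/common" "$WORK/hosts" "$WORK/applied"

# Common rules written once: lock down the management plane, deny by default.
cat > "$WORK/common/base.rules" <<'EOF'
# only the admin subnet may reach the firewall itself
allow tcp 10.0.250.0/24 -> self port 22
deny  any any -> self
deny  any any -> any log
EOF

# Per-host overlays: what each protected segment actually needs, nothing more.
echo "allow tcp 10.20.0.0/16 -> 10.21.5.10 port 443" > "$WORK/hosts/fw-hr-01.rules"
echo "allow tcp 10.40.0.0/16 -> 10.41.0.0/16 port 22" > "$WORK/hosts/fw-lab-07.rules"

# render_policy HOST: overlay first, then common rules, so the final deny
# from base.rules is always the last line of every rendered policy.
render_policy() {
  printf '# %s: rendered from hosts/%s.rules + common/base.rules\n' "$1" "$1"
  grep -v '^#' "$WORK/hosts/$1.rules"
  grep -v '^#' "$WORK/common/base.rules"
}

# apply_policy HOST: record the rendered policy as applied. In real use this
# is where scp + reload over SSH would happen; here it is a dry-run stand-in.
apply_policy() {
  render_policy "$1" > "$WORK/applied/$1.rules"
}

# check_drift HOST: returns 0 when the applied copy equals the rendered policy,
# 1 when it differs or was never applied. Real use: compare against the output
# of "ssh HOST <show running config>" instead of the applied/ file.
check_drift() {
  tmp=$(mktemp)
  render_policy "$1" > "$tmp"
  if [ -f "$WORK/applied/$1.rules" ] && cmp -s "$tmp" "$WORK/applied/$1.rules"; then
    rm -f "$tmp"; return 0
  fi
  rm -f "$tmp"; return 1
}

# count_drifted: how many hosts need a push, i.e. what a nightly audit reports.
count_drifted() {
  n=0
  for f in "$WORK"/hosts/*.rules; do
    check_drift "$(basename "$f" .rules)" || n=$((n + 1))
  done
  echo "$n"
}
```

Committing `hosts/` and `common/` and running `count_drifted` from cron gives a three-person team a daily list of firewalls whose running policy no longer matches the repository.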