Firewalls and VPNs

EvanBlackwood

Member
Oct 14, 2000
Hey team,

Looking for some input. When it comes to enterprise-wide security policies, what do you think is better, a software solution like Symantec Enterprise and Check Point Software, or a hardware solution, like Cisco? Just curious. If you have any input on middle-tier companies, that might help as well. Thanks again!

Regards,

EB
 

FireDragon

Junior Member
Aug 2, 2001
well as most things it usually comes down to money... software is good and all... in fact I'm currently using checkpoint; however, I much prefer a hardware security solution. remember when all else is equal, hardware is always faster (and usually better). actually, I prefer a combination of both hardware and software, it's all about layers!

think about the hardware v. software issue this way. ok for software you have the software running on someone else's software i.e. the OS, that is running on someone else's hardware. not to mention whatever else is running on that box, could present a different risk, say IIS for example. however hardware, it's plain simple, only the manufacturer's software running on its hardware. not much to go wrong.

same holds true with routers and layer 3 switches etc... final example: NT supports RIP and OSPF, but do you know anyone that uses an NT box to route? probably not, because a $150 router does a better, faster job.

 

spidey07

No Lifer
Aug 4, 2000
which one is better?

They both have their strengths and weaknesses. In general a hardware device outperforms software, especially wintel. Checkpoint is an awesome firewall, I've used it for a long time. Pix is an awesome firewall. They each have features the other one doesn't. Heck, I love the little nokia checkpoint appliances. cheap and easy.

Just FYI, I'm ripping out our 8 checkpoint firewalls and putting in some PIX. Too frustrated with checkpoint support and the underlying solaris OS. Our firewall configurations are very complex and get hard to manage when I have to control routing on Solaris with 8 interfaces and throw lots of VPN at it.

between the two...well the network answer is "it depends"
 

Garion

Platinum Member
Apr 23, 2001
Only catch with PIXes - Management sucks, unless it's gotten better in the last year or so.

The Nokia boxes are supposed to be excellent firewalls. They run checkpoint on a dedicated hardware platform. They were the first to provide gigabit throughput via a firewall. Might be worth checking out.

Skip the Symantec stuff. Checkpoint and Pixes are the dominant firewalls out there and are, by far, the most commonly used in the enterprise.

For a true enterprise security policy, why choose? To do it right you should have at least two layers of firewalls - Stick PIX out in front of your DMZ and directly connected to the internet. Pixes are rock solid and high performing and you don't need many rules out there. Between your DMZ and internal network put in a Nokia. Flexible to manage your outbound policies and very stable and secure. Much better security, as a hacker has to get through BOTH layers of security, something that's much more difficult to do than just one layer.

I work for a bank and we have, believe it or not, four layers of firewalls. Not my design, don't have to manage it, thank god..

Depends on your budget tho.. Can't go wrong with a Nokia running Checkpoint or just a Pix.

- G
 