> I am specifically looking for firewalls which would handle a load of approx.
> 500 - 1000 computers (Enterprise Level?) - some of which would access the
> 'outside world' fairly often (email, web, etc.)

 There are arguably three decent firewall products that fit this
bill well - well, two and a wannabe... Mind you, when you start
asking product-based questions, you start a religious argument.
Here's one man's (my) side of that argument:

1) Axent Raptor: The fastest of the three I will mention, despite
   that it is an application level gateway with full proxy for
   everything, including transparent proxy for UDP. Available for
   Sparc/Solaris, Intel/WinNT and (kinda-sorta) PA-RISC/HP-UX.
   Lots of authentication options, good VPN. Installs secure, and
   hardens the OS on the way in. Clustering options on both platforms,
   cross-platform management, integration with intrusion detection.
   Very secure, very fast, very flexible, my personal choice. 

2) TIS (not Network Associates) Gauntlet Firewall. I'm not 100%
   up to speed on platforms, etc. I believe it is available for
   Intel/BSDI, Intel/WinNT and Sparc/Solaris. Again, an application
   level gateway - the oldest, most respected firewall around.
   Not as flexible as the Raptor, I don't know performance
   figures. My second choice.

 Those two are proper, real-world, serious firewalls. Both quite
secure (when properly configured of course). I have heard some
noises of late that are concerned about how committed Network
Associates are to the Gauntlet product, and whether they will
continue support as TIS did - only time will tell there, but I
have no qualms with either of those two.

 Both perfectly capable of handling your performance requirement.

3) Checkpoint Fireball-1. Not a proper firewall, despite what
   the marketeers would have you think. Available for just
   about every platform you can think of, including obscure 
   things like Nokia routers. It is a stateful packet filter, with
   a bit of application level filtering thrown in as an 
   afterthought. Much slower than the Axent Raptor in any
   apples-for-apples comparison, despite that on theoretical
   grounds, it should far outperform the Raptor. The Checkpoint
   does have market share, but that's more a result of marketing
   success than technology. It is very good at network address
   translation, particularly if you have complex NAT requirements.
   It contradicts itself somewhat by having a very nice 'firewall
   for dummies' user interface, but at the same time a few hidden
   traps for young players. Ships and installs insecure, and 
   requires detailed attention to put it right. Not bad in the
   hands of a skilled security professional, but pretty damn
   dangerous in the hands of a new player. I wouldn't piss on 
   it if it was on fire... Well, maybe I would... :-)


   
 In a nutshell, that's the product space I think you should be 
considering. As another poster has already mentioned, there is a 
lot more to this argument - I've only presented a little bit. 

HTH,

Geoff
--
CREDIT | FIRST   Geoff Breach, [EMAIL PROTECTED], +61293944040
SUISSE | BOSTON  Global Network Services - Asia Pacific Engineering
                 Opinions expressed herein are mine, not my employer's  
