Hmmm, is this friend of yours doing consulting for my job? :-) Almost the same scenario except about a year behind, right down to the Watchguard boxes.
The problem the security consultant runs into is that the next IPSO that will support "dallas" will not be ready until the end of this year and "dallas" will be officially released in June (he thinks). If he decides to go with Nokia IP platform, he will not be able to meet the target date. He needs time to test "dallas" on IPSO prior to implementing it.
Six months of delay for IPSO is probably a bit of a stretch. I think R55 was released in Sept 2003 and the IPSO version was released in the second half of Dec. 2003. From friends in the industry, "dallas" allegedly was supposed to be released in January 2005 and then March and now who knows when. I do see it has made it into the public beta stage, so that's good news. I would think the delay, if it really exists, would actually move the IPSO date closer to the SPLAT release. IPSO patches for R55 are right there when SPLAT HFAs are released.
Pushing a deployment just to take advantage of a new release is rarely a good idea unless you are sure the features of the new version are a show-stopper if you don't have them. And that you're sure they're going to work and nothing else is going to break. :-)
1) They can use existing hardware currently available in the inventory to build the enforcement module. SPLAT runs great on both IBM and Compaq hardware. Furthermore, you can perform RAID 1 on the hardware to provide redundancy at the hardware level. Originally, they were looking at Nokia IP350/IP380, which does not have built-in hard drive RAID redundancy. The customer has a bulk load of IBM and Compaq DL380 servers.
All valid points. I bought an IP530 solely for the mirrored hard drives. Nokia now has a disk-less version which should relieve hard drive failure concerns.
I prefer two drives because of the redundancy it gives me during patches and updates. I simply break the software mirror and patch/upgrade the primary. If it blows up (and it never has yet), I can simply swap the drives and away I go.
I also prefer IPSO because of its "test boot" feature. If an upgrade of IPSO on a remote gateway goes bad, the box simply reboots itself into the previous version of IPSO and I'm back up. Only one of my remote sites has any kind of IT staff on hand.
2) Dual CPU support on SPLAT, which isn't yet supported on Nokia IP platforms (maybe with the exception of IP1260 or IP2250).
May be a consideration at the main site, but certainly not at the remote sites because their pipes are too small even with SmartDefense.
3) Hardware inventories are readily available on-site. The Enforcement Modules can be rebuilt in less than 10 minutes.
Is there somebody there that can do it securely? I've rebuilt remote IPSO boxes from "factory fresh" installs without any local support. I've never tried with SPLAT, so I don't know how that goes. I don't know about ten minutes, though. Closer to 30 is probably better. SPLAT needs HFAs whereas IPSO just needs the current version installed.
4) Checkpoint ClusterXL can provide an Active/Standby or Active/Active solution at headquarters. I know Nokia VRRP and IPSO Clustering are FREE, but the ClusterXL cost can be offset with the hardware (i.e. IBM or Compaq servers) that the customer already owns.
Check out the price on the Nokia disk-less boxes. They were a lot cheaper.
5) When running Checkpoint on the Nokia IP platform, Nokia is always a few revisions behind Checkpoint. There will always be a "blame game" going on when things are not working right. When running SPLAT, Checkpoint will be responsible for everything with the exception of the hardware. There will not be any finger pointing other than at Checkpoint.
I have never, repeat never, experienced this. Nokia is a bit behind on the initial release and sometimes that's a good thing because the pioneers already took a few arrows in the back for you. I have my Check Point support through Nokia, so they're my first point of contact and are cheaper than Check Point. If they have to escalate an issue to Check Point, it doesn't cost me a dime.
6) SPLAT can do RIP-2, OSPF and BGP via zebra just as good as IPSO.
I guess that's a tie, then. :-)
I'm sure you have already recommended a separate management server to him, so that's a moot point. This one is going to be a tough decision because both choices are good, although your discussion is focused on the initial deployment date and costs. Do you have any thoughts on what it takes to keep either option running, time-wise and cost-wise? That's where the real money will be spent, particularly in the cost of downtime.
I do know my company isn't going to try "dallas" for at least three months after it's released. There are just too many things going on with a firewall running site-to-site and remote access VPNs to risk it so fast.
If you can, please let us know what they decided and why. Their reasoning will be a good learning point.
Take care,
Ray