For Check Point, and assumes all firewalls are Check Point:
If all firewalls are Check Point products, it's supremely easy to manage all
of them. CP uses a concept they call a "VPN community" where all of the VPN
setup is done once. As firewalls are added to the community, they are
configured for all of the IPSec and NAT settings in one place and use
certificate authentication. You can still control traffic flow between
individual firewalls independently if desired.
You can use hub-and-spoke or full-mesh in a community.
If you use Check Point's small disk-less SOHO box for smaller offices,
called the "Edge", all configuration is stored in a text file. If you have a
device failure, you can simply plug in a new box and remotely import the
text file into the new device and it's up and running. The Edges can also
run in an HA configuration if you install two of them.
Check Point can handle a remote firewall that gets its IP address via DHCP
from the ISP. It uses certificate authentication, so effectively the DHCP
remote firewall is treated the same as a remote access laptop. Only the
primary firewall needs a static IP address.
If you use Nokia for the firewall, it can store at least two copies of the
operating system on the firewall. When you need to upgrade the OS, called
IPSO (a BSD variant), you install the new IPSO image to the firewall while
it's still running the previous version. Sometime later, you can click "Test
Reboot" and the firewall will reboot into the new IPSO image. If you fail to
login to the firewall within five minutes and click the button to keep the
new IPSO version, the firewall will automatically reboot back into the
previous version. This is a real worry-free method of upgrading or
rebuilding remote firewalls. If you have a device failure, you can rebuild a
firewall remotely from scratch in about an hour from when the drop-shipped
unit arrives.
Multiple firewalls use a "distributed" configuration. Virtually all of the
Check Point configuration (rules, user database, object definitions, etc.)
are stored on a separate server known as the SmartCenter. You can rebuild a
firewall remotely and then push the Check Point configuration to it from the
SmartCenter. This greatly simplifies disaster recovery requirements since
there is very little that needs to be backed up from the firewall itself
(proxy ARP, interface configuration, routing table, etc.). I keep the backup
information from the firewalls themselves stored on the SmartCenter (running
Server 2003). I then export its configuration weekly and also create Ghost
images of it for DR purposes. The Ghost images then contain all of the
configuration backups for the SmartCenter and for each firewall. Burn it to
a DVD and send it off-site.
The SmartCenter can be set up in a high-availability configuration by buying
a second one so if one is down, the firewalls can still be managed. If you
only have one SmartCenter, all of the firewalls keep on doing their thing
and they begin logging locally instead of sending the logs to the
SmartCenter. The CRL and user database are cached on the enforcement
modules, which is why everything can work while the SmartCenter is
unavailable. I think the cache period is seven days for the CRL.
All firewalls send their logs to the SmartCenter for easy, integrated review
and monitoring. We also use Eventia Reporter which takes all of the logs
from the SmartCenter and combines them into a MySQL database and provides a
report generator.
SmartView Monitor lets you look at each firewall and evaluate how it's
performing, bandwidth in use, historical performance, etc.
If you're going to be using it for remote access, SecureClient has a feature
called Visitor Mode. Visitor Mode encapsulates all of the IPSec protocols
and traffic in a single HTTPS connection. If you have a lousy home router or
a hotel where only web browsing is allowed, Visitor Mode still allows full
remote access capability. We have a JV partner that uses Cisco. Our execs
have commented that they will be sitting side-by-side with the JV employees
in a hotel or airport and they can connect using Visitor Mode, but the JV
employees cannot get their Cisco VPN connections to work.
SecureClient has a remotely configurable and manageable personal firewall to
protect the laptops.
SecureClient can send its logs to SmartCenter for integrated monitoring, the
same as a firewall.
HTH,
Ray
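The "Test Reboot" behaviour Ray describes for IPSO (boot into the new image, and revert automatically unless an admin logs in and confirms within five minutes) is a general confirm-or-rollback pattern. The following is an added example that models that pattern as a small state machine; it is not Nokia or Check Point code and does not talk to any device. The image names "ipso-old" and "ipso-new" and the five-minute window as a constant are constructed for the illustration.

```python
"""Confirm-or-rollback boot model (added example, not vendor code).

A new image is installed beside the running one, the device test-boots into
it, and a watchdog reverts to the previous image unless an administrator
confirms inside the window. Time is passed in explicitly so the sequence can
be exercised without real sleeps.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Five-minute confirmation window, as described in the post (assumed constant).
CONFIRM_WINDOW_SECONDS = 5 * 60


@dataclass
class Device:
    images: List[str]                          # installed image slots
    running: str                               # image currently booted
    previous: Optional[str] = None             # image to fall back to
    pending_deadline: Optional[float] = None   # set while a test boot awaits confirmation
    history: List[str] = field(default_factory=list)

    def install(self, image: str) -> None:
        # Install alongside the running image without disturbing it.
        if image in self.images:
            raise ValueError(f"{image} already installed")
        self.images.append(image)
        self.history.append(f"installed {image}")

    def test_reboot(self, image: str, now: float) -> str:
        # Boot into the new image and start the confirmation clock.
        if image not in self.images or image == self.running:
            raise ValueError(f"cannot test-boot {image}")
        self.previous = self.running
        self.running = image
        self.pending_deadline = now + CONFIRM_WINDOW_SECONDS
        self.history.append(f"test-boot {image}, confirm by t={self.pending_deadline:.0f}")
        return self.running

    def confirm(self, now: float) -> bool:
        # Admin keeps the new image; only valid while the window is open.
        if self.pending_deadline is None:
            return False
        if now > self.pending_deadline:
            self.tick(now)  # too late: the rollback is already due
            return False
        self.pending_deadline = None
        self.previous = None
        self.history.append(f"confirmed {self.running}")
        return True

    def tick(self, now: float) -> str:
        # Watchdog called periodically: revert if the window expired unconfirmed.
        if self.pending_deadline is not None and now > self.pending_deadline:
            self.history.append(f"rollback {self.running} -> {self.previous}")
            self.running = self.previous
            self.previous = None
            self.pending_deadline = None
        return self.running


def scenario_confirmed() -> str:
    # Admin logs in at minute four and keeps the new image.
    dev = Device(images=["ipso-old"], running="ipso-old")
    dev.install("ipso-new")
    dev.test_reboot("ipso-new", now=0.0)
    dev.tick(now=120.0)        # inside the window: nothing happens
    dev.confirm(now=240.0)
    dev.tick(now=10_000.0)     # much later: no rollback, it was confirmed
    return dev.running         # "ipso-new"


def scenario_timed_out() -> str:
    # Nobody confirms (e.g. the new image broke remote access): revert.
    dev = Device(images=["ipso-old"], running="ipso-old")
    dev.install("ipso-new")
    dev.test_reboot("ipso-new", now=0.0)
    dev.tick(now=301.0)
    return dev.running         # "ipso-old"


if __name__ == "__main__":
    print("confirmed  ->", scenario_confirmed())
    print("timed out  ->", scenario_timed_out())
```

The point of the model is the failure mode: a remote upgrade that leaves the box unreachable is the one case where nobody can log in to confirm, and that is exactly the case the watchdog handles by reverting on its own.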
From: The Security Freak <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: [FW-1] Site to Site VPN roundup ?
Date: Sun, 23 Jul 2006 16:22:44 +0300
I'm currently managing a large project that covers around 50 sites (10 Big
ones / NOC / SOC) and 40 small ones for VPN Site 2 site
The company I'm working for has issued an RFP on the subject and we are
down to 4 VPN vendors
I got to admit that I have a complete picture but still would like to learn
from you VPN (and Firewall) gurus what are the pros and cons of the 3 major
vendors
(Check Point / Cisco / Juniper)
Mind you guys I'm looking for bullets and not the whole 9 yards
Thx
Tsecfreak
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================