Having worked with all three vendors for the past six years, this is my personal opinion regarding these vendors:

1) Checkpoint: The product is an excellent product. In terms of manageability, Checkpoint is second to none. The cost of supporting it is relatively low. The license is very expensive. In terms of configuring VPN on Checkpoint, it is very user-friendly. Until NGX, you cannot use Virtual Tunnel Interface (VTI), and Checkpoint by itself does not support GRE/IPSec (even though you can do GRE on Nokia, it is not something that Checkpoint recommends). Therefore, if you're looking at running a dynamic routing protocol inside the IPSec tunnel, you're basically F! yourself. I am not sure that NGX is stable enough to do VTI either. The downside of using Checkpoint is that Checkpoint TAC support is absolutely horrible. Checkpoint TAC is absolutely clueless. Their response is always "upgrade". They will not jump through hoops to help the customers. The turnaround time for Checkpoint TAC (in a majority of the cases that I opened with them) is about six months. You do not have to take my word for it; just ask around and see in this forum for yourself. I'll give you an example: I opened a TAC case with CP regarding RSA SecurID and Provider-1 authentication. Well, the case was open for five months and CP came back and told me that this is a bug in the code and to wait until R61 (maybe). What the F!.

2) Cisco: For your complex environment, Cisco Dynamic Multipoint VPN (DMVPN) is probably the way to go. You can also use VTI or GRE/IPSec to accomplish the same thing. The downside of going with Cisco is that in terms of manageability, Cisco is not as good as Checkpoint. That being said, you can choose either the VPN concentrator or Cisco IOS devices to do what you described in your request. The biggest upside I can see in going with Cisco is the TAC support. Cisco TAC support is second to none. Cisco TAC will throw all the resources at your issues until they are resolved. That, to me, is probably the reason you should go with Cisco.

3) NetScreen/Juniper: Juniper OS, NOT NetScreen, can also accomplish what you described. That being said, a Juniper router running JUNOS is much more expensive than both Cisco and Checkpoint. NetScreen TAC support sucks big time, but Juniper JUNOS TAC engineers are excellent. Juniper routers running JUNOS with the firewall/VPN feature set can blow away both Checkpoint and Cisco in terms of performance; however, if cost is your main concern, you should go with Cisco. Juniper TAC (NOT NetScreen TAC) is just as good as, if not better than, Cisco's.

It seems to me that you have a tough choice to make. Just choose the platform that you're most comfortable with, but also keep in mind that reliable support from the vendors is also very crucial. That's my 2c.

HTH
cisco4ng
CCIE Security, CCSE-NG
Juniper JNCIS
(Next task: CCIE Voice and/or JNCIP)
Ray <[EMAIL PROTECTED]> wrote:

For Check Point, assuming all firewalls are Check Point:

If all firewalls are Check Point products, it's supremely easy to manage all of them. CP uses a concept they call a "VPN community" where all of the VPN setup is done once. As firewalls are added to the community, they are configured for all of the IPSec and NAT settings in one place and use certificate authentication. You can still control traffic flow between individual firewalls independently if desired. You can use hub-and-spoke or full-mesh in a community.

If you use Check Point's small diskless SOHO box for smaller offices, called the "Edge", all configuration is stored in a text file. If you have a device failure, you can simply plug in a new box and remotely import the text file into the new device and it's up and running. The Edges can also run in an HA configuration if you install two of them.

Check Point can handle a remote firewall that gets its IP address via DHCP from the ISP. It uses certificate authentication, so effectively the DHCP remote firewall is treated the same as a remote access laptop. Only the primary firewall needs a static IP address.

If you use Nokia for the firewall, it can store at least two copies of the operating system on the firewall. When you need to upgrade the OS, called IPSO (a BSD variant), you install the new IPSO image to the firewall while it's still running the previous version. Some time later, you can click "Test Reboot" and the firewall will reboot into the new IPSO image. If you fail to log in to the firewall within five minutes and click the button to keep the new IPSO version, the firewall will automatically reboot back into the previous version. This is a real worry-free method of upgrading or rebuilding remote firewalls. If you have a device failure, you can rebuild a firewall remotely from scratch in about an hour from when the drop-shipped unit arrives.

Multiple firewalls use a "distributed" configuration. Virtually all of the Check Point configuration (rules, user database, object definitions, etc.) is stored on a separate server known as the SmartCenter. You can rebuild a firewall remotely and then push the Check Point configuration to it from the SmartCenter. This greatly simplifies disaster recovery requirements since there is very little that needs to be backed up from the firewall itself (proxy ARP, interface configuration, routing table, etc.). I keep the backup information from the firewalls themselves stored on the SmartCenter (running Server 2003). I then export its configuration weekly and also create Ghost images of it for DR purposes. The Ghost images then contain all of the configuration backups for the SmartCenter and for each firewall. Burn it to a DVD and send it off-site.

The SmartCenter can be set up in a high-availability configuration by buying a second one, so if one is down, the firewalls can still be managed. If you only have one SmartCenter, all of the firewalls keep on doing their thing and they begin logging locally instead of sending the logs to the SmartCenter. The CRL and user database are cached on the enforcement modules, which is why everything can work while the SmartCenter is unavailable. I think the cache period is seven days for the CRL.

All firewalls send their logs to the SmartCenter for easy, integrated review and monitoring. We also use Eventia Reporter, which takes all of the logs from the SmartCenter, combines them into a MySQL database and provides a report generator. SmartView Monitor lets you look at each firewall and evaluate how it's performing, bandwidth in use, historical performance, etc.

If you're going to be using it for remote access, SecureClient has a feature called Visitor Mode. Visitor Mode encapsulates all of the IPSec protocols and traffic in a single HTTPS connection. If you have a lousy home router or a hotel where only web browsing is allowed, Visitor Mode still allows full remote access capability.
We have a JV partner that uses Cisco. Our execs have commented that they will be sitting side-by-side with the JV employees in a hotel or airport and they can connect using Visitor Mode, but the JV employees cannot get their Cisco VPN connections to work.

SecureClient has a remotely configurable and manageable personal firewall to protect the laptops. SecureClient can send its logs to SmartCenter for integrated monitoring, the same as a firewall.

HTH,
Ray

>From: The Security Freak
>Reply-To: Mailing list for discussion of Firewall-1
>To: [email protected]
>Subject: [FW-1] Site to Site VPN roundup ?
>Date: Sun, 23 Jul 2006 16:22:44 +0300
>
>I'm currently managing a large project that covers around 50 sites (10 big
>ones / NOC / SOC) and 40 small ones for VPN Site 2 site
>
>The company I'm working for has issued an RFP on the subject and we are
>down to 4 VPN vendors
>
>I got to admit that I have a complete picture but still would like to learn
>from you VPN (and Firewall) gurus what are the pros and cons of the 3 major
>vendors
>
>(Check Point / Cisco / Juniper)
>
>Mind you guys, I'm looking for bullets and not the whole 9 yards
>
>Thx
>
>Tsecfreak
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================
