Thanks to all who responded. I'll summarize the responses: The Contivity is a pretty good VPN, and the firewall is OK. But it doesn't match a "real" firewall (very few people offered specifics as to why). Besides, it's always best to keep separate functions on separate hosts. Nortel's support got mixed reviews -- at best.

A source of external authentication, such as RADIUS, was also suggested.

My thoughts:

- These comments pretty much agree with my early assessment -- in particular, the fact that combining VPN and firewall eliminates a line of defense.

- I was curious about the oft-mentioned difference between this firewall and a "real" firewall. The only difference actually noted was the Contivity's lack of Intrusion Detection Signatures.

- I have some concern about the throughput of the box -- but that's on general principles, not on any data. I suspect that our DMZ will eventually outstrip the box's capabilities -- but by then we'll probably have added a separate firewall anyway.

Thanks again for your responses.

At 12:26 PM 12/19/01 -0600, HOULE, FRANCIS wrote:

>Monday, December 17, 2001, 7:52:16 PM, you wrote:
>
>It ain't that bad. The Contivity firewall is based on the Shasta, which
>was created by 2 ex-employees of Checkpoint. The way to proceed is
>like Checkpoint.
>
>pros: Stateful firewall, pretty good for VPN (DES, 3DES, L2TP, PPTP),
>can apply rules on inbound VPN. In the Contivity 600 you can add
>another Ethernet adapter and have a DMZ. So the box doesn't cost that
>much and represents a pretty good VPN box.
>
>cons: No IDS, no good support from Nortel. Nortel has a bad web site.
>
>I have implemented many Contivity 100/600/1600. I would tell you: if
>your main issue is VPN and you want a firewall by the way, I would
>suggest the Contivity.
>
>If you need a firewall as your main issue, and VPN is not major, use
>something else (Cisco PIX, Netscreen, CheckPoint).
>
>It's only my opinion, you can do what you want with it!
>
>--
>Francis