I am looking to buy two hardware-based firewalls for my corporate network. We have two T1s and host a bunch of websites. Can someone recommend any appliances that they have worked with and done some penetration testing against? Thanks, DMK
DMK pounded out on the keyboard on or about 21-Dec-04 16:20:
We use CheckPoint FW-1 with Application Intelligence on Nokia IP530s for our 10,000+ folks and it accomplishes this with ease. Of course there are smaller Nokia IP systems that work well, too. We have deployed IP130s for remote offices with a need for public access to local servers at their site and back to the main office, and that works fine. We have IP330s in use for protection inside the WAN against non-authoritative access. Also doing a new install of an IP330 at a department for them to separate themselves from the internal WAN. Seems to be the way folks are going. The best way to approach this is to decide the parameters you require of the firewall, allowing for growth and flexibility, and write yourself up a Request for Proposal and submit that out to bid. Then judge the bids on the parameters you defined and select the best fit for yourself. Do some research and go from there.
I use PPTP for VPN directly to the firewall and have rules for user access there. I also use the VPN Client with some clients, but not as many as using PPTP.
I have web content filtering in place at every location, and I have it set up by default with users at fixed IPs or users that authenticate to the firewall being less/more restricted as needed.
I have the SMTP Proxy set up to remove all types of virus attachments from inbound email.
I run Symantec Mail Security on all Exchange Servers to filter email.
For spam, I don't use the firewall, but I do block MANY foreign subnets, which blocks some. I use SMS (Symantec) for spam detection and blocking by RBL.
A number of our clients are utility companies; they have passed Homeland Security Network Security Audits with some of the highest marks in the country. Specifically, we were told that our networks were more secure than any facility they had reviewed and that we passed all tests.
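The post above mentions blocking spam sources by RBL. As an added illustration of how such a DNS-based blocklist lookup actually works (this is example code, not the poster's configuration or any vendor's product), the block below builds the reversed-octet query name, asks a resolver for it, and treats only a 127.0.0.0/8 answer as a listing. The zone name `dnsbl.example` and the answers in `SAMPLE_ZONE_DATA` are constructed placeholders so the code runs offline; the optional `_system_resolve` path is what you would use against a real zone.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional

# Constructed placeholder zone; a real deployment uses the zone published
# by whichever RBL operator the site subscribes to.
DNSBL_ZONE = "dnsbl.example"


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone.

    Example: 192.0.2.10 -> 10.2.0.192.dnsbl.example
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def _system_resolve(name: str) -> Optional[str]:
    """Live lookup: return the A record for `name`, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str = DNSBL_ZONE,
              resolve: Optional[Callable[[str], Optional[str]]] = None) -> bool:
    """Return True when the DNSBL answers with an address in 127.0.0.0/8.

    `resolve` maps a query name to an A record (or None). It defaults to the
    system resolver; tests inject a canned resolver instead.
    """
    if resolve is None:
        resolve = _system_resolve
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False  # NXDOMAIN: not listed
    # RBLs signal a listing with a loopback-range answer. Anything else is
    # treated as a dead or wildcarding zone and is NOT trusted as a listing,
    # so a broken blocklist does not start rejecting all mail.
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


# Constructed sample answers standing in for an RBL's responses.
SAMPLE_ZONE_DATA = {
    "10.2.0.192.dnsbl.example": "127.0.0.2",  # listed
    "20.2.0.192.dnsbl.example": "10.0.0.1",   # bogus non-loopback answer
}


def sample_resolve(name: str) -> Optional[str]:
    """Offline resolver over the constructed zone data."""
    return SAMPLE_ZONE_DATA.get(name)


def check_senders(ips: Iterable[str],
                  resolve: Callable[[str], Optional[str]] = sample_resolve) -> List[str]:
    """Return the subset of `ips` that the DNSBL lists."""
    return [ip for ip in ips if is_listed(ip, resolve=resolve)]


if __name__ == "__main__":
    # 192.0.2.0/24 is documentation address space; only .10 is listed above.
    print(check_senders(["192.0.2.10", "192.0.2.20", "192.0.2.30"]))
```

The non-loopback check is the practical caveat: an RBL zone that is retired or wildcarded can answer every query, and a mail gateway that accepts any answer as a listing will then reject all inbound mail.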
Can't comment about the Watchguard as I've never used it, but I can comment on some bits based on my Netscreen/Sonicwall/Fortinet experiences:
Beware, most GW AV is an "in the wild" subset. Some FW vendors use in-house AV development, which makes me suspect they're using freeware AV lists (Sonicwall & Fortinet). On the Netscreen the full-blown engine they use has a performance hit.
Most are based on a third-party service, which usually means it's good. If it's not a known third party (i.e. Netscreen's is Surf Patrol, can't remember who Sonicwall uses) stay away.
Looks pretty crappy on most platforms. It's usually based on IP blacklists and simple word/phrase matching. Nothing like the dedicated anti-spam platforms.
When you don't properly quote part of what you are replying to, people have no idea what you are talking about. This is not email, it's public, like going into the train station and shouting and hoping that someone shouts back without ever seeing who/where.
I've been around the security field for a while. A lot of what's been mentioned may work, but Sidewinder is the way to go for complete security. Nobody that's worked with it can deny it, truthfully. Check out Secure computing dot com. Peace.