Should I go for a firewall

Hi all,

I am part of the IT team for a software company. We develop/maintain software for a few customers around the globe. There are about 1000 employees in the org.

For security we are using a Checkpoint firewall on the perimeter.

Now, to improve security, we are thinking of going for an internal firewall also.

I plan to subnet the network into different projects. My requirements for the internal firewall are that different project teams should not access each other's network. Also there will be a subnet where common servers will be located, and this should be accessible. (VPNs for the client networks are handled by Checkpoint.)

My boss says an L3 switch with ACLs should be sufficient for the internal firewall, whereas I feel we should go for a Netscreen / Cisco PIX as the internal firewall.

Can I get the views of the people here as to the advantages or disadvantages of these 2 options? If there is any other suitable option that I am missing, please give that too.

Thanks in advance.

Venky

dvraghavan1
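Added example, not from anyone in the thread: what the "L3 switch with ACLs" option looks like in Cisco IOS-style syntax for the layout Venky describes. The addresses are constructed placeholders (10.1.0.0/24 and 10.2.0.0/24 for two project subnets, 10.100.0.0/24 for the common servers). The point it makes is that switch ACLs are stateless: return traffic from the servers has to be permitted explicitly, and the `established` keyword only checks TCP flags rather than tracking connections, which is the main thing a Netscreen/PIX/Checkpoint module adds.

```cisco
! Constructed addressing (placeholders, not from the thread):
!   VLAN 10  10.1.0.0/24    project A
!   VLAN 20  10.2.0.0/24    project B
!   VLAN 100 10.100.0.0/24  common servers
!
! Inbound on each project VLAN: allow traffic towards the common
! servers and the Internet, drop anything else inside 10/8
! (i.e. the other projects). Final deny catches spoofed sources.
ip access-list extended PROJECT-A-IN
 permit ip 10.1.0.0 0.0.0.255 10.100.0.0 0.0.0.255
 deny   ip 10.1.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 permit ip 10.1.0.0 0.0.0.255 any
 deny   ip any any log
!
ip access-list extended PROJECT-B-IN
 permit ip 10.2.0.0 0.0.0.255 10.100.0.0 0.0.0.255
 deny   ip 10.2.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 permit ip 10.2.0.0 0.0.0.255 any
 deny   ip any any log
!
! Inbound on the server VLAN: the ACL is stateless, so replies back
! to the projects must be allowed explicitly. "established" matches
! only TCP segments with ACK or RST set and does no connection
! tracking; UDP replies (DNS here) need their own line. Servers are
! deliberately not allowed to open new connections into the projects.
ip access-list extended SERVERS-IN
 permit tcp 10.100.0.0 0.0.0.255 10.0.0.0 0.255.255.255 established
 permit udp 10.100.0.0 0.0.0.255 eq 53 10.0.0.0 0.255.255.255
 deny   ip  10.100.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 permit ip  10.100.0.0 0.0.0.255 any
 deny   ip  any any log
!
interface Vlan10
 ip address 10.1.0.1 255.255.255.0
 ip access-group PROJECT-A-IN in
interface Vlan20
 ip address 10.2.0.1 255.255.255.0
 ip access-group PROJECT-B-IN in
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
 ip access-group SERVERS-IN in
```

The `log` keywords on the deny lines give a cheap way to see which cross-project flows the rules are actually blocking before deciding whether the stateless model is enough.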

snipped-for-privacy@yahoo.com wrote:
> internal firewall.

Not going to give my opinions on the 2 options, but we use Netscreens and PIX firewalls here, and given the choice I'd take Netscreens any day of the week. All our other hardware is Cisco.

Cisco FWSMs could be a good option if you have the right hardware in place (Cisco 6500s).

Kinda depends what you have already. With the right equipment you could probably do what you want for free, which is always a good benefit from a management / bean counter POV.

Chris

The new software for the PIX, version 7.0, has a feature called Layer 2 Transparent, which can help you a lot if you don't want to re-address your network.

Wayne

We segment the project teams' networks using simple NAT routers so that they can get OUT to the company services but no-one can get into their networks - at this time we have 8 different internal project networks with teams working in those networks.

If you want the teams to be able to VPN into their internal networks from home/hotel, then you need to set up the teams on a VPN router and let them work that way. The advantage is cost - $100 for a simple NAT/VPN router per network.

Leythos

In general that is a good idea.

Correct approach.

CP offers VLAN possibilities.

I'd not recommend using another platform for the internal filters. You say that you use Checkpoint, so you are probably used to it. You can manage a lot of firewall modules from a single central Checkpoint management server. Why do you want to introduce another platform besides Checkpoint?

Stick to what you are used to. Introducing another platform will mean more costs for administration, training, log analysis etc.

Wolfgang Kueter
