From: Ian N. <ia...@tw...> - 2004-12-07 18:38:12
Thanks for your reply Heiko. Answers inline...

On Friday 03 December 2004 03:13 pm, Heiko Zuerker wrote:
> Hi,
>
> my first questions are which kind of functionality do you need and how big
> is your environment?
> If you only look for firewalling, then we can serve you very well.
> VPN is also no problem, since Openswan is included in DL.
>

Currently I run two separate firewalls, one for the LAN and one for the DMZ. The LAN firewall has VPN support so that road warriors can get into the LAN, and through the LAN to the other firewall and into the DMZ. I'd like to convert that to two HA firewalls serving the DMZ and LAN together. I believe that this can be done with heartbeat and Devil Linux?

As for features, they are just running as firewalls (and NATing on the LAN); I've already converted the rule sets. So functionally moving to Linux shouldn't be too tough. And I can't stand upgrading the Checkpoint boxes, so I don't do it very often. With Devil Linux I can just burn a new ISO and reboot!

I'm only somewhat concerned that Linux as a firewall isn't as secure as a proprietary product like Checkpoint (who has huge market share and lots of people working on it). My bosses are more concerned about this point than I, but it is valid. Specifically, there is a feature in Checkpoint that verifies that TCP checksums are valid. Does Linux do that? Is that even important?

> Enterprise environments are most likely better supported by Checkpoint.
> But are they really? With Linux you can also set up an Enterprise
> environment, you just have to write a couple of scripts. Hell, we can even
> do that for you....
>
> We now also have 24x7 commercial support available if you're located in
> North America. So this shouldn't be a showstopper either.
>

I'll have to check that out. Thank you.

> My story I have to share:
> We actually had to move from Devil-Linux firewalls to Checkpoint on Nokia
> boxes (since my company got bought and the security policies didn't leave
> us a choice).
> When I helped migrate the old (iptables) rules to
> Checkpoint, I was quite disappointed. We actually had to remove a few
> rules, because CP didn't have the functionality...
>
> As I said, we need to know what you're looking for, then we can give you a
> much better answer.
>
> And if you donate 10% of the money you save every year to the DL project,
> you even ensure the continuous development... ;-)

That certainly is something that we could do. I've been trying to get my company to allocate money to the projects that we depend on, and have been successful in the past.

--
.......................
Ian Neubert
Director of IS
TWAcomm.com, Inc.
http://www.TWAcomm.com/
v: 714.845.1203
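The TCP checksum check that the message above asks about, as an added example (not part of the original thread, and not Devil Linux or Checkpoint code): a small Python verifier that does what a checksum-validating firewall does for each forwarded IPv4/TCP packet, recomputing the IP header checksum and the TCP checksum over the pseudo-header plus segment (RFC 793 / RFC 1071) and comparing them with the stored fields. The two sample packets are constructed by hand for this example, not captured from a network; their checksum values were computed by hand and are verified by the code. The `check_packet` and `flip_bit` names are this example's own.

```python
import struct

# Constructed sample 1: IPv4 packet carrying a bare TCP SYN from 10.0.0.1:40000
# to 10.0.0.2:80. Both checksum fields hold the correct values (IP 0x26cd, TCP 0xdf4f).
SAMPLE_PACKET = bytes.fromhex(
    "4500 0028 0001 4000 4006 26cd 0a00 0001 0a00 0002"   # IPv4 header, 20 bytes
    "9c40 0050 0000 0000 0000 0000 5002 2000 df4f 0000"   # TCP header, 20 bytes
)

# Constructed sample 2: same SYN with a one-byte payload, so the TCP checksum
# covers an odd number of bytes (IP 0x26cc, TCP 0x984e).
SAMPLE_PACKET_ODD = bytes.fromhex(
    "4500 0029 0001 4000 4006 26cc 0a00 0001 0a00 0002"
    "9c40 0050 0000 0000 0000 0000 5002 2000 984e 0000"
    "47"                                                  # payload "G"
)


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # odd trailing byte is padded on the right
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_header_checksum(header: bytes) -> int:
    """Checksum of an IPv4 header, computed with its own checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over pseudo-header (src, dst, zero, proto 6, TCP length) + segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]   # checksum field at offset 16
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def check_packet(packet: bytes) -> dict:
    """Report which checksums of an IPv4 packet verify.

    tcp_ok is None when the packet is not TCP or is a fragment (the TCP checksum
    can only be checked on the reassembled datagram).
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("truncated or malformed IPv4 header")
    header = packet[:ihl]
    stored_ip = struct.unpack("!H", header[10:12])[0]
    result = {"ip_ok": ip_header_checksum(header) == stored_ip, "tcp_ok": None}

    flags_frag = struct.unpack("!H", packet[6:8])[0]
    if packet[9] != 6 or flags_frag & 0x3FFF:      # not TCP, or MF set / offset != 0
        return result
    segment = packet[ihl:total_len]
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    stored_tcp = struct.unpack("!H", segment[16:18])[0]
    result["tcp_ok"] = tcp_checksum(header[12:16], header[16:20], segment) == stored_tcp
    return result


def flip_bit(packet: bytes, offset: int, bit: int = 0) -> bytes:
    """Return a copy of the packet with one bit flipped, to simulate corruption."""
    buf = bytearray(packet)
    buf[offset] ^= 1 << bit
    return bytes(buf)


if __name__ == "__main__":
    print(check_packet(SAMPLE_PACKET))                 # both checksums verify
    print(check_packet(SAMPLE_PACKET_ODD))             # odd-length segment also verifies
    print(check_packet(flip_bit(SAMPLE_PACKET, 33)))   # TCP flags byte corrupted: tcp_ok False
    print(check_packet(flip_bit(SAMPLE_PACKET, 8)))    # TTL byte corrupted: ip_ok False
```

Any single-bit corruption changes the one's-complement sum, so both flipped packets fail their respective check while the other checksum still verifies. On Linux the equivalent check for forwarded traffic lives in connection tracking: with the `net.netfilter.nf_conntrack_checksum` sysctl enabled (its default), packets with a bad checksum are put in the INVALID state, so a rule that drops `ctstate INVALID` discards them; packets delivered to the host itself are checksum-verified by the TCP stack regardless.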