General discussion

Locked

Firewall decision

By DBchicago ·
I am currently looking at either a PIX or a Cybergurad firewall installation to protect my private network & DMZ> We have approx. 100 hosts, an internal Mail Server, 2 internal Web Servers & a VPN & some fairly complex security req's.. PIX is definitely the more cost-effective solution, but Cyberguard boasts superior technology & protection. any opinion on this? Has anyone installed the PIX firewall in an environment similiar to this? How is it working?

Thanks.

DB

This conversation is currently closed to new comments.

5 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

We use a PIX

by davidpmartin In reply to Firewall decision

I maintain a PIX firewall for our ourganization (PIX 525) and I wouldn't be without it. Setting it up to run from inside to outside is pretty easy - you can get it up with about 8-10 commands (Cisco claims 6 but that would be absolute bare bones).The tricky part about setting up a PIX is not the inside to outside configuration - but more work has to be done if you have connections that start from remote locations to you. I do everything at the command line (using version 5.2 of the PIX software), but I understand that Cisco has a GUI included for its latest version. I'm so sold on the PIX I use the PIX 501 for my home network.

With your configuration I would recommend the PIX 515. Also make sure that all your fix-up protocol statements are put in - make sure the version you by supports the DMZ (it should, but the older PIX models had inside, outside only).
You have granularity on the PIX down to the source IP and port, and destination IP and port so you can set up some VERY complex security rules. The biggest task with a PIX is planning - if you plan your rules right - setting up the PIX config file is not that hard - and once you set it up - you can forget it. I might spend 1-2 hours a month making configuration changes - sometimes less than that if I don't need computers to be 'seen' on the outside.

Collapse -

stay away from PIX

by TNINO210 In reply to Firewall decision

I have 200 host, exchange 2000 server and 4 web servers and 100 vpn connections. Stay away from PIX- it is very hard to configure unless you have plenty of time to do it. I am using Checkpoint firewall which takes sometime to configure but it doesa good job. If you do not have time available I would go with the Sonicwall - Very easy to configure and does the job. I do not know anything about cybergaurd.

Collapse -

Go with PIX

by wgraver In reply to Firewall decision

DB,
I'm a network consultant who works for a major consulting firm in the Chicago area.

We almost exclusively use PIX firewalls for both our own NOC/network/hosting site and our customers. Over the last several years, we have had no problems with any of the PIX, nor have we experienced any security breaches.

While there is some credence to the statement that "pix is hard to set up," it really isn't if you're familiar with Cisco IOS. At any rate, you could either use the Cisco documentation or employ the services of a reputable and experienced consultant.

I have to admit that I'm not familiar with Cyberguard.... but at least it isn't a software firewall. Every company in the world, though, claims that their product has "superior technology & protection," so I'm a bit pessimistic.

At any rate, I'd recommend going with PIX for a few reasons:
1. It works and is secure when set up properly
2. It has wide acceptance in the industry
3. It has broad industry support.... you can find people/consultants who actually know how to set it up & use it
4. You mentioned that it was less expensive than the Cyberguard.

One other consideration:
Security should be addressed in a layered manner -- firewall, hardened routers, isolated subnets, etc. This can be difficult to do properly if you don't have the right equipment or experience. Have you considered hosting your web/mail/other services with a hosting company? We provide these services to many of our clients and it seems to work well for their businesses. Perhaps it might make sense for you too.

If you'd like to discuss these matters further, let me know and we could talk.

Bill
wgraver@ciber.com

Collapse -

Only Check Point + Kavado

by alon In reply to Firewall decision

I would recomend that you use Check Point NG FW-1 as this is the most flexible and robust and easy to handle fw available. Pix is limited when you want to grow and supports 3 nic's. I would also advise the use of InterDo from Kavado to protect your web sites.

Alon Moritz,
Moozatech IT Systems Ltd.
alon@moozatech.com

Collapse -

by lyle148806 In reply to Firewall decision

All firewalls have their good and bad points.

We use PIX as the base "packet filter level" as it can easily handle the through put.

CyberGuard, for its proxies, to provide a level of control well above the packet filter level. For the same reasons we all so use Gauntlet. I have found that the CyberGuard is a little bit easier to configure, but is not as adaptable as the Gauntlet.

CheckPoint, is usually the easiest to configure and the easiest to fault find, there new NG builds using Linux are easy to build up, but the base appears to be missing some things that "I" like to have, but it is not hard to added them latter.

All up, I prefer CheckPoint, BUT it is a "horses for courses" thing, and you should look at the initial costand ongoing cost of each.

It is a case of they all ‘suck” just some suck less then others.

Back to Security Forum
5 total posts (Page 1 of 1)  

Related Discussions

Related Forums