
RE: [FW1] Managing a lot of firewalls




The idea is to "get all the darned Internet traffic off our WAN backbone".
We are just embarking on VPN (site-to-site, client-to-site/secureremote)
and I don't know it well enough to contemplate the consequences of placing
VPN access points "all over the place". The plan, until I know enough to
change my mind, is to keep VPN traffic coming in at as few points as
possible. So I would imagine that it will be just FW bricks and not VPN.
As far as fail-over goes we aren't after anything fancy. Since we will
still have a private WAN backbone in place, the fail-over will be some
creative default routing changes to get the Internet-bound traffic aimed
away from a dead firewall and towards one of our other FWs that is still
breathing (not HA, stonebeat, rainwall, etc.).


----------------------------------------------------------------------------------------

Greg Winkler
Systems Manager, IT&S
Huntsman Corporation
Internet Mail: [email protected]
Voice:
Fax:

"Paul Secrest" <[email protected]>
Sent by: [email protected]kpoint.com
04/26/2001 06:50 PM
Please respond to psecrest

To: "Fw-1-Mailinglist" <[email protected]>
cc:
Subject: RE: [FW1] Managing a lot of firewalls

Greg,

Sumit is correct, the official you'll-see-it-on-the-test answer is 50
firewall modules.  However...

Are you going to be managing just FW-1, or will you, as most instances
entail, also be managing VPN-1, maybe Floodgate, with the occasional
RealSecure management software thrown on the same machine for good
measure? Will you be putting up one or two "bricks" per site? I typically
am seeing two with a crossover cable for state info and either high
availability software (ugggh) or an OPSEC approved layer 4 type load
sharing solution (Yeahh). As an aside, I like the Alteon 184 as it is the
only box I've seen that does load sharing, allows selectable 10/100/1000
ports, and supports rmon, port mirroring for IDS along with EtherChannel
port output to a Cisco router/switch.

Two per site adds up quickly, and with the number of sites you are talking
you might want to look into Provider-1.  If you are under 50 bricks, your
deciding factor might be how much processing capability exists or you are
willing to buy to put into your Management Station(s), and the speed of
its NIC and network connection if you will be hitting them over the net
using a GUI client.  Hope this helps.

Good luck,

Paul Secrest, RCDD CCSE
CTO World I.T. Solutions, LLC
Washington, D.C.
[email protected]
[email protected]
http://World-IT-Solutions.com



================================================================================

     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================











 
   All contents © 2004 Network Presence, LLC. All rights reserved.