Re: [FW-1] Licensing
Hi,

The CheckPoint Licence was interpreted in different ways over the years..... PhoneBoy's book has a paragraph from the new license, which is now clear that it applies to _all_ IP hosts behind the firewall, whether they go through them or not....

Here is a pretty good analysis, it's old and does not apply to the new licence, but still worth a read (Netrex sold CheckPoint so their version is going to be tight, more money and the spirit of this doc is reflective of the new tighter license).

http://netrex.actionwebservices.com/technical_support_private/pdfs/licensing.pdf

Even with this new tight licence one can architect things so that you are in full compliance with the licence.... Clearly as the licence says you can't NAT or do routing stuff to avoid the licence.... but you can do the following.... if possible....

Let's say one has a B2B type situation:

External Firewall (unlimited) because more than 250 users surf through.....
    |
    |
    |======Internal B2B firewall (CheckPoint FW-1 25 node Lic.) ----- less than 25 nodes behind internal B2B firewall....
    |
    |
Internal network w/users more than 250....

In the above, the internal B2B firewall has a single interface that mediates access. This set-up can present some security issues (with DMZ, mail/web) as you effectively lose the second firewall as a layer (single Firewall tech, or not: single above for illustration purposes...)

This is about all you can do with the new tight licence, and while you can use 3 or 4 quad NICs on the up front unlimited firewall, along with layer 3-switches, to isolate traffic to B2B.... this approach can increase complexity and reduce security (lose the B2B layer, as a wall, internal packets go through....)

It just makes sense to pay the cash, and not try and design around the license....

Technical non-Unlimited Licensing issues:
====================================

In the end the: "Too Many Internal Hosts" issue is a pain, just pay the cash for unlimited.

Keep in mind, if you run Solaris 2.7, with StoneBeat and less than Unlimited FW-1 Lics, FullCluster will not work...... and you will have loads of issues..... it will half work... then not work... work with temp StoneBeat Lics.... then not.... again, worth it to just pay for the full unlimited Lic....

Given the above, my experience has been, just go for the unlimited Lic, if you feel, or think you need it.... saves loads of hassle in the end....

[Taking the Lic to a lawyer is always the best solution........ however....]

-Bye

Joe McGean
Technical Security Architect
Allianz, Ireland
www.allianz.ie

Don <[email protected]> on 18/04/2002 16:05:34

Please respond to Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
cc: (bcc: Joe McGean/AGFIL/AGF)
Subject: Re: [FW-1] Licensing

> The last time I purchased fw-1, I was quoted a price based on number of
> public IP addresses (ie, not the number of clients or dmz hosts).

This was absolutely wrong.

> I've got 3 quotes at the moment, one of which using the above licensing
> model, the others using the reverse (ie. number of LAN clients).

CheckPoint is licensed based on the number of hosts that it protects, that is all hosts not on the external interface. This includes VPN connects, hosts on other networks that might go out through this firewall etc.

-Don