| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| My existing environment is as follows: 1. Checkpoint NG, as default gateway for all corporate clients. The gateway sits between the router that connects to our ISP, and the corporate LAN. The product code is CPCES-CO-STANDARD, annual recurring charges of S$4,915. 2. A Packet Shaper 300 device sitting between the Checkpoint Firewall and the corporate LAN, for packet shaping, for example blocking P2P traffic, video and radio traffic, and cap 60% for HTTP use, 20% for MSN use, etc. The device has a yearly recurring cost of S$1,880. 3. Windows 2000 RAS server for VPN access for roaming users. The RAS server also sits between the router that connects to our ISP, and the corporate LAN. I am looking for a solution that would integrate all the 3 above and also antispy and antivirus, and network-to-network VPN to my offices in Shanghai and Dubai. On top of that I need a fault-tolerance solution, in that 2 boxes are being used as gateway but do the same things so that if one box is down, the other continues to serve, with no impact on the service. The problem that I have experienced with Checkpoint is the lack of support: whenever I need to ask a question, I don't know who to look for, and there is also very little information on the Internet. Those vendors who supposedly provide support for Checkpoint have little knowledge on the subject, and when I asked for technical support directly from Checkpoint, there is a subscription of 4,000 per year. I am sure there are cheaper solutions and yet support is readily available. Last edited by SingChung; 2007-06-25 at 01:43. |
| |||
| Sounds like you need a cluster of UTM-1 boxes. But management must be on a separate box (like a Linux server or something). There are cheaper options from other vendors, like NetScreen and the like, but you need to check if you want to keep Check Point. |
| |||
| I agree UTM-1 looks right for you, but some other questions for you: - How many users do you have protected by the firewall? - What is your Internet connection speed? - Are you looking for firewalls in the other locations as well? - If yes, what are the connection speeds & number of users at these sites? - In the case of a systems failure of the firewall, do you require the connections to transparently fail over to the backup box or can the connections be dropped and reestablished? **This makes a BIG difference in cost** Besides the UTM-1 and the VPN-1 UTM platform there is the VPN-1 UTM Edge (soon to be renamed, praise the appropriate deity) as options for sites requiring less than 30Mbps VPN throughput. These are the products comparable with Netscreen, Fortinet and the other SOHO acting as enterprise class gateways. From a support standpoint, you are showing the SKU for collaborative standard support which gives you 24/7 backline support with Check Point. If you are having support problems PLEASE let your Check Point account rep know. |
| |||
| Quote:
1. There are 70 users being protected by the Checkpoint Firewall. 2. Internet connection at 4Mbps. 3. No, other locations are too small, Shanghai has 3 users, Dubai 2. The network-to-network requirement from Shanghai and Dubai is due to users needing to access UNIX application and printing from UNIX to local printers. 4. Manual switchover, such as bringing one box down for maintenance purposes, doesn't affect the users. Can you elaborate what is 24/7 backline support with Checkpoint? I don't even know who my Checkpoint Account Rep is. Is it the vendor? Is Microsoft ISA worth looking at? Last edited by SingChung; 2007-06-25 at 10:24. |
| |||
| ISA can do a lot... opinions vary, I personally don't like it. I doubt anyone here will recommend it either. Your user counts and bandwidth are quite low, you can probably use small/cheap boxes all around. The most important thing to consider, besides the solution fitting the requirements, is how comfortable you will be managing it. Make sure you get proper training included in the project, also that you get a good reseller that knows what they are doing. Many security devices are badly deployed/configured and that is a major issue. |
| |||
| Item #2 can be accomplished by the Checkpoint Floodgate/QoS add-on to the firewall. It's managed by the same GUI as the module. One big difference from the Packeteer is that Floodgate does not do auto-classification for you. You need to define each policy yourself. Other than that it seems to work just fine. |
| |||
| Quote:
Any small/cheap boxes that you can recommend? The most important part is what concerns me most: we have been using Checkpoint since 1999 but with bad experiences, not because of the product but the support that comes with it; those 'Checkpoint experts' are just not competent enough. I find that people need to play with the technology in a LIVE environment to be skillful and competent; playing and learning in the lab or classroom can't go far. |
| |||
| Quote:
|
| |||
| Based on what you described, a Sofaware Safe@Office 500 would be the right box (See http://www.sofaware.com/overview.asp...=140&objId=100) With it you can get subscriptions for Anti-virus, Anti-spam, content filtering and Application Intelligence (SmartDefense). List price on the website is US$999.99 (Unlimited users). The 5 user version goes for about US$225. This is the same hardware/software that the VPN-1 Edge box uses, it just cannot be managed from SmartCenter. As for ISA, outside of MS I don't think you will find any reputable company recommending it as a primary security device. MS's track record should be enough to dissuade anyone from that. |
| |||
| Quote:
The Packetshaper can be a crude firewall that allows you to deny all bandwidth to a particular port, but it would be difficult to manage that way for a large deployment. Good luck. |
| |||
| From the pricelist today (27 June 2007): Check Point FloodGate-1 Add-on for VPN-1 UTM Gateway - 1 Site CPUTM-QOS-1 I $1,500; Check Point FloodGate-1 Add-on for VPN-1 UTM Gateway - 3 Sites CPUTM-QOS-3 I $3,000; Check Point FloodGate-1 Add-on for VPN-1 UTM Gateway - 5 Sites CPUTM-QOS-5 I $4,500 |