CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1
2008-11-01
spacyfreak (Junior Member)
Looking for the "perfect" FW VPN Enterprise Solution

My favourite at the moment is Juniper Netscreen 5400 Cluster as "all-in-one"-Solution, distributed over different Locations with centralized Management.
Other option would be Cisco ASA or Cisco Router for IPSEC and Checkpoint as FW.
Users about 50.000 / FW Rulez 1500 / IPSEC Peers about 150

I need:
- minimal Downtimes, also when doing Upgrade of FW / VPN Device
- good Support
- centralized Management of FW / VPN Cluster / Ease of use
- good troubleshooting tools and understandable logging / reporting
- high compatibility with other IPSEC vendors for site-to-site vpn (no remote access)
- "all-in-one"-Solution with future-option to distribute services (fw / vpn) over different hardware-nodes but using centralized unified management

Why would YOU recommend to use Checkpoint as FW / VPN Solution?

Last edited by spacyfreak; 2008-11-01 at 10:22.

#2
2008-11-02
chillyjim (Senior Member, Upstate NY)
Re: Looking for the "perfect" FW VPN Enterprise Solution

**Disclaimer -- I do work for Check Point, but I try to be as honest as I can be. I am also a Cisco CCSP and former Gold Partner **

Quote:
Originally Posted by spacyfreak
Users about 50.000 / FW Rulez 1500 / IPSEC Peers about 150
This should not be a problem for Juniper or Check Point. ASA is a little more limited on the lower end models. I would have to question why you need 1500 rules though.

Quote:
I need:
- minimal Downtimes, also when doing Upgrade of FW / VPN Device
- good Support
- centralized Management of FW / VPN Cluster / Ease of use
- good troubleshooting tools and understandable logging / reporting
These are the VPN-1 strong points. Check Point is consistently rated the best management (SmartCenter & Provider-1). There are a good number of troubleshooting tools, though some of them do hide a little.

Quote:
- high compatibility with other IPSEC vendors for site-to-site vpn (no remote access)
This is the Cisco strong point, but in general you should not have issues with current Check Point code and current code from the other major vendors. There are a lot of posts on CPUG about VPN issues and most of them come down to Check Point's "supernetting" of IPs in a given IPSec SA. This is now an option that can easily be turned off for compatibility. Use it though when connecting to another Check Point. It can really lower memory and CPU usage for a large VPN network.

Quote:
- "all-in-one"-Solution with future-option to distribute services (fw / vpn) over different hardware-nodes but using centralized unified management
This is what Check Point does. If you want an all-in-one to start out, the UTM-1's are your answer, but with the size you are talking about, the Power-1's with external management is probably a better option.

Quote:
Why would YOU recommend to use Checkpoint as FW / VPN Solution?
1. Ease of use -- Fewer mistakes in the configuration
2. Scalability -- More so of the Management Scalability as all the major vendors can push more traffic than most Internet connections can handle
3. The option to deploy on my hardware as well as on the custom built hardware from Check Point, as appropriate for a given site.
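
Added example, not part of the original thread and not Check Point code: a small model of the "supernetting" trade-off mentioned in post #2, showing why merged subnets mean fewer IPsec SAs but can fail against a peer that insists on exact subnet pairs. The subnets are constructed, and both the merge rule (`ipaddress.collapse_addresses`) and the strict-peer behaviour are assumptions made for illustration.

```python
import ipaddress
from itertools import product

# Constructed sample encryption domains (not from the thread).
LOCAL = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
REMOTE = ["192.168.10.0/24", "192.168.11.0/24"]


def selectors(subnets, supernet):
    """Networks a gateway would propose as Phase 2 traffic selectors."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    if supernet:
        # Assumed model of supernetting: merge adjacent or nested subnets
        # into the fewest prefixes that cover exactly the same addresses.
        return list(ipaddress.collapse_addresses(nets))
    return sorted(nets)


def sa_pairs(local, remote, supernet):
    """One (local, remote) selector pair per IPsec SA pair to negotiate."""
    return list(product(selectors(local, supernet), selectors(remote, supernet)))


def rejected_by_strict_peer(proposed, local, remote):
    """Proposals refused by a peer that only accepts the exact subnet pairs
    it has configured (assumed peer behaviour)."""
    configured = set(sa_pairs(local, remote, supernet=False))
    return [pair for pair in proposed if pair not in configured]


if __name__ == "__main__":
    for mode in (False, True):
        pairs = sa_pairs(LOCAL, REMOTE, mode)
        bad = rejected_by_strict_peer(pairs, LOCAL, REMOTE)
        print(f"supernet={mode}: {len(pairs)} SA pairs, {len(bad)} rejected")
        for l, r in bad:
            print(f"  selector mismatch: {l} <-> {r}")
```

With 150 peers the same arithmetic is what drives the memory and CPU difference; a selector mismatch of this kind is the first thing to check when a tunnel to another vendor's gateway completes Phase 1 but fails Phase 2.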

All times are GMT -7.