| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
Hi all,

I need help concerning the following issues:

I have a VPN server running Windows Routing and Remote Access Service using PPTP. Users use the Windows built-in VPN client to connect to it from home. The remote site network also maintains a persistent VPN connection to this server. The traffic to this remote site network is also routed through the server using permanent routes on the client machine. There are some other routes too maintained on this machine.

I also have a firewall server running Check Point Firewall 1, which maintains the zone separation between Intranet, DMZ and Internet. It also manages many IP mappings through persistent routes.

I have 2 options, which are:

1) replace these two servers with a single hardware firewall appliance, e.g. Nokia IP260/265 or UTM-1, OR
2) install Check Point firewall software on a new server (since the Windows hardware is a bit old), since we already have a valid Check Point firewall license till 2008.

We would also like to continue using Windows Active Directory to enable or disable VPN connections.

My questions are:

1) What would you advise as per the best options?
2) What are the licensing options?
3) What are the pros and cons of choosing these?

I wanted to choose the UTM but wasn't sure about the licensing issues pertaining to the software. Any advice or link to comprehensive details about each product's performance issues will be very much appreciated.
| |||
Here is what I would consider:

Install Secure Platform on a new server

Get a nice 1U server or something, optionally get mirrored drives and you are off. (Mind that the RAID controller is supported by SPLAT.)

Pros:
- Cheap (no extra licenses, only server hardware)
- Good performance (SPLAT runs very fast, you don't need a super server)
- Single supplier for OS and Firewall (easier patching, etc.)

Cons:
- Requires more technical knowledge
- New hardware sometimes not supported (not usually a big issue)

Check Point on Nokia

The 26x series isn't that fast, but they are alright I guess. Get the disk one, unless you want to run the management on a separate box. Flash is cool, but only if you don't need logs.

Pros:
- Good support from Nokia
- Tried and tested platform

Cons:
- Expensive for what it is
- Must learn the Voyager interface and a bit of IPSO

Regarding UTM-1, it is SPLAT on a box, with some added features, like AV (CA engine) and web filtering (SurfControl I think, from R65). The hardware isn't that hot (the one I tested was a Celeron 1.5GHz with 1GB RAM).

So it comes down to the size of your organization, what you want to do with the firewall, your technical knowledge and what price you can get on changing your license from a "normal" firewall one to a UTM-1, should you want to go down that route. Costs and all that depend on what license you have now, etc.

Performance shouldn't be a big issue, since the Internet line tends to be the main bottleneck, but I'd guess SPLAT > UTM-1 > Nokia (for the stuff you are mentioning).
| |||
Hi,

I am in a similar situation. We are planning for a SPLAT with redundancy and we are yet to procure the list of line items. Can someone tell me what is required for the same in terms of licenses and hardware? It is a bit urgent.

I have a list with me now, please go through the details below...

| QTY | SKU | Description |
|---|---|---|
| 1 | CPMP-MEDIA-IS | Internet Security Product Suite CD ROM |
| 1 | CPPWR-CKP-5-U | Check Point Power - Mgmt and Gateway Bundle for 5 Sites & Unlimited Users (VPN-1 and SmartCentre bundle) |
| 1 | CPMP-CXLS-U | Check Point ClusterXL for Load Sharing Add-on for VPN-1 Cluster Unlimited Users |
| 2 | CPOS-SPRO-1 | Check Point SecurePlatform PRO for 1 Gateway |
| 1 | CPPWR-VPG-HA-U | Secondary VPN-1 Power Gateway Unlimited Users for High Availability |

Let me know if every line item mentioned above is necessary.

Thanks in advance
| |||
Yes, this is all that is needed for a two-node VPN load sharing cluster with the advanced routing suite. When deploying, please remember that with a cluster, your SmartCenter (Management server) must be run on a different server than the gateways.
| |||
The "5" in the license refers to the ability to manage 5 different firewalls. That bundle includes a management module for up to 5 fws and 1 unlimited firewall module (with VPN).
| |||
Hi all,

Thanks for your help. I have another question regarding licensing, which is this: if I purchase VPN gateway licenses for a Windows 2003 server platform, do I still need to pay for a SecuRemote/SecureClient license?

Thanks in advance
| |||
I would recommend not using Windows as your firewall platform, but to answer your question, SecuRemote is free, SecureClient costs and you can use PPTP if you really want to.

Note --> The UTM-1 appliance includes 5 SecureClient/SNX licenses