[ale] OT: Firewall purchase

Jonathan Rickman jdr at xcorps.net
Thu Jul 8 11:51:15 EDT 2004


> I'm certainly interested in a PIX if it does ospf and costs around 
> $500.

They start less than that, but read further...I have some other questions.

> > Number of remote VPN sessions?
> Fifty VPN sessions would be plenty.  But I'd like to use IPSEC for 
> both workstation to network and network to network VPNs.

How many are clients and how many are VPN peers (site to site)?

> I always pick 3DES but I can't really say it is necessary.  
> Most of the sessions will be ICA anyway.  So it's not quite as 
> crackable as telnet or some of the others.

If you're using Citrix, why not just use Secure Gateway and toss the
hardware VPN altogether? If CSG bothers you, you could just turn up the
session encryption on all the published applications to 128 bit. I run a
setup that looks like this:

Internet-->PIX-->CSG Server-->Checkpoint-->Metaframe_servers-->IPTables-->STA_server
(using CSG to secure traffic)

And another that looks like this:

Internet-->Checkpoint-->Citrix Web Interface-->PIX-->Metaframe_servers 
(using alternate addressing and 128bit encryption to secure traffic)

I am very comfortable with both of them.

The PIX 501 unlimited bundle will handle your setup if you go this route,
provided you have no more than 10 VPN peers. This package (Cisco
P/N:PIX-501-UL-BUN-K9) gives you unlimited users, 56-bit (DES), 168-bit
(3DES), or up to 256-bit (AES) encryption, and built-in IDS at layers 4-7.
Total price for this is currently $702.45 from my supplier. CDW has it
listed at $749.31. There are other bundles that have per-user licensing that
are less expensive, but having the unlimited bundle has benefits when it
comes to dealing with growth. If you want to, you can pick up a 501 chassis
off eBay and purchase the software/licenses individually. You might be able
to cut it under $500 that way. If it were me, based on what you've stated so
far, I'd pick up the 501 mentioned above, add a year of 24x7NBD support and
use CSG. YMMV.

--
Jonathan