[ale] OT: Firewall purchase
David Hamm
ale at spinnerdog.com
Fri Jul 9 07:27:07 EDT 2004
On Thursday 08 July 2004 11:48 am, Jonathan Rickman wrote:
>
> How many are clients and how many are VPN peers (site to site)?
Not that many. We have a few people who want to work from home.
> If you're using Citrix, why not just use Secure Gateway and toss the
> hardware VPN altogether? If CSG bothers you, you could just turn up the
> session encryption on all the published applications to 128 bit. I run a
> setup that looks like this:
>
> Internet-->PIX-->CSG
> Server-->Checkpoint-->Metaframe_servers-->IPTables-->STA_server
> (using CSG to secure traffic)
>
> And another that looks like this:
>
> Internet-->Checkpoint-->Citrix Web Interface-->PIX-->Metaframe_servers
> (using alternate addressing and 128bit encryption to secure traffic)
>
> I am very comfortable with both of them.
I've never been comfortable with port forwarding. I know a lot of people do
it but I'd rather stay away from it if possible.
I've also experienced problems with local printer assumption in Citrix. One
way I stabilized a problematic accounting system was eliminating local
printer assumption and using only networked printers. Doing this had a
significant positive impact on Citrix server stability.
> The PIX 501 unlimited bundle will handle your setup if you go this route,
> provided you have no more than 10 VPN peers. This package (Cisco
> P/N:PIX-501-UL-BUN-K9) gives you unlimited users, 56-bit (DES), 168-bit
> (3DES), or up to 256-bit (AES) encryption, and built in IDS at layer 4-7.
> Total price for this is currently $702.45 from my supplier. CDW has it
> listed at $749.31. There are other bundles that have per-user licensing
> that are less expensive, but having the unlimited bundle has benefits when
> it comes to dealing with growth. If you want to, you can pick up a 501
> chassis off eBay and purchase the software/licenses individually. You might
> be able to cut it under $500 that way. If it were me, based on what you've
> stated so far, I'd pick up the 501 mentioned above, add a year of 24x7NBD
> support and use CSG. YMMV.
Thanks Jonathan. You mentioned licensing above. I really do have an aversion
to licensing with this type of equipment.
Another reason I liked the NetGear is it simplifies things a bit. The more
expensive units will connect to the less expensive units so the plan was to
purchase a more expensive unit for the "data center" and distribute the
inexpensive units to the remote locations and home users. There are no
road warriors in this company and providing an inexpensive firewall to home
users is attractive to me. It yields a little bit more protection. This
also fits in with only using networked printers in Citrix.
Thanks again for your help. The Cisco solution has some appeal especially if
it will talk to the $100 NetGears ( another source says it will ).
> --
> Jonathan
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
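For readers weighing the PIX-at-the-data-center / NetGear-at-the-branches plan discussed above, here is what the PIX side of one site-to-site tunnel looks like in PIX 6.3 syntax. This is an added example, not configuration from either poster or from Cisco documentation; the interface names, addresses (RFC 5737 documentation ranges), pre-shared key and map names are assumptions. It uses the strongest of the three cipher options quoted in the thread (AES) rather than DES, which is 56-bit and should not be used for new tunnels.

```text
! --- Assumed addressing (documentation ranges, not a real deployment) ---
! data center PIX outside: 198.51.100.1   inside LAN: 192.168.1.0/24
! remote NetGear outside:  203.0.113.2    remote LAN: 192.168.2.0/24

! Interesting traffic: only the two LANs, and exempt it from NAT
access-list VPN-TO-BRANCH permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list VPN-TO-BRANCH

! Let IPsec-protected traffic bypass the interface ACLs
sysopt connection permit-ipsec

! Phase 2 (IPsec) proposal: AES-256 + SHA-1 HMAC (assumed; 3DES is the fallback
! if the remote unit cannot do AES)
crypto ipsec transform-set BRANCH-SET esp-aes-256 esp-sha-hmac

crypto map BRANCH-MAP 10 ipsec-isakmp
crypto map BRANCH-MAP 10 match address VPN-TO-BRANCH
crypto map BRANCH-MAP 10 set peer 203.0.113.2
crypto map BRANCH-MAP 10 set transform-set BRANCH-SET
crypto map BRANCH-MAP 10 set pfs group2
crypto map BRANCH-MAP interface outside

! Phase 1 (IKE) policy: pre-shared key, AES-256, SHA-1, DH group 2
isakmp enable outside
isakmp identity address
isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The part that decides whether the $100 NetGear "will talk to" the PIX is the proposal match: the remote unit must offer exactly the same phase 1 (cipher, hash, DH group, pre-shared key) and phase 2 (ESP cipher and HMAC, PFS group if enabled) settings, and its local/remote network definitions must mirror the access list above. Each additional branch gets its own crypto map sequence number, peer, key and access list; the unlimited-user bundle discussed in the thread removes the per-user cap but not the 10-peer limit Jonathan mentions.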