Firewall Wizards mailing list archives

Re: OT: vendors please respond


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Fri, 26 Sep 2003 23:23:19 +0530

On 26/09/03 13:56 -0000, admin security Mehta wrote:
(Following Paul's reply, I will try to make a few generic points for the
archives).

> My company is looking for security devices for its network of
> branches.
> I posted this mail here because I need experts' choice.
> I was in doubt whether my earlier mail is posted or not so I
> subscribed for this mailing list to post my query.
>
> We are looking into the following features:
>     - stateful inspection firewall
>     - support most used applications (ALGs)
>     - Powerful attack detection engine
>     - VPN
>       a) IPSec/IKE
>       b) L2TP over IPSec to use WIN XP VPN client
>       c) LDAP, SCEP
>       d) Hub and spoke support

A few questions:

1> Exactly what is this firewall supposed to be protecting?
E.g.: Windows users from email-borne malware, Web browsers from
JavaScript-based attacks, database servers from direct Internet access....

2> What are the skill sets available in your organization?

3> Are you willing to hire new personnel if needed to expand the
available skillset?

4> Are you looking for a single device to do all this? Or will you be
willing to deal with multiple devices? Or perhaps multiple boxes with
command line management?

5> Are you looking for a single vendor to provide everything, or is mix
and match acceptable?

6> Do you need these at each location? Or one central location? Or
packet filters everywhere while all connections to the Internet go
through the main office which has ALGs available?

7> Do you need an IDS integrated with the firewall? A separate IDS? Do
you have a team of people who can deal with IDS reports? Do you need it
to be an inline IDS?

8> Do you need failover? Redundancy? Can you deal with downtime if a
system fails?

10> Do you need centralized management? Can each unit have its own
management interface?

9> Is a management GUI a must, or can command line controls work?

> NOTE: My company prefers Indian based products.

Indian based or locally supported? Right now, I know of very few
companies which make firewall products for all your requirements, though
I know a whole bunch of consultants who can mix and match a *BSD and/or
Linux solution to suit your requirements.

There are probably more questions you should be asking, but a basic sort
order would be:
1> Features you MUST have.
2> Features you SHOULD have, but you can do without if needed without
compromising on functionality.
3> Features it would be nice to have, but are really not needed for core
functionality.

Devdas Bhagat

[ My choice, as I have often stated previously would be a packet filter
in front, with ALGs for a few chosen protocols behind it. Branches have
simple SPFs, which VPN into the head office, and then allow further
access from there onwards. ]
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

