Security Basics: Re: all-in-one vs one-on-each (feat. Commercial vs FOSS)

Re: all-in-one vs one-on-each (feat. Commercial vs FOSS)

From: John Jasen <jjasen_at_realityfailure.org>
Date: Wed, 28 May 2008 09:44:30 -0400

Alex wrote:
> Hello list,
>
> I would like some opinions, again.
> For a fixed budget would you go for
> * an all-in-one "Firewall" (FW+IPS+VPN+...), i.e. Checkpoint,
> * a dedicated, known and expensive firewall/gateway with the company of
> an Open Source solution for IPS, URL filtering etc?
> * a full Open Source solution (iptables,snort,ossec,squid etc) and
> spend the money elsewhere :)

Personally, I don't think that Checkpoint SmartDefense is an adequate
replacement for a decent IDS/IPS. That said ...

> The things that concern me are,
>
> Redundancy. I can live without IPS for a while but not without Internet
> ( and by "I" I mean "The Company")

Checkpoint offers a version of ClusterXL that supports higher
availability and load balancing. It does have a few limitations, but
isn't bad.

I'm not as aware of open source high availability solutions as I perhaps
should be.

> Scalability. Not only performance-wise but cost-wise too. I think that
> having to pay for every "extra feature" is going to lead to Open Source
> anyway...

Out of the gate, FOSS is going to cost less than a commercial all-in-one.

Whether or not a FOSS solution is better than a commercial one is
partially religious, and partially driven by what your staff can handle.

Whether or not it costs less by the time you get everything working
correctly is another matter. That is mostly driven by the experience,
willingness and talent possessed by your staff.

I.e.: if you have a pool of highly capable and willing IT professionals to
help build it out, FOSS probably will end up being cheaper and better.
If, forgive the phrase, you have a bunch of button-pushing reboot
monkeys, going the FOSS route will be painful and difficult.

That said, in regards to scalability, it depends on how much bandwidth
you think you're going to be pushing around -- now, and for the service
life of the solution (i.e.: about 3 years from now). However, in general,
both Checkpoint and FOSS scale pretty well (of course, with Checkpoint,
the more you want to scale, the more you have to pay!)

-- 
-- John E. Jasen (jjasen_at_realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
Received on May 28 2008