Educause Security Discussion mailing list archives

Re: Checkpoint 13500 Next Generation Firewall/Security


From: Timothy Pierson <Timothy.Pierson () LIVE COM>
Date: Mon, 8 Dec 2014 08:36:48 -0600

Daniel,


Thanks.  I do agree that we do have a different traffic pattern than
corporate America and certainly the intensity of certain types of traffic
may be unique to a University environment and may need to be dealt with
differently during inspection.


Tim


From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Boyd, Daniel
Sent: Monday, December 8, 2014 8:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Checkpoint 13500 Next Generation Firewall/Security


First, let me say we do not have experience with this equipment, nor do we
have 14,000 students, so you can stop reading now if you are not interested,
but I wanted to offer some validity to the idea that Internet traffic is
different and devices don't all handle it the same way.


We've seen this before in our environment.  We tested a firewall product
from a vendor that will remain unnamed (not Checkpoint).  The throughput of
the device and the capabilities were easily ten times what we would ever
run, even at peak times, but this device fell on its face under the load of
our network, particularly the residence hall network.  Even when running
only parts of our network through it, it failed time and time again.  No
amount of software updates or configuration changes would make it work; both
we and their support engineers were baffled.  We went back to our original
vendor, Sonicwall (now Dell Sonicwall), for our solution and didn't look
back.


I think it proves that while network traffic might just be streams of data,
the way the designers expect traffic to flow determines their design and
optimizations, and when the device sees traffic that is radically different,
it could potentially not handle it and fall over.  That seemed to be the
case in our instance, as I had seen this firewall perform just fine on much
larger networks.  Sometimes the only solution is just to find another
vendor, but I know it is never that simple once a solution has been
purchased.


Just my $.02


Daniel H. Boyd (94C)
Senior Network Architect

Security Governance and Documentation Committee Chair
Network Operations
Berry College
Phone: 706-236-1750
Fax: 706-238-5824


There are two rules to follow with your account passwords:
1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!!
2. If unsure, consult rule #1
