Firewall Wizards mailing list archives
Firewall/VPN recommendation for (Ex-) Gauntlet reseller
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Tue, 26 Sep 2000 10:47:25 +0200 (CEST)
Hi Wizards!

I'm seeking a little advice on commercial firewall products with integrated VPN function.

We have a strong background with TIS/NAI Gauntlet firewalls. I really like the one proxy per service approach - from a security viewpoint as well as in terms of configuration. We have a couple of customers with Gauntlet on Solaris.

I'm looking for a new "strategic" product for a couple of reasons:

- We need IPsec VPN built in to the firewall and from what I've heard/read people get "mixed/interesting" results with Gauntlet and PGPnet. We are an F-Secure Solution Provider, so interoperability with F-Secure VPN+ on the client side is a check item.
- NAI sales, support and pricing sucks - nuff said. If it wasn't for gauntlet-user and Meenoo, we'd have dumped the product long ago.
- I haven't heard a single success story with Eppliance and a hot standby/failover implementation yet.
- CVP 2.0 would be nice, so we could offer our fine F-Secure virus scanners ;-)
- The quality of Gauntlet software leaves a little bit to be desired. :-/

When selling Gauntlet I always argued strongly about how proxies were much more secure _by_design_ than stateful packet filters. OTOH a generally good design doesn't help a lousy implementation. And there seems to be quite a bit of good information about FW 1 on the net - like Lance Spitzner's site, just to mention one.

So I'm currently in the process of dumping my religious preference of proxies and investigating SPF firewalls as well. ;-) Especially the Nokia box looks very interesting. Another candidate is Cisco's PIX. We are Cisco Premier Certified, so this would fit our portfolio nicely.

So, what do you think would fit an "old fart" Gauntlet reseller with 10 years of experience in the Unix and networking business and selling Gauntlet since 3.0?

Must have:

- IPsec VPN integrated
- CVP 2.0 or integrated virus scanner
- If not an appliance but on top of a general purpose OS, we need Solaris support. We don't do NT, period.
- If appliance, then an entry level version for less than 5,000 USD should be available for SMBs
- Hot standby/failover configuration available
- Configurability with command line access only and a well documented set of configuration files/scripts. Not that I would never use a nice GUI, but it must be possible to configure _everything_ through SSH _if_needed_.

Thanks for any comments/opinions,

Patrick

--
--- WEB ISS GmbH - Scheffelstr. 17a - 76135 Karlsruhe - 0721/9109-0 ---
------ Patrick M. Hausen - Technical Director - hausen () punkt de -------
"Contrary to popular belief, penguins are not the salvation of modern technology. Neither do they throw parties for the urban proletariat."

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards