
[FW1] Re:





I must have missed something here.  I implement the Checkpoint version of
the Nokia box quite frequently - the VPN-1 Remotelink.  The 250 user
firewall costs about $12K including the checkpoint licensing, with the only
other expense being a single firewall management station costing $2K.  The
only additional expense is implementation, which I usually peg at three to
five days, including network assessment and establishment of a security
policy, installation, configuration and haggling with the ISP.  On a flat
250 user network, I see no problem with using it as the Internet access
router as well, although there are obviously benefits to having a router
outside the firewall for more complex networks.

The management station is licensed separately because it is a separate
product - it provides the policy and manages the logging functions.  There
has been some talk of enabling the loading of the management station on the
Nokia platform itself, but for now, figure you will need a separate PC.





>I am curious as to where you ended up with all of
>this. Obviously, I hope it is a Nokia!

Well, the project has been delayed somewhat mostly due
to budget constraints.  This software gets very
expensive:

About $12k for the Nokia box;
About $12k for a 250-seat license of Firewall-1;
ANOTHER $12K for some sort of management station
software, which everyone insists we need but can't
really tell me why.

You know, I don't mind paying for good software, but
this is really highway robbery.  Even mega-premium
super-expensive Cisco will sell me a
fully-hardware-redundant PIX for about $17K with all
the options I want (on two boxes, yet), and I can get
away with $12K if I don't do redundant (which I can't
get on the Nokia box).   An UNLIMITED user license is
$3K.   And those are list prices: I can probably get
at least another 25% off.

You know, Checkpoint really makes good software and I
like it a lot, but I just don't think I'm going to be
able to get $35K appropriated for a new firewall.
And I don't think I'm willing to fight this fight,
because I'm going to have to fight AGAIN for ANOTHER
chunk of cash when I exceed 250 IPs.   If I buy a PIX,
I don't have to pay another dime, no matter how big
this office gets.   That is the kind of solution I
want... a SOLUTION, not a ticking time bomb.

On the other hand, the Checkpoint solution is probably
cheaper over the long term -- once we have invested
the initial $35k, we can add extra sites for $5k or
so, assuming we're willing to run them on NT.   I'd
have to cough up $12k/site for PIX boxes.

So I'm kind of stuck.  This is much more expensive,
IMO, than it should be.  Hell, I can do a decent
stateless firewall for free with Linux, and I can even
get VPN running with FreeS/WAN.   It's not wonderful
-- I think Linux NAT leaves a lot to be desired, and
writing Linux firewall scripts is about as much fun as
putting your hand in a blender.  As a pure firewall,
though, it's not bad, and it lets me massage
individual packets however I wish.  Like with most
Linux things, it's painful to set up, but then it just
runs and runs.  And it is developing faster than any
software product I have ever seen.

I'm not arguing that Linux is as good as Checkpoint --
it's honestly not even in the same league -- but $35K
pays for an awful lot of time.  And that's a lot of
money we can't use for other projects.

When a company makes Cisco look cheap, you know there
is a problem. :-)

I'm open to comments.  We have a substantial budget
here and I can probably get this cleared if I argue
persuasively enough -- but right now I am massively
unconvinced that this is a smart way to use that much
money.   I think I'm just buying an ongoing expense,
not a solution.  Checkpoint seems very greedy to me.

-- BD



================================================================================

     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================




