Basic firewall functionality: Check Point's maturity shows through

By Joel Snyder, Network World

SonicWall failed our BGP testing because we were unable to fully synchronize the SonicOS dynamic routing with our systems. In general, SonicWall's support for anything beyond OSPF and RIP protocols is half-hearted at best. For example, one of the reasons we had problems making BGP work properly was that SonicWall does not offer documentation on the dynamic routing system. If you want to use SonicWall in a dynamic routing environment, stick to Open Shortest Path First, which is better documented and supported. In the case of Barracuda NG Firewall, BGP isn't supported at all.

Our evaluation of global management put the Check Point Security Gateway on top by a wide margin. Check Point has always required a centralized management system for their enterprise firewalls, and their experience shows when compared with less sophisticated and less complete products. As part of our testing, Check Point sent along their "not quite a SIEM" product, SmartEvent, which we recommend highly for any "next generation" focused deployment. SmartEvent is a critical component in analyzing the logs from Check Point firewalls; without it, you've got logs but no way to understand traffic flows and patterns.

SonicWall's Global Management System is a huge help in synchronizing firewall configurations, maintaining consistency of objects, and collecting traffic information. Anyone with more than a handful of SonicWall firewalls should strongly consider adding Global Management System to their deployment and management toolkit. Since the SonicWall internal log system is very limited in its capacity, external log analysis through tools such as Global Management System is critical for any debugging or reporting.

Neither Barracuda nor Fortinet sent their global management systems. Barracuda told us that their global management system for the NG Firewall, called Control Center, was primarily useful in defining complex VPN configurations and in analyzing log files from multiple firewalls. Fortinet offers two different management appliances for the FortiGate firewalls, FortiManager (for device management) and FortiAnalyzer (for log analysis).

FortiAnalyzer is a log receiver that replicates and extends the reporting available on the FortiGate itself. Because the FortiGate has a very sophisticated reporting engine and database built in, we got a good feel for what the FortiAnalyzer was able to do. Anyone who wants to run reports on a FortiGate should add a FortiAnalyzer to their shopping basket. Mixing an SQL database and a firewall in the same box is a recipe for disaster in all but the smallest deployments, making the FortiAnalyzer a "must have" for enterprise users who want to know what is going on with their firewalls.

Originally published on Network World.