Replacing Checkpoint firewalls with HP or Cisco switch controlled ACL's?

(OP)
Morning
I work for a manufacturing company with multiple sites. I have been asked to investigate replacing our existing Checkpoint firewalls (running on aging hardware) as the upkeep and management is very expensive. As far as I can tell, all we are using them for is to provide traffic management between the different subnets at our manufacturing sites, and some VPN access.
We have another secure option already working for the VPN access, we just need to control the cross talk between subnets locally at each site. Would a layer 3 managed switch from either Cisco or HP work for this situation, or am I looking at this the wrong way?
At the moment, it is all about saving money. I just want to make sure that what I recommend will do the same job as the current Checkpoint devices are doing.
Thanks.


RE: Replacing Checkpoint firewalls with HP or Cisco switch controlled ACL's?

A couple of questions to ask -
- who will be managing the new device?
- what are their skills? (Cisco, Juniper, etc....)

RE: Replacing Checkpoint firewalls with HP or Cisco switch controlled ACL's?

(OP)
Hi Vince
Well, if we could go with setting up ACLs on, say, the HP ProCurve series of switches, which we are familiar with, we could support it internally. The question really is whether this setup would provide a similar outcome.
If this would not work, we could look at a managed switch / device by Cisco; we have access to third-party Cisco support staff at a fairly low cost, so that is an option as well.
The preference is to keep the ongoing costs down. I just don't want to put our head on the chopping block to save money!
Thanks.

RE: Replacing Checkpoint firewalls with HP or Cisco switch controlled ACL's?

The support issue is important.

As far as security goes - what are the security zones?
Are any of them fully public?
Are any security-classified in any way?
Do any involve legal obligations to 3rd-parties?

On the whole, unless any of the above apply, then, using access lists on your "Core" switch which does all your inter-VLAN routing should be OK. Not brilliant, but OK.

On the other hand, if you have chassis-based switches, you might be able to add a firewall module to them.

Or, replace your existing firewalls with something cheap and simple. First, figure out your throughput requirements, then find a Cisco ASA, Juniper SRX, etc... to cover those requirements, then compare prices and check them out to see how hard they are to administer.

RE: Replacing Checkpoint firewalls with HP or Cisco switch controlled ACL's?

Taking Vince's questions into account, another thing to consider is that if all you need to do is filter based purely on port and protocol, then you could do it via ACLs. If you have to filter at the application level, then you will need an application-level firewall/appliance, which most of the current products are today.

So, for example, needing to filter port 21 (FTP), or 53 (DNS), etc... from one subnet to another, or doing it for specific hosts or a range of hosts... no issue with ACLs. Needing to allow one application that runs over port 80, but disallow another that runs over port 80, would require an appliance that does application-level filtering.
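
Here is what the port/protocol filtering described in this reply, applied on the inter-VLAN routing core switch suggested earlier in the thread, looks like as a Cisco IOS extended ACL. This is a constructed example added to the thread, not configuration from any poster; the VLAN numbers, subnets and server address are assumptions.

```cisco
! Constructed example: office VLAN 10 (10.1.10.0/24) talking to production VLAN 20 (10.1.20.0/24).
! Entries are evaluated top-down; the first match wins and anything unmatched hits the implicit deny.
ip access-list extended OFFICE-TO-PRODUCTION
 remark DNS to the production DNS server only (assumed address 10.1.20.53), UDP and TCP
 permit udp 10.1.10.0 0.0.0.255 host 10.1.20.53 eq 53
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.53 eq 53
 remark block FTP control and data from the whole office subnet into production
 deny   tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 21
 deny   tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 20
 remark HTTP is allowed as a whole: an ACL cannot tell two port-80 applications apart
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 80
 remark explicit final deny with logging so hits show up in the switch log
 deny   ip any any log
!
! Apply inbound on the office VLAN interface so traffic is filtered as it leaves VLAN 10.
interface Vlan10
 ip access-group OFFICE-TO-PRODUCTION in
```

Switch ACLs are stateless: if a matching ACL is ever applied in the reverse direction (inbound on Vlan20), the return half of each permitted flow must be allowed there too, or the permits above will appear to fail.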

RE: Replacing Checkpoint firewalls with HP or Cisco switch controlled ACL's?

(OP)
Thanks for the input guys. We really only need IP based filtering in place, the firewalls are only being used at the most basic level at the moment, so they are just directing traffic between subnets. Nothing special.

RE: Replacing Checkpoint firewalls with HP or Cisco switch controlled ACL's?

Just sitting in a Security class - apparently packet-based filtering is almost *worse* than useless. I think I agree...

What risk are you addressing?

Maybe you don't need any filtering at all?

After all, presumably you are on an AD Windows domain, everything is locked down with AD authentication, etc... What role can packet filtering play for you?

In my last job, working as an organisation's network person, I was often asked to implement access lists to separate VLANs, but ultimately, hardly any of these requests ever became reality once I looked to see if there was a reason why.

I did a few other things, though, which you should look into:
1/ Enable Radius authentication on all network equipment
2/ Enable Spanning-tree everywhere (yes, they had almost 2000 devices running on a network with no spanning-tree...)
3/ Enable DHCP snooping on every network switch

I didn't manage to get 802.1x implemented.
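
The three measures listed in this reply, shown as a constructed Cisco IOS access-switch configuration added to the thread (not any poster's own config); the RADIUS server address, VLAN numbers, interface names and placeholder secrets are assumptions.

```cisco
! 1/ RADIUS authentication for device logins, with a local account as fallback
!    so the switch stays manageable if the RADIUS server is unreachable.
aaa new-model
radius-server host 10.1.1.5 auth-port 1812 acct-port 1813 key RADIUS-SHARED-SECRET-PLACEHOLDER
aaa authentication login default group radius local
aaa authorization exec default group radius local
username fallback-admin privilege 15 secret LOCAL-FALLBACK-PASSWORD-PLACEHOLDER
line vty 0 4
 login authentication default
 transport input ssh
!
! 2/ Spanning-tree everywhere: rapid PVST on every VLAN, and edge ports shut down
!    if a BPDU arrives (a user port plugged into another switch).
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
! 3/ DHCP snooping: only the uplink may carry DHCP server replies; client ports
!    are rate-limited so a rogue or looping host cannot flood DHCP.
ip dhcp snooping
ip dhcp snooping vlan 10,20
interface GigabitEthernet1/0/48
 description uplink to core
 ip dhcp snooping trust
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping limit rate 15
```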
