I'm putting on my flame-suit here, but I think we need to remember
that the basic premise of a firewall is to protect a company from those on
the outside. Controlling insiders from getting out is not the primary
objective of a firewall (although it is often needed). A firewall is
really not supposed to be a turnstile for your inside users.
Checkpoint's licensing policy is based upon this idea; that if you have a
small organization, you are looking to protect a few systems on the inside
from malicious intent. I prefer this to the PIX method of counting the
number of sessions. I am one of those people who has 10 ftp's and
multiple netscapes going (because I can get 10 times the data through my
T1 this way ;-) PIX's use of session counters means that my setting of 10
threads in my browser chews up 10 of those sessions. I also feel
Checkpoint's philosophy is more true to form of what the firewall is
supposed to be doing for the customer while not impeding a user's
unlimited use of connections and throughput.
While it is not the "cheapest" way the pricing could be interpreted, I never
truly consider the cheapest solution to be a good one (warning -
this does not mean I consider certain free software bad). When you boil it
down, PIX and Checkpoint (and most other products) are pretty much in the
same ballpark price-wise.
And I'm surprised that Sun told you $40,000 for a full blown license
(unless you've asked for the "kitchen sink" version). My price book shows
Unlimited (Internet Gateway Enterprise Security Center) for $19,000 list.
Upgrades would be $11,000 max.
Only unlimited Router modules and the "kitchen sink" (VPN, router,
Load Balancing) versions are more.
On Thu, 24 Jul 1997, Christofer Hoff wrote:
> Date: Thu, 24 Jul 1997 17:40:41 -0700
> From: Christofer Hoff <hoff @
> To: Daniel Rubin <djr @ com>, firewalls @
> Cc: djr @
> Subject: Re: Firewall-1 Limitations...
> At 2:26 PM -0400 7/24/97, Daniel Rubin wrote:
> >After much research and fighting with the support reps at Sun
> >we discovered that the Light Security Center License only supports
> >one external interface (terminology used for licensing purposes).
> >As a result it counted each host it received packets from on any
> >of the other interfaces as an internal host. That license only
> >allows 50 internal hosts. That license was about $5000.00 and
> >it turns out the license we needed is just about $40,000. Try to
> >sell that to management!
> I understand your frustration there -- I also have a problem with the manner
> in which FW-1 is licensed -- Checkpoint's philosophy differs from mine
> (go figure!) on the difference between IP nodes behind that firewall that want
> 'outbound' access through the internal interfaces vs. the "...number of
> nodes behind the external interface" routine CP pushes.
> >If we knew this earlier we would have just purchased a CICSO
> >enterprise router, which does just about everything the
> >firewall-1 software does.
> I'd beg to differ here -- If you can point me in the direction of this mythical
> CICSO (you do mean Cisco, right?) box, I'll be more than interested in
> evaluating it! We've got many a FireWall-1 installed here, and I've yet
> to find anything Cisco makes (including the PIX) that comes close to FW-1's
> balance of security, speed, management, and cost-of-ownership.
> Just my $0.02
> - ------.oOO--(_)--OOo.---------------------------------------------------
> Christofer L. Hoff \ No true genius is
> \ possible without a
> NodeWarrior Networks, Inc \ little intelligent
> \ madness!
> hoff @
> http://www.nodewarrior.net \ -Peter Uberoth
> "Nuthin' but Net!" \
> - --------------------------------------------------------------------------------
> 310.568.1700 vox - 310.568.4766 fax
Daniel Blander =8^)
Sr. Systems Engineer Applied Computer Solutions
Phone: (714) 842.7800 Fax: (714) 842.8299
Email: Daniel .