Recommendations

We have to either renew the licence on our Checkpoint Firewall-1 NG (and upgrade it) or change to another software solution for our firewall setup.

Our approximately 25000 users pay for internet, some of them use a pay-as-you-go system. At the moment the accounting is done by custom programs that read the active connections in the FW memory. We have two problems with the present setup:

1. FW-1 does not connect the user and the traffic in memory or always in the logs. Only the source IP. So it is impossible for us to handle accounting for different users using the same IP.

2. FW-1 does not end active connections immediately after a user has logged off.

We are in the process of evaluating different options. One of them is NuFw - an open source product.

Any recommendations of other products you know of will be appreciated.

Regards
Johann
--
Johann Spies Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"Children, obey your parents in the Lord: for this is right." Ephesians 6:1

Re: Recommendations

Hi,

How much of a turnkey solution are you looking for? If you have the time to sit down and do some development and integration, then using PF on OpenBSD would give you an awesome solution...

I don't think it will be a very big project; look at integrating usernames/IP addresses (or anything else) with PF's anchors ...

--
ttyl
Paolo

Johann Spies wrote:
| We have to either renew the licence on our Checkpoint Firewall-1 NG
| (and upgrade it) or change to another software solution for our
| firewall setup.
|
| Our approximately 25000 users pay for internet, some of them use a
| pay-as-you-go system. At the moment the accounting is done by custom
| programs that read the active connections in the FW memory. We have
| two problems with the present setup:
|
| 1. FW-1 does not connect the user and the traffic in memory or always
| in the logs. Only the source IP. So it is impossible for us to
| handle accounting for different users using the same IP.
|
| 2. FW-1 does not end active connections immediately after a user has
| logged off.
|
| We are in the process of evaluating different options. One of them is
| NuFw - an open source product.
|
| Any recommendations of other products you know of will be appreciated.
|
| Regards
| Johann

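One way to build what Paolo suggests, as an added example that is not part of the thread or of any poster's code: each logged-in user gets their own PF anchor whose rules are labelled with the username, so the per-label counters from pfctl -sl are attributed to a user rather than only to an IP, and on logoff the anchor is flushed and the user's states are killed at once instead of waiting for the idle timeouts (Johann's second problem). It assumes OpenBSD pf, an internal interface em1, a main ruleset containing anchor "users/*", and that one user holds an IP at any one time; the pfctl -sl sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): per-user PF anchors for accounting
# and immediate state teardown on logoff. Assumes OpenBSD pf with
#   anchor "users/*"
# in the main ruleset, so each user gets the sub-anchor users/<name>.
# Assumed internal interface name; adjust for the real firewall.
INT_IF=em1

# Emit the rules for one user's anchor. The label carries the username,
# so "pfctl -sl" counters are attributed per user, not just per IP.
gen_user_rules() {
    user="$1"; ip="$2"
    printf 'pass in quick on %s from %s label "user:%s"\n' "$INT_IF" "$ip" "$user"
    printf 'pass out quick on %s to %s label "user:%s"\n' "$INT_IF" "$ip" "$user"
}

# Login: load the user's rules into their anchor (pfctl reads stdin with -f -).
user_login() {
    gen_user_rules "$1" "$2" | pfctl -a "users/$1" -f -
}

# Logoff: flush the anchor and kill all states with that source IP now,
# rather than letting them age out on the firewall's timeouts.
user_logoff() {
    pfctl -a "users/$1" -F rules
    pfctl -k "$2"
}

# Reduce "pfctl -sl" output to "user bytes" lines. Column layout of -sl:
# label evaluations packets bytes packets_in bytes_in packets_out bytes_out states
account_from_labels() {
    awk '$1 ~ /^user:/ { sub(/^user:/, "", $1); total[$1] += $4 }
         END { for (u in total) printf "%s %d\n", u, total[u] }' | sort
}

# Constructed sample of "pfctl -sl" output (two rules for alice, one for bob)
# so the accounting step can be demonstrated offline.
SAMPLE_LABELS='user:alice 10 120 48000 60 8000 60 40000 2
user:bob 4 30 9000 15 1000 15 8000 1
user:alice 3 20 2000 10 500 10 1500 1'

demo_accounting() {
    printf '%s\n' "$SAMPLE_LABELS" | account_from_labels
}
```

On the real firewall, the login/logoff daemon calls user_login and user_logoff, and a periodic job feeds pfctl -sl into account_from_labels before resetting the counters.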
Re: Recommendations

On Jun 24, 2008, at 1:40 AM, Johann Spies wrote:

> We have to either renew the licence on our Checkpoint Firewall-1 NG
> (and upgrade it) or change to another software solution for our
> firewall setup.

I would upgrade. Keep things simple with what you already know.

> Our approximately 25000 users pay for internet, some of them use a
> pay-as-you-go system. At the moment the accounting is done by custom
> programs that read the active connections in the FW memory. We have
> two problems with the present setup:
>
> 1. FW-1 does not connect the user and the traffic in memory or always
> in the logs. Only the source IP. So it is impossible for us to
> handle accounting for different users using the same IP.
>
> 2. FW-1 does not end active connections immediately after a user has
> logged off.

1) What would be an acceptable connection teardown timeout value?
2) Active connections will time out or tear down within minutes of a connection.

> We are in the process of evaluating different options. One of them is
> NuFw - an open source product.
>
> Any recommendations of other products you know of will be appreciated.
>
> Regards
> Johann
> --
> Johann Spies Telefoon: 021-808 4036
> Informasietegnologie, Universiteit van Stellenbosch
>
> "Children, obey your parents in the Lord: for this is
> right." Ephesians 6:1

Re: Recommendations

Hi,

From the problem you described, I find the customized accounting program is the main issue. You may want to upgrade/re-develop the program to make it charge by userid + source IP. If this will satisfy your requirement, then it is not necessary to change the firewall. Anyway, if you change the firewall, I guess you still need to make changes to the accounting program.

regards,
Rick
--
Information (In)Security @ Where It Matters - http://blog.rickzhong.com

On Thu, Jun 26, 2008 at 12:56 AM, Daniel Clemens <daniel.clemens@...> wrote:
>
> On Jun 24, 2008, at 1:40 AM, Johann Spies wrote:
>
>> We have to either renew the licence on our Checkpoint Firewall-1 NG
>> (and upgrade it) or change to another software solution for our
>> firewall setup.
>
> I would upgrade. Keep things simple with what you already know.
>
>> Our approximately 25000 users pay for internet, some of them use a
>> pay-as-you-go system. At the moment the accounting is done by custom
>> programs that read the active connections in the FW memory. We have
>> two problems with the present setup:
>>
>> 1. FW-1 does not connect the user and the traffic in memory or always
>> in the logs. Only the source IP. So it is impossible for us to
>> handle accounting for different users using the same IP.
>>
>> 2. FW-1 does not end active connections immediately after a user has
>> logged off.
>
> 1) What would be an acceptable connection teardown timeout value?
> 2) Active connections will time out or tear down within minutes of a
> connection.
>
>> We are in the process of evaluating different options. One of them is
>> NuFw - an open source product.
>>
>> Any recommendations of other products you know of will be appreciated.
>>
>> Regards
>> Johann
>> --
>> Johann Spies Telefoon: 021-808 4036
>> Informasietegnologie, Universiteit van Stellenbosch
>>
>> "Children, obey your parents in the Lord: for this is
>> right." Ephesians 6:1

Re: Recommendations

On Wed, Jun 25, 2008 at 07:55:31PM +0300, Paolo Supino wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> How much of a turnkey solution are you looking for? If you have the
> time to sit down and do some development and integration, then using
> PF on OpenBSD would give you an awesome solution...
>
> I don't think it will be a very big project; look at integrating
> usernames/IP addresses (or anything else) with PF's anchors ...

Thanks to you, Daniel and Rick for responding. I will certainly look at the PF solution on OpenBSD.

Regards
Johann
--
Johann Spies Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"For I am not ashamed of the gospel of Christ: for it is the power of God unto salvation to every one that believeth; to the Jew first, and also to the Greek." Romans 1:16