
Replacing Checkpoint firewalls with HP or Cisco switch controlled ACL's?

Status: Not open for further replies.

bludbunny (IS-IT--Management, AU), Jul 2, 2002
Morning
I work for a manufacturing company with multiple sites. I have been asked to investigate replacing our existing Checkpoint firewalls (running on aging hardware) as the upkeep and management is very expensive. As far as I can tell, all we are using them for is to provide traffic management between the different subnets at our manufacturing sites, and some VPN access.
We have another secure option already working for the VPN access, we just need to control the cross talk between subnets locally at each site. Would a layer 3 managed switch from either Cisco or HP work for this situation, or am I looking at this the wrong way?
At the moment, it is all about saving money. I just want to make sure that what I recommend will do the same job as the current Checkpoint devices are doing.
Thanks.


 
A couple of questions to ask -
- who will be managing the new device?
- what are their skills? (Cisco, Juniper, etc....)
 
Hi Vince
Well, if we could go with setting up ACL's on say the HP Procurve series of switches, which we are familiar with, we could support internally. The question really is whether this setup would provide a similar outcome.
If this would not work, we could look at a managed switch / device by Cisco; we have access to third-party Cisco support staff at a fairly low cost, so that is an option as well.
The preference is to keep the ongoing costs down. I just don't want to put our head on the chopping block to save money!
Thanks.
 
The support issue is important.

As far as security goes - what are the security zones?
Are any of them fully public?
Are any security-classified in any way?
Do any involve legal obligations to 3rd-parties?

On the whole, unless any of the above apply, then, using access lists on your "Core" switch which does all your inter-VLAN routing should be OK. Not brilliant, but OK.

On the other hand, if you have chassis-based switches, you might be able to add a firewall module to them.

Or, replace your existing firewalls with something cheap and simple. First, figure out your throughput requirements, then find a Cisco ASA, Juniper SRX, etc... to cover those requirements, then compare prices and check them out to see how hard they are to administer.
 
Taking Vince's questions into account, another thing to consider is that if all you need to do is filter based purely on port and protocol, then you could do it via ACLs. If you have to filter at the application level, then you will need an application-level firewall/appliance, which most of the current products are today.

So for example, needing to filter port 21 (FTP), or 53 (DNS), etc... from one subnet to another, or doing it for a specific host or range of hosts... no issue with ACLs. Needing to allow an application which runs over port 80, but disallow another that runs over port 80, would require an appliance that does application-level filtering.

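An added example, not posted by anyone in this thread, of the port-and-protocol filtering just described, written in Cisco IOS extended-ACL syntax (HP ProCurve syntax differs in detail). The VLAN numbers, subnets and host addresses are constructed. It shows both points above: FTP can be blocked and a single web server opened between two subnets, but the switch only ever sees the 5-tuple, so two applications sharing TCP/80 to the same host hit the same line.

```cisco
! Constructed example: VLAN 10 = office subnet 10.1.10.0/24, VLAN 20 = plant subnet 10.1.20.0/24
ip access-list extended OFFICE-TO-PLANT
 remark Office hosts may resolve names only against the plant DNS server
 permit udp 10.1.10.0 0.0.0.255 host 10.1.20.2 eq 53
 remark Only the plant web server is reachable, and only on TCP/80. The ACL matches
 remark addresses and ports alone, so every application using TCP/80 to this host
 remark (wanted or not) matches this one line; that is the limit of packet filtering.
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.5 eq 80
 remark FTP control listed as its own deny so its hit counter and log entries are
 remark distinguishable from the catch-all below
 deny   tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 21 log
 remark Everything else bound for the plant subnet is dropped and logged
 deny   ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 log
 remark Office traffic to anywhere else (other sites, Internet) is untouched
 permit ip 10.1.10.0 0.0.0.255 any
!
interface Vlan10
 description Office SVI; "in" = packets arriving from office hosts
 ip access-group OFFICE-TO-PLANT in
```

The ACL is stateless and only filters the office-to-plant direction; return traffic is governed by whatever is applied on VLAN 20 (nothing here). `show access-lists OFFICE-TO-PLANT` gives per-line match counters, which is the quickest way to confirm the switch is seeing the flows the Checkpoint rules used to handle.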
 
Thanks for the input guys. We really only need IP based filtering in place, the firewalls are only being used at the most basic level at the moment, so they are just directing traffic between subnets. Nothing special.
 
Just sitting in a Security class - apparently packet-based filtering is almost *worse* than useless. I think I agree...

What risk are you addressing?

Maybe you don't need any filtering at all?

After all, presumably you are on an AD Windows domain, everything is locked down with AD authentication, etc... What role can packet filtering play for you?

In my last job, working as an organisation's network person, I was often asked to implement access lists to separate VLANs, but ultimately, hardly any of these requests ever became reality once I looked to see if there was a reason why.

I did a few other things, though, which you should look into:
1/ Enable Radius authentication on all network equipment
2/ Enable Spanning-tree everywhere (yes, they had almost 2000 devices running on a network with no spanning-tree...)
3/ Enable DHCP snooping on every network switch

I didn't manage to get 802.1x implemented.
 