HungryHouse,
thanks for your comment. You are absolutely right about those points. I always like to look at things from several angles. And the easiest way is to comment on all your points.
Let's see where the ship will sink (that's what we say over here, BTW).
1. That's something I cannot argue.
We have several internal DMZs, a public DMZ, a private lan and no public lan.
As long as we have a Public DMZ, I agree about this point. But... (see Checkpoint comment below)
2. I agree
3. Backup and redundancy is our primary concern.
So I have a schedule to daily back up the config of all switches. Now I don't have to come out of my bed in the middle of the night...
Secondly, our core has 2 supervisor blades.
This box is to be replaced. We are thinking about a new one with 2 hot-standby supervisors or 2 smaller chassis.
All our important servers and internet access routers have 2 uplinks to the core.
That leaves us at the moment with one FW and the single switch blades.
So, if something fails, it's no disaster...
Firewalls: faster throughput is needed (not 100 Mb ports, but Gb).
So we could buy a gigabit FW, or a Checkpoint appliance.
We use VMWare ESX more and more. We have a cluster and a SAN. Fully redundant.
And now Checkpoint does have a FW appliance for ESX...
Hmm, isn't this a complete end of the discussion, throwing any comments in the trashcan?
(I must say, I love the idea)