[isapros] Re: OT: Checkpoint HTTPS Termination

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 25 Aug 2006 09:55:30 -0500

Dude,

I'm telling you, there's a rich and fertile psychiatric study when it
comes to Netscreen, Cisco and Check Point firewalls and what the suckers
are willing to spend on them. Why do you think you get such a reaction
formation when you're trying to even suggest an ISA firewall? It's because
they have a complex belief system which is full of inconsistencies, and
is held together with the "magic" you spoke of. If you try to dispel the
"magic", then the weak belief system loses its coherency, and you end
up with the emotional equivalent of what you see in a chemical reaction
when a more complex molecule ends up with two simpler molecules or
atoms.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> (Hammer of God)
> Sent: Thursday, August 24, 2006 10:03 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: OT: Checkpoint HTTPS Termination
> 
> But yet, there is some "magic" presented... Some "yes, but this is
> 'Checkpoint'" and people foot the bill. I mean, I know checkpoint is a good
> product, but the last engagement I was at for a power company required the
> client to get an additional network card for some Nokia/checkpoint box and
> it cost them $25,000.  Yes, Twenty-Five-Thousand dollars to add another
> network segment to the box.  There was obviously some other mojo involved
> with some license to do something, but I've got to say-- sometimes I think
> some of these guys are going straight to hell for the earthly raping of
> their fellow man - or am I missing something?  That goes beyond rape,
> actually... That's getting it right in the neck.  Where is the
> justification?
> 
> t
> 
> 
> 
> 
> On 8/24/06 5:30 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
> 
> > Not impossible at all. I've been heads down in the lic'ing fees
> > Netscreen, Blue Coat and Cisco charge, and all I can say is "one is born
> > every minute" to go with one of those solutions if the ISA firewall
> > provides the customer's required functionality, and at a fraction of the
> > price.
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
> >> Sent: Thursday, August 24, 2006 7:24 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: OT: Checkpoint HTTPS Termination
> >> 
> >> jeepers! and I thought saving one of my clients 7.5k for 700 users with a
> >> customised ASP solution instead of GFI archiving was impressive, but 50k
> >> that's unpossible.
> >> 
> >> Greg
> >> 
> >> ----- Original Message -----
> >> From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> >> To: <isapros@xxxxxxxxxxxxx>
> >> Sent: Friday, August 25, 2006 10:17 AM
> >> Subject: [isapros] Re: OT: Checkpoint HTTPS Termination
> >> 
> >> 
> >>> Hey, it's only $50,000 for 500 users.  How can you call that "gouging?" :\
> >>> 
> >>> ISA, here we come.
> >>> 
> >>> t
> >>> 
> >>> 
> >>> On 8/24/06 4:45 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
> >>> 
> >>>> Tim,
> >>>> 
> >>>> Reviewing my compete doc, you can have SSL termination and initiation if
> >>>> you introduce Connectra. CP is famous for gouging the poor sap customer
> >>>> in additional lic'ing fees for every basic application layer inspection.
> >>>> In order to get some Web proxy capabilities, you need to license their
> >>>> "Web Intelligence" product.
> >>>> 
> >>>> If you find out more info on this, I'm all ears.
> >>>> 
> >>>> Thomas W Shinder, M.D.
> >>>> Site: www.isaserver.org
> >>>> Blog: http://blogs.isaserver.org/shinder/
> >>>> Book: http://tinyurl.com/3xqb7
> >>>> MVP -- ISA Firewalls
> >>>> 
> >>>> 
> >>>> 
> >>>>> -----Original Message-----
> >>>>> From: isapros-bounce@xxxxxxxxxxxxx
> >>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> >>>>> (Hammer of God)
> >>>>> Sent: Thursday, August 24, 2006 6:09 PM
> >>>>> To: isapros@xxxxxxxxxxxxx
> >>>>> Subject: [isapros] OT: Checkpoint HTTPS Termination
> >>>>> 
> >>>>> 
> >>>>> Pardon the OT, but I've got a customer using Checkpoint who has retained me
> >>>>> to audit/oversee the deployment of a new application in the DMZ.
> >>>>> 
> >>>>> Based on what I do all the time with ISA, the client and I both assumed that
> >>>>> the Checkpoint box could do HTTPS termination in order to perform
> >>>>> protocol-level HTTP filtering.  We also assumed that the checkpoint box
> >>>>> could then forward HTTP to the DMZ for IDS/NetMon logging.
> >>>>> 
> >>>>> It seems, however, that the Checkpoint firewall admin cannot confirm
> >>>>> Checkpoint's capability to perform this function.  Given all the hubbub
> >>>>> about Checkpoint, it seems that it's odd that ISA can perform a function so
> >>>>> well that Checkpoint does not even support.
> >>>>> 
> >>>>> Can anyone out there confirm this?  This could be a great opportunity for me
> >>>>> to officially introduce ISA into the company (which I would love) but I want
> >>>>> to make sure I'm doing the best job for the client before I just spend the
> >>>>> money (or request that they spend the money) if this is something that
> >>>>> Checkpoint can do.
> >>>>> 
> >>>>> The goal is to terminate HTTPS at the Checkpoint box, perform app level
> >>>>> filtering (like ISA's HTTP filter), then forward the HTTP traffic to a
> >>>>> single segmented DMZ network so that the IDS/NetMon boxes can log the
> >>>>> traffic via the switch/Nokia monitor ports.
> >>>>> 
> >>>>> Thanks.  Oh, any specific references would be great so that I can share them
> >>>>> with the client.
> >>>>> 
> >>>>> t
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>> 
> >>>> 
> >>>> 
> >>>> 
> >>> 
> >>> 
> >>> 
> >>> 
> >> 
> >> 
> >> 
> >> 
> > 
> > 
> > 
> 
> 
> 
> 
> 
