Re: Personal FireWall

3t-sharif · ‎02-05-2004

We are looking for an easy to configure Personal Firewall to work with:

1) Cisco CVPN 3005 - i.e. to protect user PCs when the VPN back to the office from Remote Internet site

2) PIX - for same reason as in 1.

3) Protect user PCs when they have connected to the Internet while away from office (& do not VPN to office).

I know Cisco recommends/allows these firewalls, Cisco VPN Client firewall (too basic for us), Zone Alarm pro, BalckICE, Sygate.

Please give pros and cons of these from your experience, so we can select the best one for our needs.

Thanks a lot.

scoclayton · ‎02-05-2004

Hi,

I realize that I am a bit biased on this but if you are going to look at deploying a host based firewall application, you may want to take a look at Cisco Security Agent. This is a product we recently aquired (formerly Okena) and have integrated into our Self Defending Netowrk strategy (assume you have seen the commercials). It provides all of the functions of a host based firewall plus much, much more. The VPN 3000 has a hook built into it that will require (if enabled) that CSA be running before a VPN client is allowed to connect. CSA will also have the Network Admission Control functionality built into it in the next release that will allow your network devices to query the host for virus .dat levels, SP levels, etc... before connecting to the network whether it be via VPN, wired, wireless, etc...

Anyway, don't want to sound to salesman-y but I thought I would toss it in if you are looking to deploy something in this space. Might be worth talking to your local Cisco account team and seeing a demo. I assure you, you will be impressed. Hope this helps.

Scott

PS - If you have any other questions concerning CSA and do not wnat to use this forum, please feel free to shoot me an e-mai off-line at sclayton@cisco.com

shannong · ‎02-05-2004

I recommend the CSA as well. If has file integrity checks (think Tripwire), inbound/outbound connection control, executable control, email policies, and a whole lot more. It is recognized by VPN3000s.

It's a policy based approach that allows you to define behaviors based on machines types, users, etc. The agent pulls the policy from the Management Center where all the policies are managed.

I don't know what you mean by the personal firewall must work with the Pix. Whether or not a client or other network has a firewall is transparent to any other network layer device. There aren't any concerns here that I can think of.

3t-sharif · ‎02-05-2004

Thanks a lot guys.

Regarding "...personal firewall must work with the Pix..." I know in CVPN 3005 you can select to disconnect a VPN user in he/she does not use one of the firewalls listed. I wonder if you can do this in PIX.

I do know about CSA but this client is looking for one of the firewalls I listed (BlackICE, Sygate, ZoneAlarm). The client may use this personal firewall at many none cisco sites and/or just for end users at home etc (and never coming be in any office or VPN to any office).

I will look at CSA for other clients, but for now, please give some feedback on the non-Cisco personal firewalls.

Thanks again.

shannong · ‎02-05-2004

I like Zone Alarm, but I haven't had any enthusiastic feedback from others about particulary liking one over the other.

The Pix cannot check for the firewall like the VPN3000 can. I'm sure NAC will be able to check for this at the router level. NAC is not yet available though.