certificationkits

[nicklauscombs]

Kind of hi-jacking the thread, but any recommendations on what and where to get Juniper firewalls to learn on?

SRX100 is the cheapest you can pick up new they sit around 600 or 700 bucks.

[sil]

Kind of hi-jacking the thread, but any recommendations on what and where to get Juniper firewalls to learn on?

SRX100 is the cheapest you can pick up new they sit around 600 or 700 bucks.

SRX is not the cheapest you can get, and the SRX is an altogether different platform from the SSG series. If you wanted to learn say ScreenOS on the Juniper side, you can pick up an older NS25 (http://www.ebay.com/itm/Lot-of-2-Juniper-Netscreen-NS25-big-brother-to-NS5-FW-VPN-Unlimited-Users-/221016001718?pt=US_Firewall_VPN_Devices&hash=item3375948cb6) which will run the latest versions of ScreenOS.

SRX' are more router gateways and run JunOS and if you haven't dealt with JunOS before, will give you a headache. For more on the pros/cons see the following thread: http://www.gossamer-threads.com/lists/nsp/juniper/23125

As for ASAs I try to avoid them. Checkpoint, same applies. However, since you want to tinker around, different story. VMWare had/has a checkpoint appliance you can fiddle with. It is not the same as say maintaining something like a Nokia IP series running checkpoint, but will get you familiar with it.

[knwminus]

Why don't you like ASAs?

[sil]

ASAs mungle "non-Cisco" VoIP so horrible. They have their pluses but NAT isn't one of them. I have seen them break their own Cisco Cube deployments as well. Overall they have been more of a headache then a lifesaver/help. Cisco does things really well when an entire infrastructure is Cisco down. They just don't play well with others

[knwminus]

What is your favorite firewall brand or solution?

[sil]

It depends, for high availability, I love Stonegates. They have the ability to keep a VoIP call up and running even if one provider on an interface goes down. I favor Juniper over Cisco because overall they play better with most equipment outside of their own brand. I also like Palo Alto, but they can be pricey. End of the day though, in a managed security service arena, one gets used to them all. So I have no issue dealing with most. I do have my preference when I am the designer.

[Agoonie]

ASAs mungle "non-Cisco" VoIP so horrible. They have their pluses but NAT isn't one of them. I have seen them break their own Cisco Cube deployments as well. Overall they have been more of a headache then a lifesaver/help. Cisco does things really well when an entire infrastructure is Cisco down. They just don't play well with others

It is funny you say that since I had a tough time with IPSEC tunnels with cisco/checkpoint and cisco/watchguard.  The phases were identical yet I still had to troubleshoot for ages.  I will eventually have to set up the same with some SSG's but hopefully will have a better experience. 

The last time I messed with Checkpoint, I learned with R60-R70 on servers.  I never messed with their appliances.  I think Sil is right, there are a lot of VMware appliance to learn from as far as firewalls too. 

[knwminus]

@Sil


@Sil

I am a shocked you didn't mention iptables of pf. Do you not like open source firewalls in the enterprise?

[bbel121]

I have had experiences with CertificationKits and ebay.  It ended up costing me more to purchase all the pieces seperately on ebay when you factor in shipping and then i found i got units with wrong memory that would not support some of the features i needed and did not have ios to do some of the commands i needed either.  Luckily this was when I just started with a basic 2 router kit.  The other big difference I found with CertificationKits is you don't have to spend hours trying to figure out all the little peices you need.  I don't know about you, but for me my time is valuable and ordering things from 15 different ebayers and tracking them was a PIA.  CertificationKits also included lots of very valuable study materials like their lab workbook, a cram type sheet and a subnetting workbook that really helped me understand subnetting.  Those books had to be worth $30 to $40 each and the cram sheet I would guess $10.  So when I took all that into consideration CertificationKits was basically the same price as eBay and a lot less hassle.  BTW, they helped me upgrade the kit I already had and I probably shot them 5 or 6 questions on concepts that were not making sense to me and they answered all the questions within an hour or so.  So that also made me very happy.

[SephStorm]

welcome to the forums I guess?!  Nothing suspicious here.

ANyway, I just briefly saw the discussion above, I would love to see someone give a tutorial on playing around with a few firewalls, virtual appliances or not. Anyone up to the challenge?