Thanks for your help,
To your first question, the answer is not easy.
I personally tend to agree with you that a centrally managed firewall, be it Checkpoint Integrity or another, would better fit a large company's needs. But that isn't what's done here. On the contrary, they like using Tivoli to take care of every aspect of deployment and updates, no matter how big they could be. Apart from this, our security team wants to make sure, upon connection to our Cisco VPN server, that the client has the firewall we've decided on with the configuration we've chosen. This particular need can only be met with either the Cisco firewall (which comes with the VPN client) or Zone Alarm.
I'll be working shortly on the second part of the question. For there might be a work-around: instead of blocking everything and then opening a specific port, I could open everything, then create 2 rules: the first as mentioned earlier, and the second to block everything.
by: davidis99, posted on 2005-03-05 at 03:20:20, ID: 13465302
1) I'm curious as to why you aren't using Checkpoint Integrity for a project of this size instead of ZoneAlarm (now also a Checkpoint product.) Integrity offers a major advantage for enterprise use over ZoneAlarm in having a Checkpoint Integrity server to define policies which are then distributed to the clients, providing the automatic configuration/distribution mechanism you're looking for. It also has an integrated VPN client, so you wouldn't have to worry about a separate software component (though you could use the Cisco client if you prefer that for working with Cisco's VPN server.)
2) In reading the manual for ZAP 5.5,
http://www.zonelabs.com/store/content/support/zap/zapMain.jsp?lid=ps_zap
I found nothing to indicate that you could create an application rule that restricts a particular application to a particular port. You can create expert rules governing specific ports, and you can create expert rules governing applications, but not a rule saying an application can only go out over a particular port.
3) If I were to make a recommendation regarding this, I would contact the ZoneAlarm sales rep. to ask the pricing on upgrading the ZAP licenses to the same number of Integrity licenses - I know from a prior conversation with my ZAP sales rep. that this is a feasible option.
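The two rule orderings from the question (block all then open a port, versus open all then allow-app-on-port followed by block all) and the port-versus-application distinction from point 2, simulated with first-match semantics. This is an added example, not code from the thread or from Zone Labs; the first-match evaluation, the wildcard handling, the application name vpnclient.exe and port 443 are assumptions, and the combined application-plus-port rule is modeled as hypothetical since the reply says ZAP 5.5 offers no such rule.

```python
"""Simulate first-match outbound firewall rules (assumed semantics, not
ZoneAlarm's real engine) to compare a port-only rule with an
application-plus-port rule and to show why rule order matters."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # wildcard for application or port


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "block"
    app: Optional[str] = ANY   # application name, or ANY
    port: Optional[int] = ANY  # destination port, or ANY

    def matches(self, app: str, port: int) -> bool:
        return self.app in (ANY, app) and self.port in (ANY, port)


def evaluate(rules: List[Rule], default: str, app: str, port: int) -> str:
    """Decision for one outbound connection: first matching rule wins,
    otherwise the policy default applies."""
    for rule in rules:
        if rule.matches(app, port):
            return rule.action
    return default


# Variant A (original plan): block everything, then open one port.
# A port-only expert rule cannot name the application, so any program
# may use that port.
BLOCK_THEN_OPEN_PORT = [Rule("allow", port=443)]
DEFAULT_A = "block"

# Variant B (proposed work-around): open everything, then two rules,
# allow one application on its port and block everything else.  The
# app-plus-port rule is hypothetical; the block-all rule means the
# "open everything" default is never reached.
OPEN_THEN_TWO_RULES = [Rule("allow", app="vpnclient.exe", port=443), Rule("block")]
DEFAULT_B = "allow"

TRAFFIC: List[Tuple[str, int]] = [  # constructed sample connections
    ("vpnclient.exe", 443),  # intended: allowed
    ("vpnclient.exe", 80),   # the application on another port
    ("browser.exe", 443),    # another application on the opened port
    ("browser.exe", 80),     # unrelated traffic
]


def decisions(rules: List[Rule], default: str) -> Dict[Tuple[str, int], str]:
    """Evaluate every sample connection against one rule set."""
    return {(a, p): evaluate(rules, default, a, p) for a, p in TRAFFIC}
```

Swapping the order of the two rules in variant B puts the block-all rule first, which silently cuts off the application as well.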