Hi,
From the problem you described, I find the customized accounting
program is the main issue. You may want to upgrade/re-develop the
program to make it charge by userid+source ip. If this will satisfy
your requirement, then it is not necessary to change the firewall.
Anyway if you change the firewall, I guess you still need to make
changes to the accounting program.
regards,
Rick
--
Information (In)Security @ Where It Matters - http://blog.rickzhong.com
On Thu, Jun 26, 2008 at 12:56 AM, Daniel Clemens
<daniel.clemens (at) packetninjas (dot) net [email concealed]> wrote:
>
>
>
> On Jun 24, 2008, at 1:40 AM, Johann Spies wrote:
>
>> We have to either renew the licence on our Checkpoint Firewall-1 NG
>> (and upgrade it) or change to another software solution for our
>> firewall setup.
>
> I would upgrade. Keep things simple with what you already know.
>
>>
>>
>> Our approximately 25000 users pay for internet, some of them use a
>> pay-as-you-go-system. At the moment the accounting is done by custom
>> programs that read the active connections in the FW-memory. We have
>> two problems with the present setup:
>>
>> 1. FW-1 does not connect the user and the traffic in memory or always
>> in the logs. Only the source IP. So it is impossible for us to
>> handle accounting for different users using the same IP.
>>
>> 2. FW-1 does not end active connections immediately after a user has
>> logged off.
>
>
> 1) What would be an acceptable connection teardown timeout value?
> 2) Active connections will time out or tear down within minutes of a
> connection.
>
>>
>> We are in a process of evaluating different options. One of them is
>> NuFw - an open source product.
>>
>> Any recommendations of other products you know of will be appreciated.
>>
>> Regards
>> Johann
>> --
>> Johann Spies Telefoon: 021-808 4036
>> Informasietegnologie, Universiteit van Stellenbosch
>>
>> "Children, obey your parents in the Lord: for this is
>> right." Ephesians 6:1
>>
>
>