Does anyone have an opinion on the Cisco PIX? I would be interested to hear
them.
-----Original Message-----
From: Randall, Mark [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 03, 1999 9:43 AM
To: 'Gary Ramah'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Nokia IP Series
The IP400 series is soon to be discontinued. The IP330 will take its place.
It's a much nicer box (Only 1 or 2 units high in the rack, I believe) and
will serve the lower-end customers better than the IP410 or IP440. For more
high-end customer needs, the IP650 brings high availability/redundancy to
the table and there's not a whole lot of hardware on the market that can
compare to its throughput. Very nice.
I've heard that their operating system is a hybrid of a FreeBSD kernel that
has been "hardened" to provide the minimal services and maximum stability.
I've not actually verified that, however. I heard the same thing about the
WatchGuard Firebox series of firewall appliance, but a meeting with a
WatchGuard rep recently revealed that they actually use a stripped down
Linux kernel. I've not pressed the issue with Nokia, so I'm still going on
the rumor that it uses the BSD variant...
As for CheckPoint's Firewall-1 software...well, I don't know how to talk
about it without my personal opinions clouding my statements. Last year, my
opinion of CheckPoint was that it was a piece of crap. Stories about rules
to deny packets and CheckPoint making log entries that the packets were
dropped, yet a sniffer running on the inside showed the packets getting
through...those were not good. Going off to CheckPoint training to obtain
my CCSE changed my opinion significantly. I learned that many of the
problems were due to the deployment on NT. There were problems with NT
forwarding packets even though FW-1 was dropping them. Much of that kind of
stuff was due to the NT configuration, but there are a few things that don't
quite work correctly under NT, regardless. Firewall-1 was originally
written for Solaris, and IMNSHO should be run on Solaris or a Nokia box.
The port to NT is problematic.
Another thing about CheckPoint is one must understand the policy properties
screen, which is separate from the rule set and by default passes things
like DNS and RIP. I think this is a bad idea, but so long as you understand
the software, it is trivial to uncheck a box with your mouse. ;-)
Understanding the technology behind FW-1 was what really changed my mind.
Separating out the essential traffic handling portion (their inspect engine)
as a kernel module, rather than running it in user space, is an excellent
idea. That, working in concert with the FW daemon that must run in user space
to do things like open and write to log files, makes for a nice design. Even
if the server gets bogged down and programs running in the user space get
slowed down somewhat, the kernel component still gets priority for the
handling of traffic. This is part of why CheckPoint's throughput kicks ass
over a "real" firewall that passes nothing at layer 3 and forces everything
through a layer 7 proxy.
Okay, sorry for the long message...didn't mean to get started on my opinions
of CheckPoint.
As for pricing, the Nokia boxes are sold as a base unit price and you then
add the cost of the hardware you need. Most applications seem to be fine
with 2 or 3 10/100 ethernet NICs, but since the Nokia is taking on the
router market as well, it can be built with FDDI, ATM, or whatever. So, you
have to define the hardware configuration to get an idea of price.
Beyond the hardware configuration, you then get CheckPoint's Firewall-1
software, just as you would on any other platform. The full VPN-1 single
gateway product is around $10K or so. While you actually purchase the
software from Nokia (a version to run on their OS), the license is still
directly from CheckPoint and is basically the same as any other platform.
My opinion of these boxes is rather high. Aside from my rather long opinion
stated above regarding CheckPoint, I like the idea of moving to a network
appliance for a firewall installation. I'm pushing hard to steer clients
away from installing "just another server" in their server farm that happens
to run firewall software. The reason for this is that I know that, down the
road, when the company gets into some sort of budget constraints, they will
be tempted to run other services on the firewall box. After all, it's just
another server, right? I don't think a firewall should have other services
running on it unless they've been FULLY evaluated and are KNOWN to not
compromise the security of the firewall. What company is actually going to
do that?
I'm pushing "black-box" network appliances whenever possible.
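The concern raised above, that a firewall host slowly accumulates "just another server" services over time, is something you can check for mechanically rather than by trust. The following is an added example, not code from this thread or from Nokia or Check Point: a POSIX shell function that audits a Unix firewall host's listening sockets against an explicit allowlist and reports anything else. The allowlist (22 for administrative SSH, and 256/257, assumed here to be the FireWall-1 control and log ports) is a site-specific assumption, the netstat output is constructed for the example, and the awk assumes Linux/BSD-style `netstat -an` columns.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Unix firewall host for
# listening services beyond an explicit allowlist.
# Assumes Linux/BSD-style "netstat -an" columns as in SAMPLE below.

# Expected listeners on the firewall host (assumed; adjust per site).
# 22 = administrative SSH; 256/257 = assumed FireWall-1 control/log ports.
ALLOWED_PORTS="22 256 257"

# Constructed sample "netstat -an" output, including some extra services
# (http, ftp, snmp) that should never appear on a firewall.
SAMPLE='Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 0.0.0.0:22        0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:256       0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:257       0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:80        0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:21        0.0.0.0:*          LISTEN
tcp        0      0 10.0.0.1:55555    10.0.0.2:256       ESTABLISHED
udp        0      0 0.0.0.0:161       0.0.0.0:*'

# unexpected_listeners: read netstat-style text on stdin and print one
# "proto port" line per listening socket whose port is not in ALLOWED_PORTS.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # TCP listeners carry a LISTEN state; a UDP socket with a wildcard
        # peer is effectively a listener too.
        ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 == "0.0.0.0:*") {
            port = $4
            sub(/.*[:.]/, "", port)     # strip "addr:" or "addr." prefix
            if (!(port in ok)) print $1, port
        }'
}

# count_unexpected: number of unexpected listeners, handy for cron alerts.
count_unexpected() { unexpected_listeners | wc -l | tr -d " "; }

# Run with --demo to audit the constructed sample instead of a live host.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | unexpected_listeners
fi
```

On a real host, source the file and pipe the live output in: `netstat -an | unexpected_listeners`. A non-zero `count_unexpected` is the signal that someone has started treating the firewall as a general-purpose server.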
-----Original Message-----
From: Gary Ramah [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 02, 1999 12:35 PM
To: [EMAIL PROTECTED]
Subject: Nokia IP Series
I would like to hear user comments from anybody using the following
products:
Nokia IP400 Series
Nokia IP650 Series
Nokia's IPSO routing operating system
with Check Point's FireWall-1
My specific questions:
400 vs. 650 performance & availability
Price of the fully configured system
Opinions on these products.
Thanks in advance.
--
Gary Ramah
Advanced Network Technology and Applications
NASA Ames Research Center
Mail Stop 233-21
Moffett Field, CA 94035-1000
USA
mailto:[EMAIL PROTECTED]
http://www.nren.nasa.gov
650-604-0890 (voice)
650-604-3080 (fax)
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]