If you were an ISP or in the role of an ISP, I would probably suggest a
PIX firewall.  They are extremely fast, and if you don't need to make
that many changes and you have a relatively basic policy, they are a nice
fit.

They are not very "engineer friendly".  Even with the GUI tools, the PIX
management is not nearly as slick or straight forward as a FireWall-1.
These are extremely easy to misconfigure.  I don't like the way NAT is
set up, and I have yet to see the HA (high availability) configuration
actually work.

Most of my problem with this product when I was evaluating it was that
most of the features I wanted were "going to be in the next rev".

Carric Dooley
COM2:Interactive Media
http://www.com2usa.com

On Thu, 3 Jun 1999, ward, bryan wrote:

> 
> 
> Does anyone have an opinion on the CISCO PIX?  I would be interested to hear
> them.
> 
> -----Original Message-----
> From: Randall, Mark [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 03, 1999 9:43 AM
> To: 'Gary Ramah'
> Cc: '[EMAIL PROTECTED]'
> Subject: RE: Nokia IP Series 
> 
> 
> The IP400 series is soon to be discontinued.  The IP330 will take its place.
> It's a much nicer box (Only 1 or 2 units high in the rack, I believe) and
> will serve the lower-end customers better than the IP410 or IP440.  For more
> high-end customer needs, the IP650 brings high availability/redundancy to
> the table and there's not a whole lot of hardware on the market that can
> compare to its throughput.  Very nice.
> 
> I've heard that their operating system is a hybrid of a FreeBSD kernel that
> has been "hardened" to provide the minimal services and maximum stability.
> I've not actually verified that, however.  I heard the same thing about the
> WatchGuard Firebox series of firewall appliance, but a meeting with a
> WatchGuard rep recently revealed that they actually use a stripped down
> Linux kernel.  I've not pressed the issue with Nokia, so I'm still going on
> the rumor that it uses the BSD variant...
> 
> As for CheckPoint's Firewall-1 software...well, I don't know how to talk
> about it without my personal opinions clouding my statements.  Last year, my
> opinion of CheckPoint was that it was a piece of crap.  Stories about rules
> to deny packets and CheckPoint making log entries that the packets were
> dropped, yet a sniffer running on the inside showed the packets getting
> through...those were not good.  Going off to CheckPoint training to obtain
> my CCSE changed my opinion significantly.  I learned that many of the
> problems were due to the deployment on NT.  There were problems with NT
> forwarding packets even though FW-1 was dropping them.  Much of that kind of
> stuff was due to the NT configuration, but there are a few things that don't
> quite work correctly under NT, regardless.  Firewall-1 was originally
> written for Solaris, and IMNSHO should be run on Solaris or a Nokia box.
> The port to NT is problematic.
> 
> Another thing about CheckPoint is one must understand the policy properties
> screen, which is separate from the rule set and by default passes things
> like DNS and RIP.  I think this is a bad idea, but so long as you understand
> the software, it is trivial to uncheck a box with your mouse.  ;-)
> 
> Understanding the technology behind FW-1 was what really changed my mind.
> The essential traffic handling portion (their inspect engine) separated out
> as a kernel module and not running in the user space is an excellent idea.
> That, working in concert with the FW daemon that must run in the user space
> to do things like open and write to log files makes for a nice design.  Even
> if the server gets bogged down and programs running in the user space get
> slowed down somewhat, the kernel component still gets priority for the
> handling of traffic.  This is part of why CheckPoint's throughput kicks ass
> over a "real" firewall that passes nothing at layer 3 and forces everything
> through a layer 7 proxy.
> 
> Okay, sorry for the long message...didn't mean to get started on my opinions
> of CheckPoint.
> 
> As for pricing, the Nokia boxes are sold as a base unit price and you then
> add the cost of the hardware you need.  Most applications seem to be fine
> with 2 or 3 10/100 ethernet NICs, but since the Nokia is taking on the
> router market as well, it can be built with FDDI, ATM, or whatever.  So, you
> have to define the hardware configuration to get an idea of price.
> 
> Beyond the hardware configuration, you then get CheckPoint's Firewall-1
> software, just as you would on any other platform.  The full VPN-1 single
> gateway product is around $10K or so.  While you actually purchase the
> software from Nokia (a version to run on their OS), the license is still
> directly from CheckPoint and is basically the same as any other platform.
> 
> My opinion of these boxes is rather high.  Aside from my rather long opinion
> stated above regarding CheckPoint, I like the idea of moving to a network
> appliance for a firewall installation.  I'm pushing hard to steer clients
> away from installing "just another server" in their server farm that happens
> to run firewall software.  The reason for this, is I know that down the
> road, when the company gets into some sort of budget constraints, they will
> be tempted to run other services on the firewall box.  After all, it's just
> another server, right?  I don't think a firewall should have other services
> running on it unless they've been FULLY evaluated and are KNOWN to not
> compromise the security of the firewall.  What company is actually going to
> do that?
> 
> I'm pushing "black-box" network appliances whenever possible.
> 
> 
> 
> -----Original Message-----
> From: Gary Ramah [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 02, 1999 12:35 PM
> To: [EMAIL PROTECTED]
> Subject: Nokia IP Series 
> 
> 
> I would like to hear user comments from anybody using the following 
> products:
> 
> Nokia IP400 Series
> Nokia IP650 Series
> Nokia's IPSO routing operating system
> with Check Point's FireWall-1
> 
> My specific questions:
> 
> 400 vs. 650 performance & availability
> Price of the fully configured system
> 
> Opinions on these products.
> 
> Thanks in advance.
> 
> --
> Gary Ramah
> Advanced Network Technology and Applications
> NASA Ames Research Center
> Mail Stop 233-21
> Moffett Field, CA 94035-1000
> USA
> 
> mailto:[EMAIL PROTECTED]
> http://www.nren.nasa.gov
> 
> 650-604-0890 (voice)
> 650-604-3080 (fax)
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
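The failure Mark describes above (a rule says drop, the log says dropped, a sniffer on the inside still sees the packet) is cheap to test for, and the test is worth running on any firewall platform, not just FW-1 on NT.  The following is an added example, not code from anyone in this thread: it correlates "drop" entries from a firewall log with a tcpdump-style capture taken on the inside interface and flags every dropped 5-tuple that nevertheless appears inside within a short window.  The firewall log format is a constructed, simplified one (it is not Check Point's log format), the sample lines are made up for the example, and the function names are this example's own.

```python
"""Correlate firewall 'drop' log entries with an inside-interface capture.

Added example.  If a flow is logged as dropped but the same 5-tuple shows up
on the inside interface shortly afterwards, the firewall (or the host OS it
runs on) forwarded the packet anyway.  The log format below is a constructed
simplification, not any vendor's real format; the capture lines follow the
general shape of tcpdump output but are also constructed for this example.
"""
import re
from datetime import datetime

# Constructed firewall log: "<hh:mm:ss> <action> <proto> <src>:<sport> -> <dst>:<dport>"
FW_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# tcpdump-style summary: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
CAP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Constructed sample data (not real traffic).
FW_LOG = """\
12:01:05 drop tcp 10.1.1.5:4321 -> 192.168.0.10:80
12:01:06 accept tcp 10.1.1.7:5000 -> 192.168.0.10:443
12:01:09 drop udp 10.1.1.9:53000 -> 192.168.0.20:161
12:01:20 drop tcp 10.1.1.5:4322 -> 192.168.0.10:23
""".splitlines()

INSIDE_CAPTURE = """\
12:01:05.412 IP 10.1.1.5.4321 > 192.168.0.10.80: Flags [S], seq 1, win 8192, length 0
12:01:06.101 IP 10.1.1.7.5000 > 192.168.0.10.443: Flags [S], seq 2, win 8192, length 0
12:01:07.900 IP 10.1.1.7.5001 > 192.168.0.10.53: UDP, length 40
12:01:21.000 IP 10.1.1.5.4322 > 192.168.0.10.23: Flags [S], seq 3, win 8192, length 0
""".splitlines()


def _parse_ts(text):
    """Parse hh:mm:ss or hh:mm:ss.fraction into a datetime (date part is irrelevant)."""
    fmt = "%H:%M:%S.%f" if "." in text else "%H:%M:%S"
    return datetime.strptime(text, fmt)


def parse_fw_log(lines):
    """Return a list of (timestamp, action, flow_key) from firewall log lines."""
    out = []
    for line in lines:
        m = FW_LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not rule hits
        key = (m["proto"].lower(), m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        out.append((_parse_ts(m["ts"]), m["action"].lower(), key))
    return out


def parse_capture(lines):
    """Return a list of (timestamp, flow_key) from tcpdump-style lines."""
    out = []
    for line in lines:
        m = CAP_LINE.match(line.strip())
        if not m:
            continue
        rest = m["rest"]
        # tcpdump prints "Flags [...]" for TCP and "UDP, length N" for UDP.
        proto = "tcp" if rest.startswith("Flags [") else "udp" if rest.startswith("UDP") else "other"
        key = (proto, m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        out.append((_parse_ts(m["ts"]), key))
    return out


def audit_drops(fw_lines, capture_lines, window_s=2.0):
    """Split logged drops into 'leaked' (seen inside within the window) and 'confirmed'.

    The log has one-second resolution while the capture has sub-second
    timestamps, so a packet may legitimately be captured slightly *before* the
    logged second; one second of negative slack covers that rounding.
    """
    drops = [(ts, key) for ts, action, key in parse_fw_log(fw_lines) if action == "drop"]
    seen = {}
    for ts, key in parse_capture(capture_lines):
        seen.setdefault(key, []).append(ts)
    leaked, confirmed = [], []
    for ts, key in drops:
        hits = [t for t in seen.get(key, []) if -1.0 <= (t - ts).total_seconds() <= window_s]
        (leaked if hits else confirmed).append(key)
    return {"leaked": leaked, "confirmed": confirmed}


if __name__ == "__main__":
    result = audit_drops(FW_LOG, INSIDE_CAPTURE)
    for key in result["leaked"]:
        print("LEAK: logged as dropped but seen inside:", key)
    print("confirmed drops:", len(result["confirmed"]))
```

Run it with a real drop log and a real inside capture taken over the same minutes, and send the probes yourself (a handful of connections to ports the policy must deny) so that every drop entry has a known source.  A non-empty "leaked" list means the logging and the forwarding path disagree, which is exactly the NT symptom above; a sniffer on the inside is the only thing that settles it, because the firewall's own log is the component under suspicion.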
