> > Redundancy yes, load balancing no.  At least not yet....
> > Nokia's are just PCs with fancy, small, rackmountable boxes, running
> > FreeBSD.

Nokia's redundancy isn't a "true" HA solution in that the VRRP will only 
fail over in the event of a full system failure on one firewall.  If the 
firewall daemon stops no failover will happen since it's not checking at 
that layer.  Better than nothing though.

> > They are reliable, and can be made into a fault tolerant pair, but then so
> > can NT and the other platforms, + you can load share using Stonebeat.
> > If I had to spec up firewalls again, I'd probably choose NT, as Nokia did
> > seem rather expensive for the task in hand, and benchmarks show that the
> > Nokia platform is actually slower than the equivalent PC running NT.
> > Then again, I'd probably change my mind, as the Nokia's are very easy to
> > setup - stick them in, pre-hardened, load up firewall + the licenses and
> > away you go.
> > Saves faffing around with NT, but if you already know how to harden NT, it
> > doesn't take too long to faff around with it !
> > Stick with what you know....  it will cost you less !


I really cannot agree that NT is the way to go for a firewall.  Having used 
3 platforms (NT, IPSO, and Solaris) my experience is that NT lacks in many 
areas, most notably reliability, OS security, and performance.  Our 
firewalls on NT required constant maintenance, and frequently would restart 
fwd on their own.  (This did not disrupt service at the time, but left 
zombie processes running that would eventually eat up memory -- this 
required a reboot.)  We also saw major performance gains moving to Solaris, 
just by putting in paltry Ultra5s (that's about as low as Sun will go...)

NT also had *serious* issues with putkey, which already has problems of 
its own.  Without changing management consoles, moving to Solaris fixed 
the putkey problems almost completely.  When the VPNs were on NT we also 
had issues with massive amounts of key installs, since they would lose sync 
frequently.  Again, Solaris = good.  And I won't even go into the issues of 
NT security, since we all know about that.

Nokias are the easiest by far to roll out into production, and the OS 
comes pre-hardened for the most part.  I still recommend installing SSH and 
disabling telnet on an IPSO box, but otherwise they're great and the 
Voyager management is a well-made product.  However, Nokias will not scale 
as high in performance and speed as Suns will, in terms of hardware product 
lines.  Solaris is far from hardened at install time, but with a little 
UNIX knowledge and the help of docs/scripts on the net, this can be 
accomplished quite easily.  And you can put CP-FW1 on some big Suns to 
help throughput if that's your concern.  (We're running about 50 E-220s 
and some E-450s here...)

My take:
- If you can handle decent performance, and scaling to a large or 
high-speed environment is not a concern, buy Nokia.  The management and 
pre-secured nature of these make the cost over a standard PC worth it.
- If you have a nice budget and need to handle large policies, NAT, or VPN 
(*especially* on the same box) Suns are a good bet.  As you get higher up 
in the models they get expensive, but Suns are also known for hardware 
reliability, and Solaris is pretty damn solid.  Requires some knowledge of 
Solaris however, but it's nothing bad.  A Sol admin can handle it.
- If UNIX makes you run away in fright, or you really just can't afford the 
cost of a Nokia vs a PC, use NT.  Can't say as I recommend it, but to each 
his own...

Just my (somewhat educated) opinions, take them as you will.

- Ralph Forsythe
Security Engineer
Relera, Inc.
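An added example, not part of the post above and not Nokia or Check Point code: the post notes that VRRP only fails over on a whole-host failure, so a daemon that dies (or leaves zombies behind, as described for NT) goes unnoticed at that layer.  The shell function below is a daemon-layer health check that a cron job or monitoring agent could run on the firewall itself.  It parses a ps(1)-style listing (pid, state, command), reports whether the named daemon (assumed here to be fwd) is running and whether zombie processes are accumulating, and the sample listings are constructed for illustration.  What to do on failure (lower VRRP priority, page someone) is platform specific and left as a labelled placeholder.

```shell
#!/bin/sh
# Constructed example (not from the list post): daemon-layer health check
# to complement host-level VRRP failover.

# fw_health LISTING DAEMON
#   LISTING: output of `ps -axo pid,stat,comm`, header line included
#   DAEMON : process name that must be alive, e.g. fwd (assumption)
# Prints exactly one of: ok | daemon-missing | zombies:<count>
fw_health() {
    listing="$1"
    daemon="$2"
    # Live (non-zombie) instances of the daemon, matched on the command column.
    running=$(printf '%s\n' "$listing" |
        awk -v d="$daemon" 'NR > 1 && $3 == d && $2 !~ /^Z/ { n++ } END { print n+0 }')
    # Zombie processes: the state column begins with Z.
    zombies=$(printf '%s\n' "$listing" |
        awk 'NR > 1 && $2 ~ /^Z/ { n++ } END { print n+0 }')
    if [ "$running" -eq 0 ]; then
        echo daemon-missing
    elif [ "$zombies" -gt 0 ]; then
        echo "zombies:$zombies"
    else
        echo ok
    fi
}

# Constructed sample listings in `ps -axo pid,stat,comm` format.
SAMPLE_OK='  PID STAT COMMAND
    1 Ss   init
  101 S    fwd
  102 S    vpnd'

SAMPLE_DOWN='  PID STAT COMMAND
    1 Ss   init
  102 S    vpnd'

SAMPLE_ZOMBIE='  PID STAT COMMAND
    1 Ss   init
  101 S    fwd
  205 Z    fwd
  206 Z    fwd'

# Live use (opt-in so the sample run stays offline): feed the real process
# table and act on anything other than "ok".  FW_HEALTH_LIVE is a name chosen
# for this example.
if [ "${FW_HEALTH_LIVE:-0}" = "1" ]; then
    status=$(fw_health "$(ps -axo pid,stat,comm)" fwd)
    case "$status" in
        ok) ;;
        *)  logger -p daemon.crit "fw-health: $status"
            # placeholder: take this node out of the VRRP group / page on-call
            exit 1 ;;
    esac
fi
```

Run it from cron every minute with FW_HEALTH_LIVE=1; a non-zero exit with a syslog line at daemon.crit gives the monitoring system something to alert on long before memory exhaustion forces the reboot the post describes.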
