My $.02 on Firewalls.  Not really OT if you own an Imail server and want to defend it from evil people who hate you  :(
 
 
 ---
*.nix, BSD:  Several nice free solutions, VERY powerful, quick, efficient, but still hybrid (hardware\software) based.
---
PIX:  So-so, industry standard but not a lot of bang for buck (typical Cisco)
---
Nokia:  a bit on the inefficient side at times, even worse under full wire speed.
---
SonicWall and Gnat:  Nice lightweight boxes but do not seem to react well (lockup) when you throw even close to the max number of simultaneous connections at 'em
---
Netscreen:  After 4 months of tedious and exhaustive comparative analysis, I am in the process of moving a 50 location enterprise to Netscreen firewalls.  A pair of NS10's on the main backbone and NS5E's for each location.  Because:
---
1  ASIC driven:  all processing is done with custom app specific chips, instead of trying to morph a 68xxx and 5536x into a firewall (i.e. Cisco)
---
2  Wirespeed ability:  Though most of these FWs work at wirespeed... have you measured them?  The NS-100 boxes actually throughput at 100M\Sec under full load (10,000 simultaneous connections) and still maintain decent availability to legit connections even during an attack condition.
---
3  Fully IPSEC compliant VPN ability.  I like VPN.  The fact that I can run 10,000 Lan-Lan 3DES IKE controlled (key changes every 5 seconds) fully routed tunnels through a pair of high-availability boxes had a certain appeal to me.  Though I only use 50 lan-lan tunnels, it is nice to know I can expand to 10,000.
--- 
4  Two irrelevant factors for us but appealing to most: cost and configurability.   These boxes are cheap and easy to configure.  When it comes to protecting a large enterprise, cost should really not be an object these days when any @ss with a PC can download a script to DoS a PIX in 10 seconds flat.  Nevertheless NS boxes are relatively cheap compared to the other hardware based solutions we tested.       
---
5  NS tech support is arrogant and cocky.  Luckily these boxes are easy to configure but if you do need to call support, make sure you are drunk first, else you are likely to take it personally. 
---
 
 
I am definitely no security expert but if you have any further questions you can contact me off the list, addy is in the headers.       
 
Dave
 
 
----- Original Message -----
From: Phil Daws
Sent: Sunday, February 18, 2001 2:18 AM
Subject: [IMail Forum] OT: Firewalls

Hi ...
 
We are deciding on whether to purchase SonicWall Pro or GnatBox GB-1000. Have any of you had experience with either of these two products? Any feedback would be appreciated.
 
regards
 
Phil
