
Re: [FW1] choice bw nt or linux, crypto cards???



I hate when Linux evangelists turn up on every mailing list.

I know you have a real inferiority complex to solve, but please let's not turn
this list into an O/S bashing contest when it is supposed to be used for
discussion about firewall-1.

Yes you could use NT, yes you could use BSDi, yes you could use Solaris, yes you
could use Linux, yes you could use the Nokia via IPSO/BSD etc....or you could even
use an "appliance" like the myriad of SOHO "firewalls".
The simple answer to this entire debate is that when it comes to deciding which platform
to use, "it depends" on what the customer's requirements are. No great debate is
required to arrive at this point.

As far as crypto cards are concerned...I have seen the prices for the
cards that provide IPSEC and they seem high compared to some other
solutions I have seen. Has anyone tried the Intel i960 based "Intelligent"
server adapter which has coprocessor support and handles IPSEC without
loading the CPU? I think the drivers for this are only available under NT,
but I could be wrong.  I have 3 of these in my server and they support ISL,
which is nice because you can trunk them to a Catalyst switch and provide
multiple DMZ legs via VLANs.

----- Original Message -----
From: Chris Trudeau <[email protected]>
To: Firewall Admin <[email protected]>;
<[email protected]>
Sent: Tuesday, September 05, 2000 2:53 PM
Subject: Re: [FW1] choice bw nt or linux


>
> I agree the Nokia boxes kick serious rear-end AND offer much more from a feature
> set.  The only point I wanted to make was that for its "freshman" season Linux
> is making some noise...
>
> Apple-to-Apple comparison is extremely valid, however if Linux supports SMP
> across the board and BSDI doesn't that would be a feature in my mind...and I do
> believe that is the only reason that Nokia doesn't support the config you
> mention below.  Additionally the point about bang for the buck is applicable, a
> Nokia box is EXTREMELY expensive, and if an organization wanted a box like this
> ONLY for VPN connectivity, I'd gladly sell them a Linux solution with Crypto
> card possibly multiple processor over the Nokia.
>
> Things like this require an extensive evaluation of the customer's business
> needs.  For example..consider the following:
>
> Customer "A" wants a border firewall to handle outbound traffic, 2 PHYSICAL
> DMZ's and route sharing via BGP to their ISPs for 1 of the DMZ's, then I would
> definitely recommend the NOKIA, if for no other reason than its ability to
> handle and accept BGP protocol requirements.  Its ability to provide a large
> number of interfaces and the inherent ability to be configured in a redundant
> pair help support that decision.  This kind of need justifies the large dollars
> for this solution and NOTHING can handle this as well as the NOKIA platform.
>
> However, Customer "B" wants to run 200 concurrent VPN sessions for
> dial-up/telecommuters and possibly a development DMZ leveraging the same
> architecture...I would lean toward a hardened linux solution.  It is
> considerably less expensive and even as a freshman could handle this type of
> functionality pretty well.
>
> So, in summary,  I suppose I should have gathered additional information about
> the original question which was...
> comparing Linux to NT...
>
> What is the particular application, need, business requirements etc...I suppose
> I just jumped on the opportunity to say that Linux kicks NT's butt pretty much
> across the board when Checkpoint is involved...
>
> CT
>
>
> Firewall Admin wrote:
>
> > But if you compared apples to apples and had a Nokia box with dual Xeon
> > processors it would most likely kick Linux's butt. The performance figures
> > on CPs web site show the IP650 with SINGLE PIII 700 and 256MB pushing
> > 240Mbps.
> >
> > Just my two pence worth.
> >
> > ----- Original Message -----
> > From: "Chris Trudeau" <[email protected]>
> > To: "Brett Lymn" <[email protected]>
> > Cc: <[email protected]>
> > Sent: Tuesday, September 05, 2000 12:19 PM
> > Subject: Re: [FW1] choice bw nt or linux
> >
> > >
> > > As I was then...
> > >
> > > I did not actually SEE the results, although I would very much like to be
> > > involved in the benchmarking of the different solutions.  I definitively HAVE seen
> > > postings and otherwise indicating that a comparable Solaris Solution (processor
> > > etc) was used in the test and was beaten by some crazy percentage...
> > >
> > > Nokia boxes were also tested in the same benchmark and were also beaten.
> > > I can easily go out and find a redundant power supply 19" rack mountable Intel
> > > based hardware solution for about $4500, install RH 6.X and Checkpoint on the
> > > box and it will beat an Existing Nokia platform in most tests...
> > >
> > > I agree that the Linux Stack has a way to go to be as efficient, but $4500
> > > for a linux solution which does in fact SMOKE a $30,000 Nokia solution is a nice
> > > price point for a lot of people.
> > >
> > > The point I suppose I SHOULD have made is the "bang-for-the-buck" one.
> > > The linux solution far and away provides more bang for the buck than ANY of the
> > > other solutions.
> > >
> > > CT
> > >
> > > Brett Lymn wrote:
> > >
> > > > According to Chris Trudeau:
> > > > >
> > > > >
> > > > >and IMHO the reports I hear is that a tuned linux kernel running Checkpoint SMOKES
> > > > >the competition, including Nokia, and ANYTHING on NT...
> > > >
> > > > Uhhhh ``I doubt it'' the processor in the linux box used in the
> > > > testing may have been a lot faster than the processor in the Nokia
> > > > giving you an inflated figure.  The linux tcp/ip stack still has a way
> > > > to go in terms of performance, I am reasonably certain that it beats
> > > > the NT implementation but as for beating the BSD IP stack... I think not.
> > > >
> > > > >May be spoiled, but routing
> > > > >issues are normally easier to troubleshoot as is remote management of the OS and many
> > > > >other factors when one uses a linux or *nix based solution.
> > > > >
> > > >
> > > > secure, remote access is something the *nix solutions do do better
> > > > than NT.
> > > >
> > > > >And in this case it is supposedly so much faster too...
> > > > >
> > > >
> > > > I would crank up the salt mine on that one.
> > > >
> > > > --
> > > > ===============================================================================
> > > > Brett Lymn, Computer Systems Administrator, BAE SYSTEMS
> > > > ===============================================================================
> > >
> > > ================================================================================
> > >      To unsubscribe from this mailing list, please see the instructions at
> > >                http://www.checkpoint.com/services/mailing.html
> > > ================================================================================
> > >


