
[FW1] Re: Nokia vs NT (and solaris, just for kicks)





> Redundancy yes, load balancing no.  At least not yet....
> Nokias are just PCs with fancy, small, rackmountable boxes, running
> FreeBSD.

Nokia's redundancy isn't a "true" HA solution in that the VRRP will only fail over in the event of a full system failure on one firewall. If the firewall daemon stops, no failover will happen since it's not checking at that layer. Better than nothing though.


> They are reliable, and can be made into a fault tolerant pair, but then so
> can NT and the other platforms, + you can load share using Stonebeat.
> If I had to spec up firewalls again, I'd probably choose NT, as Nokia did
> seem rather expensive for the task in hand, and benchmarks show that the
> Nokia platform is actually slower than the equivalent PC running NT.
> Then again, I'd probably change my mind, as the Nokias are very easy to
> set up - stick them in, pre-hardened, load up firewall + the licenses and
> away you go.
> Saves faffing around with NT, but if you already know how to harden NT, it
> doesn't take too long to faff around with it !
> Stick with what you know....  it will cost you less !


I really cannot agree that NT is the way to go for a firewall. Having used 3 platforms (NT, IPSO, and Solaris) my experience is that NT lacks in many areas, most notably reliability, OS security, and performance. Our firewalls on NT required constant maintenance, and frequently would restart fwd on their own. (This did not disrupt service at the time, but left zombie processes running that would eventually eat up memory -- this required a reboot.) We also saw major performance gains moving to Solaris, just by putting in paltry Ultra5s (that's about as low as Sun will go...)

NT also had *serious* issues with putkey, which already has problems of its own. Without changing management consoles, moving to Solaris fixed the putkey problems almost completely. When the VPNs were on NT we also had issues with massive amounts of key installs, since they would lose sync frequently. Again, Solaris = good. And I won't even go into the issues of NT security, since we all know about that.

Nokias are the easiest by far to roll out into production, and the OS comes pre-hardened for the most part. I still recommend installing SSH and disabling telnet on an IPSO box, but otherwise they're great and the Voyager management is a well-made product. However, Nokias will not scale as high in performance and speed as Suns will, in terms of hardware product lines. Solaris is far from hardened at install time, but with a little UNIX knowledge and the help of docs/scripts on the net, this can be accomplished quite easily. And you can put CP-FW1 on some big Suns to help throughput if that's your concern. (We're running about 50 E-220s and some E-450s here...)

My take:
- If you can handle decent performance, and scaling to a large or high-speed environment is not a concern, buy Nokia. The management and pre-secured nature of these make the cost over a standard PC worth it.
- If you have a nice budget and need to handle large policies, NAT, or VPN (*especially* on the same box) Suns are a good bet. As you get higher up in the models they get expensive, but Suns are also known for hardware reliability, and Solaris is pretty damn solid. Requires some knowledge of Solaris however, but it's nothing bad. A Sol admin can handle it.
- If UNIX makes you run away in fright, or you really just can't afford the cost of a Nokia vs a PC, use NT. Can't say as I recommend it, but to each his own...


Just my (somewhat educated) opinions, take them as you will.

- Ralph Forsythe
Security Engineer
Relera, Inc.


