
Re: [FW1] Re: Nokia vs NT (and solaris, just for kicks)



I agree with you on almost all points, except that if you anticipate a lot of VPNs,
then a Sun box is the last thing you should be using.  Intel may only have NT and
Linux as its most common OSes (ok, Solaris x86), but the Intel processor can run
circles around an UltraSPARC processor when it comes to crunching 3DES algorithms.
About 4 times faster, clock cycle for clock cycle.  Strangely enough, Nokia just
seems to cough and wheeze when it comes to VPN, despite the apparent advantage of
processor.  Kind of strange.  However, the Nokias have by far the easiest
management interface (except for Intrusion.com appliances), unless you are talking
about setting up HA, and then the Nokias seem to fall short since the monitored
circuit/VRRP seems totally unaware of the firewall's status.  If the firewall daemon
dies, then Nokia will continue to have that box as the Master device, even though
security servers and such may die.

Sorry, I probably dropped more than my $.02,
Best regards,
CryptoTech

Thomas Stala wrote:

> Well, to throw my .02 cents worth in.
>
> I feel that there is an OS for everything. I would never put a UNIX type OS
> in a shop that has no idea of what VI is.
>
> I would never use NT in a place that has a lot of overhead. Dual DS-3, High
> availability, Load Balancing and a lot of VPN's running to multiple places
> then I need a Big Bad Server such as a Sun with RISC processors not the
> Intel chipset that NT runs on.
> But if I have a lot of people that know how to run NT then that is a good
> solution for that company.
>
> I do not know Lynx but it seems to be a good product from what I hear from
> other people that are in security. But I do not know how to install it so
> it is not a solution for me at all. I would have to hire someone and have
> someone standing by to fix the OS if anything were to go wrong. $$$$$ That
> is not a solution for some companies. Now if I were a shop that has a bunch
> of UNIX people then it would be a great solution.
>
> NOKIA is a good product. It is easy to use and is as stable as all of the
> rest, without the problems of locking down the OS before installing the
> firewall.
>
> Thomas Stala
> [email protected]
> Hope this helps
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of Ralph
> Forsythe
> Sent: Monday, February 19, 2001 5:40 PM
> To: Firewall-1 Mailinglist Digest
> Subject: [FW1] Re: Nokia vs NT (and solaris, just for kicks)
>
> > > Redundancy yes, load balancing no.  At least not yet....
> > > Nokia's are just PCs with fancy, small, rackmountable boxes, running
> > > FreeBSD.
>
> Nokia's redundancy isn't a "true" HA solution in that the VRRP will only
> fail over in the event of a full system failure on one firewall.  If the
> firewall daemon stops no failover will happen since it's not checking at
> that layer.  Better than nothing though.
>
> > > They are reliable, and can be made into a fault tolerant pair, but then so
> > > can NT and the other platforms, + you can load share using Stonebeat.
> > > If I had to spec up firewalls again, I'd probably choose NT, as Nokia did
> > > seem rather expensive for the task in hand, and benchmarks show that the
> > > Nokia platform is actually slower than the equivalent PC running NT.
> > > Then again, I'd probably change my mind, as the Nokia's are very easy to
> > > setup - stick them in, pre-hardened, load up firewall + the licenses and
> > > away you go.
> > > Saves faffing around with NT, but if you already know how to harden NT, it
> > > doesn't take too long to faff around with it !
> > > Stick with what you know....  it will cost you less !
>
> I really cannot agree that NT is the way to go for a firewall.  Having used
> 3 platforms (NT, IPSO, and Solaris) my experience is that NT lacks in many
> areas, most notably reliability, OS security, and performance.  Our
> firewalls on NT required constant maintenance, and frequently would restart
> fwd on their own.  (This did not disrupt service at the time, but left
> zombie processes running that would eventually eat up memory -- this
> required a reboot.)  We also saw major performance gains moving to Solaris,
> just by putting in paltry Ultra5's (that's about as low as Sun will go...)
>
> NT also had *serious* issues with putkey, which already has problems of
> its own.  Without changing management consoles, moving to Solaris fixed
> the putkey problems almost completely.  When the VPN's were on NT we also
> had issues with massive amounts of key installs, since they would lose sync
> frequently.  Again, Solaris = good.  And I won't even go into the issues of
> NT security, since we all know about that.
>
> Nokia's are the easiest by far to roll out into production, and the OS
> comes pre-hardened for the most part.  I still recommend installing SSH and
> disabling telnet on an IPSO box, but otherwise they're great and the
> Voyager management is a well-made product.  However, Nokia's will not scale
> as high in performance and speed as Suns will, in terms of hardware product
> lines.  Solaris is far from hardened at install time, but with a little
> UNIX knowledge and the help of docs/scripts on the net, this can be
> accomplished quite easily.  And you can put CP-FW1 on some big Sun's to
> help throughput if that's your concern.  (We're running about 50 E-220's
> and some E-450's here...)
>
> My take:
> - If you can handle decent performance, and scaling to a large or
> high-speed environment is not a concern, buy Nokia.  The management and
> pre-secured nature of these make the cost over a standard PC worth it.
> - If you have a nice budget and need to handle large policies, NAT, or VPN
> (*especially* on the same box) Sun's are a good bet.  As you get higher up
> in the models they get expensive, but Sun's are also known for hardware
> reliability, and Solaris is pretty damn solid.  Requires some knowledge of
> Solaris however, but it's nothing bad.  A Sol admin can handle it.
> - If UNIX makes you run away in fright, or you really just can't afford the
> cost of a Nokia vs a PC, use NT.  Can't say as I recommend it, but to each
> his own...
>
> Just my (somewhat educated) opinions, take them as you will.
>
> - Ralph Forsythe
> Security Engineer
> Relera, Inc.
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature



 
   All contents © 2004 Network Presence, LLC. All rights reserved.