
Re: [FW1] Comparisons: Platforms for FW1?

Here's my (very limited) perspective.  Perhaps it will be useful.

I used to work for an organization that ran FW-1 on a Solaris box.  It worked well, but the Solaris platform was quite expensive, and the OS needed to be hardened, a procedure that took up a day or so.

Then we installed FW-1 on it, which took another day.

Then we configured it that night, which took us somewhat past midnight.

After it was done, we were afraid to touch it to apply OS or FW-1 patches.  It took a lot of trouble to get it there, you see.  Plus, we didn't know what effect patching the OS would have on FW-1, and vice versa.  And we (well, at least I was, don't know about the Unix guys) were never sure that the OS had been completely hardened.  It was still down there, doing stuff.  What if we had made a boo-boo somewhere?

I like the idea of a firewall appliance instead of using a general-purpose OS.  Right now I'm evaluating the Nokia appliance line.  Nokia bundles updates as a single piece - apply it and you're patching the OS (if needed) and FW-1.  Plus Nokia handles all the support calls, so you never have to talk to CheckPoint.  I haven't been able to actually try one of these out yet.  (Nokia uses their own OS called IPSO.)

I HAVE been able to work with a smaller appliance - the PDS 2100 from  It's on my desk right now - nice little box.  Apparently the OS is a custom, hardened version of Linux. ships updates as a single piece as well.  However, for FW-1 support, you have to talk to CheckPoint - which I'm discovering is a big drawback.

Then there's the physical aspect of a general-purpose computer versus a rack-mount appliance.  We had to find a place in the computer room for the Sun CPU, that huge monitor, that goofy keyboard, and that stupid clumsy mouse.  Then we had to run wires to it from the datacomm closet.  If we could have just stuck an appliance in the rack in the closet it would have saved us a lot of time.

Heck, we generally don't do routing on computers any more, we buy "routing appliances" from companies like Cisco.  Now that the firewall is as vital as routing, it makes sense that your firewall should also be moved to a purpose-built rack-mounted device, and for the same reasons.

Anyway, to sum up:  in my opinion, "Firewall on a general purpose OS like Unix or NT - bad.  Single purpose firewall appliance - good."

Hope this helps,


Doug Weathers, Network Administrator
St. Charles Medical Center

>>> "James Bell" <[email protected]> 04/07/01 01:40AM >>>

Can anyone point me to some comparisons of FW1 running on different
platforms? I've seen the one on the CP site showing performance
comparisons between Solaris, NT, Linux, HPUX (nokia?) where Linux and
Solaris seem to lead the pack performance wise with NT bringing up the
rear.  But I'm looking for any other kinds of overall
(price/performance/hwcosts/security (from an os weakness basis))
comparisons between the various platforms that FW1 will run on.

I work for a business unit of a big aerospace co which is going about
being absorbed by another even larger entity, and we're currently
running 4.0 on a fairly anemic NT box, which runs fairly well.  We've
got the 4.1 software, but we're trying to decide if it makes sense to
move to another platform.

