
RE: [FW1] Comparisons: Platforms for FW1?

	I'll second what Doug says.  I've been managing a handful of 650s
for a few months now, and it's been an incredible experience.  While we've
had our share of 'learning experiences' the Nokia appliance itself makes it
very easy to update our OS.  In one instance, we had a box which was
determined to be defective.  Getting a replacement onsite wasn't a huge
problem, and moving to the new box gave us an opportunity to update to IPSO
3.3 and FW-1 SP3 at the same time.  
	The process was a breeze.  It was a simple matter of backing up the
configuration on the existing box (which consists of entering a filename and
clicking a button in a web based interface), copying that backup to an FTP
server, and restoring it on the new box.  We then upgraded the OS and FW-1
versions in place.  The beauty is that the old versions are simply turned
'off' so if there's any problem, we need only click a few buttons to turn
the old versions on and the new versions off.  Installing OS and Software
package upgrades is incredibly simple.
	I can't say enough good things about the Nokia IP devices.  As far
as I can tell, they're at least as secure as their Solaris brethren, if not
more so, and they're immensely simpler to administer.  I'm coming to things
from an NT background, with only a hobbyist's perspective on linux/unix, but
I've had no problems administering the Nokia devices.

Jeff Jarmoc - CCNA, MCSE
Network Analyst - Grubb & Ellis

-----Original Message-----
From: Doug Weathers [mailto:[email protected]]
Sent: Monday, April 09, 2001 4:18 PM
To: [email protected]; [email protected]
Subject: Re: [FW1] Comparisons: Platforms for FW1?

Here's my (very limited) perspective.  Perhaps it will be useful.

I used to work for an organization that ran FW-1 on a Solaris box.  It
worked well, but the Solaris platform was quite expensive, and the OS needed
to be hardened, a procedure that took up a day or so.

Then we installed FW-1 on it, which took another day.

Then we configured it that night, which took us somewhat past midnight.

After it was done, we were afraid to touch it to apply OS or FW-1 patches.
It took a lot of trouble to get it there, you see.  Plus, we didn't know
what effect patching the OS would have on FW-1, and vice versa.  And we
(well, at least I was, don't know about the Unix guys) were never sure that
the OS had been completely hardened.  It was still down there, doing stuff.
What if we had made a boo-boo somewhere?

I like the idea of a firewall appliance instead of using a general-purpose
OS.  Right now I'm evaluating the Nokia appliance line.  Nokia bundles
updates as a single piece - apply it and you're patching the OS (if needed)
and FW-1.  Plus Nokia handles all the support calls, so you never have to
talk to CheckPoint.  I haven't been able to actually try one of these out
yet.  (Nokia uses their own OS called IPSO.)

I HAVE been able to work with a smaller appliance - the PDS 2100 from  It's on my desk right now - nice little box.  Apparently the
OS is a custom, hardened version of Linux. ships updates as a
single piece as well.  However, for FW-1 support, you have to talk to
CheckPoint - which I'm discovering is a big drawback.

Then there's the physical aspect of a general-purpose computer versus a
rack-mount appliance.  We had to find a place in the computer room for the
Sun CPU, that huge monitor, that goofy keyboard, and that stupid clumsy
mouse.  Then we had to run wires to it from the datacomm closet.  If we
could have just stuck an appliance in the rack in the closet it would have
saved us a lot of time.

Heck, we generally don't do routing on computers any more, we buy "routing
appliances" from companies like Cisco.  Now that the firewall is as vital as
routing, it makes sense that your firewall should also be moved to a
purpose-built rack-mounted device, and for the same reasons.

Anyway, to sum up:  in my opinion, "Firewall on a general purpose OS like
Unix or NT - bad.  Single purpose firewall appliance - good."

Hope this helps,


Doug Weathers, Network Administrator
St. Charles Medical Center

>>> "James Bell" <[email protected]> 04/07/01 01:40AM >>>

Can anyone point me to some comparisons of FW1 running on different
platforms? I've seen the one on the CP site showing performance
comparisons between Solaris, NT, Linux, HPUX (nokia?) where Linux and
Solaris seem to lead the pack performance wise with NT bringing up the
rear.  But I'm looking for any other kinds of overall
(price/performance/hwcosts/security (from an OS weakness basis))
comparisons between the various platforms that FW1 will run on.

I work for a business unit of a big aerospace co which is going about
being absorbed by another even larger entity, and we're currently
running 4.0 on a fairly anemic NT box, which runs fairly well.  We've
got the 4.1 software, but we're trying to decide if it makes sense to
move to another platform.


     To unsubscribe from this mailing list, please see the instructions at



   All contents © 2004 Network Presence, LLC. All rights reserved.