Rack mounted Firewalls

13 July 2001, 04:44 PM, #1
RichB (Scooby Regular, Thread Starter; Join Date: Apr 1999; Location: Bore Knee Muff; Posts: 3,666)

So what are the best high-end hardware firewalls, what sort of throughput can they handle and how secure are they?

We have used Sonicwall but someone is doubting their ability to protect.

Any experts out there?
13 July 2001, 05:34 PM, #2
stevem2k (Scooby Regular; Join Date: Sep 2001; Location: Kingston (Surrey, not Jamaica); Posts: 4,670)

Really a choice of 2...

Nokia is a black-box solution; I don't know much about the implementation.

Cisco PIX is cheaper, but runs Checkpoint FW1, which is robust and secure - the downside is that the Checkpoint licences are not cheap.

Don't forget for a 'real' firewall solution, you need 2, with failover between.

SteveM

I have a contact who will do you a good quote for Cisco kit if you want a rough guide (drop me a mail).
13 July 2001, 09:33 PM, #3
GranTurismo (Scooby Regular; Join Date: Apr 1999; Posts: 882)

Just a point....

The effectiveness of a firewall is down to the person who sets it up.

Make sure you are happy with the "usability" of the system, and make sure the person who administers it knows what they are doing. If you get a top-line Cisco job, you need a well-skilled person to set it up.

(No offence meant, I couldn't configure one to save my life!)
13 July 2001, 10:55 PM, #4
stevem2k (Scooby Regular; Join Date: Sep 2001; Location: Kingston (Surrey, not Jamaica); Posts: 4,670)

any * any * any * allow

isn't it ? :-)

GT has a valid point. It's worthwhile getting some expertise in, at least for the initial config. FireWall-1 isn't hard to administer once the base rules are in place though; a bit of RTFM and understanding of what each of the rules does gets me by day to day. Security consultancy doesn't come cheap (3k a day range), and should be budgeted for in a corporate environment.

SteveM
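An added illustration of the point GT and SteveM are making, that the rule base and the person who writes it matter more than the badge on the box (example code written for this page, not anything posted in the thread or shipped by Check Point): a small linter for a FireWall-1-style rule base that flags the "any * any * any * allow" rule, rules that are dead because an earlier broader rule always matches first, accepted traffic that is not logged, and the absence of an explicit cleanup rule at the end. The column format, the object names (fw-gw, webserver, internal) and both sample policies are constructed for the example; a real FW-1 policy is not stored in this form.

```python
"""Rule-base linter for a FireWall-1-style policy (added example, not from the thread).

The column format, the object names and the two sample policies below are
constructed for illustration; they are not a real Check Point export format.
"""
from dataclasses import dataclass
from typing import List, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    num: int
    src: str
    dst: str
    svc: str
    action: str  # accept / drop / reject
    track: str   # log / none


def parse_rulebase(text: str) -> List[Rule]:
    """Parse 'num src dst svc action track' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        num, src, dst, svc, action, track = line.split()
        rules.append(Rule(int(num), src.lower(), dst.lower(), svc.lower(),
                          action.lower(), track.lower()))
    return rules


def _covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet the later rule would match is already matched
    by the earlier one (first match wins, so the later rule is dead)."""
    return all(getattr(earlier, f) in (ANY, getattr(later, f))
               for f in ("src", "dst", "svc"))


def _is_any_any_any(r: Rule) -> bool:
    return r.src == ANY and r.dst == ANY and r.svc == ANY


def lint(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (rule number, finding) pairs; an empty list means clean."""
    findings = []
    for r in rules:
        if _is_any_any_any(r) and r.action == "accept":
            findings.append((r.num, "any/any/any accept: this is a router, not a firewall"))
        if r.action == "accept" and r.track != "log":
            findings.append((r.num, "accepted traffic is not logged"))
    # FW-1 drops unmatched traffic implicitly but does not log it; an
    # explicit last rule 'any any any drop, log' makes those drops visible.
    if not rules or not (_is_any_any_any(rules[-1]) and rules[-1].action in ("drop", "reject")):
        findings.append((rules[-1].num if rules else 0,
                         "no explicit cleanup rule (any any any drop) at the end"))
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                findings.append((later.num, f"shadowed by rule {earlier.num}; never matched"))
                break
    return findings


# Constructed sample: the "any * any * any * allow" policy from the joke.
BAD_RULEBASE = """
# num  src       dst        svc    action  track
1      any       fw-gw      any    drop    log    # stealth rule: nobody talks to the gateway
2      any       webserver  http   accept  log
3      any       any        any    accept  none   # the joke rule
4      internal  any        any    accept  log    # dead: rule 3 already matches it
"""

# Constructed sample: same intent, tightened up.
GOOD_RULEBASE = """
1      any       fw-gw      any    drop    log
2      any       webserver  http   accept  log
3      internal  any        any    accept  log
4      any       any        any    drop    log    # explicit, logged cleanup rule
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_RULEBASE), ("good", GOOD_RULEBASE)):
        print(name)
        for num, msg in lint(parse_rulebase(text)) or [(0, "no findings")]:
            print(f"  rule {num}: {msg}")
```

The shadowing check is deliberately conservative: it only reports a later rule as dead when every one of its source, destination and service fields is either identical to, or swallowed by "any" in, a single earlier rule, so it never produces a false "dead rule" finding; a rule can still be partially shadowed across several earlier rules without being reported.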
14 July 2001, 03:17 AM, #5
ChrisB (Moderator; Join Date: Dec 1998; Location: Staffs; Posts: 23,573)

I'd be interested to hear more about the concerns on the SonicWall kit.

ChrisB.
14 July 2001, 08:02 AM, #6
mega_stream (Scooby Regular; Join Date: May 2001; Location: Scotland; Posts: 4,580)

If it's high-end, high-throughput you're after, then I'd look at maybe a couple of Compaq ML570s running Checkpoint FW1, set up as a cluster running StoneBeat or Rainfinity.

That way you get load balancing and redundancy as well.
Too true that you can have the db's of a setup, but it's only ever gonna be as good as who built, configured and administers it!!

PIX and Raptor are probably a bit faster, but you probably wouldn't notice anyway.

John
14 July 2001, 08:11 AM, #7
Chris L (Scooby Regular; Join Date: May 2000; Location: MY00, MY01, RX-8, Alfa 147 & Focus ST :-); Posts: 10,371)

OK - based on my experiences:

Sonicwall - the company I worked for a few years ago was one of the first installing these in the UK. I have personally installed many of them (as I have mentioned before, I know of at least one high-profile site, advertised on Scoobynet, that uses them). All firewalls have pros and cons, but it usually comes down to who has configured them and how good your policy is. If you are protecting a company site/network, take professional advice; it is well worth it. Security consultancy ain't cheap, but how much is your company's business worth??

Sonicwall is a perfectly good firewall; however, where it would start to struggle is with throughput, rather than being insecure. Many people take the view that because a box uses a web interface and is easy to configure it can't be as secure as a high-end box which has a more difficult and complex procedure for configuring the rule base - not true.

Cisco PIX - good but showing its age. More difficult to configure than some other boxes (Sonicwall and Nokia Checkpoint included) and doesn't use a hardened operating kernel in the same way that Nokia does. There are also a frighteningly large number of bugs published for them. To be honest, the Cisco box has traded largely on its name for some time and a certain amount of US paranoia (for those who don't know, Checkpoint is an Israeli company and a few years ago a Mossad 'backdoor' was found in FW-1, which meant that it was withdrawn from the US govt approved firewall list (incidentally, it does not exist anymore)).

Stevem2K mentioned that Cisco PIX runs Checkpoint - it doesn't. The Cisco box runs its own bespoke software.

The Nokia firewall uses Checkpoint FW-1. If you want a professional high-end solution, then the Nokia boxes are the way to go, and they are the easiest to set up in a resilient configuration. My company (Equant) has over 500 such installations under management at the moment (makes us one of the top 5 companies in the world for managed firewall services).

More info on the Nokia range at

14 July 2001, 10:44 AM, #8
WillieF (Scooby Regular; Join Date: Oct 1999; Posts: 778)

As has been said, the most important thing about a firewall is the guy that sets it up.

As a company we have installed both the Sonicwall and Nokia kit.

If you are going to outsource the installation and maintenance, make sure that the company you employ REALLY knows your business and your network before they start. Make sure that they are employed to come back on a regular basis to check the installation. If you really want to be sure, get your firewall installed and then employ a team like IBM's ethical hacking team to break it. One of our customers did and I learnt a lot from it.

Remember also that these things won't protect you from a DoS attack fully; that is down, in part, to your ISP, so knowing them and their infrastructure is part of the job.

14 July 2001, 07:35 PM, #9
RichB (Scooby Regular, Thread Starter; Join Date: Apr 1999; Location: Bore Knee Muff; Posts: 3,666)

Interesting info guys, thanks.

Where can I get the best info on what models handle how much bandwidth and how scalable they are?

Also, any good places to visit to read up on DoS attacks and how to prepare/protect against them?

[This message has been edited by RichB (edited 14 July 2001).]
15 July 2001, 10:59 PM, #10
ChrisB (Moderator; Join Date: Dec 1998; Location: Staffs; Posts: 23,573)

Back from the Northern Camping Trip (weekend), so I'll stick my oar back in...

> Sonicwall is a perfectly good firewall, however where it would start to struggle is with throughput, rather than being insecure. Many people take the view that because a box uses a web interface and easy to configure that it can't be as secure as a high end box which has a more difficult and complex procedure for configuring the rules base - not true.

SonicWall GX anyone? 1Gbps throughput, maximum of 10,000 3DES VPN connections, dual hot-swap PSUs...

As a VAR, we use and sell the SonicWall series. One of the real benefits of an appliance-type product like the SW is that you haven't got to worry about keeping the base OS up to scratch with hotfixes and the like. Our SonicWalls send me an e-mail when a new firmware is available.

Richie...

Throughput - should be on the spec sheets somewhere.

DoS attacks - there used to be a white paper on the SonicWall web site about them. I might have a copy saved somewhere...

ChrisB.
16 July 2001, 03:42 PM, #11
chiark (Scooby Regular; Join Date: Jun 2000; Posts: 13,735)

Nokia IP650 is our current beast of choice for its resilience, availability and throughput. Plus it runs FireWall-1, which seems to be the best-known product around at the moment; this aids system configuration and support.

Not cheap, but excellent availability and throughput make it our de facto choice.

Nick.
16 July 2001, 06:00 PM, #12
carl (Scooby Regular; Join Date: May 1999; Posts: 7,901)

...and Nokia boxes look quite cool and purposeful, though not as cool as the Watchguard Fireboxes, which are fire-coloured.
16 July 2001, 07:29 PM, #13
Chris L (Scooby Regular; Join Date: May 2000; Location: MY00, MY01, RX-8, Alfa 147 & Focus ST :-); Posts: 10,371)

Chris

I'm not knocking Sonicwall - their price/performance ratio is hard to beat. But I also know to take manufacturer figures with a pinch of salt. Stick the GX up against a serious Nokia firewall (say IP740) and I know which one will perform better, both in terms of throughput and peak connections. If your budget is limited, then Sonicwall offer tremendous value for money, but you do get what you pay for; if you want the ultimate in performance, I know what I would be picking.

Chris

[This message has been edited by Chris L (edited 16 July 2001).]
16 July 2001, 07:45 PM, #14
ChrisB (Moderator; Join Date: Dec 1998; Location: Staffs; Posts: 23,573)

Chris.

Oh yes, horses for courses. The GX is still quite new - I haven't seen it yet. It will be interesting to see how it gets on vs PIX, CP1, Nokia et al. in both lab tests and sales figures.

When we bought our SonicWall Pros we reckoned on replacing them with PIX or Nokia boxes down the line anyway.

ChrisB.

[This message has been edited by ChrisB (edited 16 July 2001).]
17 July 2001, 03:11 PM, #15
ChrisB (Moderator; Join Date: Dec 1998; Location: Staffs; Posts: 23,573)

Rich,

I just tried replying to your 2nd e-mail and it bounces straight back (unknown host).

I will try again later on.

Cheers,

ChrisB.

[This message has been edited by ChrisB (edited 17 July 2001).]
17 July 2001, 03:15 PM, #16
RichB (Scooby Regular, Thread Starter; Join Date: Apr 1999; Location: Bore Knee Muff; Posts: 3,666)

Yeah, we are having a fun week.
It should be OK again now...
Ta.
18 July 2001, 10:47 AM, #17
dowser (Scooby Senior; Join Date: Oct 2000; Location: Zurich, Switzerland; Posts: 3,105)

Hi All

Anyone know what's involved in gaining Checkpoint's CCSE certification?

More like Cisco's, or Microsoft's?

Cheers
Richard
18 July 2001, 04:51 PM, #18
DrEvil (Scooby Regular; Join Date: Oct 2000; Location: Surrey, UK; Posts: 8,384)

Without repeating the stuff about Nokia f/ws... if you need a proxy f/w, check out a product called Raptor on Solaris.

A supplier I've dealt with in the past has been very helpful in picking the right solution (Nokia, Raptor, etc.); they are based in Wokingham (Berkshire?) near Bracknell, and are called BTN (plc I think).

Rgds, Alex
19 July 2001, 06:39 PM, #19
Chris L (Scooby Regular; Join Date: May 2000; Location: MY00, MY01, RX-8, Alfa 147 & Focus ST :-); Posts: 10,371)

Richard

To gain the Checkpoint certifications (CCSA or CCSE - Certified Security Administrator or Engineer), you need to do a two-day course for each, plus an exam. Most training places do a one-day exam prep as well now. You will need to recertify after every major release of code (not minor releases).

Checkpoint have just rewritten their firewall and VPN software, called Checkpoint New Generation, so make sure when you do the training courses that they are covering the new version - otherwise you will need to get recertified.

Details at
20 July 2001, 06:50 AM, #20
dowser (Scooby Senior; Join Date: Oct 2000; Location: Zurich, Switzerland; Posts: 3,105)

Cheers Chris

Richard