[geeks] Firewalls...

Chris Byrne geeks at sunhelp.org
Thu Mar 22 12:19:24 CST 2001


Nokia my friend, nokia.

I'm a CCSA, CCSE, and CCSI as well as an NSA and NSI, and an MCNS. I've done
something on the order of 2,000 FW-1 installs (I was the lead on a project
installing 1200 of them) on every platform and I can say without any doubt
that Nokia is the way to go.

Don't bother trying to run FW-1 with gig e, the most throughput you'll see
out of it is about 240mb. Checkpoint released a doc showing a custom built
linux box with a special kernel and two gig e's got 400mbit, but you are
much better off using multiple fast ethernet interfaces, and plugging
your subnets directly into the firewall rather than concentrating them or
routing them first.

The biggest problem with Linux right now is their support situation.
Basically it's a "Oh yeah it'll run but we don't know how to support it". And
of course there's no Linux gui (not a big deal) and most of the OPSEC
integration packages don't run on Linux yet (VERY big deal).

Nokia is faster, not much more expensive, and better supported.

I've done a lot of testing between Nokias and Sun boxes and here's what I
came up with:

IP110, 64mb, 3 interfaces - Roughly the same firewalling performance as a U10
with 512 megs of RAM

IP330, 128mb, 5 interfaces - Roughly the same firewalling performance as an
E250 with 512 megs of RAM

IP440, 256mb, VPN card, 2 qfe - Not much faster than the IP330, more sessions,
and gives you a shitload of expansion options (5 pci slots and 4 drive bays)

IP650, 512mb, VPN card, 2 qfe - Roughly the same firewalling performance as
an E450 4400 with 1 gig of RAM

The biggest factor in FW-1 performance is RAM not processor speed or count
(FW-1 has minimal multi-processor capabilities)

Chris Byrne



-----Original Message-----
From: geeks-admin at sunhelp.org [mailto:geeks-admin at sunhelp.org]On Behalf
Of Will Mc Donald
Sent: Thursday, March 22, 2001 05:52
To: geeks at mrbill.net
Subject: [geeks] Firewalls...


Firewall-1 on x86/linux. Good idea? Bad idea? Discuss.

Our old sparc based firewalls are beginning to creak a bit, personally I'd
like to replace them with bigger, better sparcs but as is always the way our
budget probably won't stretch to much.

For the price we'd pay for a couple of 220Rs, 250s or 280Rs kitted out with
adequate RAM and enough NICs to suit the site we could probably buy decent
PC based servers for 1/10th the price, maybe a little more but not far off.

By my estimation a suitable Sun box looks like it'll probably cost around
20 - 25k, E280R with 1 x 750 MHz processor, 1 Gig RAM, 2 x 36 Gig disk, 2
QFE and 2 gig ethernet cards.

PC based solution with a couple of Quad Ethernet cards, Gig ethernet cards,
Ultra 160 SCSI and a gig or two of RAM could probably be built for about 3k
using quality components throughout.

So is it worth it? Does anyone know how stable the latest FW-1 is on linux?

Will.


_______________________________________________
GEEKS:  http://www.sunhelp.org/mailman/listinfo/geeks