Firewall Wizards mailing list archives

RE: Nokia/Checkpoint firewall


From: "Burden, James" <JBurden () caiso com>
Date: Mon, 24 Jan 2000 10:49:22 -0800

don Wang,

The saying, 'let routers route and firewalls firewall' pertains to this
piece of equipment.  I did not use it in a LAN to Internet situation but in
a LAN - Nokia - LAN environment.  

Things not to believe, to question, take into consideration:
* ATM interfaces - not ready for prime time, and neither is the throughput
* BGP4 - let routers do dynamic routing.  We experienced several dropped
routes, which required a reboot of the Nokia to re-learn them from the Cisco
routers.
* High-availability - I will caveat this by saying, as long as you are only
using it for 10BaseT or slower speeds, then you should be fine.  Otherwise,
the keeping of stateful connections does not work so well on high speed
lines (ATM, FE) where the 10BaseT connection between the two firewalls is
slower than the communication on the other interfaces.  The issues are when
the packet has already arrived at the FE/ATM interface but the Ethernet
interface has not learned about it yet.
* IP Classless addresses - I would further research this if you required.
We tried a /22 (255.255.252.0) supernet, and there seems to be a bug in the
ftp filter.  I do not know if the latest patches have fixed the bug.  It
turns out that the rule would work for 25% of the supernet, but not for the
rest of it pertaining to the data channel.  It would work for the
command channel!?
* Be wary of the licensing issues.  I have had countless issues with my lab
firewalls and production.
* Too many rules?  This one is odd, and I am still trying to get a good
answer.  We have made some changes in the rules, and then made another
change later in the rules to basically allow the same thing.  When reading
the logs, you would see it hit the high rule a couple of times, and then go
back to the lower rule (where it should have been allowed in the first
place).  This started happening around the 60th rule or so.

Yes, I have a foul taste in my mouth.  However, in the right
situation/environment it may fit your needs.  One of the reasons that we
chose the Nokia was the high availability.  19 hour backups across the
firewall with stateful connection was nice, and Cisco was (and still is)
talking about futures.  I do not know of any other company who is even going
that far.  Layer 2 firewalls may be able to perform this same luxury.

If you try it, I would like to know how you fare in 3, 6, 9 months.

Happy Hunting,
Jim

James L. Burden, Security Engineer and Architect
California Independent System Operator
Phone: 916.351.2243 http://www.caiso.com
41DF 0E4C 26E0 2FD3 8C81  A260 5C40 280E B4AE 7420
_____________________________________
  Know yourself, Know your enemy
     in a hundred battles you will never be in danger,
  Know the ground, Know the weather,
     and your victory will be total.    - Sun Tzu 
_____________________________________              
Disclaimer:  The above represents my personal opinions and not an 
official endorsement or position by the California ISO, my current 
employer.  I reserve the right to disavow them at my convenience.   
-----Original Message-----
From: don Wang [mailto:donwang () uac com]
Sent: Wednesday, January 19, 2000 12:50 PM
To: firewall-wizards () nfr net; donwang () angstrommicro com
Subject: Nokia/Checkpoint firewall


Hi,

Does anyone have any comments about the Nokia firewall solution which
uses Checkpoint?  I have looked at the Nokia web site and want to hear
any field stories that are available.

Thanks,
Don
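Jim's /22 supernet observation above (the ftp control channel working for the whole block, the data channel for only a quarter of it) is the kind of symptom worth auditing from the policy side before attributing it to a product bug. The script below is an added example, not code from the thread or from Nokia/Check Point; the rule set, addresses and service names are constructed, and the idea that a data-channel rule was entered with a /24 mask is a hypothesis used to show what a 25% match looks like, not the diagnosis from the list. It models first-match semantics with an implicit final drop and reports which /24 sub-blocks of a supernet a given service is not accepted from.

```python
from ipaddress import ip_address, ip_network, IPv4Network
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    service: str   # constructed service labels: "ftp" (control) / "ftp-data"
    action: str    # "accept" or "drop"


# Constructed policy (not from the thread). The control-channel rule covers the
# whole /22; the data-channel rule is hypothetically written with a /24 mask.
SUPERNET = ip_network("10.4.0.0/22")
FTP_SERVER_NET = ip_network("192.0.2.10/32")
FTP_SERVER = ip_address("192.0.2.10")
POLICY = [
    Rule(SUPERNET, FTP_SERVER_NET, "ftp", "accept"),
    Rule(ip_network("10.4.0.0/24"), FTP_SERVER_NET, "ftp-data", "accept"),
]


def first_match(rules, src, dst, service):
    """Return the action of the first rule matching (src, dst, service);
    an implicit cleanup rule drops anything no rule matched."""
    for r in rules:
        if src in r.src and dst in r.dst and r.service == service:
            return r.action
    return "drop"


def coverage(rules, supernet, dst, service):
    """Fraction of all addresses in `supernet` (network and broadcast
    included, so a /24 in a /22 is exactly 0.25) that the policy accepts."""
    accepted = sum(
        1 for a in supernet if first_match(rules, a, dst, service) == "accept"
    )
    return accepted / supernet.num_addresses


def uncovered_blocks(rules, supernet, dst, service, prefixlen=24):
    """Sub-blocks of `supernet` (default /24) that contain at least one
    address the policy does not accept for `service`."""
    bad = []
    for block in supernet.subnets(new_prefix=prefixlen):
        if any(first_match(rules, a, dst, service) != "accept" for a in block):
            bad.append(str(block))
    return bad


if __name__ == "__main__":
    for svc in ("ftp", "ftp-data"):
        pct = coverage(POLICY, SUPERNET, FTP_SERVER, svc) * 100
        gaps = uncovered_blocks(POLICY, SUPERNET, FTP_SERVER, svc)
        print(f"{svc:9s} accepted from {pct:5.1f}% of {SUPERNET}; gaps: {gaps}")
```

Run against a real policy export, the same check separates "the rule was defined for one quarter of the block" (fixable in the policy) from "the rule is correct and the enforcement point still drops three quarters" (a vendor issue); iterating every address of a /22 is only 1024 lookups, so it is cheap enough to run per service.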