Firewall Wizards mailing list archives
Re: Solaris router vs. Cisco IOS
From: TC Wolsey <tc () thebiz net>
Date: Mon, 15 May 2000 11:24:16 -0400 (EDT)
On Tue, 9 May 2000, Richters, Eriks wrote:
> I got into a debate with someone today about the use of a Solaris box running Checkpoint Firewall-1 as a router, as opposed to using a real Cisco router for routing and a solaris box with Firewall-1, to accomplish the same task. Does anyone have any opinions on this?
Well, a Solaris/FW-1 box _is_ a router, it just may not be as full featured as the "real" Cisco (are there fake ones?) although it certainly could be more so. This is really an open question but you did ask for opinions. Like any piece of critical infrastructure the router and FW must be configured and maintained to be really useful. If you have a great deal of experience with only one of these platforms then I would suggest that you leverage that. Here are some thoughts WRT common design criteria:

- performance: for small to modest throughput either solution should be reasonable. The Cisco will offer much more density and throughput at the high end (i.e. 100s of PPP sessions or Packet-over-SONET). I think that routing performance is not usually a primary concern at the boundary b/w security domains.

- availability: both solutions can make use of load-sharing and redundant hardware. Both solutions also support the use of dynamic routing protocols and HSRP/VRRP for data-link gateway failover. The Cisco solution can support a spare CPU/processor board in a single chassis, I am not sure about the Solaris/CP combo (dependent on the hardware platform).

- manageability: well, for the routing part at least you are looking at a CLI either way. Syntax for both IOS and gated is pretty arcane. IOS offers a way to give individual users varying privilege which may be useful if there are many administrators. Administration of gated.conf may mean root privilege on the FW, which may be fine as long as the FW and router admin are the same person(s). The IOS interface will present all the information WRT routing, interface state, etc. in one interface - Solaris/CP will require at least the use of something like ndd, netstat -s and the ability to read trace logfiles.

Some random thoughts: a Solaris/CP solution can probably fit in a smaller physical space than the separate FW/router combination - important if you are in a CO or colocated rack space. The separate FW/router combo represents two separate points of failure, but also two points where policy (routing and security) can be applied independently. In each scenario you will need to have multiple vendor support - to what degree is hardware/software support available wherever the equipment and admins are located? There is a reason that CP took over distribution of the Nokia solution - I personally am fond of Solaris, CP FW-1 and Cisco IOS but I would definitely consider the CP/Nokia solution also - one box with one support source (and a whole lot of closed-source code).

Regards,
tcw
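The two IOS points raised in the reply above, per-user privilege levels for administrators and HSRP for gateway failover, as an added configuration example. This is not part of TC Wolsey's post and not taken from Cisco documentation; the hostname, usernames, interface name and the 192.0.2.0/24 addresses (TEST-NET-1) are constructed, and the secrets are placeholders to be replaced:

```cisco
! Added example, not from the thread: constructed IOS config for
! (1) restricted vs. full administrator accounts and (2) HSRP failover.
hostname border-rtr
!
service password-encryption
! Full administrators use level 15; a read-only operations role uses level 5.
enable secret level 15 <REPLACE-WITH-STRONG-SECRET>
enable secret level 5 <REPLACE-WITH-STRONG-SECRET>
!
! Commands lowered to level 5: routing/interface/HSRP state, no config changes.
privilege exec level 5 show ip route
privilege exec level 5 show ip interface brief
privilege exec level 5 show standby
privilege exec level 5 show logging
!
! Local accounts drop straight into their privilege level (constructed names).
username netops privilege 5 secret <REPLACE-WITH-STRONG-SECRET>
username netadmin privilege 15 secret <REPLACE-WITH-STRONG-SECRET>
!
! HSRP group 1 on the inside interface; the peer router holds the
! same standby ip with a lower priority (addresses are constructed).
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string <REPLACE-WITH-KEY>
!
line vty 0 4
 login local
 transport input ssh
!
```

After logging in, `show privilege` reports the level a session landed in, and `show standby` confirms which router is active for the group. Only the commands explicitly moved with `privilege exec level 5` are visible at that level, which is what gives the separated routing-admin role that the reply contrasts with needing root on the FW to edit gated.conf.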
Current thread:
- Solaris router vs. Cisco IOS Richters, Eriks (May 12)
- Re: Solaris router vs. Cisco IOS Ryan Russell (May 14)
- Re: Solaris router vs. Cisco IOS TC Wolsey (May 15)