RE: Nokia IP platform Versus Netscreen Platform

["Ofir Arkin" <ofir () sys-security com>]

Never claimed one is better than the other.

Never said Netscreen is not for real.

Never said I TRUST the PowerPoint.

All I said that one should not conclude that one is better than the other
just based "reviews", magic words "statefull inspection", or  his wish
thinking...
ALWAYS do a serious testing before concluding.

Never claim that Check Point is the ultimate solution...
If you know my previous posts you know I never claim that.

Hope this clarifies the things.

Ofir

-----Original Message-----
From: JVBrown [mailto:jvbrown () gte net]
Sent: Friday, June 01, 2001 6:43 AM
To: Ofir Arkin; David Pearl; firewall-wizards () nfr net
Subject: RE: [fw-wiz] Nokia IP platform Versus Netscreen Platform



Never lose sight of the fact that many times in technology circles....The
Convert becomes
the Fanatic !.
Seems like a heavy dose of FW-1/Nokia juice in play here.

A couple of comments are worth response.

Put a NetScreen box on your bench and see if you can bust it up, especially
the reverse
engineering effort !

If you, or anyone else has benchmarked GigNokia, we'd be really
interested in your observations. As of now, GigNokia runs only on a
Powerpoint platform.

Truth be known, very few have the gear required to conduct serious,
repeatable tests at
Gig speeds.

Happy are those that believe yet do not see...(or something like that from
Scripture...)

NetScreen is for real !  Just ask Nokia and Cisco SE's who they view as
their principal
competition.

Deny most,
allow a few.

jvb

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com]On Behalf Of Ofir Arkin
Sent: Friday, June 01, 2001 5:06 AM
To: David Pearl; firewall-wizards () nfr net
Subject: RE: [fw-wiz] Nokia IP platform Versus Netscreen Platform


David


> There have been a number of 3rd party articles on
> the two products...

> When I was evaluating fw/vpn for our network, I
> searched the web and found a number of articles on
> CommWeb, Network Computing, eWeek, Tolly
> Group, Network World, etc.

Well, until a box is not in my test lab and I myself test it...
I find these "reviews" sometimes misleading...

Marcus can tell you why :)


> NetScreen ranked high on all four counts.  Since both
> use Stateful Inspection, security was tight.

OH! G!
Statefull inspection is not bullet proof!
Netscreen claims they hold the last sequence number used...
How they hold the window size / sliding window?
How they synchronize themselves against TCP/IP stacks they guard?
How do they allow incoming packets?

Nokia don't have this ability as far as I know a.k.a. CheckPoint.

So there is a lot to check and verify before stating something.


> Although I ranked NetScreen a little higher because they use a
> non-commercial operating system

Holy smokes!
Security Through Obscurity!

> that can't be purchased and therefore, reverse engineered to find the
holes.

Let's buy one and reverse engineer the box itself :)


> Performance on the NetScreen is tops, bar none, due
> to their 3rd generation ASIC.

3rd generation asic... I don't think you might have the inner design? :)

> The Nokia boxes are really legacy-based PCs with CheckPoint software
> running on them.

True, BUT the new boxes can run at Gigabit...
Did you test these before concluding?


> NetScreen also has built-in SSH and SSL for secure
> management.

Nokia has this as well.


Don't make conclusions like this before REALLY checking out.


I don't claim this is good or the other is bad.
But did you included in your thinking the OPSEC program of checkpoint?
With big companies it do raise the check point side points.



Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards