Firewall Wizards mailing list archives

Re: RE: Firewall-1 platforms


From: "shawn . moyer" <shawn () net-connect net>
Date: Tue, 06 Mar 2001 14:16:02 -0600

"Kalat, Andrew (ISS Atlanta)" wrote:

> Fourth, with dual Sun boxes, and a good fail over product like StoneBeat, I
> believe you can do load balancing of traffic between both Sun boxes. As far
> as I know, you can't do load balancing between two Nokia boxes yet.

Oh, but you can! :) Not a huge fan of the Nokias (pretty pricey as far
as bang for the buck -- I'd like to see FW-1 support *BSD... then I
could build my own appliance for 1/3 the cost), but at a previous
employer we chose the Nokias over Stonebeat and Sun gear because of the
excellent failover support.

Nokia's boxen do VRRP (Virtual Router Redundancy Protocol) with state
shared between firewalls without having to add a third party app. This
is also cool because it will interoperate with other gear that talks
VRRP, like Foundry, etc.

YMMV, but (better put on my asbestos pajamas!) in my experience Nokia's
VRRP is simpler to configure and more robust than Stonebeat.

This is not to say Nokia is the way to go; in our particular situation
it made sense, but if you're comparing to Sun, either way you're looking
at pretty hefty dollars.

On the Linux side, if I recall correctly the only supported distro was
Red Hat, so if you're considering going that route, make sure you
implement as many OS security measures as possible. You definitely want
a minimal install, followed by some hardening scripts -- you might give
Bastille a try:

http://www.bastille-linux.org





--shawn

-- 

s h a w n   m o y e r
shawn () net-connect net

Man will occasionally stumble over the truth,
but most of the time he will pick himself up and continue on.

                                        -- Churchill
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

