Firewall Wizards mailing list archives

RE: Firewall-1 platforms - Performance, etc.


From: Peter Lukas <plukas () oss uswest net>
Date: Fri, 9 Mar 2001 14:58:40 -0600 (CST)


CheckPoint only supports RootHat 6.2, but most are free to whip out the
zig-zags and roll their own Linux CP-based firewall if they've got the
time.

I'll be inclined to agree with previous comments regarding the stability
of Sun hardware as well as the convenience of Nokia's configuration.

I do take issue with the bottom-of-the-barrel hardware deployed on Nokia
systems (even most bargain-basement PC's don't use WD hard drives these
days!).

I also feel Linux to be inferior when handling a bombardment of concurrent
network connections.  A *BSD would be much more suitable for such an
environment -- unfortunately Nokia's closed business model surrounding
IPSO and their CheckPoint binaries prevents me from building a *BSD-based
CP Firewall on more capable hardware.

Has anyone tried running the Nokia CP binaries against a *BSD != IPSO?
Did they modify the runtime libraries entirely or is it possible to "roll
my own?"

VRRP for free is highly attractive.  StoneBeat's High Availability works
very well and can be configured for load *sharing* for an effective
throughput capacity of 2X the capacity of a single system.  Their
FullCluster and other similar load-balancing solutions can *never*
surpass the maximum of the multicast interface they represent.  The
theoretical maximum in these multicast scenarios is the limitation of a
single interface (not (n)X interface capacity as most literature would
have one believe).

Hardware encryption (IMHO), leaves quite a bit to be desired.  Most
encryption accelerators use an aging Intel SA-110 processor.  While in
its day, this was a good place to off-load encryption, I've only been able
to notice a 2-3X increase over no acceleration.  Using the CAST algorithm
proved much more speedy than 3DES with acceleration.  I am not aware of
the technical or security merits one has over the other, though.

I have seen a soft-VPN accelerator which will utilize a second CPU for VPN
processing.  This may prove a dynamo as the second processor in most
systems could effectively surpass a SA-110.  Has anyone had any experience
with these?

I have also noticed that the majority of firewall testing is not balanced
or unbiased in the comparisons made.  I suppose that real-world examples
of firewall bombardment would be more applicable when choosing a
particular platform.

Without getting into a firewall muscle-flexing contest, I offer the
following real-world example and encourage others to do the same:

I have a number of Sun/Solaris configurations in networks that average a
sustained throughput of 15-20Mbps with an average of 12-16000 active
connections in the state table.  These systems peak around 86Mbps (only on
large network backups).  None of them utilize load-sharing or
load-balancing.  None run dynamic routing protocols or other intensive
applications.  They are all based on UltraII 440MHz processors, 256MB
memory and 66MHz Quad FastEthernet adapters (a Sun Ultra60/Netra t1125).

I'd be interested in what other people have experienced - what worked,
what worked well, what didn't work at all.

Peter Lukas



On Tue, 6 Mar 2001, Joe Ippolito wrote:

Some things that Nokia does do:

VRRP (Virtual Router Redundancy Protocol) - HA without additional cost.
IPSO OS-level Flow Control, BGP, and a management interface for OS-level
stuff and software license and patch-level management.
No hardware encryption ...yet -stay tuned.

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com]On Behalf Of Kalat, Andrew (ISS
Atlanta)
Sent: Tuesday, March 06, 2001 8:28 AM
To: 'Smith, Gary (SCOTAM)'; 'firewall-wizards () nfr com'
Subject: RE: [fw-wiz] RE: Firewall-1 platforms


Hello Gary,
Nokia is a good platform for FW-1, but there are some things to keep in mind.

First, Nokia often lags in patch release. Often, you'll see a few weeks
between the time a patch/hotfix/service pack comes out for the Sun version
of FW-1 and the Nokia version.

Second, Nokia is based on BSD. My understanding (could be wrong) is that
Checkpoint is asking all application vendors to now run the Linux version of
FW-1. This would mean that conceivably at some point Nokia will have to
switch from BSD to Linux. This *is* speculation on my part, but it seems
reasonable.

Third, Sun is much faster at DES encryption throughput than Nokia (however,
Nokia seems to win in raw packet passing speed.) Also, I don't believe the
add on cards for encryption acceleration support Nokia yet, but I'm not
certain on that...

Fourth, with dual Sun boxes, and a good fail over product like StoneBeat, I
believe you can do load balancing of traffic between both Sun boxes. As far
as I know, you can't do load balancing between two Nokia boxes yet.

Just some of my random thoughts and considerations. But, like I said,
overall, Nokia is a good platform, depending on your needs.

-Andrew Kalat

Note: Comments are my own, not my employers, yadda, yadda...

-----Original Message-----
From: Smith, Gary (SCOTAM) [mailto:gary.smith () ScottishAmicable co uk]
Sent: Tuesday, March 06, 2001 5:45 AM
To: 'firewall-wizards () nfr com'
Subject: [fw-wiz] RE: Firewall-1 platforms


David+others:

We are looking at putting in two Nokia Firewall-1 appliances with VRRP
failover.  Aside from cost, can you share any of the potential reasons that
you had for discounting Nokia as a platform?

--Gary;




-----Original Message-----
From: David Lang [mailto:dlang () diginsite com]
Sent: Friday, March 02, 2001 4:36 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Firewall-1 platforms


I am looking at putting in a couple Firewall-1 boxes and am debating
between the various hardware platforms.

The Nokia appliances are a distant third choice due to a number of reasons
(cost being one of them) but I don't have much info to help me choose
between running Firewall-1 on Linux or Solaris.


**********************************************************************
Information contained herein is the sole responsibility of the Individual
sending the message. No responsibility is admitted by Scottish Amicable
for any loss or damage incurred through use of the email. In addition, no
statement should be construed as giving investment advice within or
outside the United Kingdom.
An email reply to this address may be subject to interception or monitoring
for operational reasons or for lawful business practices.
*********************************************************************
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
