Firewall Wizards mailing list archives

Re: Nokia interview questions


From: Peter Lukas <plukas () oss uswest net>
Date: Wed, 26 Sep 2001 10:12:15 -0500 (CDT)

On Tue, 25 Sep 2001 black () galaxy silvren com wrote:

> As far as the hardware goes, what it runs really makes no difference as
> long as it gets the job done. It makes no difference to me if it's running
> a celeron, a pentium 4, a custom built chip or a strongarm. If you buy a
> decently sized Nokia, like an IP650 then it should be able to handle

I agree, Nokia does sell best-of-class PC hardware in their larger
devices, but those end up costing more than a Sun equivalent. If price is
paramount, Nokia has a hard sell there. Like I said though, "Nokia has it
figured out as far as hardware requirements go."

> pretty much anything you throw at it unless you're dealing with gigantic
> amounts of data. They do make gigabit interfaces for the Nokia firewalls,
> and while I haven't seen any specifics on benchmarking, I don't think the
> manufacturer would make an interface for their product if it could not
> stand up to the bandwidth reasonably well. You may choose to argue this
> point.

You mean you didn't buy CheckPoint's benchmark of the Linux Ferrari, Sun
Oldsmobuick, Nokia Ford Escort and NT Lexus? :-) Of course, they follow
their 250Mbps/3DES nonsense with "ample for most T1's." Of course, I've
always maintained that folks spend the national deficit building fast
firewalls so they can cram 100GB of traffic up their cocktail straw DS3!
;-)


> The Nokias can also include redundant fans and power supplies, as well as
> hot swap cards. This is pretty different than a bargain basement PC.

True, but once again only in their top-o-the line model$.

> I agree that for the majority of cases, your firewalls will only need to
> support static routes and not need dynamic routing. Do you happen to have
> a rough idea of how much extra dynamic routing costs? And is it purchased
> as an entire package, or on a protocol basis? I see that it supports RIP
> and OSPF, among others.

I'm not sure. The conversation with the Nokia rep ended when he said:
"Yes, but with an unsupported add-on at an extra cost." Of course, this
was two years ago. I'd hope things have changed since then.

> I'm not sure what you're driving at with the expensive management being
> perl scripts. IPSO actually includes a version of tcl for all its
> scripting, which is used in the Voyager web interface. I've never had to
> purchase any additional scripts to manage the Nokias. Could you please
> clarify this?

I seem to recall an account management system they were trying to sell us
for distribution across multiple systems. It was little more than a couple
of perl scripts bundled with ssh authorized_keys. Their Voyager utility
is quite skilled at getting the job done.

> I also disagree that "management may be easier for the entry-level
> firewall admin." There is no OS to harden, in contrast to NT, Solaris, and
> Linux. To me, that translates to "easier to manage for all admins." Need
> to upgrade a package or move to a new version of IPSO? Simply ftp the
> image or package to the Nokia and make it active. Piece of cake.

I guess it depends on the scenario. For a 1 firewall installation site,
the Nokia's got admin components scaled down to a manageable level. For a
distributed firewall management situation, where the firewall admin has
hundreds of firewalls and must choose the best platform for the job, the
Nokia will do well, but so will a crafted firewall distribution of
Linux/NT/Sun. And that's just what the Nokia product is: A crafted
firewall distribution of FreeBSD.

> The rest is pretty on the mark, the only other advice I'd give is to not
> let "flows" be a major factor in choosing Checkpoint. So far, flows has
> caused nothing but grief, and I don't know of a single person that has
> chosen to implement it. Especially in HA situations, it is a disaster.

Agreed. Another drawback of porting the code to an alternate OS (although
the native implementation of it sucked, too :-) ).

Peter

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

