Firewall Wizards mailing list archives
RE: PIX vs Checkpoint vs Sonicwall vs Netscreen - comm e nts?
From: David Klein <dklein () netscreen com>
Date: Fri, 2 Aug 2002 14:26:49 -0700
I feel inclined to respond, that in such large enterprise/service provider environments don't use a $500 Netscreen-5. For these types of environments you would be using NS500 or NS5200 which support tens of thousands of policies. Dave Klein Netscreen SE
-----Original Message----- From: Nimesh Vakharia [mailto:nvakhari () clio rad sunysb edu] Sent: Friday, August 02, 2002 2:57 PM To: Gregory Austin Cc: Gregory Austin; firewall-wizards () honor icsalabs com Subject: RE: [fw-wiz] PIX vs Checkpoint vs Sonicwall vs Netscreen - comme nts? I feel inclined to point out, that in large enterprise/service provider environments I've seen the total number of rules grow into the thousands even after regurlar bi-monthly cleanups. There are instances where you have a ton of extranet partners with VPN/leased line connectivity which need to be filtered and have very unique requirements or the latest and greatest concept of having a shared firewall model where service providers manage firewalls for lets say a hundered customers with one device through virtual instances of firewalls/policies etc. In both scenarios the effective number of rules can effectively grow over time. Yep and some of the firewall GUIs fail miserably for management, and security admins have to revert back to the traditional text based import/export/tftp integrated with cvs ways of managing the rule set. Just my 0.02 cents of what i've seen out there... Nimesh. On Thu, 1 Aug 2002, Gregory Austin wrote:All, I'm glad someone else has already answered this(fairly silly)Checkpoint propaganda stuff. But just to inject some realworld experienceinto this discussion, I must note that I've never had anyissues with theASIC rules limit at any of the Netscreen deployment/supportprojects that Ihave worked--including several at large (>2000 seats) customers. In my past message I refrained from even mentioningthe technicalproblems I've encountered over the years with Firewall-1.I didn't want todescend into the mire of the almost religious hysteria thatsome peoplehave when it comes to defending their favorite product. In Frank's company's case the favorite product is obviouslyCheckpoint, take a lookat: http://www.locked.com/products/#Firewall. The"firewalls and VPNs"list contains Checkpoint and, well, ... Checkpoint. It'ssad that we can'tever have constructive conversations about actualcapabilities/expenses ofthese devices without someone starting off on avendor-centric jihad.Besides, how many rules do you want your customers tohave? I'vespent most of my security consulting career trying to stompout bloatedrulebases that have grown that way over time. There issomething to besaid for not making something so hard that you causeyourself to makemistakes, after all. Let's all try to be objective, Greg Austin CISSP, CCSE, etc. At 01:08 PM 8/1/2002 -0400, Frank Darden wrote:I will add my 2 cents on the Netscreen side. I recentlybecame aware ofserius weaknesses in the Netscreen product. I have a paper which outlines the issues and problems with the Netscreenfirewall. If yourchoice is between Check Point or Netscreen, I wouldstrongly urge you toread the information below carefully. Please send your comments/questions my way. Frank Basically what it boils down to with Netscreen is the following All NetScreen appliances rely on custom-designed ASICs (Application Specific Integrated Circuits) for security policy enforcement. Appliances cannot be field upgraded to accommodate new oradditionalASIC devices. Each NetScreen ASIC is limited to the size of securitypolicy it cansupport. Once customers reach this limit they are unable to expand their security policy to meet future needs. The NetScreenappliancecontinues to function, but no additional rules can be added to the policy. NetScreen is aware of this limitation and provides a utility for customers to check the remaining capacity of the ASICbefore hitting thelimit. NetScreen's recommended resolution is to eitherredesign thesecurity policy to meet the unique constraints of the NetScreen appliance or upgrade to a more expensive NetScreen productas well aspay for the software license again. NetScreen customers are adversely affected by this designconstraint.There are no other known security/VPN products in themarket that haveinherent limitations to the size of policy that can be defined and enforced. Problem Details: Each NetScreen ASIC (i.e. MegaScreen, GigaScreen and GigaScreen II) supports a finite number of "rules" or "policies" (N). Ifthe additionof a single rule beyond the hard limit is attempted (N+1),the NetScreendevice operator sees the following error message: "The Maximum Number of ASIC rules has been reached. Cannot add this policy" At that point the operator cannot add any more rules tothe securitypolicy. This limitation restricts granular access control and, therefore, the security of the network. Term definition: ASIC Rules NetScreen uses the terms "policies", "rules" and "ASICrules" somewhatinterchangeably. An ASIC rule is defined by the following equation: (reference from NetScreen support site provided at end ofthis document)#Asic rules = #source addresses * #destination addresses *#servicesNote that the number of ASIC rules consumed is not the sumof individualobjects, but the product of those objects used in a rule.This has theeffect of consuming the finite number of ASIC rules rapidly. Groups The terms "Grouping" and "Groups" refer to a NetScreenfeature by whichseveral servers or gateways (e.g. individually defined webservers orbranch office locations) and services (e.g. FTP, FTP get,FTP put) arejoined to one logical name, for instance "Web Servers","Branch Offices"or "FTP Services". It is common for securityadministrators to grouplike objects to facilitate the definition of security rules. For example, an object may be created that includes all company web servers. The security administrator can use this objectwhen definingthe security policy, rather than including separatesecurity rules foreach web server. This useful feature makes the creationand subsequentediting of security rules more efficient. Surprisingly, the use of groups in a NetScreen policyresults in FEWERASIC rules being available to the security administrator.Although theuse of group objects provides efficiency to the administrator, it rapidly exhausts the number of ASIC rules available to NetScreen customers. A practical example The NetScreen 100 has a rule limit 733 applying to trafficoriginatingfrom an external interface (Internet) to the DemiliterizedZone (DMZ).The following is a NetScreen rule base showing a group of 10 branch offices granted access to mail, FTP and web-based serviceshosted by 10separate servers located on a company's DMZ. The service groups have been defined as follow: Web and FTP Services: HTTP, HTTPS, FTP, FTP-Get, FTP-Put Mail Group: SMTP, POP3, IMAP, HTTPS Teleconferencing Services: H.323, NetMeeting All other services are pre-defined within the NetScreen device. The rulebase as shown uses 732 ASIC rules. At this point, the device will not allow the addition ofany more rulesno matter how simple. Adding another branch office ortrying to giveremote access VPN users access to the DMZ, yields thefollowing message:NetScreen Response to Customers Recently NetScreen acknowledged the policy limitation in amailing topartners. The Company contends that the security policylimits will notaffect customers as long as the right device is selected for the application. This is a highly unconventional design approach. Since granular access control translates to degree of security, imposing limits on the number of rules is effectively restrictingsecurity forany size deployment. The restriction also requires thatcustomers andresellers be aware of the ASIC limits per platform beforepurchasing, sothat they can perform the complex calculations which wouldguide productselection. Assuming that this is even feasible given an existing security policy, it is not an approach which accounts fornetwork growthor expansion. NetScreen has implicitly admitted this by promising toextend the limitsin a future release. It is clear however, that since thelimits are tiedto the ASIC type that these restrictions will always beimposed. It isalso likely that extending the limits may affect the advertised performance of the devices since according to the company: "What is important is that a NetScreen device with it's ASIC-based security acceleration functions, can maintain predictably high performance at the indicated policy count levels." (excerpt from NetScreen channel partner mailing) NetScreen Technical Support Posting--------------------------------------------------------------------------------DOC #: 549 Subject: Maximum number of policies Question: I am configuring the firewall, and I don't have too many policies. However, I get the following error message:Policy: Can't additem. Asic limit reached What does this mean? Answer: Check and see if you are using the "Grouping" feature on address books and services. If you are, then you have reached the policy limit on the Netscreen. Internally, the Netscreen logs policies on the ASIC ACL.You can checkthe capacity of your Netscreen by telnetting into thedevice and enterthe command, get policy <out|in|todmz|fromdmz> asic This will give you the total number of policies available in that direction, the number of policies currently configured,and the numberof policies remaining. To calculate how many ASIC ACL rules are used, do the following: #Asic rules = #source address * #destination address * #services The number of policies enforced due to groupings multiplyas you addmore entries per group. https://www2.netscreen.com/cgi-bin/restricted/sla/kb.cgi?1?549?2---------------------------------------------------------------------------- DOC #: 569 Subject: Maximum Policies for Netscreen 5 Question: How many policies can a Netscreen 5 handle? Answer: The Netscreen 5 can only handle 95 policies total. https://www2.netscreen.com/cgi-bin/restricted/sla/kb.cgi?1?569?2 ======================================= Frank Darden Chief Technology Officer Mission Critical Systems 3320 NW 53rd St. Suite 202 Fort Lauderdale, FL 33309 Phone (954)766-2550 x203 Fax (954-766-2580 AIM/MSN FishinCritical =========================================== -----Original Message----- From: Gregory Austin [mailto:greg () austinconsulting com] Sent: Monday, July 29, 2002 10:28 PM To: firewall-wizards () honor icsalabs com Subject: RE: [fw-wiz] PIX vs Checkpoint vs Sonicwall vs Netscreen - comme nts? Hello all, Felt I too had to throw my $0.02 on this littleCheckpoint versusNetscreen discussion. I work for a security servicescompany, and wesell a whole bunch of Checkpoint. I touch a whole bunch ofCheckpoint, quitea bit of PIX, and a little bit of Netscreen, Watchguard,etc.--but that'schanging. In my experience the Netscreen product is notonly vastlysuperior to Checkpoint in terms of price and performance, but the company actually seems to be working to improve their product(unlike Checkpointand their latest piece of betaware, No-Go). On performance consider this: I have a customer who put in 100mbps service between their major metro sites on one of those big fiber carriers. They want the traffic between the sitestunneled. For closeto the same money it would cost them to get tiny little NokiaIP-120's thatcan only push <3mbps VPN traffic, they can get Netscreen204's that canpush >100mbps of VPN traffic. Good central management is nice, agreed, but is itworth gettingbent over on the price? Any way you look at it, rape is thebest term todescribe their licensing. I will admit that you can'tbeat Checkpointwhen it comes to interoperability, though. Through all of their OPSEC alliances they've built up a huge stable of products that will play (mostly) nicely with FW-1. Also, consider another reason to not go Checkpoint.The last timeI remember a company with this big a market share being thisarrogant andmaking this many bad moves was Novell in '93. They'll beable to coastfor 5 or 6 years on declining market share alone, but I can'timagine a rosyfuture for them unless something changes. When you canbuy technicallysuperior better performing products for vastly less moneyit's only amatter of time before the market gets a clue. Just my opinion, certainly not that of my employer(party line:We love Checkpoint!), Greg _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: PIX vs Checkpoint vs Sonicwall vs Netscreen - comm e nts? David Klein (Aug 02)