Firewall Wizards mailing list archives

RE: Nokia/Checkpoint firewall


From: "Starkey, Kyle" <Kyle.Starkey () msdw com>
Date: Wed, 9 Feb 2000 10:37:43 -0800

WOW...
I didn't read my Wizards mail for a few days and I miss out on all the good
action.  I wanted to respond to the slew of remarks made on the Nokia.
Hopefully a numerical list format will be advantageous.

1) Hardware on my E250's:
Someone asked about the hardware I was running on E250's.  It is as follows
....
Solaris 2.6
2 X UltraSPARC-II 400MHz
512 MB RAM (4 by 128)

2) Manageability and Size:
This is my favorite part about these boxes.  The OS is truly tweaked as
some of the other list members have stated, I don't know exactly what
version of BSD was used (I think one of the Ipsilon developers stated it was
FreeBSD 2.2.6), but I can say it is very easy to migrate from one flavor to
another.  I installed the new OS image 3.2.1, upgraded Firewall version, and
installed SSH package on 4 new boxes yesterday. It took me approximately 45
minutes, TOTAL with these Nokia's, any other flavor boxes would have taken
hours to do the same.  As far as the size issue is concerned these things
are amazing.  I can fit 8 Nokia's and an E250 in a single Full size (72" x
19") rack and still have enough room for cable guides, the E250's are VERY
large and don't lend themselves to scaling.

3) Support:
I have called the tech support number at Nokia a few different times and I
have never spent more than about 5 minutes on hold waiting for an operator
(usually more like 60 seconds).  I have also never had to have anything
escalated, the level one support is good enough to help me with what I need
(most of you guys who are Unix gurus will not need any help at all on
these).  They have also given me access to the support website with all the
new packages and documentation to help me get on my way.

4) Price:
Bang for the buck, these things are great.  We got a pretty good deal on
ours cause we bought a whole mess of them, but they are comparably priced to
Enterprise class SUN hardware.

5) HA Solutions
While it is true that there are no options for the Stonesoft people with
the Nokia, I am sure that it will not be far behind, but in the interim the
VRRP does just fine for the failover solution.  I have also talked to
vendors from ArrowPoint Communications, Alteon and Cisco.  All of their
solutions have been very clever, but it seems a bit overkill.  If I have
VRRP running and one box goes down, the other machine will take over and I
can order new parts or a full replacement box if need be.  If I was really
paranoid well then I would buy an extra box and leave it sitting in a basic
config sitting on a shelf waiting to be used.  At the price I think this
solution would be much cheaper than any of the super deluxe routing
scenarios that would be a pain to set up and a pain to manage.

As far as the management station is concerned I keep it on a Solaris box,
the multitude of services and hardware that are available and will integrate
with SUN hardware and Solaris is nice to have.  I like to also send my
syslog fwlogs from my firewalls to my management machine that way I have a
single point to search the logs for people doing funny things to my servers.

I found this to be a great solution for me due to the enterprise size and my
lack of expertise in the Solaris realm.  Perhaps it is not the solution for
you, but if you are like me and have more things to do than you have time,
well then these things will free up some cycles for you to do other things
like read this list....

-Kyle
Information Security
MSDW Online


-----Original Message-----
From: Yin To Chu [mailto:ytchu () ozemail com au]
Sent: Wednesday, February 02, 2000 2:56 AM
To: Starkey, Kyle
Cc: owner-firewall-wizards () lists nfr net; ytchucwo
Subject: RE: Nokia/Checkpoint firewall


Kyle:

Can you tell the hardware configuration of the Ultra 250, i.e. memory, no.
of CPU and CPU speed?
There is only a Pentium II 450 CPU running FreeBSD 4.0 (optimized by Nokia)
in IP650. I read the spec. on Nokia GGSN (GPRS core element) which is IP650.

We got HA Ultra 450 server pair running FW-1 and StoneBeat? May save a lot
of money and space if Nokia box is that fast. Suppose the HA module works on
Checkpoint 2000.

I hope the cPCI ZNYX 4-port NIC for IP650 can do host based HA networking
with FreeBSD RAINLink driver. www.znyx.com. I am not sure.

Yinto

-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Starkey, Kyle
Sent: Tuesday, 1 February 2000 15:11
To: Wang, Daniel; firewall-wizards () nfr net; donwang () angstrommicro com
Subject: RE: Nokia/Checkpoint firewall


Daniel,
I don't know about the specifics of the hardware inside the Nokia's, but we
bought IP650 and replaced SUN E250's.  We saw 3 times the packets being
processed on the Nokia's running the SAME rule set.  I would say that the
slimlined, BSD kernel is well tuned to inspect and forward packets.  This
was out of the box and I believe with a bit of policy tuning I can see a 4x
multiplier on the Nokias.

-Kyle
InfoSec
MSDW Online

-----Original Message-----
From: Wang, Daniel [mailto:daniel_wang () tds com]
Sent: Tuesday, January 25, 2000 9:41 AM
To: firewall-wizards () nfr net; donwang () angstrommicro com
Subject: RE: Nokia/Checkpoint firewall


I didn't work with it myself much, but when we tried them here the power
supplies failed at an alarming rate. We had two replaced under warranty in
just the short time we were using it.

I don't know about performance under high load, but FYI the hardware is a
standard ATX PC motherboard with a P2-300 processor, and the OS is a
modified version of FreeBSD. You could expect about the same performance as
the equivalent PC.

-----Original Message-----
From: don Wang [mailto:donwang () uac com]
Sent: Wednesday, January 19, 2000 12:50 PM
To: firewall-wizards () nfr net; donwang () angstrommicro com
Subject: Nokia/Checkpoint firewall


Hi,

Does anyone have any comments about the Nokia firewall solution which
uses Checkpoint?  I have looked at the Nokia web site and want to hear
any field stories that are available.

Thanks,
Don


