Firewall Wizards mailing list archives

RE: Comments from Checkpoint on Nokia load balancing


From: "Kalat, Andrew (ISS Atlanta)" <akalat () iss net>
Date: Sun, 11 Mar 2001 15:30:38 -0500

Hey Roger,
        Thanks for giving us Checkpoint's thoughts. One thing I keep hearing
people say is to use Load Balancing hardware (switches, whatever) to achieve
a true load balanced situation with Nokia's or others. There are a few
problems there, in fact, I'm not sure it would work at all. 


It is true that currently Nokia service packs, patches etc are released a
little bit after Sun and NT versions.  The goal is two weeks.  As of now,
both Nokia and Check Point are dedicating more resources to getting this
process speeded up.

Great to hear. Mind you, this may not be a big deal for a lot of folks, but
I get worried if an announced vulnerability is out there for 2 weeks and I
can't upgrade my code on my most critical security piece. I'd love to see
the day when Checkpoint releases patches on all platforms at the same time,
but only if they can achieve that by not delaying much needed patches on any
of the platforms. I know, I know, asking for a lot there... 

Check Point is not asking all appliance vendors to run on Linux.  The
criteria used in selecting an OS for a "Secured by Check Point" appliance
are performance and cost.  In many cases, Linux turns out to be the best in
both areas

Ah, guess I had some bad info in this area. Good to have that cleared up. 


According to the figures I've seen
(http://www.checkpoint.com/products/vpn1/vpn1perfdata.html), Sun is only
slightly faster on DES encryption.  The Chrysalis Accelerator card is
currently available for Nokia and the release of the Broadcom card for
Nokia is imminent.

True, but you start to add additional cost then to the Nokia platform. This
lessens the attractiveness of the price savings on the Nokia platform. By the
by, I've heard the Broadcom board is MUCH happier than the Chrysalis. I
guess they've had some problems with the Chrysalis, but the Broadcom is
supposed to work like a champ. I haven't used it yet myself, so this is just
what I've heard...


Yes, this is true.  However, there are also other options such as load
balancing switches etc.
http://www.checkpoint.com/opsec/performance.html#HA_Load_Balancing


True, but again, be sure to compare the costs. If you have to add on an
encryption board, plus two HA/LB switches (one for the inside and outside I
would expect, then let's think about any DMZ's...) I wonder if the cost
savings is still there. 

Again, I like the Nokia platform, I just think it can't do everything the
Sun platform can. However, if used in the right circumstances, you save
substantially with the Nokia route. Just make sure you're using the right
tool for the job. 

-Andrew Kalat
Note: The thoughts are my own, and not my employer's...

PS. Off to the Checkpoint Conference in Nashville. Hopefully I'll see the
latest and greatest stuff. If anyone else is going, maybe I'll see you
there. 
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

