Firewall Wizards mailing list archives

Re: Nokia interview questions


From: Peter Lukas <plukas () oss uswest net>
Date: Mon, 24 Sep 2001 11:07:48 -0500 (CDT)

*Dons Flame Suit*

The Nokia experience consists of Intel-based hardware running a FreeBSD
orphan. Nokia figured out precisely what is required of a CP firewall and
assembled a modest platform onto which the software is installed.

A brief pro/con list and justification follows:

Pro:
+ Cost - hardware isn't expensive.
+ High Availability - No extra cost thanks to VRRP (may not be available in
  all network scenarios, though)
+ WAN capabilities - Available on Sun and Linux as well, but only utilized
  about 10% of the time, anyway.
+ Management - Simple to set up (virtually works out of the box).
+ Scalability - Distribution of multiple units is relatively simple.

Con:
- Hardware - Intel Celeron, Western Digital Hard Drive, platform is akin
  to those found in a "Bargain Basement PC." Upgrading to more capable
  hardware will void any support from Nokia.
- Networking - No dynamic routing (not necessary on a firewall, anyway).
  It is available through an unsupported, expensive add-on from Nokia.
- Management - Tools are expensive perl scripts - they get the job done
  relatively well, but at a price.
- Cost - For the assembled hardware, Nokia still managed to charge a
  premium for the hardware and CP license
- Availability - CP revs and patches are relatively slow to release as the
  code must be ported from the original to the FreeBSD orphan.

Overall, the Nokia platform costs about as much as a more fault-tolerant
Sun solution. Management may be easier for the entry-level firewall admin
which is a big plus on distributions consisting of multiple firewalls and
low overhead.

The lack and slow-to-market release of patches and support may be a
showstopper. Another thing to nit pick over is the fact that the software
must be ported to the alternate OS. I have heard rumors of both a
synchronous release practice by CheckPoint and that they're (CP)
writing/developing on Linux which means that both Sun and Nokia are
ported from the original. This portion of the argument may be moot as of
CheckPoint NG.

High Availability is available on all platforms. Native on Nokia via the
Virtual Router Redundancy Protocol (VRRP). With some extra effort, VRRP
will run on both Sun and Linux CheckPoint installations. The StoneBeat HA
product provides best-of-class high availability for the Sun at a very
high cost. The new StoneBeat clustering software may or may not provide
the desired results (it's available for both Sun and Linux). CheckPoint's
high availability is not worth looking into (in my opinion).

Personally, I've stuck with Sun for its fault-tolerant NEBS-compliant
hardware, excellent networking implementation and remote management
capabilities. Having managed CP on Sun, Nokia and Linux, each can get the
job done in relatively modest network environments. In higher-capacity
networks, I've stuck with Sun. I should also point out that the
rulebase/policy management on Nokia, Linux and Sun are transparent to one
another.

I hope this is both informative to you and non-offensive to the Nokia
zealots in the audience.

Peter Lukas

On Fri, 21 Sep 2001, Subba Rao wrote:

Hi,

We are bidding on a project with dual Nokia (Checkpoint) firewalls. Most of our
experience with Checkpoint is on Sun system. From what I understand
Nokia firewall is Checkpoint firewall. The customer is insisting on Nokia
experience. I don't know what OS runs on the Nokia system.

Is there anything different about Nokia Checkpoint vs other platform(s) Checkpoint?

We will be meeting with this customer again next week. Is there anything
specific to Nokia that I should know?

Thank you in advance for any help and pointers.
--

Subba Rao
subba9 () home com                     http://members.home.net/subba9/
OpenPGP/GPG public key ID CCB7344E

 => Time is relative. Here is a new way to look at time. <=
http://www.smcinnovations.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

