Firewall Wizards mailing list archives
Re: Nokia interview questions
From: <black () galaxy silvren com>
Date: Tue, 25 Sep 2001 16:36:07 -0400 (EDT)
Ok, not to post a major flame, but I disagree on a couple points.

As far as the hardware goes, what it runs really makes no difference as long as it gets the job done. It makes no difference to me if it's running a celeron, a pentium 4, a custom built chip or a strongarm. If you buy a decently sized Nokia, like an IP650 then it should be able to handle pretty much anything you throw at it unless you're dealing with gigantic amounts of data. They do make gigabit interfaces for the Nokia firewalls, and while I haven't seen any specifics on benchmarking, I don't think the manufacturer would make an interface for their product if it could not stand up to the bandwidth reasonably well. You may choose to argue this point. The Nokias can also include redundant fans and power supplies, as well as hot swap cards. This is pretty different than a bargain basement PC.

I agree that for the majority of cases, your firewalls will only need to support static routes and not need dynamic routing. Do you happen to have a rough idea of how much extra dynamic routing costs? And is it purchased as an entire package, or on a protocol basis? I see that it supports RIP and OSPF, among others.

I'm not sure what you're driving at with the expensive management being perl scripts. IPSO actually includes a version of tcl for all its scripting, which is used in the Voyager web interface. I've never had to purchase any additional scripts to manage the Nokias. Could you please clarify this?

I also disagree that "management may be easier for the entry-level firewall admin." There is no OS to harden, in contrast to NT, Solaris, and Linux. To me, that translates to "easier to manage for all admins." Need to upgrade a package or move to a new version of IPSO? Simply ftp the image or package to the Nokia and make it active. Piece of cake.

The rest is pretty on the mark, the only other advice I'd give is to not let "flows" be a major factor in choosing Checkpoint.
So far, flows has caused nothing but grief, and I don't know of a single person that has chosen to implement it. Especially in HA situations, it is a disaster.

You have a lot of good info, Peter.

On Mon, 24 Sep 2001, Peter Lukas wrote:
*Dons Flame Suit*

The Nokia experience consists of intel-based hardware running a FreeBSD orphan. Nokia figured out precisely what is required of a CP firewall and assembled a modest platform onto which the software is installed. A brief pro/con list and justification follows:

Pro:
+ Cost - hardware isn't expensive.
+ High Availability - No extra cost thanks to VRRP (may not be available in all network scenarios, though)
+ WAN capabilities - Available on Sun and Linux as well, but only utilized about 10% of the time, anyway.
+ Management - Simple to set up (virtually works out of the box).
+ Scalability - Distribution of multiple units is relatively simple.

Con:
- Hardware - Intel Celeron, Western Digital Hard Drive, platform is akin to those found in a "Bargain Basement PC." Upgrading to more capable hardware will void any support from Nokia.
- Networking - No dynamic routing (not necessary on a firewall, anyway). It is available through an unsupported, expensive add-on from Nokia.
- Management - Tools are expensive perl scripts - they get the job done relatively well, but at a price.
- Cost - For the assembled hardware, Nokia still managed to charge a premium for the hardware and CP license
- Availability - CP revs and patches are relatively slow to release as the code must be ported from the original to the FreeBSD orphan.

Overall, the Nokia platform costs about as much as a more fault-tolerant Sun solution. Management may be easier for the entry-level firewall admin which is a big plus on distributions consisting of multiple firewalls and low overhead. The lack and slow-to-market release of patches and support may be a showstopper.

Another thing to nit pick over is the fact that the software must be ported to the alternate OS. I have heard rumors of both a synchronous release practice by CheckPoint and that they're (CP) writing/developing on Linux which means that both Sun and Nokia are ported from the original.
This portion of the argument may be moot as of CheckPoint NG.

High Availability is available on all platforms. Native on Nokia via the Virtual Router Redundancy Protocol (VRRP). With some extra effort, VRRP will run on both Sun and Linux CheckPoint installations. The StoneBeat HA product provides best-of-class high availability for the Sun at a very high cost. The new StoneBeat clustering software may or may not provide the desired results (it's available for both Sun and Linux). CheckPoint's high availability is not worth looking into (in my opinion).

Personally, I've stuck with Sun for its fault-tolerant NEBS-compliant hardware, excellent networking implementation and remote management capabilities. Having managed CP on Sun, Nokia and Linux, each can get the job done in relatively modest network environments. In higher-capacity networks, I've stuck with Sun. I should also point out that the rulebase/policy management on Nokia, Linux and Sun are transparent to one another.

I hope this is both informative to you and non-offensive to the Nokia zealots in the audience.

Peter Lukas

On Fri, 21 Sep 2001, Subba Rao wrote:

Hi,

We are bidding on a project with dual Nokia (Checkpoint) firewalls. Most of our experience with Checkpoint is on Sun system. From what I understand Nokia firewall is Checkpoint firewall. The customer is insisting on Nokia experience. I don't know what OS runs on the Nokia system. Is there anything different about Nokia Checkpoint vs other platform(s) Checkpoint?

We will be meeting with this customer again next week. Is there anything specific to Nokia that I should know?

Thank you in advance for any help and pointers.

--
Subba Rao
subba9 () home com
http://members.home.net/subba9/
OpenPGP/GPG public key ID CCB7344E
=> Time is relative. Here is a new way to look at time.
<= http://www.smcinnovations.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards