Firewall Wizards mailing list archives

Re: Nokia interview questions


From: <black () galaxy silvren com>
Date: Tue, 25 Sep 2001 16:36:07 -0400 (EDT)

Ok, not to post a major flame, but I disagree on a couple points.

As far as the hardware goes, what it runs really makes no difference as
long as it gets the job done. It makes no difference to me if it's running
a celeron, a pentium 4, a custom built chip or a strongarm. If you buy a
decently sized Nokia, like an IP650 then it should be able to handle
pretty much anything you throw at it unless you're dealing with gigantic
amounts of data. They do make gigabit interfaces for the Nokia firewalls,
and while I haven't seen any specifics on benchmarking, I don't think the
manufacturer would make an interface for their product if it could not
stand up to the bandwidth reasonably well. You may choose to argue this
point.

The Nokias can also include redundant fans and power supplies, as well as
hot swap cards. This is pretty different than a bargain basement PC.

I agree that for the majority of cases, your firewalls will only need to
support static routes and not need dynamic routing. Do you happen to have
a rough idea of how much extra dynamic routing costs? And is it purchased
as an entire package, or on a protocol basis? I see that it supports RIP
and OSPF, among others.

I'm not sure what you're driving at with the expensive management being
perl scripts. IPSO actually includes a version of tcl for all its
scripting, which is used in the Voyager web interface. I've never had to
purchase any additional scripts to manage the Nokias. Could you please
clarify this?

I also disagree that "management may be easier for the entry-level
firewall admin." There is no OS to harden, in contrast to NT, Solaris, and
Linux. To me, that translates to "easier to manage for all admins." Need
to upgrade a package or move to a new version of IPSO? Simply ftp the
image or package to the Nokia and make it active. Piece of cake.

The rest is pretty on the mark; the only other advice I'd give is to not
let "flows" be a major factor in choosing Checkpoint. So far, flows has
caused nothing but grief, and I don't know of a single person that has
chosen to implement it. Especially in HA situations, it is a disaster.

You have a lot of good info Peter.

On Mon, 24 Sep 2001, Peter Lukas wrote:

*Dons Flame Suit*

The Nokia experience consists of intel-based hardware running a FreeBSD
orphan. Nokia figured out precisely what is required of a CP firewall and
assembled a modest platform onto which the software is installed.

A brief pro/con list and justification follows:

Pro:
+ Cost - hardware isn't expensive.
+ High Availability - No extra cost thanks to VRRP (may not be available in
  all network scenarios, though)
+ WAN capabilities - Available on Sun and Linux as well, but only utilized
  about 10% of the time, anyway.
+ Management - Simple to set up (virtually works out of the box).
+ Scalability - Distribution of multiple units is relatively simple.

Con:
- Hardware - Intel Celeron, Western Digital Hard Drive, platform is akin
  to those found in a "Bargain Basement PC." Upgrading to more capable
  hardware will void any support from Nokia.
- Networking - No dynamic routing (not necessary on a firewall, anyway).
  It is available through an unsupported, expensive add-on from Nokia.
- Management - Tools are expensive perl scripts - they get the job done
  relatively well, but at a price.
- Cost - For the assembled hardware, Nokia still managed to charge a
  premium for the hardware and CP license
- Availability - CP revs and patches are relatively slow to release as the
  code must be ported from the original to the FreeBSD orphan.

Overall, the Nokia platform costs about as much as a more fault-tolerant
Sun solution. Management may be easier for the entry-level firewall admin
which is a big plus on distributions consisting of multiple firewalls and
low overhead.

The lack and slow-to-market release of patches and support may be a
showstopper. Another thing to nit pick over is the fact that the software
must be ported to the alternate OS. I have heard rumors of both a
synchronous release practice by CheckPoint and that they're (CP)
writing/developing on Linux, which means that both Sun and Nokia are
ported from the original. This portion of the argument may be moot as of
CheckPoint NG.

High Availability is available on all platforms. Native on Nokia via the
Virtual Router Redundancy Protocol (VRRP). With some extra effort, VRRP
will run on both Sun and Linux CheckPoint installations. The StoneBeat HA
product provides best-of-class high availability for the Sun at a very
high cost. The new StoneBeat clustering software may or may not provide
the desired results (it's available for both Sun and Linux). CheckPoint's
high availability is not worth looking into (in my opinion).

Personally, I've stuck with Sun for its fault-tolerant NEBS-compliant
hardware, excellent networking implementation and remote management
capabilities. Having managed CP on Sun, Nokia and Linux, each can get the
job done in relatively modest network environments. In higher-capacity
networks, I've stuck with Sun. I should also point out that the
rulebase/policy management on Nokia, Linux and Sun are transparent to one
another.

I hope this is both informative to you and non-offensive to the Nokia
zealots in the audience.

Peter Lukas

On Fri, 21 Sep 2001, Subba Rao wrote:

Hi,

We are bidding on a project with dual Nokia (Checkpoint) firewalls. Most of our
experience with Checkpoint is on Sun systems. From what I understand,
the Nokia firewall is a Checkpoint firewall. The customer is insisting on Nokia
experience. I don't know what OS runs on the Nokia system.

Is there anything different about Nokia Checkpoint vs. other platform(s) Checkpoint?

We will be meeting with this customer again next week. Is there anything
specific to Nokia that I should know?

Thank you in advance for any help and pointers.
--

Subba Rao
subba9 () home com                     http://members.home.net/subba9/
OpenPGP/GPG public key ID CCB7344E

 => Time is relative. Here is a new way to look at time. <=
http://www.smcinnovations.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

