Inherited the job of running a small network with about 25 users. Currently have a Netscreen NS5XP. We want to get a new firewall that supports a DMZ as well as VPN (site-to-site plus dial-up VPN; 10 simultaneous VPN connections max). I was looking at either a Cisco PIX 501 unlimited with the VPN bundle or the Netscreen 5GT or 5XT. Any thoughts on these and which might be best for our situation?
Personally, I do not care for the Netscreen much. Nice interface, great throughput, but beyond that it is a joke. Great for a "mom and pop" shop, but in my opinion not a professional-class firewall.
I suspect he's a noob that knows little about the Netscreen product range.
The 5GT has a phenomenal amount of functionality and most people only scrape the surface.
Make sure when you purchase you look at the DI signature service (NS-DI-5GTE) or perhaps one of the bundled support contracts (SV1-AR1-N5GTE) which gives you both the AV and DI signatures for one year at a very discounted price (you will need to buy the AV version of the 5GT).
I am curious to hear about any founded concerns/complaints with the Netscreen products... I (hesitantly and reluctantly) bought one about 4 years ago for my network (I was convinced a PIX was the WAY TO GO)... but I haven't had ANY problems with the product... the 25 manages our main office very well and we have 4 or 5 permanent VPNs using the 5xxx models.
Only had to call their tech support one time and the person I spoke w/ was very knowledgeable and helpful (at least for the specific problem I was calling for, anyhow)....
Other than a few hoops you need to jump through when using the GUI w/ policies, addresses, etc. under certain circumstances (that's why I like the command-line option)... it is a pretty good product... and in basic environments, yes, a monkey could probably set it up (unlike the PIX)...
I have found the best reason to learn the PIX is to pass the tests. In all practical applications, there are better firewalls out there (for less money too).
Most of the anti-Netscreen sentiment is usually Cisco clones regurgitating marketing blurb they've heard. PIX has to be one of the most awful firewall platforms out there; performance and functionality are like something from the 90's. Even basic routing, zoning, and IPS functions are non-existent.
Mark S > Well put. And the monkeys that don't know NetScreen don't have the foggiest idea of what that firewall can do. No idea whatsoever. I (like a few others here, I'm sure) have installed 1.2 shitloads of firewalls, and the NetScreen line always can do far more and/or is more stable than any other device I've put in production.
While I wasn't part of the thread, I would like to say that the only issue I've ever had with a NS was moving large files between the DMZ and the LAN. We would try to move Oracle/SQL backup files (20 GB+) in batch processes from the DMZ to the LAN and they would fail every time; smaller files, 1 GB, would work fine. I stopped installing NS products because, at the time, 2 years ago, they could not resolve the issue.
NS has the best diagnostic tools I've seen on an appliance; the problem is they are largely undocumented. IME the debug command always pinpoints the failure, but sometimes you need to track down the developer before you can fully interpret the output.
Most customers would just swap out the box for something that works today, but I like to think I've contributed to improving the product - e.g. NSRP monitoring was fairly useless in a VSYS environment prior to ScreenOS 5.1, now it works pretty much as I suggested :-)
Strange, I never experienced such issues with my 25 series... I move some rather large files from side to side (large quantities of small files (some in series, some simultaneous) as well as large files as you described)... never had a problem.
Maybe you got a lemon or something was misconfigured (as hard as it is to admit, I suspect we have made some major boo-boos in our time that a monkey should have gotten right the first time... hahaha, I always blame mine on Budweiser though, whether I was drinking or not!!!)
If a plop-and-drop new device just FIXED it (no other net, cable, config, HW, etc. changes occurred at the same time) then I figure you got a bunk Netscreen or something was awry in the config...
One thing I do recall now about Netscreen (support) that I wasn't real impressed with (however, this could be a function of the experience of the tech on our staff who was working with them) is how they set up our software VPNs to the box...
We were using a 192.168.x.x internal network and they configured a 10.x.x.x network for the 10 software clients... (are you for real?? Maybe I am too inexperienced or too tidy or..? but why use a /8 subnet to manage 10 clients?????)..... furthermore, all of those virtual ports were pingable (locally)... so when I try to ping a VPNed-in client's address, the ICMP reply comes from the firewall, not the actual client (which makes remote admin a pain)...
At any rate, I don't work for that company any more, I wasn't involved with that project, and I don't need to support it... but it is a concern I have moving forward if I ever elected to use Netscreen's (Juniper, whatever) solution for remote access in the future...
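The complaint above is about a remote-access client pool that was far larger than it needed to be. As an added example (not the poster's configuration or any vendor's code), the Python below uses the standard `ipaddress` module to size a client pool to the number of VPN users and to confirm it does not overlap the internal LAN. The concrete LAN range `192.168.1.0/24` and pool base `10.0.0.0` are constructed stand-ins for the thread's "192.168.x.x" and "10.x.x.x".

```python
import ipaddress
import math

# Constructed sample values: the thread only says "192.168.x.x" and "10.x.x.x".
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
POOL_BASE = "10.0.0.0"


def smallest_prefix_for(clients: int) -> int:
    """Smallest IPv4 prefix length that leaves room for `clients` addresses
    plus the network and broadcast addresses of the block."""
    if clients < 0:
        raise ValueError("client count must be non-negative")
    needed = clients + 2
    return 32 - math.ceil(math.log2(needed))


def client_pool(base: str, clients: int) -> ipaddress.IPv4Network:
    """Right-sized address pool for `clients` remote-access users."""
    prefix = smallest_prefix_for(clients)
    # strict=False lets a base address that is not on a block boundary
    # be rounded down to the containing network.
    return ipaddress.ip_network(f"{base}/{prefix}", strict=False)


def overlaps_lan(pool: ipaddress.IPv4Network, lans) -> bool:
    """True if the pool collides with any internal network; a collision
    would make routing between VPN clients and the LAN ambiguous."""
    return any(pool.overlaps(lan) for lan in lans)


def pool_report(base: str, clients: int, lans=LAN_NETWORKS) -> dict:
    """Compare the right-sized pool with a whole /8 for the same base."""
    sized = client_pool(base, clients)
    whole_slash8 = ipaddress.ip_network(f"{base}/8", strict=False)
    return {
        "pool": str(sized),
        "usable_hosts": sized.num_addresses - 2,
        "slash8_addresses": whole_slash8.num_addresses,
        "overlaps_lan": overlaps_lan(sized, lans),
    }


if __name__ == "__main__":
    # 10 software clients, as in the thread: a /28 (14 usable hosts) is plenty.
    print(pool_report(POOL_BASE, 10))
```

The takeaway is the size gap: ten clients fit in a /28 with room to spare, whereas a /8 reserves over sixteen million addresses that then cannot be used anywhere else in the organisation without a routing conflict.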
When I get the option, for clients, and even in my own home and business, I install WatchGuard Appliances.
The Netscream in question was at a company where I had been outvoted by people that had never done security work before; they pulled our WatchGuard and sent us a Netscream without allowing us any control.....
For remote management, we have more than 100 WatchGuard Firebox units in the field and have never had a problem with remotely supporting their networks or systems; we just PPTP into the firewall and use rules to allow us access to everything. The same with the clients' road warriors: we just let them PPTP into the firewall and then have various rules for what they can access based on what group they belong to.