Cisco vs Netscreen for our environment

Inherited the job of running a small network with about 25 users. Currently have a Netscreen NS5XP. We want to get a new firewall that supports a DMZ as well as VPN (site-to-site plus dial-up VPN, 10 simultaneous VPN connections max). I was looking at either a Cisco PIX 501 unlimited with the VPN bundle or the Netscreen 5GT or 5XT. Any thoughts on these and which might be best for our situation?

Reply to
The other Mike

I didn't know that a PIX 501 has more than 2 Interfaces.

Get a Clavister. Even the smallest models have 3 separate interfaces.

Wolfgang

Reply to
Wolfgang Kueter

You can get an Extended license on the 5GT which gives you a true DMZ and double the session count.

Reply to
Munpe Q

The Netscreen NS5GT is an outstanding choice (you'll need the unlimited version).

alan

Reply to
Alan Strassberg

Reply to
The other Mike

Personally, I do not care for the Netscreen much. Nice interface, great throughput, but beyond that it is a joke. Great for a "mom and pop" shop, but in my opinion not a professional class firewall.

Michael

Reply to
Michael Pelletier

Michael Pelletier, you're an ass hat. You obviously have no idea what that firewall can do.

Reply to
Munpe Q

Why?

Please give *technical* reasons for that.

Wolfgang

Reply to
Wolfgang Kueter

Whom do you trust more: CIA or Mossad?

SCNR Wolfgang

Reply to
Wolfgang Kueter

I suspect he's a noob that knows little about the Netscreen product range.

The 5GT has a phenomenal amount of functionality and most people only scrape the surface.

Make sure when you purchase you look at the DI signature service (NS-DI-5GTE) or perhaps one of the bundled support contracts (SV1-AR1-N5GTE) which gives you both the AV and DI signatures for one year at a very discounted price (you will need to buy the AV version of the 5GT).

Reply to
Mark S

I am curious to hear about any founded concerns/complaints with the Netscreen products... I (hesitantly and reluctantly) bought one about 4 years ago for my network (I was convinced a PIX was the WAY TO GO)... but I haven't had ANY problems with the product... the 25 manages our main office very well and we have 4 or 5 permanent VPNs using the 5xxx models.

Only had to call their tech support one time and the person I spoke w/ was very knowledgeable and helpful (at least for the specific problem I was calling for, anyhow)....

other than a few hoops you need to jump through when using the GUI w/ policies, addresses, etc, etc. under certain circumstances (that's why I like the command line option)... it is a pretty good product... and in basic environments, yes, a monkey could probably set it up (unlike the PIX)...

okay, the redneck is done ranting now...

thanks, htredneck

Reply to
Doug

I have found the best reason to learn the PIX is to pass the tests. In all practical applications, there are better firewalls out there (for less money too).

-Bob

Reply to
Bob

Most of the anti-Netscreen sentiment is usually Cisco clones regurgitating marketing blurb they've heard. PIX has to be one of the most awful firewall platforms out there; performance and functionality are like something from the 90's. Even basic routing, zoning, and IPS functions are non-existent.

Reply to
Mark S

Mark S > Well put. And the monkeys that don't know NetScreen don't have the foggiest idea of what that firewall can do. No idea whatsoever. I (like a few others here I'm sure) have installed 1.2 shitloads of firewalls, and the NetScreen line always can do far more and/or is more stable than any other device I've put in production.

Reply to
Munpe Q

While I wasn't part of the thread, I would like to say that the only issue I've ever had with a NS was moving large files between the DMZ and the LAN. We would try and move Oracle/SQL backup files (20 GB+) in batch processes from the DMZ to the LAN and they would fail every time; smaller files, 1 GB, would work fine. I stopped installing NS products because, at the time, 2 years ago, they could not resolve the issue.

Reply to
Leythos

What protocol was used to move the files?

(Just curious, we do large SCPs through NS boxes without issue)

Reply to
Triffid

NS has the best diagnostic tools I've seen on an appliance - problem is they are largely undocumented. IME the debug command always pinpoints the failure, but sometimes you need to track down the developer before you can fully interpret the output.

Most customers would just swap out the box for something that works today, but I like to think I've contributed to improving the product - e.g. NSRP monitoring was fairly useless in a VSYS environment prior to ScreenOS 5.1, now it works pretty much as I suggested :-)

Triffid

Reply to
Triffid

Strange, I never experienced such issues with my 25 series... I move some rather large files from side to side (large quantities of small files (some in series, some simultaneous) as well as large files as you described... never had a problem.

Maybe you got a lemon or something was misconfigured (as hard as it is to admit, I suspect we have made some major boo boos in our time that a monkey should have gotten right the first time... hahaha, I always blame mine on Budweiser though, whether I was drinking or not!!!)

if a plop and drop new device just FIXED it (no other net, cable, config, HW etc. changes occurred at the same time) then I figure you got a bunk Netscreen or something was awry in the config...

one thing I do recall now about netscreen (support) that I wasn't really impressed with (however, this could be a function of the experience of the tech on our staff who was working with them) is how they set up our software VPNs to the box...

we were using a 192.168.x.x internal network and they configured a 10.x.x.x network for the 10 software clients... (are you for real?? Maybe I am too inexperienced or too tidy or..? but why use a /8 subnet to manage 10 clients?????)..... furthermore, all of those virtual ports were pingable (locally)... so when I try to ping a VPNed in client's address, the ICMP reply comes from the firewall, not the actual client (which makes remote admin a pain)...

at any rate, I don't work for that company any more, I wasn't involved with that project, and I don't need to support it... but it is a concern I have moving forward if I ever elected to use Netscreens (Juniper, whatever) solution for remote access in the future...

any thoughts?

Reply to
htredneck
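The complaint above about handing a /8 to ten VPN clients is really a pool-sizing question: how small can the client pool be, and does it stay clear of the internal 192.168.x.x range? The following is an added example (not code from the thread, nor anything shipped with Netscreen or any vendor product) that computes the smallest prefix for a given client count and carves a non-overlapping pool out of a candidate range. The LAN and candidate prefixes are constructed sample values; the function names are the example's own.

```python
"""Right-sizing a remote-access VPN client pool (added example, not from the thread).

Given the number of remote clients and the internal LAN prefix, pick the
smallest subnet that holds them and confirm it does not overlap the LAN.
All addresses used here are constructed sample values.
"""
import ipaddress
import math


def prefix_for_hosts(n_hosts: int) -> int:
    """Smallest IPv4 prefix length whose usable host count covers n_hosts.

    Network and broadcast addresses are reserved, so 10 clients need a /28
    (14 usable), not a /29 (6 usable) and certainly not a /8.
    """
    if n_hosts < 1:
        raise ValueError("need at least one host")
    bits = math.ceil(math.log2(n_hosts + 2))  # +2 for network/broadcast
    return 32 - bits


def usable_hosts(net) -> int:
    """Usable host addresses in a prefix (/31 and /32 have no reserved ends)."""
    net = ipaddress.ip_network(net)
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def choose_pool(lan: str, n_clients: int, candidate_space: str) -> ipaddress.IPv4Network:
    """Return the first n_clients-sized subnet inside candidate_space that does
    not overlap the LAN; raise if the space is too small or fully overlapping.

    Keeping the pool disjoint from the LAN is what lets the firewall route
    and filter client traffic per policy instead of confusing the two ranges.
    """
    lan_net = ipaddress.ip_network(lan)
    space = ipaddress.ip_network(candidate_space)
    prefix = prefix_for_hosts(n_clients)
    if prefix < space.prefixlen:
        raise ValueError("candidate space too small for that many clients")
    for sub in space.subnets(new_prefix=prefix):
        if not sub.overlaps(lan_net):
            return sub
    raise ValueError("every candidate subnet overlaps the LAN")


if __name__ == "__main__":
    # Constructed scenario: a 192.168.1.0/24 office LAN and 10 road warriors.
    lan = "192.168.1.0/24"
    pool = choose_pool(lan, 10, "192.168.0.0/16")
    print(f"10 clients fit in {pool} ({usable_hosts(pool)} usable addresses)")
    print(f"a /8 as in the thread offers {usable_hosts('10.0.0.0/8')} addresses")
    try:
        choose_pool(lan, 10, lan)  # pool carved out of the LAN itself
    except ValueError as exc:
        print("rejected:", exc)
```

The sizing rule is independent of vendor: whatever box terminates the tunnel, a pool that is only as large as the client count (with a little headroom) keeps the address plan readable and makes the firewall policy for the remote-access zone easy to audit.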

When I get the option, for clients, and even in my own home and business, I install WatchGuard Appliances.

The netscream in question was at a company where I had been outvoted by people that had never done security work before; they pulled our watchguard and sent us a Netscream without allowing us any control.....

For remote management, we have more than 100 WatchGuard Firebox units in the field and have never had a problem with remotely supporting their networks or system - we just PPTP into the firewall and use rules to allow us access to everything. The same with the clients' road-warriors, we just let them PPTP into the firewall and then have various rules for what they can access based on what group they belong to.

Reply to
Leythos

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.