enterprise class firewalls - opinions please

I am evaluating firewalls for a large (50,000 user) corporation. Gartner's magic quadrant shows Netscreen (Juniper), Checkpoint, and Cisco as the top.

Would like to hear net.wisdom on the reality of what you run and why you love or hate it. Does support resolve issues? Can a firewall team maintain 30 firewalls globally?

alan

Reply to
Alan Strassberg

Eeks, Gartner. Not the best source for this sort of thing IMO. They spew a LOT of BS.

In this case, however, I'd say they are giving DECENT info, but you really need to research on your own for this sort of thing.

Juniper's box is basically a netscreen if I am not mistaken.

Funny that they do NOT mention Watchguard or Sonicwall, which would be my top two picks.

Reply to
T. Sean Weintz

Sonicwall would be a poor choice for an enterprise class firewall.

Don't get me wrong, they're really nice. I sell both Sonicwalls and Netscreens. The Sonicwall just doesn't obey certain networking guidelines in the way it does things, and some of the more advanced features just aren't there yet.

Reply to
Mark S

I came from a Cisco background into Netscreen (Juniper).

PIX is awful. It's old, it's crusty, half the stuff doesn't work, and they haven't kept up with the current threats.

The Netscreens rock. Everything works as it should. Support is excellent, and with their NSM Management software you could maintain those 30 firewalls easily.

The only thing I can say on Checkpoint vs Netscreen is that Netscreen's OS is the same from the baby boxes through to the beast boxes, except of course in the throughput numbers, numbers of zones/VLANs etc. But the capabilities are all there. With Checkpoint they seem to neuter some of their product in an effort to squeeze more money out of you.

I've had to make a few support calls and they've been really onto it.

We have one nasty demo we do with the Netscreens. We go onsite to a customer and put a Netscreen in behind their existing firewall in transparent mode, leave it running for 24 hours, come back the next day and see what it's picked up. Usually (especially in the case of the PIX), there's lots.

What I'd recommend you do is get hands on with all three. Get pricing, and make sure you get the maintenance support pricing as well (this can make a huge difference). Beware of the Cisco clones; they often tell you the PIXes can do stuff they actually can't.

Make sure you get a demo of Deep Inspection running if you don't intend to use any internal IDP devices.

Reply to
Mark S

On 2 Dec 2004 08:36:34 -0800, Alan Strassberg spoketh

Have a look at Symantec Enterprise Firewall, formerly known as Axent Raptor. Great product, easy to manage, and it had application proxies for the biggest problem protocols (most notably HTTP and SMTP).

Lars M. Hansen


Reply to
Lars M. Hansen

We've been using Checkpoint since somewhere around version 3.something, currently running NG/AI on SecurePlatform (Linux). While I'm the first one to admit that Checkpoint isn't the overall best firewall, I must admit that I've come to appreciate it very much. Management is quite easy and scales well to a large number of enforcement points. Of the more popular firewalls, I believe CP does detailed packet inspection for the largest list of protocols, and there are a variety of add-on features available to inspect up to layer 7.

Our Checkpoint support is handled by a company called Akibia, and the service has been excellent 24/7.

If Checkpoint turns out to be the right solution for you, I would suggest either SecurePlatform (Checkpoint's hardened RH Linux) or a Nokia "appliance" platform. We have used both here (as well as AIX), and SecurePlatform is my favorite. (Avoid Windows at all costs!) We run it on IBM x305s with 2.66GHz CPUs and a gig of RAM per box... and it runs cool under our highest loads. (10Mbit/sec internet, 140+ site-to-site VPNs, 800+ remote access users, 20 DMZ servers, 40 WAN connections in a separate DMZ, 12,000 LAN nodes)

If you have a very high bandwidth requirement, Netscreen has the reputation of living up to its published transfer rates across the product line. Of all of our VPN "partners", only one uses a Netscreen, but they seem to be happy with it.

Hope this is of some use.

Cheers!

Reply to
.

And notorious for product recalls, I seem to remember it being recalled at least 3 times ;)

Reply to
Mark S

Ewww, isn't there any centralised management server like Sonicwall's SGMS or Netscreen's NSM?

Reply to
Mark S

Right now, clients have more than 70 WatchGuard appliances in the field; we have remote access to all of them, and we maintain them.

Once you know what to look for in the logs (import logs into spreadsheets and then sort, etc.), you can manage most of them in less than a week. But you don't really have to look at each one every day; you look for signs that give things away, and then do a weekly or monthly review, depending on the client.

Reply to
Leythos

Not on the units we're using, and not in the past. I can administer any of the units that I can reach from any network from a single workstation, but I don't have a means to select a group of units and push something out to them. Once we VPN into the networks we can do anything we want with the firewalls, and it doesn't really take any time. We have the logs exported and shipped via email to us, so there is only a couple of hours a month to review them.

During the initial installs it takes some time to customize the systems to the client's needs, but the basic network is simple.

Reply to
Leythos
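Leythos describes reviewing emailed log exports by importing them into a spreadsheet, sorting, and looking for "signs that give things away" across 70+ units. The script below is an added illustration of that weekly-review workflow, not WatchGuard tooling or anything from this thread: it parses a constructed, generic key=value log export (the format is an assumption for the example, not any vendor's real format), skips malformed lines, flags sources that are denied repeatedly or show up on more than one firewall, and emits a sorted CSV of the kind you would paste into a spreadsheet.

```python
"""Weekly firewall log review: parse an exported allow/deny log, flag the
sources worth a closer look, and flatten everything to CSV for a spreadsheet.
Added example; the log format is a generic key=value layout chosen for the
example and does not represent any particular vendor's export."""
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample export (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
2004-12-02 08:00:01 fw=branch-01 action=deny src=198.51.100.7 dst=203.0.113.10 dport=445 proto=tcp
2004-12-02 08:00:02 fw=branch-01 action=deny src=198.51.100.7 dst=203.0.113.10 dport=139 proto=tcp
2004-12-02 08:00:05 fw=branch-01 action=deny src=198.51.100.7 dst=203.0.113.11 dport=445 proto=tcp
2004-12-02 08:01:10 fw=branch-01 action=allow src=10.1.1.5 dst=203.0.113.20 dport=443 proto=tcp
2004-12-02 08:02:00 fw=branch-02 action=deny src=192.0.2.33 dst=203.0.113.30 dport=1433 proto=tcp
2004-12-02 08:02:30 fw=branch-02 action=deny src=198.51.100.7 dst=203.0.113.30 dport=445 proto=tcp
2004-12-02 08:03:00 fw=branch-02 action=allow src=10.2.1.9 dst=203.0.113.20 dport=80 proto=tcp
2004-12-02 08:04:00 fw=branch-01 action=deny src=192.0.2.33 dst=203.0.113.12 dport=22 proto=tcp
this line is truncated garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) fw=(?P<fw>\S+) action=(?P<action>allow|deny) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are dropped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def summarise_denies(records):
    """Count denies per source and remember which (firewall, port) pairs each source hit."""
    per_src = Counter()
    targets = defaultdict(set)
    for r in records:
        if r["action"] == "deny":
            per_src[r["src"]] += 1
            targets[r["src"]].add((r["fw"], r["dport"]))
    return per_src, targets


def flag_sources(records, min_denies=3, min_firewalls=2):
    """The 'signs that give things away': a source denied repeatedly, or one
    that turns up on more than one firewall in the fleet (same noise, many sites)."""
    per_src, targets = summarise_denies(records)
    flagged = {}
    for src, n in per_src.items():
        fws = sorted({fw for fw, _ in targets[src]})
        ports = sorted({p for _, p in targets[src]})
        if n >= min_denies or len(fws) >= min_firewalls:
            flagged[src] = {"denies": n, "firewalls": fws, "ports": ports}
    return flagged


def to_csv(records):
    """Flatten records to CSV text, sorted by action, source and port, ready to paste into a sheet."""
    buf = io.StringIO()
    fields = ["date", "time", "fw", "action", "src", "dst", "dport", "proto"]
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    for r in sorted(records, key=lambda r: (r["action"], r["src"], r["dport"])):
        writer.writerow(r)
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, info in sorted(flag_sources(recs).items(), key=lambda kv: -kv[1]["denies"]):
        print(f"{src}: {info['denies']} denies on {info['firewalls']}, ports {info['ports']}")
    print(to_csv(recs))
```

The two thresholds are deliberately separate: a single source hammering one unit shows up by count, while a low-and-slow source that touches several sites shows up only when the exports from all units are reviewed together, which is the point of pooling the emailed logs before sorting.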

On 2 Dec 2004 20:41:18 -0600, Mark S spoketh

Recalls? I never got any recalls between 2000 and 2003 when I was managing the SEF/Raptor firewalls. A few patches and two upgrades (from Raptor 6 to Raptor 6.5 to SEF 7.0).

Lars M. Hansen

Remove "bad" from my e-mail address to contact me. "If you try to fail, and succeed, which have you done?"

Reply to
Lars M. Hansen

They definitely had some where I'm at (Australia/NZ). I worked for a distributor and remember them being pulled for about 6 months.

Reply to
Mark S

That's where NSM or SGMS rocks.

On NSM you can preconfigure devices before they're live (i.e. generate a config, load it in via console, CLI, web GUI, or a flash card). Then config updates can be global; things like building a VPN are drag'n'drop stuff. One click and you can update up to 5000 firewalls ;)

Reply to
Mark S

First, thanks to all for the great response. I confess that Checkpoint is what we currently use, and support has been a nightmare, hence the evaluation. The migration from NG to AI has impacted production and has been anything but smooth (FP3 to NG was similar). Most of the issues are on Solaris with ClusterXL.

I spoke to Cisco but everything is "in the next release". Also separate management stations for logging and fw management. Just didn't seem like an integrated solution yet.

Netscreen demoed their Netscreen Security Manager. Very impressive. I also like the fact that they are ASIC based.

I will also consider Nokia/Checkpoint as a Sun replacement.

Will also talk with the others like Fortinet, Stonegate, but they're really niche players.

Still open to suggestions.

alan

Reply to
Alan Strassberg

Could you be more specific? What guidelines does it not obey?

Reply to
T. Sean Weintz

For what it's worth, I went to a CISSP training facility and everyone there was using Checkpoint. We use Checkpoint and I have been very impressed too.

Reply to
moomba

Plus ça change.

It's been that way for years with Cisco: promises, promises.

Fine until they EOL the product and you find you have a collection of very expensive paperweights which cannot run the latest supported releases.

Nokias are overpriced for what you get. Checkpoint running on Crossbeam gives you far better bang for your buck, IMHO.

greg

Reply to
Greg Hennessy

Take a look at Crossbeam. Excellent product; seems very scalable.

Reply to
Macroscape
