don Wang,

The saying "let routers route and firewalls firewall" pertains to this piece of equipment. I did not use it in a LAN to Internet situation but in a LAN - Nokia - LAN environment.

Things not to believe, to question, or to take into consideration:

* ATM interfaces - not ready for prime time, and neither is the throughput.

* BGP4 - let routers do dynamic routing. We experienced several dropped routes, which required a reboot of the Nokia to re-learn them from the Cisco routers.

* High availability - I will caveat this by saying that, as long as you are only using it for 10BaseT or slower speeds, you should be fine. Otherwise, the keeping of stateful connections does not work so well on high-speed lines (ATM, FE) where the 10BaseT connection between the two firewalls is slower than the communication on the other interfaces. The issues arise when the packet has already arrived at the FE/ATM interface but the Ethernet interface has not learned about it yet.

* IP classless addresses - I would research this further if you required it. We tried a /22 (255.255.252.0) supernet, and there seems to be a bug in the ftp filter. I do not know if the latest patches have fixed the bug. It turns out that the rule would work for 25% of the supernet, but not for the rest of it, pertaining to the data channel. It would work for the command channel!?

* Be wary of the licensing issues. I have had countless issues with my lab firewalls and production.

* Too many rules? This one is odd, and I am still trying to get a good answer. We made some changes in the rules, and then made another change later in the rules to basically allow the same thing. When reading the logs, you would see it hit the higher rule a couple of times, and then go back to the lower rule (where it should have been allowed in the first place). This started happening around the 60th rule or so.

Yes, I have a foul taste in my mouth. However, in the right situation/environment it may fit your needs.
One of the reasons that we chose the Nokia was the high availability. 19-hour backups across the firewall with stateful connections was nice, and Cisco was (and still is) talking about futures. I do not know of any other company that is even going that far. Layer 2 firewalls may be able to perform this same luxury. If you try it, I would like to know how you fare in 3, 6, 9 months.

Happy Hunting,
Jim

James L. Burden, Security Engineer and Architect
California Independent System Operator
Phone: 916.351.2243
http://www.caiso.com
41DF 0E4C 26E0 2FD3 8C81 A260 5C40 280E B4AE 7420
_____________________________________
Know yourself, Know your enemy, in a hundred battles you will never be in danger;
Know the ground, Know the weather, and your victory will be total. - Sun Tzu
_____________________________________
Disclaimer: The above represents my personal opinions and not an official endorsement or position by the California ISO, my current employer. I reserve the right to disavow them at my convenience.

> -----Original Message-----
> From: don Wang [mailto:donwangat_private]
> Sent: Wednesday, January 19, 2000 12:50 PM
> To: firewall-wizardsat_private; donwangat_private
> Subject: Nokia/Checkpoint firewall
>
>
> Hi,
>
> Does anyone have any comments about the Nokia firewall solution which
> uses Checkpoint? I have looked at the Nokia web site and want to hear
> any field stories that are available.
>
> Thanks,
> Don
>
>
>
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:58:52 PDT