Thread: Firewalls

As everyone know... I love everything Juniper. To that tune, we are looking for a set of new firewalls and are thinking of these in routed mode (OSPF stub, iBGP defaults) as A/A pairs:

http://www.juniper.net/products_and_...ies/index.html

Anyone have any previous experience with them? I am hoping to get one on eval for a play.

I've not heard fantastic things about Netscreen for some time now, we were looking at them + the Juniper IPS product for a customer, in the end we went with TopLayer.

We have used many Juniper products, and we personally prefer the TopLayer applications, as these are proving much more effective.

Have a look at this thread

THIS USER HAS BEEN GAGGED BY THE FORUM HOSTS FOR SPAM OR BREAKING THE RULES...
User will be ungaged in around 65 hours from this post.

PIX does all we need.

PIX doesn't do all we need

Karl: this is the SSG i'm looking at, not netscreen. same screenos yes, but iirc the boxes are a lot more powerful, no?

Does anyone have any toplayer pricing info and a spec sheet?

At the end of the day, the SSG is a Celeron or a P4 running stuff in software - It's the same as the J-Series routers

Pricing for TopLayer - from £10k from memory.

Cisco ASA for the Lower budget clients, Checkpoint for the higher bidget clients.

Sorted.

Goscomb - Interested to hear what the PIX's or ASA's dont do that you need? Always good to keep abreast of customer firewall/solution demands.

Originally Posted by MattParks

Goscomb - Interested to hear what the PIX's or ASA's dont do that you need? Always good to keep abreast of customer firewall/solution demands.

Unless they do routed mode these days and support OSPF + BGP and IPv6 ? They didn't used to the last time i looked...

I went for the Cisco's because they seem to be pretty much standard in my price range and I've rarely heard a bad word said about them. (except from nokia checkpoint nerds)

I was put off by the Netscreens by a couple of members on here and also a friend who almost broke into a sweat during a 15 minute rant damning them to hell!

They will do routed mode and OSPF and IPV6 but I'm not sure about BGP.

From memory, a recent NANOG thread said that whilst they do support IPv6, it's a very limited feature set compared to the IPv4 support.

Not used any Juniper kit, but I swear by Fortinet's FortiGates. Hardware accelerated with AntiVirus and IPS/IDS. You can pick up a FortiGate 400A for about £4500 which will do 450Mbps across a pair of gigabit and four 10/100 ports if memory serves me correctly. Awesome performance and no bloody host count licensing (I'm looking at you Check Point). They do OSPF and BGP as well.
I think Check Point still wins out with management and logging tools though, they just have a much more mature tool set.
Not had the joy of playing with Crossbeams or anything like that, but I've worked with a lot of Nokias running everything from 4.1 to NG R55 and they are all right, not fantastic, but all right. They don't seem to work well with more than 50-60 VLANs and getting them to crash and reboot isn't too hard if you know what you are doing but if you just leave them alone then they are fine. Have worked with some in a data centre environment that have been up for years, running hundreds of VPNs and the only problems are when the hardware eventually dies.
Nokias do OSPF and BGP, as do other Check Point appliances like the Corssbeams but with Check Point it is up to the appliance/OS to provide routing protocol support, something that dedicated, integrated systems don't suffer from.