You'll probably want to look up performance stats with Cisco and
Checkpoint directly, although I would doubt that Checkpoint is faster.
Can someone else with more experience on PIX hardware jump in with more
information? You also have to look at the cost perspective. Ok, maybe
Checkpoint running on an E450 or an E3000 will be as fast as much less
hardware/cost in a PIX solution. But, do you have the extra rack space
to lug one of those Sun boxes in? Do you have a hired unix admin to
take care of the box when it goes down, or needs general
maintenance/upgrades? Sun reps can be expensive.
In general, hardware based firewalls are always going to be faster.
I've worked a lot with the netscreen 100 devices that are mostly
hardware based, cost about $10,000 and use 100Mb ethernet ports on all
sides. They perform very well under a wide variety of traffic loads,
although I've never pushed more than 70Mb/s through it. Using a
SmartBit to max it out isn't always the most realistic of scenarios
either. Netscreen claims that their hardware adds very little
(microseconds) latency, but again, this is all in their labs using only
SmartBits. I haven't measured realistic latency myself.
OK, enough firewall plugs. I'd really suggest going to the NetworkWorld
trade journal site http://www.networkworld.com and searching for
firewalls in their archives. They do routine performance evals of every
major platform out there.
David
Kent wrote:
>
> David,
>
> I have a question, as I understand that Checkpoint is
> a software based firewall, right?
> And it is faster than PIX, which makes me think that
> software based firewalls sometimes can be faster than
> hardware based ones, is that right?
>
> Thanks
>
> Kent
> --- David <[EMAIL PROTECTED]> wrote:
> > well, simply blocking traffic from outdoors and
> > using NAT is usually OK
> > for a SOHO or regular user, but in general access
> > lists ARE NOT A
> > FIREWALL. They don't keep status of connections or
> > do any realtime
> > inspection of traffic looking for more than just
> > IP/TCP/UDP
> > information. A stateful firewall keeps an active
> > table of all
> > connections and can do a lot more than just deny
> > traffic on basic things
> > in the layer 3/4 header. If you really want to
> > protect a network don't
> > just use access lists.
> >
> > In larger environments, one of the big factors to
> > address is
> > performance. If you're sitting behind a T-1 with 40
> > to 50 average users
> > and a server or two, this may not be a big deal.
> > Any decent software
> > based firewall or small hardware-based solution
> > should be fine. But if
> > you're sitting behind a network with hundreds of
> > users, hundreds of
> > servers, and pushing 50+ Mb/s of traffic out
> > multiple DS-3s, you better
> >
> > A. Make sure you segment your network and use
> > multiple firewalls.
> > B. Use a fast hardware based solution.
> >
> >
> > Some of the bigger firewall platforms out there are
> > Checkpoint's
> > Firewall-1, Cisco PIX, and my current favorite,
> > Netscreen. I'm not sure
> > about netscreen's site right now, but Cisco and
> > Checkpoint should have
> > some basic firewall/security documentation out there
> > about firewalls.
> > There are plenty of good books on firewalls out
> > there as well as things
> > on the Internet, but I haven't searched.
___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
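To illustrate the access-list-versus-stateful-firewall point made in the quoted message, here is an added Python example that is not from the thread: a toy stateless "established" ACL rule beside a minimal connection table, run over constructed packets. The addresses, ports and the INSIDE_NET prefix are assumed sample values.

```python
from dataclasses import dataclass

INSIDE_NET = "10.0.0."  # constructed: address prefix of the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S", "SA", "A", "F", "R"


def acl_permit(pkt):
    """Stateless rule set: permit anything leaving, and permit inbound TCP whose
    ACK bit is set (the classic 'established' entry). Nothing here remembers
    whether an inside host ever opened the connection."""
    return pkt.src.startswith(INSIDE_NET) or "A" in pkt.flags


class StatefulFilter:
    """Keeps a table of connections opened from inside, keyed by 4-tuple, and
    admits an inbound packet only if it matches an entry in that table."""

    def __init__(self):
        self.table = set()

    def permit(self, pkt):
        if pkt.src.startswith(INSIDE_NET):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":                      # inside host opens a connection
                self.table.add(key)
            elif "F" in pkt.flags or "R" in pkt.flags:
                self.table.discard(key)               # torn down: forget it
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table  # reply lookup


def compare(packets):
    """Run the same packets through both filters and return their verdicts."""
    sf = StatefulFilter()
    return [acl_permit(p) for p in packets], [sf.permit(p) for p in packets]


# Constructed traffic: one real web connection, then two unsolicited inbound
# packets aimed at an inside host's SSH port.
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S"),   # inside opens HTTP
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA"),  # legitimate reply
    Packet("198.51.100.7", 1234, "10.0.0.5", 22, "A"),    # ACK with no session
    Packet("198.51.100.7", 1234, "10.0.0.5", 22, "S"),    # plain SYN from outside
]

if __name__ == "__main__":
    print(compare(SAMPLE))  # ([True, True, True, False], [True, True, False, False])
```

The third packet is the one that matters: the ACL admits it because the ACK bit is set, while the connection table rejects it because no inside host ever opened that session.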