It depends on your use. We're using both, and for low bandwidth requirements (say under 500 Mb/s total throughput), I really like the Nokia IP-380's. They're easy to manage, they have reasonable VPN acceleration on the motherboard, and are cost competitive with a 1U Dell server for the same use. If you need to do active-active instead of HA, factor in the cost increase of having to buy Cluster-XL from Checkpoint instead of doing it in the Nokia OS. There are also some features in IPSO like routing protocols, broadcast helpers, the ability to be an NTP source for DMZ subnets, etc., that you might have to add on to SPLAT, but aside from NTP, I have only rarely needed to use a lot of those features.
If you go higher in bandwidth there's no cost comparison. The Intel boxes with SPLAT go up slightly in price to handle multi-GB throughput, whereas the Nokia line gets ridiculous in the same bandwidth for IP-7xx and 12xx boxes and higher that can be 10X the cost of SPLAT per Mb/s. Nokia does offer a fully solid state option in the high end (for $$$) as well.

What you train on makes a lot of difference, as there are non-intuitive parts to both platforms (I originally moved to them from running Checkpoint on Sun Solaris, so both were confusing in some areas for a while). There are minor annoyances to either one, like the GUI for SPLAT not sorting addresses displayed in the routing table (a mess to search through). The Nokias use the GUI for some things that work easier by command line, and using command line on the SPLAT boxes for stuff like adding vlan tags to interfaces is a pain. Both have their points, and both are usable to configure.

You can back up & restore a Nokia box config (interfaces, vlans, VRRP addresses, and so on) just as quick as a SPLAT box, if you actually do backups. If you deploy enough of them, you can script the Nokia configs and run them with your new IP's / vlans to get them running really quickly, but for a single pair you'll probably run through the web GUI and spend a half hour setting them up unless you have a really complicated network or a lot of vlan trunks for some reason.

If you need to keep spare h/w on site, like I said, for smaller stuff like an IP-380, it's not far off in cost from an Intel server, but larger boxes would be more. If you're running H/A, and have support, you don't really have to have spare h/w on site for either platform. If you already have enough Intel servers to keep spares on site for other platforms in your company, then your decision might skew in favor of Intel again for that reason.
I've not personally had problems upgrading Nokia IPSO, or installing Checkpoint on them, for the last couple of years' worth of revisions. Nokia support has been pretty good, and even helped solve some problems faster than the Checkpoint support people figured it out, so I'd rate their support pretty well for my usage as well.

Likewise, reliability has been pretty good. We've got about 30 Nokia boxes ranging from the old IP-330's up to the IP-740's on site, and I can think of 1 hard drive failure in the last 3 years. We've only got less than a dozen SPLAT boxes on site at the moment, and they're not that old, but it's all dependent upon the h/w vendor you choose, and you can usually get an idea on h/w reliability from another server team on site to pick what h/w you'll choose anyway.

One thing is I think I'd recommend Nokia to a site that had part-time FW admins, or didn't do much firewall work, and wanted something easier to work with. I do think it's a bit easier if someone's coming back to do firewall changes only once in a while, but that's a personal decision on how the interfaces seem to be built. If you do enough work on either one you'll have it memorized regardless.

Just a few ideas from what we're doing here, I'm sure there are other decision points to consider as well.

Bruce

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Emily Conrad
Sent: Tuesday, July 12, 2005 15:18
To: [email protected]
Subject: [FW-1] Intel vs. special purpose FW-1 servers

Hello,

We are working on a project to upgrade our firewall infrastructure. One of the questions is whether to use FW-1 on a standard Intel server or to use a special-purpose optimized version of FW-1 on a dedicated hardware platform such as a Nokia firewall appliance or Crossbeam systems C30/X40. Does anyone have any advice on what factors are important when making such a decision?
Thanks,
Emily

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
