[nsp] Network Firewall

Lawrence Wong lawrencewong72 at yahoo.com
Thu Jun 17 10:51:02 EDT 2004


Hi all,

Many thanks to those who shared their
experiences/views.

I read through the netscreen brochures as well as
glanced at the manual and noticed some distinct
differences.

From my understanding (please feel free to correct me
if I am wrong):

1. It appears that netscreen has this Deep Inspection
feature which PIX doesn't have an equivalent for?

2. Netscreen products have a "New sessions/second"
specification which Cisco appears not to have? i.e. a
Netscreen-25 is rated at 2,000 concurrent sessions and
2,000 new sessions/second whereas a Cisco PIX515E is
rated as just 130,000 concurrent connections.

3. Cisco PIX "static" seems to be limited to just TCP
traffic but it will try to expire off incomplete
handshakes (or in some PIX OS not be affected by the
number of incomplete handshakes due to use of cookies)
in the event of a mass of SYN flood. Netscreen has
protection for TCP/UDP/ICMP but when its SYN tables
get full, it will stop accepting new connections until
the old ones die off (aka no forced expiration of
earlier SYNs).

4. Cisco PIX "static" gives each host/subnet its own
set of values for SYN traffic but Netscreen has a
global value for all hosts passing through it?

Does anyone who has used them have any opinions to
share? I'm trying to look for a firewall that is good
in terms of normal stateful filtering as well as D/DoS
protection.

While searching for Netscreen I came across the
Fortigate firewall. Its website says the CEO and CTO
were previously from Netscreen. Has anyone had any
experience with it?

TIA!
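As an added illustration of point 3/4 above (this is not from anyone on the thread, and the addresses are placeholders): on PIX 6.3 the "static" limits can be applied even when no translation is wanted, by using an identity static where the mapped and real addresses are the same. The syntax shown is the 6.3 form as I recall it, static (int,ext) mapped real netmask mask [max_conns [emb_limit]], so check it against the command reference.

```cisco
! Identity static: mapped address == real address, so nothing is translated,
! but the per-host connection limits on the static still take effect.
! Placeholder addresses (203.0.113.0/24), not a real network.
!
! Weak: both limits 0 (= unlimited). A SYN flood against this host fills
! the PIX connection table with half-open entries and reaches the host.
static (inside,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255 0 0
!
! Hardened: max_conns 0 (unlimited established), emb_limit 100 half-open.
! Above 100 embryonic connections the PIX completes the handshake on the
! host's behalf (TCP intercept) and only passes SYNs that finish the
! three-way handshake, so the host never sees the flood.
no static (inside,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255 0 100
!
! The same per-static limit on a whole subnet; each static carries its own
! values, which is the per-host/subnet granularity in item 4.
static (inside,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.0 0 200
!
! The static only defines the mapping and limits; inbound traffic still has
! to be permitted by an access-list bound to the outside interface.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
```

Note the emb_limit only covers TCP handshakes; UDP and ICMP floods are not addressed by it, which is the gap against Netscreen's TCP/UDP/ICMP thresholds raised in point 3.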

--- Joe Lin <jlin at doradosoftware.com> wrote:
> Lawrence,
> 
> I've deployed both cisco and netscreen myself.  I
> found netscreen more intuitive in the configuration.
> The hardest part in my deployment was to convince
> upper management that it is ok to go with a non-C
> vendor!
> 
> Joe
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf
> Of Lawrence Wong
> Sent: Wednesday, June 16, 2004 7:23 AM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] Network Firewall
> 
> Hi all,
> 
> I am currently looking for a firewall to install in
> our corporate network. Our network mainly runs on
> Cisco hardware which made me consider using Cisco
> firewalls as well. We use public IPs hence no NAT is
> required.
> 
> Does anyone have any experience to share on the
> Cisco
> PIX firewalls? Or any other firewalls to recommend?
> 
> I noticed that compared to other vendors, Cisco PIX
> seems to lack in the area of SYN/UDP DDoS flood
> protection? The closest which I read from its manual
> for 6.3 is the usage of some parameters in the
> "static" command to indirectly manage flooding, but
> static is used in NAT mode.
> 
> TIA!
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at
> http://puck.nether.net/pipermail/cisco-nsp/