[nsp] Network Firewall

Lawrence Wong lawrencewong72 at yahoo.com
Thu Jun 17 10:54:03 EDT 2004


Hi again,

While on the same topic, has anyone tried out the Cisco IDS appliance?
How would a Cisco IDS + PIX combo work out against, say, a Netscreen?

TIA!

--- Lawrence Wong <lawrencewong72 at yahoo.com> wrote:
> Hi all,
> 
> Many thanks to those who shared their experiences/views.
> 
> I read through the Netscreen brochures as well as glanced through the
> manual and noticed some distinct differences.
> 
> From my understanding (please feel free to correct me if I am wrong):
> 
> 1. It appears that Netscreen has this Deep Inspection feature which PIX
> doesn't have an equivalent for?
> 
> 2. Netscreen products have a "New sessions/second" specification which
> Cisco appears not to have? I.e. a Netscreen-25 is rated at 2,000
> concurrent sessions and 2,000 new sessions/second whereas a Cisco
> PIX515E is rated at just 130,000 concurrent connections.
> 
> 3. Cisco PIX "static" seems to be limited to just TCP traffic, but it
> will try to expire off incomplete handshakes (or in some PIX OS versions
> not be affected by the number of incomplete handshakes, due to the use
> of cookies) in the event of a mass SYN flood. Netscreen has protection
> for TCP/UDP/ICMP, but when its SYN tables get full it will stop
> accepting new connections until the old ones die off (i.e. no forced
> expiration of earlier SYNs).
> 
> 4. Cisco PIX "static" gives each host/subnet its own set of values for
> SYN traffic, but Netscreen has a global value for all hosts passing
> through it?
> 
> Does anyone who has used them have any opinions to share? I'm trying
> to look for a firewall that is good in terms of normal stateful
> filtering as well as D/DoS protection.
> 
> While searching for Netscreen I came across the Fortigate firewall.
> Its website says the CEO and CTO were previously from Netscreen. Has
> anyone had any experience with it?
> 
> TIA!
> 
> --- Joe Lin <jlin at doradosoftware.com> wrote:
> > Lawrence,
> > 
> > I've deployed both Cisco and Netscreen myself. I found Netscreen more
> > intuitive in the configuration. The hardest part in my deployment was
> > to convince upper management that it is ok to go with a non-C vendor!
> > 
> > Joe
> > 
> > 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lawrence Wong
> > Sent: Wednesday, June 16, 2004 7:23 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [nsp] Network Firewall
> > 
> > Hi all,
> > 
> > I am currently looking for a firewall to install in our corporate
> > network. Our network mainly runs on Cisco hardware, which made me
> > consider using Cisco firewalls as well. We use public IPs, hence no
> > NAT is required.
> > 
> > Does anyone have any experience to share on the Cisco PIX firewalls?
> > Or any other firewalls to recommend?
> > 
> > I noticed that compared to other vendors, Cisco PIX seems to lack in
> > the area of SYN/UDP DDoS flood protection? The closest which I read
> > from its manual for 6.3 is the usage of some parameters in the
> > "static" command to indirectly manage flooding, but static is used in
> > NAT mode.
> > 
> > TIA!
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > 
> > 
> > 
> 
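The two SYN-flood behaviours contrasted in points 3 and 4 of the quoted message (a per-host embryonic-connection limit that expires the oldest half-open entry, versus one global SYN table that refuses new connections once full) as an added toy model in Python. This is not code from any message in the thread nor from either vendor; the addresses, table sizes and traffic are constructed, and the policies model only the behaviour the thread describes.

```python
from collections import defaultdict, deque

# Constructed traffic: a burst of half-open SYNs aimed at one server,
# followed by a single legitimate SYN to a different protected host.
FLOOD_TARGET = "203.0.113.10"          # documentation range, constructed
OTHER_HOST = "203.0.113.20"
FLOOD = [(FLOOD_TARGET, f"198.51.100.{i % 250 + 1}") for i in range(400)]
LEGIT = (OTHER_HOST, "192.0.2.7")


class PerHostEmbryonicLimit:
    """PIX-like (per the thread): an embryonic cap per protected host; when
    the cap is reached the oldest half-open entry for that host is expired."""

    def __init__(self, limit_per_host):
        self.limit = limit_per_host
        self.half_open = defaultdict(deque)   # dst -> queue of src addresses

    def syn(self, dst, src):
        q = self.half_open[dst]
        if len(q) >= self.limit:
            q.popleft()                       # forced expiration of oldest SYN
        q.append(src)
        return True                           # the new SYN is always admitted


class GlobalSynTable:
    """Netscreen-like (per the thread): one SYN table shared by all hosts;
    once it is full, new SYNs are refused until old entries time out."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.half_open = deque()              # (dst, src) in arrival order

    def syn(self, dst, src):
        if len(self.half_open) >= self.capacity:
            return False                      # dropped; no forced expiration
        self.half_open.append((dst, src))
        return True


def run(policy, flood=FLOOD, legit=LEGIT):
    """Replay the flood, then the legitimate SYN; report what the policy did."""
    admitted = sum(policy.syn(dst, src) for dst, src in flood)
    return {"flood_admitted": admitted, "legit_admitted": policy.syn(*legit)}


if __name__ == "__main__":
    print("per-host limit:", run(PerHostEmbryonicLimit(limit_per_host=100)))
    print("global table:  ", run(GlobalSynTable(capacity=100)))
```

The table sizes are deliberately tiny so the difference shows on a 400-packet burst: the global table fills and then drops the unrelated host's legitimate SYN, while the per-host limit keeps that host reachable at the cost of churning the flooded host's half-open entries.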
