[nsp] Network Firewall
Lawrence Wong
lawrencewong72 at yahoo.com
Thu Jun 17 10:54:03 EDT 2004
Hi again,
While on the same topic, has anyone tried out the
Cisco IDS appliance? How would a Cisco IDS + PIX combo
work out against say a Netscreen?
TIA!
--- Lawrence Wong <lawrencewong72 at yahoo.com> wrote:
> Hi all,
>
> Many thanks to those who shared their
> experiences/views.
>
> I read through the netscreen brochures as well as
> glanced at the manual and noticed some distinct
> differences.
>
> From my understanding (please feel free to correct
> me if I am wrong):
>
> 1. It appears that netscreen has this Deep
> Inspection feature which PIX doesn't have an
> equivalent for?
>
> 2. Netscreen products have a "New sessions/second"
> specification which Cisco appears not to have? i.e.
> a Netscreen-25 is rated at 2,000 concurrent sessions
> and 2,000 new sessions/second whereas a Cisco PIX515E
> is rated as just 130,000 concurrent connections.
>
> 3. Cisco PIX "static" seems to be limited to just
> TCP traffic but it will try to expire off incomplete
> handshakes (or in some PIX OS not be affected by the
> number of incomplete handshakes due to use of
> cookies) in the event of a mass of SYN flood.
> Netscreen has protection for TCP/UDP/ICMP but when
> its SYN tables get full, it will stop accepting new
> connections until the old ones die off (aka no
> forced expiration of earlier SYNs).
>
> 4. Cisco PIX "static" gives each host/subnet its
> own set of values for SYN traffic but Netscreen has
> a global value for all hosts passing through it?
>
> Does anyone who has used them have any opinions to
> share? I'm trying to look for a firewall that is
> good in terms of normal stateful filtering as well
> as D/DoS protection.
>
> While searching for Netscreen I came across the
> Fortigate firewall. Its website says the CEO and
> CTO were previously from Netscreen. Has anyone had
> any experience with it?
>
> TIA!
>
> --- Joe Lin <jlin at doradosoftware.com> wrote:
> > Lawrence,
> >
> > I've deployed both cisco and netscreen myself. I
> > found netscreen more intuitive in the
> > configuration. The hardest part in my deployment
> > was to convince upper management that it is ok to
> > go with a non-C vendor!
> >
> > Joe
> >
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On
> > Behalf Of Lawrence Wong
> > Sent: Wednesday, June 16, 2004 7:23 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [nsp] Network Firewall
> >
> > Hi all,
> >
> > I am currently looking for a firewall to install
> > in our corporate network. Our network mainly runs
> > on Cisco hardware which made me consider using
> > Cisco firewalls as well. We use public IPs hence
> > no NAT is required.
> >
> > Does anyone have any experience to share on the
> > Cisco PIX firewalls? Or any other firewalls to
> > recommend?
> >
> > I noticed that compared to other vendors, Cisco
> > PIX seems to lack in the area of SYN/UDP DDoS
> > flood protection? The closest which I read from
> > its manual for 6.3 is the usage of some parameters
> > in the "static" command to indirectly manage
> > flooding, but static is used in NAT mode.
> >
> > TIA!
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
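As an added illustration of the PIX 6.3 "static" usage the thread keeps coming back to (not taken from any message above, and not the poster's configuration): an identity static maps an address to itself, so the per-host connection and embryonic (half-open) limits apply even on a site that does no address translation. Addresses and interface names are constructed placeholders.

```cisco
! Added example, not from the thread. PIX 6.3 syntax.
! Addresses are constructed placeholders (203.0.113.0/24 is a
! documentation range); interface names are assumed to be inside/outside.
!
! static (in_if,out_if) global_ip local_ip netmask mask [max_conns [emb_limit]]
!   global_ip == local_ip  -> "identity" static: no address rewriting,
!                             which is what a public-IP, no-NAT site wants.
!   max_conns  = established connections allowed to the host (0 = unlimited)
!   emb_limit  = half-open (SYN received, handshake not finished) connections
!                allowed to the host (0 = unlimited). Once the limit is hit
!                the PIX stops passing further raw SYNs straight to the host.
!
! Each host gets its own pair of values, which is the per-host behaviour
! the thread contrasts with a single global SYN table.

! Public web server: up to 5000 established, at most 100 half-open.
static (inside,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255 5000 100

! Mail relay: smaller box, tighter limits.
static (inside,outside) 203.0.113.25 203.0.113.25 netmask 255.255.255.255 500 50

! A static only creates the translation slot; inbound traffic still needs
! an explicit access-list bound to the outside interface.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-group outside_in in interface outside

! While under load, check how many half-open connections a host is
! carrying and whether the limit is being enforced:
!   pix# show local-host 203.0.113.10
!   pix# show conn
```

Leaving emb_limit at 0 (the default) is the weak setting: nothing caps half-open connections per host, so a SYN flood fills the server's own backlog rather than being absorbed at the firewall.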