Re: Intel vs. special purpose FW-1 servers

["Keith A. Glass" <salgak () speakeasy net>]

> -----Original Message-----
> From: Emily Conrad [mailto:emilydconrad () hotmail com]
> Sent: Tuesday, July 12, 2005 08:17 PM
> To: firewall-wizards () honor icsalabs com
> Subject: [fw-wiz] Intel vs. special purpose FW-1 servers
>
> Hello,
>
> We are working on a project to upgrade our firewall infrastructure.
>
> One of the questions is whether to use FW-1 on a standard Intel server or to
> use a special-purpose optimized version of FW-1 on a dedicated hardware
> platform such as Nokia firewall appliance or Crossbeam systems C30/X40.
>
> Does anyone have any advice on what factors are important when making such a
> decision?

Several comments.

1. Have you EVER previously implemented FW-1 on an Intel platform ?  IF not, I'd suggest an appliance-based solution.  
Personally, if I wanted to run FW-1 on generic hardware, I'd buy some cheap SunFire 120s and run it on Solaris, now 
that single-processor licenses for Solaris are free.  I'd specifically  recommend Solaris 9, and note that locking down 
a Solaris system for firewall usage is FAR easier and more complete than trying to lock down a Win2K/2K3 system.

2. Are you looking to CLUSTER FW-1 for HA or load balancing ?  If so, you will DEFINITELY need to look for an  
optimized appliance-based solution.  And, based on my experience, I'd suggest the Nortel "Alteon" systems for FW-1: a 
pair of Alteon Directors and a pair of compatible Alteon Accelerators give you a clustered solution that doesn't 
require you to play any oddball Cisco tricks   on your switches, allows you a NUMBER of separated nets behind the 
firewall, and even multiple DMZs.  I've used Nokia IP-series before, as well as FW-1 on Solaris, and can't say enough 
about the Alteon platform. . .


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards