Re: [fw-wiz] Nokia 5300 or Cisco Firewall Services Module

From: hermit921
Date: 11/06/03

    Date: Thu, 06 Nov 2003 14:34:13 -0800

    We looked at something almost identical a year ago and determined that the
    firewall rules interface was quite difficult and prone to user error (who
    wants to duplicate every rule on every interface?), and the lack of logging
    made it unacceptable. They did offer syslog.....

    Yesterday a Cisco engineer gave us a new presentation, and they claim to
    have solved all that. They now can create firewall rules per object
    instead of per interface. We would still have to buy a separate system for
    logging, and install a database such as DB2 or Oracle or Sybase. Their
    management software is of course an extra cost and runs on Windows or Solaris.

    One of the things Checkpoint offers that Cisco didn't mention was logging
    what rule changes were made when and by whom. I am looking forward to
    actually getting hands-on experience later this month. I would love to
    hear about anyone's impressions who has used both systems.


    At 12:50 PM 11/6/2003, Camilo Tesone wrote:
    >I was wondering if anyone had experience with Cisco's Firewall Service
    >Module. We're trying to decide between two Nokia Checkpoint boxes (Nokia
    >5300s) and two Cisco PIX FWSMs. Any feedback would be appreciated.
    >1. Scalability. The Nokias support up to a max of 8 Gigabit Ethernet
    >interfaces while the FWSM can support up to 100 protected interfaces.
    >2. Throughput. The Nokia 5300 has a max throughput of 5 gigs while the FWSMs
    >can handle up to 10 gigs.
    >3. Cost. Each FWSM would cost us about $20K after a sizeable discount. I
    >think the Nokias are a little cheaper but I don't know yet. We will not have
    >to pay annual maintenance on the FWSMs from Cisco because maintenance is
    >already included for each module in a Catalyst 6513 once you purchase
    >support for that chassis. The Nokia maintenance would be expensive.
    >4. Ease of use. This includes the ability to create and modify rules, groups
    >Thanks again for anyone willing to provide their insights.
    >firewall-wizards mailing list
