Re: [fw-wiz] Nokia 5300 or Cisco Firewall Services Module
From: hermit921 (hermit921_at_yahoo.com)
To: <firstname.lastname@example.org>
Date: Thu, 06 Nov 2003 14:34:13 -0800
We looked at something almost identical a year ago and determined that the
firewall rules interface was quite difficult and prone to user error (who
wants to duplicate every rule on every interface?), and the lack of logging
made it unacceptable. They did offer syslog.....
Yesterday a Cisco engineer gave us a new presentation, and they claim to
have solved all that. They now can create firewall rules per object
instead of per interface. We would still have to buy a separate system for
logging, and install a database such as DB2 or Oracle or Sybase. Their
management software is of course an extra cost and runs on Windows or Solaris.
One of the things Checkpoint offers that Cisco didn't mention was logging
what rule changes were made when and by whom. I am looking forward to
actually getting hands-on experience later this month. I would love to
hear about anyone's impressions who has used both systems.
At 12:50 PM 11/6/2003, Camilo Tesone wrote:
>I was wondering if anyone had experience with Cisco's Firewall Service
>Module. We're trying to decide between two Nokia Checkpoint boxes (Nokia
>5300s) and two Cisco PIX FWSMs. Any feedback would be appreciated.
>1. Scalability. The Nokias support up to a max of 8 Gigabit Ethernet
>interfaces while the FWSM can support up to 100 protected interfaces.
>2. Throughput. The Nokia 5300 has a max throughput of 5 gigs while the FWSMs
>can handle up to 10 gigs.
>3. Cost. Each FWSM would cost us about $20K after a sizeable discount. I
>think the Nokias are a little cheaper but I don't know yet. We will not have
>to pay annual maintenance on the FWSMs from Cisco because maintenance is
>already included for each module in a Catalyst 6513 once you purchase
>support for that chassis. The Nokia maintenance would be expensive.
>4. Ease of use. This includes the ability to create and modify rules, groups
>Thanks again for anyone willing to provide their insights.
>firewall-wizards mailing list