Re: enterprise class firewalls - opinions please

From: Mark S (marks_at_nothere.com)
Date: 12/02/04


Date: 2 Dec 2004 14:55:04 -0600

I came from a Cisco background into Netscreen (Juniper).

PIX is awful. It's old, it's crusty, half the stuff doesn't work, and they
haven't kept up with the current threats.

The Netscreens rock. Everything works as it should. Support is excellent,
and with their NSM Management software you could maintain those 30 firewalls
easily.

The only thing I can say on Checkpoint vs Netscreen is that Netscreen's OS is the
same from the baby boxes through to the beast boxes, except of course in the
throughput numbers, numbers of zones/vlans etc. But the capabilities are all
there. With Checkpoint they seem to neuter some of their product in an
effort to squeeze more money out of you.

I've had to make a few support calls and they've been really onto it.

We have one nasty demo we do with the Netscreens. We go onsite to a customer
and put a Netscreen in behind their existing firewall in transparent mode,
and leave it running for 24 hours, come back the next day and see what it's
picked up. Usually (especially in the case of the PIX), there's lots.

What I'd recommend you do is get hands on with all three. Get pricing, and
make sure you get the maintenance support pricing as well (this can make a
huge difference). Beware of the Cisco Clones, they often tell you the PIXes
can do stuff they actually can't.

Make sure you get a demo of Deep Inspection running if you don't intend to
use any internal IDP devices.

"Alan Strassberg" <alan@internal.wj.com> wrote in message
news:congai$t1t$1@internal.wj.com...
> I am evaluating firewalls for a large (50,000 user) corporation.
> Gartner's magic quadrant shows Netscreen (Juniper), Checkpoint,
> and Cisco as the top.
>
> Would like to hear net.wisdom what the reality of what you run
> and why you love or hate it. Does support resolve issues? Can
> a firewall team maintain 30 firewalls globally?
>
> alan


