Sidewinder vs Netscreen as layer 3 firewall only.

From: Andy Davidson ($andy$_at_nosignal.org)
Date: 05/13/05


Date: 13 May 2005 16:16:50 GMT


Hi,

I'm trying to compare the performance of a Netscreen ISG1000/2000 firewall
and a Secure Computing Sidewinder 1100C **as a layer 3 packet inspector**
rather than an application proxy.

Regarding the Sidewinder, it might sound unusual to you that we may
buy a firewall which is mainly sold as an application proxy / layer
seven filtering device, in order to do stateful inspection, but one of
our suppliers is trying to push them to us as the perfect firewall for
our needs.

This is what we are looking for.. (this will look terrible on google
if you don't use a fixed width font..)

     internet
        |
    cisco 2821s
        |
        |
    firewall
     |    |
     |    +----+
  redline      |
  reverse      |
  proxy     internal
     |      app servers/dbs
     |
   webservers

This is easy to visualise on the Netscreen firewall (3 security zones)
and the Sidewinder (3 burbs) so as far as I can see, there's no logical
reason why this would not work on both platforms.

The main differences I can see are:

 * The Netscreen would give us IDS reports straight away, as soon as we
   buy the IDS blade.
 * The Netscreen performance suffers, I am told, when IDS reporting is
   turned on (this might not be the case at all. :-) )
 * The Sidewinder 1100C is much cheaper.
 * The Sidewinder has a comfortable unix-style shell interface.
 * The peer support community for Netscreen is 'probably' larger.

We simply do not want or need the application proxy stuff, so that's
not an advantage, or USP of the Sidewinder in this case.

How do the firewalls compare in this circumstance, please?

-- 
http://fotoserve.com/ - Prints, Slides, Posters, Mugs, T-shirts,
Calendars, Jigsaws, Tableware, Caricatures, Greetings cards, Picture
bags, Photo Album and Book covers, Canvas Prints, tissues and more
                ..... from your own digital images.

