Netscreen Firewalls

[DirtylilTechBoy]

Has anybody had any experience with Netscreen Firewalls? Considering one and would like to hear some good/bad news on their products. I was looking at

http://netscreen.com/products/appliances.html#ns50_25

Thanks,

Jason

 

[her209]

Link for ya

I've never heard of this company.

 

[DirtylilTechBoy]

bump

 

[cmetz]

They're better regarded than Linksys/D-Link. Probably deliver better security. Very reliable. They're not very clueful, and their support really sucks.

 

[Goosemaster]

Originally posted by: cmetz
They're better regarded than Linksys/D-Link. Probably deliver better security. Very reliable. They're not very clueful, and their support really sucks.

um....are u serious?

Linksys and D-link are crappy idiotic-appliances when it comes to business needs. If you are running a business with 20 Pcs that need internet access that is one thing, but if you ftps, SSH, webserves, clusters, or anything of the sort, you need a capable firewall to handle that, and netscreen is a vailbe choice. ITs main advantage over consumer goods is that it has an excellent Stateful Inspection Firewall. Consumer goods sometimes boast that as well, but as the rules stack up and the bandwidth demand increases their capabilities dwindle. Most consumer-grade SI firewalls can handle a dsl or cable modem line, but for anything better you will some serious equipment. Netscreen is in that category.


Did I mention their eqiupment is outstoundlingly fast?
Their cheapest firewall can handle 20Mbps of total bandwidth and 13Mbps of 168bit 3DES VPN bandwidth..all for around $250.The higher grade firewalls they offer support up to 550Mbps and 200Mbps, respectively.

 

[Goosemaster]

Now here I am venturing into a subject I am not 100% familiar with ...Checkpoint.


Cellestix and a number of other companies offer Checkpoint-based network appliances as well that you might want to look into for any business nees.

Checkpoint, by the way is a very-well recognized firewall OS. Unfortunately I have heard bad things but no rebutles so I really don't know much about it. Where i used to work it was running on Redhat boxes and the admin seemed very pleased.

 

[TechBoyJK]

Could you elaborate on Stateful packet inspection a little bit? Plain English helps... analogies are great.

 

[Goosemaster]

Stateful packet inspection is a critical part of a good firewall. It basically means that you can set rules that govern the traffic of EVERY packet that passes through the firewall. Based upon these rules data is either allowed or rejected.


My Firewall for example declines any WAN to LAN requests unless they are FTP, but it is relatively simple. In a complex netwirk with various subnets, it gets complicated. just as a SWITCH has IP tables to route traffic, the firewall keeps a rules table and allows or denies requests.

A perfect example is kazaa. With a SPI Firewall, you can block kazaa or re-route it to a different port. With more capable devices QoS(quality of service) or packet shaping can be implemented allowing you to prioritize traffic etc, but that is something else

 

[Fuzznuts]

Originally posted by: Goosemaster
Stateful packet inspection is a critical part of a good firewall. It basically means that you can set rules that govern the traffic of EVERY packet that passes through the firewall. Based upon these rules data is either allowed or rejected.


My Firewall for example declines any WAN to LAN requests unless they are FTP, but it is relatively simple. In a complex netwirk with various subnets, it gets complicated. just as a SWITCH has IP tables to route traffic, the firewall keeps a rules table and allows or denies requests.

A perfect example is kazaa. With a SPI Firewall, you can block kazaa or re-route it to a different port. With more capable devices QoS(quality of service) or packet shaping can be implemented allowing you to prioritize traffic etc, but that is something else

We had netscreen 25's sitting on our E2's at work and it did a grand job it has all the fetures you require very easy to set the QoS worked a treat the only thing i s diskliked about it was you couldnt set rules on a range of ips very annoying if your have 200+ adsl customers like we did other than that it was a great box. It did all the stuff you metioned above and it did it well

 

[TechBoyJK]

anything that you would recommend over the netscreen stuff?

 

[Goosemaster]

Originally posted by: TechBoyJK
anything that you would recommend over the netscreen stuff?

Like I said, if you are a Checkpoint fanboy checkout Checkpoint for a list of appliance-vendors.
Netcreen uses their own OS. There is also Watchdog, sonicwall, and many others. I saw a comparison taht sawid Sonicwalls were more economical that Netwcreens and provided better peerformance on I think firewalls.com but it might have been biased.


Appearantly BSD is the best thing after Mom's apple Pie so check that out too. THat is not so easy to administer as you have to know how to use unix (these appliances are menu driven through HTTP) but they are endlessly configurable.


If you are looking for something in the enterprise level look at Nokia, Checkpoint running on linux/unix etc.

 

[cmetz]

OpenBSD on a PC will be superior in every way EXCEPT ease of use. If you're looking to use it for high volumes of traffic, you'll probably want a hardware crypto accelerator, which isn't too expensive.

Cisco PIX is well regarded but again leaves much to be desired in ease of use. And it's very expensive. (it's a Cisco!)

 

[cmetz]

Oh, Checkpoint is okay, but there are some issues with them. (you'll find mixed opinions)

I recently worked with some Watchguard Firebox boxes, and can't stress enough how far you should stay away from them.