Firewall Wizards mailing list archives

Re: Nokia IP platform Versus Netscreen Platform
From: George Capehart <capegeo () opengroup org>
Date: Wed, 30 May 2001 18:35:23 -0400

David Pearl wrote:


> There have been a number of 3rd party articles on
> the two products...

> When I was evaluating fw/vpn for our network, I
> searched the web and found a number of articles on
> CommWeb, Network Computing, eWeek, Tolly
> Group, Network World, etc.

> What it boiled down to was security, performance,
> manageability, support, and of course, cost.

> NetScreen ranked high on all four counts.  Since both
> use Stateful Inspection, security was tight.  Although I
> ranked NetScreen a little higher because they use a
> non-commercial operating system that can't be
> purchased and therefore, reverse engineered to find
> the holes.

Are we advocating security-by-obscurity here?  Don't think for one
minute that those who are interested in cracking Netscreen can't
disassemble it and look for exploits.  I know nothing about NetScreen,
but if what you say is true, you've just given a very good reason *not*
to use NetScreen.

> Performance on the NetScreen is tops, bar none, due
> to their 3rd generation ASIC.  The Nokia boxes are
> really legacy-based PCs with CheckPoint software
> running on them.

> Manageability between the two is close due to highly
> intuitive web interfaces.  Both of them have global
> management options via Provider 1 and Global Pro.
> NetScreen also has built-in SSH and SSL for secure

> From conversations with their support departments,
> they seem to be similar.  Checkpoint being better
> than Nokia (for obvious reasons), and NetScreen had
> a very capable set of staff as well.  Both companies
> have worldwide presence and well-developed

> Cost.  Here's an area where they really diverge.
> CheckPoint/Nokia with their confusing licensing
> schemes and proliferation of software offerings made
> it a pain in the rear for complex deployments.

> NetScreen, however, does not have such licensing
> arrangements.  Pay for the boxes and support, and
> that is pretty much it...

> As far as H/A, both of them employ it.  My testing
> showed both of them performing fully stateful failover
> in less than one second.  I became a little
> concerned when I was simulating a power outage by
> cutting the power abruptly and when one of the Nokia
> boxes experienced a software corruption and needed
> some support to be revived...  No such experience on
> the NetScreens and furthermore, they booted up very

> I hope this helps a little.  If not, again, there are plenty
> of third-party articles available on the web...


> David P.


> > Has anyone seen a feature/performance
> > comparison of the above two product lines,
> > particularly in HA configurations?

> > Else has anyone done their own analysis they are
> > willing to share?

> > Many thanks,

> > Paul Murphy.

> > CRESTCo Ltd.             The views expressed above
> >                          are not necessarily those
> > 33 Cannon Street.        held by CRESTCo Limited.
> > London  EC4M 5SB (UK)
> > +44 (020) 7849 0000     http://www.crestco.co.uk

firewall-wizards mailing list
firewall-wizards () nfr com

George W. Capehart                               Phone:  +1 704.953.1209
                                                   Fax:  +1 704.853.2624

SMS Messaging:  http://www.mobile.att.net/mc/personal/pager_show.html
                mailto:  7049531209 () mobile att net

"Does getiud() halt the spawning of child processes?"