Re: Nokia/Checkpoint firewall

[Jerald Josephs <jerald.josephs () iprg nokia com>]

In direct reply to the assertion that Nokia is behind in the HA development
as compared to Stone Soft, I would to offer some data for your evaluation.

I can take two or more Nokia platforms and accomplish the following

1) Set up a HA configuration, so that a client-to-site IKE VPN (SecuRemote) can
be
established through the physical firewall currently the master of the VRRP
router ID number,
which makes it the master of the network flow. Then fail this physical firewall
and
observe the network flow transition to the backup in about 3 seconds. I can then
fail this
physical firewall and repeat the process to the next firewall that would become
the master.

2) Upon restoration of the previously failed firewalls, I can decide whether or
not I wish for them to take back the network flow or leave it as it is.

3) The SecuRemote client perceives this group of firewalls as single entity and
really doesn't know which physical router is handling the connection. It doesn't
care.

4) I can repeat this with a site-to-site VPN and achieve the same results, where

each end of the VPN perceives the opposite end as a single entity, not knowing
which physical firewall is actually responsible for the responses.

5) In this configuration, only one firewall is actually processing the packets,
while the other(s) might remain in standby mode. Not exactly a good use of
resources, so we came up with a configuration that does not include third party
applications, that enables us to do a load distribution  model that distributes
the incoming connections across the firewalls.  This is done using Equal Cost,
Multipath in OSPF. Using a hash based upon SRC and DST IP addresses, the OSPF
routers on both sides of the firewall cluster select the same physical firewall,
maintaining symmetric routes.

Choose your weapon, whether it is StoneBeat, Rainfinity, or that which is
provided by Nokia.

--- Jerald Josephs
Nokia IP Routing Group
Customer Services

Joe Ippolito wrote:

> StoneBeat won't work on the Nokias and Nokia is behind on HA development
> compared to Stone Soft.  The Znyx 4-port is not on the Win2K HCL and only 3
> of the 4 interfaces worked in an Intel Seattle Mboard when I tried it.  Last
> I checked www.znyx.com they had not written a Win2K driver.  The Adaptec
> quad card is on the Win2K HCL but the one I have is 64-bit PCI - so you will
> need a high-end machine or a large 64-bit to 32-bit PCI-slot hammer :-).
>
> ----- Original Message -----
> From: Yin To Chu <ytchu () ozemail com au>
> To: Starkey, Kyle <Kyle.Starkey () msdw com>
> Cc: <owner-firewall-wizards () lists nfr net>; ytchucwo <yin.to.chu () cwo com au>
> Sent: Wednesday, February 02, 2000 2:55 AM
> Subject: RE: Nokia/Checkpoint firewall
>
> > Kyle :
> >
> > Can you tell the hardware configuration of the Ultra 250, i.e. memory, no.
> > of CPU and CPU speed?
> > There is only a Pentium II 450 CPU running FreeBSD 4.0 (optimized by
> Nokia)
> > in IP650. I read the spec. on Nokia GGSN (GPRS core element) which is
> IP650.
> > We got HA Ultra 450 server pair running FW-1 and StoneBeat? May save a lot
> > of money and space if Nokia box is that fast. Suppose the HA module works
> on
> > Checkpoint 2000.
> >
> > I hope the cPCI ZNYX 4-port NIC for IP650 can do host based HA networking
> > with FreeBSD RAINLink driver. www.znyx.com. I am not sure.
> >
> > Yinto
> >
> > -----Original Message-----
> > From: owner-firewall-wizards () lists nfr net
> > [mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Starkey, Kyle
> > Sent: Tuesday, 1 February 2000 15:11
> > To: Wang, Daniel; firewall-wizards () nfr net; donwang () angstrommicro com
> > Subject: RE: Nokia/Checkpoint firewall
> >
> >
> > Daniel,
> > I don't now about the specifics of the hardware inside the Nokia's, but we
> > bought IP650 and replaced SUN E250's.  We saw 3 times the packets being
> > processed on the Nokia's running the SAME rule set.  I would say that the
> > slimlined, BSB kernal is well tuned to inspect and forward packets.  This
> > was out of the box and I believe with a bit of policy tuning I can see a
> 4x
> > multiplier on the Nokias.
> >
> > -Kyle
> > InfoSec
> > MSDW Online
> >
> > -----Original Message-----
> > From: Wang, Daniel [mailto:daniel_wang () tds com]
> > Sent: Tuesday, January 25, 2000 9:41 AM
> > To: firewall-wizards () nfr net; donwang () angstrommicro com
> > Subject: RE: Nokia/Checkpoint firewall
> >
> >
> > I didn't work with it myself much, but when we tried them here the power
> > supplies failed at an alarming rate. We had two replaced under warranty in
> > the just the short time we were using it.
> >
> > I don't know about performance under high load, but FYI the hardware is a
> > standard ATX PC motherboard with a P2-300 processor, and the OS is a
> > modified version of FreeBSD. You could expect about the same performance
> as
> > the equivalent PC.
> >
> > -----Original Message-----
> > From: don Wang [mailto:donwang () uac com]
> > Sent: Wednesday, January 19, 2000 12:50 PM
> > To: firewall-wizards () nfr net; donwang () angstrommicro com
> > Subject: Nokia/Checkpoint firewall
> >
> >
> > Hi,
> >
> > Does anyone have any comments about the Nokia firewall solution which
> > uses Checkpoint?  I have looked at the Nokia web site and want to hear
> > any field stories that are available.
> >
> > Thanks,
> > Don

Attachment: jerald.josephs.vcf
Description: Card for Jerald Josephs