Firewall Wizards mailing list archives

Re: Solaris router vs. Cisco IOS


From: TC Wolsey <tc () thebiz net>
Date: Mon, 15 May 2000 11:24:16 -0400 (EDT)

On Tue, 9 May 2000, Richters, Eriks wrote:

> I got into a debate with someone today about the use of a Solaris box
> running Checkpoint Firewall-1 as a router, as opposed to using a real Cisco
> router for routing and a solaris box with Firewall-1, to accomplish the same
> task.  Does anyone have any opinions on this?

Well, a Solaris/FW-1 box _is_ a router, it just may not be as full
featured as the "real" Cisco (are there fake ones?) although it certainly
could be more so. This is really an open question, but you did ask for
opinions.

Like any piece of critical infrastructure the router and FW must be
configured and maintained to be really useful. If you have a great deal of
experience with only one of these platforms, then I would suggest that you
leverage that. Here are some thoughts WRT common design criteria:

-performance: for small to modest throughput either solution should be
reasonable. The Cisco will offer much more density and throughput at the
high end (i.e. 100s of PPP sessions or Packet-over-SONET). I think that
routing performance is not usually a primary concern at the boundary b/w
security domains.

-availability: both solutions can make use of load-sharing and redundant
hardware. Both solutions also support the use of dynamic routing protocols
and HSRP/VRRP for data-link gateway failover. The Cisco solution can
support a spare CPU/processor board in a single chassis; I am not sure about
the Solaris/CP combo (dependent on the hardware platform).

-manageability: well, for the routing part at least you are looking at a
CLI either way. Syntax for both IOS and gated is pretty arcane. IOS offers
a way to give individual users varying privilege, which may be useful if
there are many administrators. Administration of gated.conf may mean root
privilege on the FW, which may be fine as long as the FW and router admin
are the same person(s). The IOS interface will present all the information
WRT routing, interface state, etc. in one interface - Solaris/CP will
require at least the use of something like ndd, netstat -s and the
ability to read trace logfiles.

Some random thoughts: a Solaris/CP solution can probably fit in a smaller
physical space than the separate FW/router combination - important if you
are in a CO or colocated rack space. The separate FW/router combo
represents two separate points of failure, but also two points where
policy (routing and security) can be applied independently. In each
scenario you will need to have multiple vendor support - to what degree is
hardware/software support available wherever the equipment and admins are
located? There is a reason that CP took over distribution of the Nokia
solution - I personally am fond of Solaris, CP FW-1 and Cisco IOS but I
would definitely consider the CP/Nokia solution also - one box with one
support source (and a whole lot of closed-source code).

Regards,

tcw
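As an added illustration of the IOS privilege-level point raised in the manageability item above (this is editorial example configuration, not part of the original post): a routing operator is given a custom privilege level that can view routing and interface state without holding enable (level 15) access. The account name and secret are placeholders.

```cisco
! Added example, not from the original post: give a routing operator
! read-only visibility without level-15 (enable) access.
! "routeops" and PLACEHOLDER_SECRET are placeholders.
username routeops privilege 5 secret PLACEHOLDER_SECRET
! Move only the needed show commands down to level 5; everything else
! (configure terminal, write memory, ...) stays at level 15.
privilege exec level 5 show ip route
privilege exec level 5 show ip interface brief
! Authenticate against the local user database and accept SSH only.
line vty 0 4
 login local
 transport input ssh
```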