Check Point has long been a dominant force in the enterprise firewall space. With the FireWall-1's ability to run on multiple platforms, support for multiple OSes, staggering set of features and completely slick management interface, the product's popularity comes as no surprise. However, FireWall-1 has had a few nasty bugs discovered, the add-on features list rivals that of a Sears catalog, and its licensing complications are legendary. During our latest round of testing we had three keys expire, which completely stymied us for a good 24 hours. Each.
Check Point shipped us a set of Sun Microsystems Netra T1s running Solaris 8 and Check Point NG (Next Generation). Configuration of these units was straightforward, and Check Point has begun building OS-specific tasks into the administration GUI to help limit the amount of OS-tweaking needed to get things running. Unfortunately, the ARP (Address Resolution Protocol) table modifications necessary to get NAT running still appear to require manual intervention, as the automated methods didn't work for us.
Moving to the failover tests, we ran into an interesting challenge when we started testing NG with the Caw devices. We soon discovered that, by default, Check Point limits the number of simultaneous connections to 25,000 when you're using NAT. To get around this limitation, you have to allocate memory manually by setting fw:fwhmem in /etc/system to the desired amount of memory (in hex, of course). The number of allowed connections also needs to be configured using the administration console. While this let us get past the session limitations, the units appeared to struggle with session tests of over 100,000 sessions (see our performance chart).
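As an added example, not part of the review and not Check Point's own tooling, the helper below generates and audits the /etc/system line described above. It assumes the Solaris /etc/system syntax "set module:variable=value" with a hex value and a leading "*" for comment lines; the byte counts and the sample file are constructed placeholders, not figures from the review, and the matching connection-count change in the administration console is outside what this script touches.

```python
import re
from typing import Optional

SETTING = "fw:fwhmem"   # the kernel variable named in the review
# Assumed Solaris /etc/system syntax: "set module:variable=value"; lines beginning with '*' are comments.
_LINE_RE = re.compile(r"^\s*set\s+" + re.escape(SETTING) + r"\s*=\s*(0x[0-9a-fA-F]+|\d+)\s*$")


def fwhmem_line(megabytes: int) -> str:
    """Return the /etc/system line that allocates `megabytes` MB to fwhmem, as hex."""
    if megabytes <= 0:
        raise ValueError("allocation must be a positive number of megabytes")
    return f"set {SETTING}=0x{megabytes * 1024 * 1024:x}"


def current_fwhmem(etc_system_text: str) -> Optional[int]:
    """Return the fwhmem allocation in bytes found in /etc/system text, or None if unset.
    The last matching 'set' line wins, matching the order in which the file is read."""
    value = None
    for line in etc_system_text.splitlines():
        if line.lstrip().startswith("*"):
            continue                      # comment line
        m = _LINE_RE.match(line)
        if m:
            value = int(m.group(1), 0)    # base 0 accepts both 0x... and decimal
    return value


def apply_fwhmem(etc_system_text: str, megabytes: int) -> str:
    """Return the file text with exactly one fwhmem line set to `megabytes` MB.
    An existing line is replaced in place; duplicates are dropped; otherwise the line is appended."""
    new_line = fwhmem_line(megabytes)
    out, replaced = [], False
    for line in etc_system_text.splitlines():
        if not line.lstrip().startswith("*") and _LINE_RE.match(line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue                      # drop any further copies of the setting
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


# Constructed sample of an /etc/system file (placeholder values, not from the review).
SAMPLE_ETC_SYSTEM = """\
* constructed sample /etc/system
set noexec_user_stack=1
set fw:fwhmem=0x1000000
"""

if __name__ == "__main__":
    print("current:", current_fwhmem(SAMPLE_ETC_SYSTEM))
    print(apply_fwhmem(SAMPLE_ETC_SYSTEM, 32), end="")
```

Auditing the current value before and after the change is the useful part: a firewall whose /etc/system carries two conflicting fw:fwhmem lines silently takes the last one, which is exactly the kind of drift that shows up only when the session count climbs.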
Troubleshooting and monitoring are areas where general-purpose OS-based solutions tend to be fairly strong. Troubleshooting many issues on a Solaris-based solution is far easier than performing the same tasks on appliances, such as the Lucent Brick. The NG interface has some distinct improvements over the early FireWall-1 v4.1 release as well. For example, it is now possible to see which unit is active in the failover cluster and whether HA is functioning properly.
The Check Point NG solution will probably function adequately for most low- to medium-bandwidth environments. But for heavy-duty session loads, we suggest you do some serious testing before deployment.
Check Point NG. Check Point Software Technologies, (650) 628-2000; fax 650-654-4233. www.checkpoint.com
Lucent Technologies VPN Firewall Brick 201 and VPN Firewall Brick 1000
The Lucent Brick series is an appliance-based firewall solution that runs on Intel hardware using a custom OS. However, unlike the Nokia units (and other PC-based appliances), the Lucent Brick doesn't have any moving parts -- it uses solid-state hard drives. We started our tests with the Brick 201 series but quickly overwhelmed the units once we moved to our rounds of 50,000 sessions. Fortunately, Lucent shipped us some Brick 1000 units that were up to the challenge, putting to rest most of our performance concerns.
The Brick management interface is called the Lucent Security Management Server (LSMS) Navigator and runs on either Solaris or Microsoft Windows NT. It can be both useful and cumbersome, depending on what your goals are.
For multitenant firewall deployments we can see how the flexibility of the platform could be useful (see "Follow the Mellow Brick Road"). However, we found many of the Brick's methods of doing things a bit confusing. For example, while setting up a remote site for accessing the Internet behind a single IP address is a cakewalk, constructing one-to-one NAT rules is far from intuitive. You have to modify settings in multiple policies, and there are several vague ways of accomplishing the same task.
We imagine that once you understand Lucent's view of the world the management interface becomes easier to use, but we found the learning process a bit harsh.
From a raw performance perspective, the Lucent Brick 1000 works quite well. Matched in failover performance only by the NetScreen, the Brick was able to maintain HA configurations successfully. Its monitoring capabilities are above average. The Brick offers charts and counters that let you monitor and plot active sessions, CPU utilization and interface statistics. While we found the monitoring capabilities of the PIX PDM easier to use, the Brick's monitoring options still surpass those of other firewall products.
The Brick comes up short on design and functionality. It doesn't offer a functional remote console interface. Instead, administrators can use a DOS-based program to perform some rudimentary CLI monitoring tasks. The Brick is dependent on a Sun Solaris or Microsoft Windows NT LSMS deployment and doesn't have any clean way to unload flawed policies.
But perhaps our biggest concern is that the Brick crumples when it comes to performing some basic TCP checks. The Brick is the only product, for example, that failed the "Block ACK with a bad source port number and bad sequence numbers" test. If Lucent could expand the Brick to be as flexible at the command line as it is with the GUI, and if it could perform some more robust security checks, it could be a contender. Right now, however, it just leaves us scratching our heads.
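To make concrete what the "Block ACK with a bad source port number and bad sequence numbers" test exercises, here is an added example, not from the review and not any vendor's code, of a minimal stateful inspector: it tracks connections by their 4-tuple and expected sequence numbers, and drops an ACK whose source port matches no tracked connection or whose sequence or acknowledgement number falls outside the tracked window. The addresses, ports, sequence numbers and the 65535-byte window are constructed for illustration; a production firewall tracks considerably more state than this.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

MOD = 1 << 32
Key = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]
    seq: int
    ack: int = 0
    payload_len: int = 0


@dataclass
class ConnState:
    client_next: int              # next sequence number expected from the initiator
    server_next: Optional[int]    # same for the responder; None until its SYN/ACK is seen
    window: int = 65535           # tolerated distance from the expected sequence number (constructed)


def _within(value: int, expected: int, window: int) -> bool:
    """True if value lies within +/- window of expected, modulo 2**32 (allows retransmits)."""
    delta = (value - expected) % MOD
    return delta < window or delta > MOD - window


def _advance(p: Packet) -> int:
    """Sequence number the sender should use next, after this segment."""
    return (p.seq + p.payload_len + (1 if "FIN" in p.flags else 0)) % MOD


class StatefulInspector:
    def __init__(self) -> None:
        self.table: Dict[Key, ConnState] = {}

    def accept(self, p: Packet) -> bool:
        fwd: Key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev: Key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if "SYN" in p.flags and "ACK" not in p.flags:
            # New connection attempt (rule-base lookup omitted here): start tracking it.
            self.table[fwd] = ConnState(client_next=(p.seq + 1) % MOD, server_next=None)
            return True
        if fwd in self.table:
            st, from_client = self.table[fwd], True
        elif rev in self.table:
            st, from_client = self.table[rev], False
        else:
            return False   # no tracked connection, e.g. an ACK from a port that never sent a SYN
        if not from_client and "SYN" in p.flags and "ACK" in p.flags:
            if p.ack != st.client_next:
                return False   # SYN/ACK must acknowledge exactly the initiator's SYN
            st.server_next = (p.seq + 1) % MOD
            return True
        expected = st.client_next if from_client else st.server_next
        other = st.server_next if from_client else st.client_next
        if expected is None or not _within(p.seq, expected, st.window):
            return False   # sequence number outside the tracked window
        if "ACK" in p.flags and other is not None and not _within(p.ack, other, st.window):
            return False   # acknowledgement number does not fit the peer's sequence space
        nxt = _advance(p)
        if (nxt - expected) % MOD < st.window:   # only ever move the expectation forward
            if from_client:
                st.client_next = nxt
            else:
                st.server_next = nxt
        if "RST" in p.flags:
            del self.table[fwd if from_client else rev]   # connection torn down
        return True


def demo() -> Dict[str, bool]:
    """Constructed traffic: a legitimate handshake followed by the malformed ACKs the test targets."""
    insp = StatefulInspector()
    c_ip, c_port, s_ip, s_port = "10.0.0.5", 40000, "192.0.2.10", 80
    return {
        "syn": insp.accept(Packet(c_ip, c_port, s_ip, s_port, frozenset({"SYN"}), seq=1000)),
        "syn_ack": insp.accept(Packet(s_ip, s_port, c_ip, c_port, frozenset({"SYN", "ACK"}), seq=5000, ack=1001)),
        "ack": insp.accept(Packet(c_ip, c_port, s_ip, s_port, frozenset({"ACK"}), seq=1001, ack=5001)),
        "bad_port_ack": insp.accept(Packet(c_ip, 40001, s_ip, s_port, frozenset({"ACK"}), seq=1001, ack=5001)),
        "bad_seq_ack": insp.accept(Packet(c_ip, c_port, s_ip, s_port, frozenset({"ACK"}), seq=900000, ack=5001)),
        "bad_port_and_seq_ack": insp.accept(Packet(c_ip, 40001, s_ip, s_port, frozenset({"ACK"}), seq=900000, ack=1)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {'pass' if verdict else 'block'}")
```

The two failure cases correspond to the two halves of the test name: an unknown source port finds no entry in the state table, and a wild sequence number fails the window check even when the 4-tuple is known. A firewall that lets either through is accepting segments that cannot belong to any connection it has seen, which is what the review's test was designed to catch.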
Lucent VPN Firewall Brick 1000. Lucent Technologies, (908) 582-8500, (888) 458-2368; fax (908) 508-2576. www.lucent.com