Nokia exploded onto the firewall scene last year with its Intel-based IP series of security appliances running Check Point's FireWall-1. Based on IPSO, a customized OS derived from BSD, the Nokia product line comprises the IP330, IP440, IP530, IP650 and IP740 models.
One advantage of the Nokia units is that, unlike traditional OSes that ship "pants down," the Nokia units are configured prehardened, externally. This saves administrators a bit of time in locking down the box, and we hope this also helps to reduce some occurrences of pilot error. But make no mistake, this appliance is still running an OS, still has a hard drive and is still prone to anything a regular OS might be prone to, securitywise. You will need to baby-sit it accordingly.
We tested Check Point 2000 4.1 SP 2 on the IP530 and had few problems with initial configuration. The IP530 performed well in our initial tests, but once we rolled up our sleeves and got into 50,000-plus sessions we ran headfirst into some of the appliance's shortcomings.
Because the IP530 is running Check Point FireWall-1, the 25,000-session hard limit still applies. However, unlike in our tests with Check Point NG on Solaris, trying to get the IP530 over that hard limit was painful. In an attempt to allocate more memory on the unit, we used the modzap utility documented at Nokia's support center. We wanted to allocate 50 MB of memory for the extra sessions. It turns out that 35 MB is acceptable with 256 MB of RAM (the default on an IP530), but 50 MB is not. After sorting out the memory-allocation issue, the 50,000-session test still knocked the appliance over. While our test FTP and SSH sessions stayed active, we were unable to subject the IP530 to loads above the 50,000 threshold.
Many of these performance problems may be fixed with the IP740, which we did not have an opportunity to test. However, we can't help but feel as though we're back into the "spec this PC" game. When do you order a Nokia IP530 with more RAM? When do you simply order the IP740? What's the point of buying an appliance if you still have to monkey with PC hardware under the hood?
Finally, while knowing that Nokia's own engineering team looks over Check Point code before they approve it is comforting, consumers should note that the Nokia appliances will always be a step behind Check Point, revisionwise.
IP530. Nokia Corp., (877) 997-9199, (661) 775-2007. www.nokia.com
Stonesoft Corp. StoneGate
Stonesoft cut its teeth in the firewall industry with StoneBeat, a third-party HA add-on to Check Point's FireWall-1. While many organizations are quite familiar with StoneBeat, Stonesoft recently ventured out on its own with StoneGate, touted as its "first high security, high performance and availability" firewall offering with an "embedded OS for increased security" -- direct quotes from Stonesoft. In truth, the new firewall holds some promise but feels more like a beta product than something that is ready to attack the enterprise space.
StoneGate runs on a standard PC and is built on top of a customized version of the Debian Linux distribution. It does not use an embedded OS. Stonesoft shipped us its product installed on three Compaq ProLiant DL360s. After we had some grueling troubleshooting sessions trying to get the product working, one of Stonesoft's technicians brought out three Compaq DeskPros to replace the ProLiants.
Unfortunately, the problems continued. First we were unable to push policies to the firewalls (nodes in StoneGate speak). Then we had more hardware issues, followed by occasionally losing contact with the nodes. After a marathon troubleshooting session (12:30 p.m. to 4 a.m.) with an on-site technician, a working combination was configured on the DeskPros using multicast MAC addresses and heavily reconfigured Cisco switches. While we were downright impressed with the tenacity and dependability of the on-site support, we can only wish that the firewall matched those attributes.
Unfortunately, failover testing didn't go any better. We were never able to get StoneGate to survive more than 100,000 concurrent sessions, and failover didn't seem to work even at lower speeds. At low levels (1,000 concurrent connections) the StoneGate dropped all the monitored FTP and SSH connections after a failover. For organizations with lower volumes of Web traffic, future versions of StoneGate might be an option. But right now we have little faith in the product after spending weeks trying to get it to behave and stabilize. We hope Stonesoft will improve its documentation effort, nail down some of these issues and get the product back on track.
StoneGate. Stonesoft Corp., (770) 668-1125; fax (770) 668-1131. www.stonesoft.com
Brian Eirich and Greg Shipley work for Chicago-based security consultancy Neohapsis. Please send your comments on this article to them at beirich@neohapsis.com and gshipley@neohapsis.com.