10-13-2004 02:03 AM - edited 02-20-2020 11:40 PM
hi,
I just love Cisco technology, but someone told me that NetScreen firewalls are much better than the PIX firewall, because they have deep inspection and support for GPRS protocols.
is it true?
thanks.
10-13-2004 08:03 PM
pppfttt gprs protocols.. why on earth would you need this?
I like both NetScreens and PIXes; I would say they have similar feature sets.
PIX has deep inspection - ala fixup
cheers
dave
10-13-2004 08:53 PM
Hi Lyes,
The NetScreen (NetScreen-500) and Checkpoint (Firewall-1 GX) are specialized products by NetScreen and Checkpoint respectively that are capable of GTP inspection (GPRS Tunneling Protocols) on the Gp and Gn interfaces. If you need such a feature then unfortunately Cisco products are not yet capable of inspecting GTP. Other than the GTP inspection (and the huge price difference) the two firewalls are normal Internet firewalls.
So it depends on the application or location you want to place the firewall. Now rumors say that PIX v7 will be able to inspect GTP, but I am not aware of the price, hardware requirements, availability, features etc.
Regards.
10-14-2004 03:25 AM
thanks guys,
I just spoke with our competitor, and they just told me that PIX is crap compared to NetScreen, because of the throughput: PIX 1.5G and NetScreen 40G,
but reading your answers really cheered me up!
I am managing many PIXes to protect my company's network, and so far I have not faced any problem; every time my management asks me for something, I do it.
cheers.
10-14-2004 05:17 PM
which models are you comparing???
40 Gigabit sounds about 40 times faster than you will be running!
Also, an NS5400 (top of the line) can only manage 12 Gig a second - so your friend is full of sh!t.
Also, 4 PIX blades (FWSM) can do a max throughput of 20 Gig/sec,
but like I said, I doubt you will ever push more than 1 Gig a sec through it.
cheers
dave
10-18-2004 08:38 AM
Even on the lower end products - forgetting about throughput - Cisco has a lot of work ahead of them to catch up to NetScreen. Features like: Dual untrust - tunnel interfaces (route based VPNs) - dynamic routing over VPN tunnels - IP tracking - active/active failover - QoS - just to name a few of the features NetScreen has that Cisco does not.
Let's hope Version 7 steps up to the plate.
10-19-2004 12:35 AM
These are the official throughput figures given on the Juniper site:
NetScreen-5200
Number of Interfaces : 8 Mini-GBIC or 2 Mini-GBIC + 24 10/100
Maximum Throughput: 4G FW 2G 3DES VPN
NetScreen-5400
Number of Interfaces: 24 Mini-GBIC or 6 Mini-GBIC + 72 10/100
Maximum Throughput: 12G FW 6G 3DES VPN
Now, my opinion is that Cisco is left behind as far as Mobile (3GPP) standards are concerned. I have been waiting for Version 7 for a long time and nobody knows what it will eventually support. Now, as far as the throughput figures, it is true that Juniper/NetScreen give much higher performance than Cisco (in a more concentrated space with less power spent). You could, for example, build a Cisco 7609 with 4 PIX blades and 2x 24-port GBIC interfaces to match the same performance and, again, you wouldn't get as many features as with Juniper.
On the other hand, Cisco is well accepted and established and their products have been proven stable and very secure. I think performance can be increased through software efficiency, and new features can add Cisco back in the security game (as it used to be 4 years ago).
Now I do not know about prices....