Why would a Netscreen Firewall be better than others?

TechBoyJK

Does anybody have any experience with Netscreen firewalls that would like to talk about why they may like them better, or worse than others such as Cisco or Sonicwall?
 

mboy

A lot of them provide very similar functions. I have not used one, but a buddy of mine likes them. Ease of configuration/price/features is the main difference - just have to compare comparable models.

You really can't go wrong with a Netscreen, Sonicwall, Cisco Pix.

I have a Sonicwall SOHO at home and a Pro 200 at the office. VERY easy for the avg joe to config. If I had to do it again though, I might go with a PIX. There are some issues with the SW I do not like.
 

azev

I've used both Sonicwall and PIX, and I found SW is much easier to configure than PIX.
I used to set up the smallest Netscreen firewall, 5xp or something, and they are just as good and as configurable as the other firewalls. I think you can go wrong with either one. Just make sure you evaluate what you need, and future upgrades, and get a proper model/type. Firewall upgrades can be pretty expensive, and a firewall has a much longer lifespan compared to a computer if you get the right device.
 

cmetz

I dislike Netscreen. Their CLI is very bad, you basically have to use the web interface - strike one. Their serial console port is the wrong gender (NS5 at least) - strike two. Their support is totally unacceptable - three. Also, they obsolete their boxes the same as anyone else, I have a NS5 that's EOL, no more firmware, no more fixes.

SonicWall is no better about management - don't think it has a CLI even. I don't even think it has a serial port. I don't know about their support. So I'd put NS ahead of SW, but competing for the front-runner among products I still wouldn't use.

PIX is pretty bad too but the CLI is vaguely Cisco and really works (except that it's easy to as a side effect get into a state where you can't move bits), the console port is standard Cisco (works okay), and their support is standard Cisco - you can get decent support if you pay enough, but they have tons of documentation online and in the community that helps too.

Frankly, none of these three are particularly good products from my perspective. Among the three, I'd choose PIX with no hesitation. But if I had the freedom to choose anything I'd choose none of the above (probably OpenBSD on a decent PC).
 

mboy

SW does have CLI, but is very weak and very basic (it is on Pro 200 and up). I am pretty sure most of the upper end PRO models have a serial connect as well, at least my Pro 200 does.
 

azev

But if I had the freedom to choose anything I'd choose none of the above (probably OpenBSD on a decent PC).

Cmetz, I heard that is a bad idea, because a PC has much more hardware that is prone to failure (especially moving hardware such as hard drives). Although when I was in the military I know they were using Sun boxes with Gauntlet software for their back-to-back firewall.
Also I've read somewhere that a PC will not be as fast as custom hardware designed to do a specific thing such as firewall, etc. I am not sure if that is true; I had upgraded pix520 once and the internals look like a regular computer.
 

cmetz

azev, what do you think is in a Juniper router?

If you're paranoid about hard drives, use RAID or compact flash.
If you're paranoid about fans - use passive cooling wherever possible and don't use the latest Intel/AMD scorcher chips.

The PIX is just an embedded PC with flash memory. Higher end NetScreen boxes are also. The SonicWall and lower end NS are true embedded systems but that doesn't mean that much anymore.
 

Nothinman

Cmetz, I heard that is a bad idea, because a PC has much more hardware that is prone to failure (especially moving hardware such as hard drives)

But it's also much easier to replace because all that hardware is so commonplace. I doubt Cisco would like to hear about you swapping out bad DIMMs on your own in one of their higher up boxes even though they're just glorified PCs, but I could be wrong as I don't deal with Cisco support much.

Also I've read somewhere that a PC will not be as fast as custom hardware designed to do a specific thing such as firewall, etc. I am not sure if that is true; I had upgraded pix520 once and the internals look like a regular computer.

Some of the boxes will have multiple CPUs or ASICs to handle certain aspects of the box's job to help speed, but you'd have a hard time taxing a PC running OpenBSD or Linux on hardware that was made in the last 3-5 years anyway.