So, not being a board regular makes me wrong from your point of view..
I'll just add a few lines to what invictus said...
First, any system without an IP stack won't be able to communicate with ANYTHING unless designed to create replies by itself <ie. emulating an IP stack> which isn't a correct approach from a system designing point of view. Although it saves the system from most IP packet attacks, it's considered such a memory hungry solution that isn't worth it..
And if you wanted it for CP, you should ask Nokia to provide it and not CP, CP runs on any OS that might include any system that runs a specific network-related app, which leads to my next point...
What about content security? How would your stealthmode technology get to send packets to <for example> my UFP server? CVP? Anyone familiar with CVP knows that it could protect from viruses travelling the network in a lot of protocols and not like those on mail-servers...
Ok, invictus said without an IP stack management would be impossible, depends on the type of management, does Sunscreen offer a solution to manage multiple FWs from one box or something like Provider-1?
Also, what sort of HA and FO schemes do such boxes provide? any box doing HA while bound to an IP address takes around 100ms to get the info to the other box and another 55ms to add the changes, that means a total of ~155ms, would you tell me how fast is it to do HA without an IP stack bound to an interface plus the time needed to generate the replies?
Another valid point is authentication, How would it do auth? most <if not all> auths need to talk to the FW thru something, without an IP stack such communications would have to be done thru Unix pipes <or some gay socket programming> so how would you be able to auth? and to what degree does auth state sync work on the Sunscreen?
Don't VPN connections need to interact with an IP stack? a FW that does the encryption and decryption is one that takes more load than it needs..
Ok, this is about it for the SunScreen, let's see why I prefer CP..
1) INSPECT, I've seen a lot of ppl get magic done with it..
2) The OPSEC alliance, Provides you with nearly everything you need
3) Centralized management & an award winning GUI, doesn't need explanation
4) IPSO, I'd really like to see an OS scale to routing purposes as IPSO does, anyone that has used it knows what I mean..
5) Support, logic, easy configuration for basic tasks and differentiation of tasks as in control.map...
SO, am I wrong? correct me, and please note those *valid* points that you've said before I ran away from answering <probably cuz I chickened>...
Hmm, if I had to do NAT from another box just cuz of 'Stealth Mode Technology' then **** it, I bought a FW to become a border gateway to my network and not because it has a technology that isn't anywhere else..
OK, so would u tell us how does it do SKIP without having an actual IP stack bound to an interface? and BTW, SKIP *was* a great technology one time and I'd really like to see it survive IKE especially that IKE has become a standard in IPv6..
A lot of ppl claim they understand state, would you show me a state table dump for one of your own created tables that actually works by tracking more than src,sport,dst,dport,ip_p? I've posted a lot before to fw1 related lists about maintaining state for syn and ack bits.
Just remembered, CP does load balancing for logical servers, does Sunscreen do it? and to which degree? Plus, could Sunscreen be used to understand the underlying protocols as to not allow SMTP traffic to go thru port 80 in a manner similar to that of a proxy?
I didn't mean u by the weird conversations part
and i*, I'm not familiar with AOL, yet if u provide some more info, I could help...
Waiting for a reply...
Wow. Do you have no clue or what? Maybe it's the bad English but you make no sense.
You asked what Sunscreen has to offer that CP doesn't, so I answer and you come back with more developer crap (we've been over this one already). I already answered the question about auth and all that so......go look.
You obviously have no idea of what Sunscreen is all about and you aren't about to go read, so I'll end this thread before it turns into a flame session.
As always, it's been a pleasure arguing with you about CP and Sunscreen. I still say Sunscreen is better, and you haven't given me any reason to look at CP.
And I replied..
if Sunscreen is selling because of its 'Stealth mode tech' then to hell with Sunscreen, a useless technology isn't an advantage nor a disadvantage, it's a SHITLOAD....
And I haven't been shitting about developer crap, all of what I said were valid points to ANY CP admin working on a good site <invictus, what do u think?> and I haven't seen your reply to my auth Q anywhere, would u mind linking me and also linking to your valid points that I chickened after?
Also, if all of what I named isn't considered a good reason to look at CP, then just name whatever u want to see, tell us your fantasies and I'll call the responsible parties..
Just tell me what does CP miss/need to become a better FW...
O, and BTW, state tables go into kernel space and have nothing to do with drivers regardless of the OS and type...
Like I said earlier...I do not know much about Sunscreen, so I have no basis for my argument
However, I do work with Checkpoint and I agree with etsh911's arguments because everything he said is right. I do know for a fact that checkpoint provides me with all the functionality that I need and then some, so personally I couldn't see why I would need something else.
Again...I do not know about a 'stealth' firewall because I cannot see it really providing anything useful. (I would still like to learn how it works though...curiosity is getting the best of me). I was also going to make the point about content security and VPN's because it would be impossible without an IP stack, especially if your fw was your VPN endpoint.
I do have to mention that it has been quite some time since I have found a good thread to respond to on the forums, and this one is just plain fun.
It is kinda funny how every exciting argument I have seems to be with KorpDeath ;)
Everyone is entitled to their opinion and who is really to say what is right and what is wrong. Different solutions work in different environments. I obviously have a biased opinion as does etsh911 because CP is our product of choice, but that does not necessarily mean Sunscreen is bad. CP is just better....;)
I don't really care what CP is missing. I don't use the product. I understand your point of view, but you aren't concerned with what I am concerned with so this discussion is moot.
And auth is done with SKIP keys. VPN is also done with SKIP but I don't use my firewall to do VPN because I have an appliance for that which works great.
Thanks for the conversation.
I wouldn't mind re-entering my own thread - I think some of what you guys say is really interesting. etsh911 - I don't know cp like you do but what you say sounds right. iNViCTuS you are way beyond me in this and I am curious now in who is right (or maybe you all are, in a way). KD - now I would like to see that stealth fw, how much does it cost? Maybe I can get one in to play with. I'm going to sun's site to see.
I think I am somewhat out of my depth here so I'm not gonna argue details with you guys.
Hi MRWALL, I don't see any other conversations about AOL so I'll assume you are directing the more information to me, I hope. Where should I start, internal network or CPFW config?
Unfortunately you will probably not be able to find anything because Sun has announced an End-of-Life for Sunscreen :(
Originally posted here by gold eagle
KD - now I would like to see that stealth fw, how much does it cost? Maybe I can get one in to play with. I'm going to sun's site to see.