2006-04-08
RingBuffer
Re: Experiences with Crossbeam C-Series

Tom,

I find it interesting that yours is the only post in the Forum regarding Crossbeam as a platform. It speaks volumes I think.

Let me set the background to my following comments:-

I worked at Check Point for over 6 years before going to Crossbeam. Boy, did I make a mistake! This company has no ambition and no security heritage. The heritage if you are interested is Bay and Nortel.

Most of the designs of both C and certainly X are Bay-based engineering. Ask yourself one question: where are they right now?

Crossbeam seem to be hanging on for one of two things to happen: 1) Check Point buy them; 2) They IPO.

Let's take the last point first: they don't have the products in dev to make an IPO viable. They have been talking 10Gig since June last year. The current X-series would require a forklift upgrade to make the most of any 10Gig offering due to backplane changes.

On the first point, Nokia customers are disaffected, Check Point don't have a hardware offering and so, in their blinkered ignorance, Crossbeam think that Check Point will buy them to finally seal Nokia's fate. When hell freezes over! Check Point will continue to be a software company with wide hardware coverage. They can't afford to buy Crossbeam because it injures forever their precarious relationship with Nokia, and that's 45% of their installed base.

Let's take some C-series experiences. At least one ISP will never buy C-series again based on their reliability record. The disk errors you mention are not the end, nor the start, of the issues. Another academic customer who experienced another more serious problem was GIVEN a second C30 for free to hush things up in the academic community.

Firstly, Crossbeam (in common with many manufacturers) don't make their own kit, so they are beholden to the contract manufacturer to ensure quality. Problem with that is the manufacturer is in Taiwan and only one person at Crossbeam HQ speaks Taiwanese, and they are in Marketing! This has given rise to many quality challenges.

The C30 uses a Network Processor to offload the CHKP SecureXL processing, except it doesn't really work. If you cluster the C30 then you must disable hardware SecureXL. This takes a 4G box down to 1G immediately. I am not going to suggest you lift the lid on a C30 to check this out, but if you do you will see that the C30 NP has a 1GB Ethernet connection to the Pentium host board. So you have 18 1Gb copper and 2 1Gb fiber ports all talking over a 1Gb Ethernet connection. Even Cisco doesn't oversubscribe like this.

You would hope Crossbeam could fix this? Unfortunately the engineer who wrote the code doesn't work there anymore and no-one understands his code. Look for the C30 to be EOL before long.

The C30i is the baby to go for. At least its NIC cards are PCI based and so have a faster connection to the host processor. Oh, and that's the real point. You are paying $17k for what is essentially a PC. The C30i contains absolutely nothing you couldn't build yourself using SPLAT or RHEL.

Crossbeam shipped an SMP kernel for its dual-CPU C30 variants. It didn't work, kept crashing. Fix from Support? Use the Uni kernel, we'll fix it eventually. Hence the free C30 to the academic customer above!

Now onto the falsehood of UTM appliances. Why is the Crossbeam solution special in this regard? It is simply a PC, with a desktop, not server, chipset. It runs a variant of RH Linux. The reason it's UTM? Well you can run more than CHKP on it (this is its only differentiator from Nokia), but you still have to buy the license and install the product.

Haven't security professionals been saying for years (including everyone at CHKP), DON'T run other programmes on a firewall???

Onto the disk errors. These devices, unlike the latest Nokia IP range, do have disks; disks break. To make matters worse, early revisions used no vibration suppression on the guard disk mounts. All the range use a laptop IDE disk drive which is neither quick, nor designed for server operation. Later versions still have disk issues because 40 pin and not 80 pin cables were used for the drive. This led to ECC errors which meant swap out of the appliance. Crossbeam claim to have fixed these issues, but unless you have a very late model (Jan this year onwards) then you will eventually have a failure. Their first attempt to fix it was to disable the IDE mode that required 80 pin connectors in SOFTWARE. This slowed the disk even more.

All in all, a customer support nightmare. The C-series should be dismissed and SecurePlatform used to build your own server out of a known reliable platform such as HP or IBM.

The X is a different beast with its own problems.

Last edited by RingBuffer; 2006-04-08 at 10:35. Reason: correcting last para