CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
We're upgrading our hardware, and I need some opinions. Our setup:

- Single management server
- Two enforcement nodes running Splat Pro
- 12 physical interfaces per firewall

We have 2 DS3's for Internet connectivity, and obviously a high degree of segmentation in our networks. We have about 5000 users any given day, though most are restricted by 64kbps WAN pipes. On some segments, there are backups or other high-volume transfers, but the bulk of our traffic is low bandwidth/small packet size interactive sessions (similar to telnet/ssh).

We're looking at replacing the enforcement nodes with a pair of IBM x366 systems. These are not on the official "supported" list, but the specs are similar to others that are. These will be single processor 3.6GHz Xeons with 4GB RAM.

Our main concern is the interfaces. We feel that if we're buying hardware now, we should be looking at gigabit interfaces. Since we need at least 11 interfaces, we're looking at 3x quad-port cards. Lastly, the x366's are PCI-X, so our choices are limited to the following cards (from Check Point's list):

- HP NC340T
- Intel Pro/1000 GT Quad
- Sun Gigaswift X4445A

The HP cards seem to have been discontinued/replaced, and we're really unhappy with HP right now due to some lemon hardware and support issues, so they're out. We'd like the Intel cards, but looking at their support documentation, they appear to have issues with the IBM x365 and x370, and further, they recommend that you don't add more than 2 of these to a server (and we'd be looking at 3). While these aren't the exact IBM models we're looking at, we're uncomfortable with them. So that leaves us with the Sun cards. They're a bit pricey (retail $750/ea as opposed to about $500/ea for the Intel cards). We can't find any similar notices about the compatibility, but that could just mean that Sun makes it harder to find.

Anybody have recommendations or, more importantly, "don't do it" advice? Should we be looking at different servers than the IBM x366's (that doesn't help with the interface card choice)? Anybody have a favorite supported quad-port GigE card that's not listed on Check Point's site? How do you pick hardware for a great, solid, Check Point firewall?
If you need such throughput/interfaces, why aren't you looking at firewall appliances? They are pre-hardened, optimised and can have hardware VPN accelerators. Crossbeam C12 looks ok for your needs, it's 4 Gb throughput, or even Crossbeam C25, 12 interfaces, 6 Gb throughput. Both can have multi-apps in them, C12 can support 2, C25 can support 4, meaning you can run Check Point with Trend Micro/Websense etc.
We use the Sun Gigaswift cards in all of our firewalls, granted we are using Sun platforms as well. But we've only had one problem where an interface went bad and no configuration or monitoring problems. Currently we have about 70 cards in service.
When running Check Point, aren't these "appliances" just custom-built boxes?
Multiple CPU: I think Check Point is coming out with something like "CoreXL"?? I heard it at a local Check Point event.... If not, that's why you can get an appliance like Crossbeam; currently, the multiple cores are supported on the OS level.
CoreXL is aiming at 4 or more CPU cores, whether quad core or 2 x dual core etc., and will be an extra license if it follows the usual Check Point pattern.

I have worked with Crossbeam C Series and wouldn't touch them again compared to a Nokia. Despite the fact that they say it can run multiple apps, then it is only in certain pretested combos, and even the Crossbeam SEs say that even the C25 is really only good for running one app. I was at Crossbeam offices with a customer and the SE said that in front of the prospective customer. The only good thing I could say about the Crossbeam C series is that it is cheaper than a Nokia (not that it is hard to be cheaper than a Nokia).

Most of the appliances now, whilst using Intel CPUs and NICs, also have an additional ASIC built in to allow faster throughput; Nokias come as standard with a Broadcom VPN accelerator and are bringing out the ADP cards to further accelerate the traffic.

For people that have existing Dell or HP or IBM contracts, then SPLAT is a very attractive offering if they just want a firewall appliance. What you may have to put up with, though, are issues where you are possibly limited in the number of NIC cards that can fit in and still work properly, as has been found with some HP boxes and the Intel Pro1000MT cards.

fdamstra, how are you getting on with the Pro1000PT cards? I am looking at ordering a pair myself, and would appreciate the feedback on how they are working with SPLAT.