NOKIA or SPLAT on INTEL, which is best ?

[tangerine0072000]

Hi,

I've spend the last 9-10 years working with Checkpoint running on Nokia with IPSO. I've noticed more and more companies are starting to use SPLAT on Intel hardware as enforcement points.

While I've had plenty of experience running SPLAT on Provider1 or SmartCentre managers, I've not tried SPLAT as a firewall.

Has anyone come accross a NOKIA VS INTEL type document which might highlight the pros and cons of each platform ?

cheers,

[Mathieu]

Hello,

Splat on PC: is cheaper, if you need to upgrade or replace you just buy a new PC. However, you must pay attention on the PC you choose: it must be compatible (especially NIC cards). And you will not have a performance guarantee. OS and Software are provided by the same company.

Nokia: Hardware and support wil cost you a lot, the clustering will rely on VRRP (some people consider it to be superior), you can have accelerated network cards ($$$).

So both are a nice solution especially Splat if you have technical skills, but the question is can you afford Nokia ?

[Dominik Zanolari]

Can't really provide you with a document or link to such a discussion. Yet I collected several years of experience with Nokia/IPSO and can say it's well worth the money you spend.

I consider it a very stable, performance optimized plattform and - very important for an enterprise environment - with good support, both knowledgebase and assisted.

For me it's a bit comparing apples and oranges: I'd rather say "SPLAT vs. Sun Solaris" or similar. Nokia is an optimized platform, dedicated to a mission. While SPLAT enables you to run Check Point pretty smooth on standard hardware, which was designed for multiple purposes.

If your business case justifies the money you need to spend for Nokia, then stick with them and don't experiment.

[calyeo]

I am more biased towards SPLAT because you don't always have test nokia boxes to 'play' with or do POC before an implementation.

But SPLAT allows you this flexibility, especially you could do so with VMs.

[Thorpuse]

I think that this argument is complicated more by CP's own foray into appliances, particularly the M-Series Appliances. The disadvantages around multiple vendors/supported hardware fall away at that point, as well as the multiple vendor finger pointing exercises. Then of course you also now have the UTM-1/Power-1 CP supplied appliances, also running SPLAT with pretty decent numbers.

Nokia traditional argument has been the single point of contact with optimised HW/OS. However IPSO being derived from FreeBSD does delay the development/porting process, and recently seems to be introducing issues. SPLAT is fast becoming CP's best supported platform, and every other appliance manufacturer uses it with arguable better performance numbers than Nokia. Honestly, I don't see IPSO providing a competitive advantage anymore for Nokia, and given the choice, I'd take ClusterXL over VRRP anyday....

[mcnallym]

In a lot of ways I am suprised that Nokia didn't take the oppurtunity to move to Linux from BSD with the IPSO 6.0 move. They already have a Linux based IPSO for the appliances that run SourceFire as Sourcefire runs on Linux, (Red Hat Based).

Would have made them quicker and easier to get the Check Point packages up and running, also most UNIX out there that seems to being grabbed by enthusiats now seems to be Linux based as in Ubuntu, Fedora, Debian, CentOS, Red Hat etc, or certainly what I see.

Certainly makes it easier to use SPLAT then IPSO with the BSD differences.

[Tommo]

If you're looking for the ability to do what the Check Point application can do, then go for SPLAT.

Nokia has so many more features for the "advanced" business requirements over SPLAT - it's a very advanced router at heart. If you just want to put it in and it works with the NIC's supplied, without looking up HArdware Compatability Lists etc, then Nokia is for you.

I'd also say that, in my experience, yes, you pay your money for Nokia, but, the support is superb. I had a box "fail" in France, the customer had not told us it was currently live in France, we, and Nokia, thought it was in the UK. Nokia had a guy there within 3.5 hours with a replacement. The fault was the local users had swapped their internet and internal interfaces over, and not told my customer ;-)

Check Point is a great software company, but they do not have the hardware skills that Nokia have by any stretch. I've found CP not that good when it comes to RMA's on their hardware as there's too many people involved (sofaware and others for Edge's and UTM or Power-1's)

Tommo