RE: PIX vs. Netscreen posted 03/25/2004

At 1:56 PM -0600 3/25/04, Raymond Jett (rajett) wrote:
Let me turn my badge over and state that this is my opinion and not the
opinion of my employer:

Make sure you read some of those 'shootouts' with a grain of salt...

There are companies in the industry that are known to make the company that
is paying for the test the winner in the results.

I forget who said it... There are 3 kinds of lies: Lies, Damn Lies, and

Benjamin Disraeli, I think.

I like a more recent formulation that really applies nicely to vendor tests: "statistics are like a bikini. What they reveal is suggestive, but what they conceal is vital."

Apropos of such tests, the Internet-Draft I coauthored on defining single-box BGP convergence is finally coming up for RFC approval on April 2...hopefully it will be approved. One of the delays was that the approving board wouldn't let us have six coauthors, and Alvaro Retana of Cisco gracefully allowed us to put his name under a special acknowledgement. He's an author as far as the rest of us are concerned.

It was an interesting process to have engineers from Cisco, Juniper, Nortel and NextHop all collaborate on defining performance. Yes, we had all sorts of nice engineering reasons to do so, but everybody was motivated, to a significant extent, to be REALLY TIRED of salesdroids throwing out meaningless single numbers for characterizing performance. There is no meaningful way to describe convergence with a single number, although you can define a reasonable set of benchmarks with reasonable conditions.

In other words, check multiple sources and look for packet flow strangeness... Like how many of your packets are really 64-byte packets? How many are full size? How many are jumbo? What is a 'real world test'?

If you understand your environment and understand the test metrics, it is
easy to see the smoke & mirrors in the test results.


Note: I didn't slam any company out there... I didn't say one was better
than the other... All I said was do your homework before you believe the
test results. I'm not trying to start a war here on the mail list ;)


-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Chris Larson
Sent: Thursday, March 25, 2004 1:16 PM
To: Wright, Jeremy; security@xxxxxxxxxxxxxx
Cc: ccielab@xxxxxxxxxxxxxx
Subject: RE: PIX vs. Netscreen

It has been some time since I have worked with Netscreen, but I have noticed they continually beat out competition including Cisco in most firewall "shootouts". I am concerned about Juniper now owning them as Juniper has no experience in the firewall/security market but that is probably minor... who knows.

The netscreen is gui through a browser, lacks (or did) any good debugging
for troubleshooting but is very simple. If you understand the basics of
firewalling and VPN this is very easy to deploy. At the time Netscreen was
about to introduce the 1000 that was vlan aware. Of course now so is the
FWSM but. I think the netscreen is an excellent and easy to use product for
its pricing that apparently outperforms most other firewalls according to
independent "shootouts".. I would imagine that has to do with the design
around ASICs rather than a processor. Price to performance, you prolly can't
beat it. Feature wise though it may be lacking....

Chris #12380

-----Original Message-----
From: Wright, Jeremy [mailto:wright@xxxxxxxxxxxx]
Sent: Wed 3/24/2004 11:35 AM
To: 'security@xxxxxxxxxxxxxx'
Cc: 'ccielab@xxxxxxxxxxxxxx'
Subject: PIX vs. Netscreen

	Has anyone had experience with both of these products? If so, what
are the advantages/disadvantages of both? Thanks.

	              Jeremy Wright
	              CCIE# 11168
	              Network Engineer
	              Archer Daniels Midland

