I have to say that of the three main firewalls I work with on a daily basis, the Netscreen is one of the best out there. All three firewalls have their pros and cons:
- Pros
  - Easy to use and understand
  - The GUI is built for ease of use
  - tcpdump is one of my favorite tools to sniff traffic, and it works well on the Nokias and Crossbeams
- Cons
  - The log viewer seems to "lie" sometimes, not showing the proper rule numbers at times
  - Editing rules via the CLI is extremely tough

- Pros
  - Fast
  - Relatively easy to use
  - Lots of documentation online and on Cisco's website for many things
- Cons
  - I'm personally not a fan of the capture command, although it does work
  - Trace routes are not stateful, and only the newer versions can actually perform a virtual inspection of those packets
Juniper Netscreens are excellent firewalls. They tend to be extremely quick and the commands are straightforward. The log viewing on the firewall is excellent and gives a good amount of information. The only issue I have with these firewalls is the GUI, the Netscreen Manager (NSM). NSM has some excellent features and the GUI tends to be relatively easy. Unfortunately it's programmed in Java. The app can be extremely slow and unresponsive. When running NSM on the local machine, the software has a tendency to max out the CPU usage for a while. The newest NSM software version I've been using (can't recall the exact version, sorry) has a memory leak that causes the application to eat up memory until all the free memory on the machine is being used by NSM. The only way to solve the issue is to minimize the app for a minute or to close NSM and reopen it.
I should reiterate the point that I do like Netscreens. I even own a Netscreen 5XP for my own home use. I do wish that they would work on improving the Netscreen Manager. I'm not a fan of using Java for the app. If they ever overhaul the application, I think it could be the best firewall on the market. I would still recommend the Netscreen 5XP for small offices and home use, and for larger businesses and organizations, take a look at their higher-end products.
This is all crap.
Sshh you. Get back to your firewall work! ;-)