I should probably also mention a quote by one of my coworkers. If you're easily offended, stop reading now.

"This thing may look tiny, but it's got a cock that's 8 feet long."

> -----Original Message-----
> From: Austad, Jay [mailto:austad at marketwatch.com]
> Sent: Friday, April 12, 2002 12:28 PM
> To: 'tclug-list at mn-linux.org'
> Subject: [TCLUG] The best firewall ever made. :)
>
>
> Ok, I just got ahold of some Netscreen (http://www.netscreen.com)
> firewalls. I have some of their big ones, but I also got myself a
> 5xp for home.
>
> The 5xp is $495, and it's barely more than the size of 2 decks of
> playing cards side by side. This thing is amazing. Everything is
> implemented on chip, including the firewalling engine and the IPSec
> stuff. The chip is the same chip they put in their big firewalls,
> which supports 700Mbit of throughput, and 270Mbit of IPSec
> throughput.
>
> They've limited the 5xp to 10 tunnels, and stuck 10Mbit interfaces
> on it to limit it. It will support 2000 separate sessions, can act
> as a VPN server and a client. Has OSPF and BGP routing, a nice web
> interface, Cisco style command line, built in ssh and https, dhcp
> client for cable modem/dsl users, and you can map outside ports to
> different internal servers (great for if you only have one public ip
> and multiple servers on the inside). It can run in transparent mode,
> where you just plug it inline with one of your ethernet cables and
> it acts as a filtering bridge, or you can do route or nat mode.
> Route mode is probably the most robust, as you can still add NAT
> policies to take care of NAT if you need it. Oh, I almost forgot, it
> also has a captive gateway functionality. So if you have a wireless
> net, and you try to go somewhere, the browser (or telnet session)
> will bring up a user/pass prompt generated by the firewall, and you
> have to login with a valid id before it will pass traffic for you.
> It can authenticate via a local database, or using RADIUS or LDAP.
> You can give varying degrees of access based on usernames also.
>
> Their bigger firewalls support up to 99 VLANs, and each one can be
> in a different security zone (99 DMZs). You don't have the typical
> "security levels" associated with each zone either. Each one can
> have varying degrees of access to each other. They also have Virtual
> routers, where you can tell it to only route between certain
> VLANs/Zones, so your office network can be completely independent of
> your production environment. For ISPs, it supports Virtual Systems.
> You can sell firewall services to clients, and they get their own
> virtual firewall with their own login. They can only see and modify
> settings for their stuff, but they can manage it themselves with no
> risk of screwing up the rest of your network.
>
> In any case, the $495 5xp has more features than most $30,000
> firewalls, and also has better performance (though it only has
> 10Mbit interfaces). If you're looking for a great home firewall or
> something for remote offices, this thing is definitely the way to
> go.
>
> Jay
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>