Great Circle Associates Firewalls
(September 1994)
 


Subject: Summary: Livingston vs Morning Star routers
From: Richard Huddleston <reh @ wam . umd . edu>
Date: Mon, 19 Sep 1994 23:33:05 -0400
To: firewalls @ greatcircle . com

This is a summary of the responses I received for an informed comparison 
between Livingston "Firewall IRX" and Morning Star Express Plus routers.

In the interest of brevity and privacy, I've removed most information 
which might identify the source, and otherwise trimmed at will. I believe 
I was careful to keep the substance of the response. 

I wish to express my appreciation to everyone who took the time to send
me your comments.  They were very helpful.

Richard

-- 

   #2. We use a MorningStar Express Router on a 56k Frame Relay and I
   have had no problems with it (barring that one electrical storm) so
   far.  Reliability is much better than 95% to date.

--

I am using a Livingston Firewall IRX router to set up 
a firewall for a company I do consulting for.  We replaced our older
model IRX router with the new Firewall IRX router because it has two
ethernet connectors instead of just one.  The Firewall IRX model seems to have
all of the features people on this list talk about.  
	It drops source routed packets by default.  
	Packets can be filtered by source and destination address,
	source and destination port and connection status.
	It is possible to log activity to a host on the internal
	net.

-- 

> Just set up a Livingston Router.  It was shipped with obsolete software 
> that didn't work with the LMI protocol, and can NOT have more than one 
> subnet mask type.  This is a FATAL flaw.  My frame relay service provider 
> had to provide me with an entire class C address just so they could have 
> a dedicated circuit to our Livingston router.  IE:
> Insinc (frame relay service provider) netmask (router-router) was 
> 255.255.255.252.  Perfect, gate the routers their own little net - 1,2 
> for the routers and 0 and 3 for network and broadcast address.  The 
> Livingston IRX portmaster could not do this as I required a netmask of 
> 255.255.255.0 for my internal network.
> In short, I needed the frm1 interface to have a netmask of 255.255.255.252.
> I needed my ether0 interface to have a netmask of 255.255.255.0.
> The Livingston portmaster could not handle this.  Yuck.
 
Funny thing, I just replaced my Livingston with Cisco 2500, the Livingston
was grabbing my internal packets and bouncing it off the router at my service
provider.  What I actually had to do was create permanent arp entries in my
bastion host to get around this problem.  

Granted I have had the Cisco for about an hour but it seems to be handling
the routing much better.

--

Our MorningStar Express is now at SW version 1.1.85, in which they seem to 
have finally plugged the mbuf leak that was causing the older versions of
their software to crash.  It's been up for a couple of months now without
further hiccups.  I have no experience with Livingston equipment, so I'll
skip the compare-and-contrast part of the test...

-- 

I haven't used the Livingston products but was impressed that I could FTP
a PostScript version of the manual from them.

--

> Informed opinion welcomed.  I've invited MorningStar in on this, as well,
> since I'm not sure if they normally pick up this list.

Actually, it might have been useful to send it to "support @ MorningStar . Com".
Some Morning Star employees are on (and read) firewalls [I am one of them].
You won't tend to see much posted by me about Express routers since I feel
that firewalls is not a marketing list.

> God forgive me for opening the doors to a Firewalls opinionfest.

As long as you specify to reply only to you [as you did] you do not
need to be forgiven.

> I need to hear from folks who actually build firewalls (you know
> who you are) regarding any experience they may have with the 
> Livingston "FireWall IRX" and/or MorningStar Express Plus routers.

You won't find anyone with an Express Plus router at this time.
We have not officially released the Express Plus router.
The filtering capabilities will be the same as the Express router.

> I've used an earlier model of the MSE, and while I found its filtering
> and logging facilities to be excellent (ICMP by type, etc.) I'll also say 
> it seemed to choke on a Switched 56 Frame Relay data link.  I'll head 
> off any potential flamage and just say I couldn't figure out how to get 
> it to work with 95% + reliability.

Do you remember what software release you had?  I cannot find any
communications from you since February.  We've gone through a few
software revisions since then and feel the product is higher than
95% reliable at this point.  You can obtain the RELEASE-NOTES for the
Express via anonymous FTP.

We feel the Express can keep up with a switched 56K frame relay link
(in fact we use Express routers at T1 speeds).

> The MSE+ is said to be improved immensely, and I'm certainly willing 
> to give it a shot.

The Express Plus will have much better performance.  The Express Plus
is more expandable than the Express router and can support more interfaces.

> I know nothing about Livingston except that, as I recall, Brent likes 'em.

Livingston makes fine products and Morning Star has always had good
relations with them.  We would of course prefer you bought our product
but you should be happy either way.

We would be interested in any feedback you receive.  If your correspondents
would not mind, we would like to see how people with experience compare
the two routers and how our customers feel we are doing.  Thanks.

-- 

I'm interested in any responses you get.  I too have primarily installed
CISCOs, but I have installed 2 MorningStar PPP links to remote sites
which required high confidentiality (Hospital/Med School related).

-- 

While not precisely the same thing, we are using MST PPP on a BSDI box for a
firewall. The box is a lowly 386 and we stripped BSDI to its bare minimum.
We are connected at 38,400 to start so we could get things settled down
before we dealt with any potential transmission issues.  At this speed we
are achieving close to theoretical max on throughput.  Will be moving to 56k
either this week or next and will let you know about performance at a later
date.

As to its effectiveness, we chose this route because we liked the ability to
do a lot of logging and real-time monitoring.  So far it's a good choice (Our
provider couldn't find us on the net and so took 4 weeks to re-direct our
domain to us!)

More to your question, I am very satisfied with MST PPP's filtering
capabilities and understand them to be the same in their router product.  My
conversations with Kate Murphy at MST also indicated that their router now
handles up to T1 so 56k _should_ be no problem :)

--

> I need to hear from folks who actually build firewalls (you know
> who you are) regarding any experience they may have with the 
> Livingston "FireWall IRX" and/or MorningStar Express Plus routers.
> 
Just set up a Livingston Router.  It was shipped with obsolete software 
that didn't work with the LMI protocol, and can NOT have more than one 
subnet mask type.  This is a FATAL flaw.  My frame relay service provider 
had to provide me with an entire class C address just so they could have 
a dedicated circuit to our Livingston router.  IE:
Insinc (frame relay service provider) netmask (router-router) was 
255.255.255.252.  Perfect, gate the routers their own little net - 1,2 
for the routers and 0 and 3 for network and broadcast address.  The 
Livingston IRX portmaster could not do this as I required a netmask of 
255.255.255.0 for my internal network.
In short, I needed the frm1 interface to have a netmask of 255.255.255.252.
I needed my ether0 interface to have a netmask of 255.255.255.0.
The Livingston portmaster could not handle this.  Yuck.

--
