From: Sam Munzani (sam@munzani.com)
Date: Wed Feb 26 2003 - 16:53:55 GMT-3
My 2c.
Checkpoint has some plus points. Checkpoint's CVP feature (for antivirus) is
missing in PIX. Hopefully Cisco will realize it soon enough to include it on
PIX.
Other than that, Checkpoint is not a bad system either. My Security
background is 90% pix and 10% Checkpoint. I still don't think Checkpoint is
a bad product at all.
Sam Munzani
CCIE # 6479 (R&S, Security)
> "GUI management puts too much
> power in the hands of people who shouldn't have it".
>
> Very good comment!
> -Jimmy CCIE #8177 (Security, R&S)
> Scott Morris <swm@emanon.com> wrote: I didn't say Checkpoint sucked. I
> said it wasn't in the same arena. :)
>
> Management: You apparently haven't paid much attention to the PDM or
> the Security Management Center/Monitoring Center. The management of the
> PIX is a lot more intuitive for large deployment policy management than
> Checkpoint's is.
>
> Features: AES, blah, blah, blah. They adopted it before it was
> standardized on the format. So you're running beta code. And just how
> many AES deployments have you NEEDED to do anyway? As for the VPN
> stuff, the client side firewall policies are MUCH better on the Cisco
> side. Oh wait, you're going to say but that's with the 3000
> concentrators.. Oh wait, but you had to purchase separate Checkpoint
> software anyway to do this. It's much better to intelligently disperse
> separate critical functions rather than put your eggs all in one (not so
> fast) basket.
>
> Price: Checkpoint is getting better, but the support costs are still
> high, and not exactly what I'd term as high quality support either (my
> experiences).
>
> Performance: Think again. If you're going to compare the new slick
> stuff, at least stay with it. Over 5 gig on the FWSM. And a WHOLE heck
> of a lot cheaper than Checkpoint at this price too!
>
> Security: Boy, you listen to marketing well. Take a look at the
> quantity of patches needed to begin with, then look at the timeframe
> from public release (general) to the release on their "hardened" system.
> Nokia has this same problem. 2-3 months behind general release in order
> to "optimize" (and make sure there are no other hidden issues as well).
> Wait months? Do you need to? Fixes or minor enhancements are fairly
> quick in coming from Cisco. Major releases you wait longer, but that's
> no different for anyone else. How long did it take to get NG out the
> door?
>
> A lot of it boils down to what you are comfortable with or what you
> like. Checkpoint's GUI has more colors than Cisco's. So if you're a
> colorful person, go for it. If you like the big icons thinking that's
> easier to read your policies, go for it. GUI management puts too much
> power in the hands of people who shouldn't have it.
>
> I never have liked Checkpoint because of their support quality and their
> difficulty in pointing fingers at their strategic partners for HW vs. SW
> problems. PIX processing (IMHO) is faster given the same set of rules.
> The PIX is not trying to be everything to everyone. With Checkpoint,
> they like you to keep adding software because 'we can do that' and soon
> you're doing everything really slowly.
>
> Perhaps it's all part of good security design on larger installations.
> Perhaps I'm not a colorful guy. Whatever, but have the details
> necessary to pass judgement though.
>
> Scott
>
> -----Original Message-----
> From: GSRouting@dualccie.com [mailto:GSRouting@dualccie.com]
> Sent: Wednesday, February 26, 2003 10:24 AM
> To: 'Scott Morris'; 'Brian Dennis'; ccielab@groupstudy.com
> Subject: RE: OT : PIX Firewall !
>
>
> It would help if people actually mentioned their reasons for
> liking/disliking a product. Just saying CheckPoint sucks is not really
> enough to convince me.
>
> I personally will choose CheckPoint over PIX in most situations. I have
> not used Netscreen, but I've heard good things about it as well. My
> reasoning for preferring CheckPoint over PIX is:
>
>
> Management: The CheckPoint hands down has easier management in large
> environments. One console can manage all of your devices. It is also
> easy to understand for not-so-technical admins and NOC staff.
>
> Feature availability: Not including 6.3, which is not officially
> released yet, PIX does not have any of the following features that
> CheckPoint has had for quite some time:
> - AES
> - TCP/UDP encapsulation for client VPNs through PAT/NAT firewalls
> - Client side firewall policies (to allow selective split-tunneling)
> - Active-Active clustering
>
> Price: I have generally gone with PIX for lower costs, but factoring in
> the support staff makes its TCO much higher. Also, CheckPoint has become
> quite price-competitive with high end models.
>
> Performance: CheckPoint now hits higher top speeds than PIX with the 535
> at "over 1gbps" and CheckPoint over 3gbps.
>
> Upgradeability: In the future, if you are unhappy with your performance
> with a CheckPoint, you need only buy new hardware. The license cost
> carries over.
>
> Security: I throw this in there for the "PIX is more secure because it
> doesn't have an OS to hack" people. Checkpoint now has "SecurePlatform"
> which is their proprietary, hardened bastardization of a UNIX OS, pretty
> much the same as Finesse on the PIX. That said, I would choose running a
> mainstream OS any day, since the patches are available immediately,
> rather than waiting months for a new release of software.
>
> The single biggest pitfall to CheckPoint IMO is maintenance costs. It is
> much more cost-effective to pay for software maintenance and skip the
> support fees.
>
>
> If anyone has any hard facts why they feel PIX is better than
> CheckPoint, I'd love to hear them, because I haven't heard many pressing
> arguments yet. Also, there is no right answer. Every client has
> different requirements. As a consultant for a vendor-independent
> consulting firm, I was in the position of getting to choose what product
> was best for the client, and sometimes it was a PIX. However, almost all
> of the people I've talked to that swear PIX is better than CheckPoint
> also happen to work somewhere that can not sell CheckPoint but can sell
> PIX. At the very least, many of them have not used CheckPoint.
>
> -Eric
>
> -----Original Message-----
> From: Scott Morris [mailto:swm@emanon.com]
> Sent: Wednesday, February 26, 2003 6:34 AM
> To: 'Brian Dennis'; ccielab@groupstudy.com
> Subject: RE: OT : PIX Firewall !
>
>
> Tolly just doesn't like Cisco because they won't pay money for
> "independent testing" to be done.... So Tolly = Anything But Cisco.
>
> The PIX is very good. NetScreen is very good. CheckPoint is not.
>
> Be aware that each and every one of them has their quirks, or potential
> problem areas. That's the beauty of healthy competition! :)
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Brian Dennis
> Sent: Wednesday, February 26, 2003 4:23 AM
> To: ccielab@groupstudy.com
> Subject: RE: OT : PIX Firewall !
>
>
> I'm not saying that the Tolly Group is a bad source of information but I
> won't put 100% into everything that they write. Any idea who pays for
> them to run those tests? Companies pay for those tests and many times
> they know the results beforehand.
>
> Lastly remember its www.tolly.com not www.tolly.org ;-)
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security)
> brian@labforge.com
> http://www.labforge.com
>
> -----Original Message-----
> From: Ong Boon Hui [mailto:ongbh@cet.st.com.sg]
> Sent: Wednesday, February 26, 2003 12:33 AM
> To: Brian Dennis; 'ccie done'; ccielab@groupstudy.com
> Subject: Re: OT : PIX Firewall !
>
> Hi,
>
> Is Tolly group a good source ?
>
> http://www.tolly.com/News/NewsDesk/TS201111NetScreenJul01.asp
> http://www.tolly.com/News/NewsDesk/TS202121NetScreenMar02.asp
>
> Debarros
>
> ----- Original Message -----
> From: "Brian Dennis"
>
> To: "'ccie done'" ;
> Sent: Wednesday, February 26, 2003 3:32 PM
> Subject: RE: OT : PIX Firewall !
>
>
> > You can get that information right here:
> >
> > PIX - Good
> > CheckPoint - Bad
> > NetScreen - Bad
> >
> > The way to tell if a networking device should or shouldn't go in your
> > network is by checking to see if it says "Cisco Systems" on the
> > outside.
> > If it says Cisco Systems on the outside, it's all good ;-)
> >
> > Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security) brian@labforge.com
> > http://www.labforge.com
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of
> > ccie done
> > Sent: Tuesday, February 25, 2003 10:25 PM
> > To: ccielab@groupstudy.com
> > Subject: OT : PIX Firewall !
> >
> > Hello folks;
> > can anyone refer me to a site where I can find a technical comparison
> > between
> > PIX firewall and other firewalls like NetScreen and CheckPoint?
> >
> > appreciate your help .
> >
>
>
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:37 GMT-3