From: GSRouting@dualccie.com
Date: Wed Feb 26 2003 - 21:40:51 GMT-3
Ack. This bounced back the first time.
--------------------------------------
I know you didn't say CheckPoint sucks. A lot of people do though.
Management: PDM/MC - Have you tried using them?!? I got as far as importing
our configs, and when it didn't support half of the commands we use, I
pitched it. As of when I tried it, there was no support for conduits, and I
believe there were issues with some VPN commands (I don't remember which)
Features: Every install I do is AES (when available). It kicks the crap out
of 3DES for performance, and is more secure. CP released NG after AES was
released, so it is not beta. Cisco has taken over a year to release it. As
for the concentrators, I don't agree their policy management is better, but
you would also need to buy two to stay redundant. If I am using PIX, I do
this, but it adds a lot to the cost. Again, using CheckPoint for the VPNs
allows you to add more active nodes to the firewall cluster to disperse the
load.
Price: I can't argue the support costs. As I said, I don't think it's worth
it. Most of the hardware vendors offer a cheaper alternative with better
support. Otherwise, most VARs will help out when you need it.
Performance: The FWSM also requires a 6500 or 7600 to plug it into, which
aren't cheap. For the cost of that, you can add CheckPoint ClusterXL and a
second node and be at 6gbps+.
Security: As for time to release patches, my point was that IF having a
proprietary OS that you can't patch yourself was important to you, they
offer one. I would choose an OS I can control if given a choice.
I don't prefer the pretty pictures for myself. Most of the time I deploy
solutions it is for someone else. When given a choice between deploying a
solution they can use, or deploying a solution that I will get called about
constantly asking me to add a static to their firewall, or to change an ACL,
I'd choose the former.
I agree that we will not agree on the "best" solution. I respect that you at
least seem to know enough to make the decision for yourself. A lot of people
out there don't.
-Eric
-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Wednesday, February 26, 2003 8:32 AM
To: GSRouting@dualccie.com; 'Brian Dennis'; ccielab@groupstudy.com
Subject: RE: OT : PIX Firewall !
I didn't say Checkpoint sucked. I said it wasn't in the same arena. :)
Management: You apparently haven't paid much attention to the PDM or the
Security Management Center/Monitoring Center. The management of the PIX is
a lot more intuitive for large deployment policy management than Checkpoint's
is.
Features: AES, blah, blah, blah. They adopted it before it was
standardized on the format. So you're running beta code. And just how many
AES deployments have you NEEDED to do anyway? As for the VPN stuff, the
client side firewall policies are MUCH better on the Cisco side. Oh wait,
you're going to say but that's with the 3000 concentrators.. Oh wait, but
you had to purchase separate Checkpoint software anyway to do this. It's
much better to intelligently disperse separate critical functions rather
than put your eggs all in one (not so fast) basket.
Price: Checkpoint is getting better, but the support costs are still high,
and not exactly what I'd term as high quality support either (my
experiences).
Performance: Think again. If you're going to compare the new slick stuff,
at least stay with it. Over 5gig on the FWSM. And a WHOLE heck of a lot
cheaper than Checkpoint at this price too!
Security: Boy, you listen to marketing well. Take a look at the quantity
of patches needed to begin with, then look at the timeframe from public
release (general) to the release on their "hardened" system. Nokia has this
same problem. 2-3 months behind general release in order to "optimize" (and
make sure there are no other hidden issues as well). Wait months? Do you
need to? Fixes or minor enhancements are fairly quick in coming from Cisco.
Major releases you wait longer, but that's no different for anyone else. How
long did it take to get NG out the door?
A lot of it boils down to what you are comfortable with or what you like.
Checkpoint's GUI has more colors than Cisco's. So if you're a colorful
person, go for it. If you like the big icons thinking that's easier to read
your policies, go for it. GUI management puts too much power in the hands
of people who shouldn't have it.
I never have liked Checkpoint because of their support quality and their
difficulty in pointing fingers at their strategic partners for HW vs. SW
problems. PIX processing (IMHO) is faster given the same set of rules. The
PIX is not trying to be everything to everyone. With Checkpoint, they like
you to keep adding software because 'we can do that' and soon you're doing
everything really slowly.
Perhaps it's all part of good security design on larger installations.
Perhaps I'm not a colorful guy. Whatever, but have the details necessary to
pass judgement though.
Scott
-----Original Message-----
From: GSRouting@dualccie.com [mailto:GSRouting@dualccie.com]
Sent: Wednesday, February 26, 2003 10:24 AM
To: 'Scott Morris'; 'Brian Dennis'; ccielab@groupstudy.com
Subject: RE: OT : PIX Firewall !
It would help if people actually mentioned their reasons for
liking/disliking a product. Just saying CheckPoint sucks is not really
enough to convince me.
I personally will choose CheckPoint over PIX in most situations. I have not
used Netscreen, but I've heard good things about it as well. My reasoning
for preferring CheckPoint over PIX is:
Management: The CheckPoint hands down has easier management in large
environments. One console can manage all of your devices. It is also easy to
understand for not-so-technical admins and NOC staff.
Feature availability: Not including 6.3, which is not officially released
yet, PIX does not have any of the following features that CheckPoint has had
for quite some time:
- AES
- TCP/UDP encapsulation for client VPNs through PAT/NAT firewalls
- Client side firewall policies (to allow selective split-tunneling)
- Active-Active clustering
Price: I have generally gone with PIX for lower costs, but factoring in the
support staff makes its TCO much higher. Also, CheckPoint has become quite
price-competitive with high end models.
Performance: CheckPoint now hits higher top speeds than PIX with the 535 at
"over 1gbps" and CheckPoint over 3gbps.
Upgradeability: In the future, if you are unhappy with your performance with
a CheckPoint, you need only buy new hardware. The license cost carries over.
Security: I throw this in there for the "PIX is more secure because it
doesn't have an OS to hack" people. Checkpoint now has "SecurePlatform"
which is their proprietary, hardened bastardization of a UNIX OS, pretty
much the same as Finesse on the PIX. That said, I would choose running a
mainstream OS any day, since the patches are available immediately, rather
than waiting months for a new release of software.
The single biggest pitfall to CheckPoint IMO is maintenance costs. It is
much more cost-effective to pay for software maintenance and skip the
support fees.
If anyone has any hard facts why they feel PIX is better than CheckPoint,
I'd love to hear them, because I haven't heard many pressing arguments yet.
Also, there is no right answer. Every client has different requirements. As
a consultant for a vendor-independent consulting firm, I was in the position
of getting to choose what product was best for the client, and sometimes it
was a PIX. However, almost all of the people I've talked to that swear PIX
is better than CheckPoint also happen to work somewhere that can not sell
CheckPoint but can sell PIX. At the very least, many of them have not used
CheckPoint.
-Eric
-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Wednesday, February 26, 2003 6:34 AM
To: 'Brian Dennis'; ccielab@groupstudy.com
Subject: RE: OT : PIX Firewall !
Tolly just doesn't like Cisco because they won't pay money for "independent
testing" to be done.... So Tolly = Anything But Cisco.
The PIX is very good. NetScreen is very good. CheckPoint is not.
Be aware that each and every one of them has their quirks, or potential
problem areas. That's the beauty of healthy competition! :)
Scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Brian Dennis
Sent: Wednesday, February 26, 2003 4:23 AM
To: ccielab@groupstudy.com
Subject: RE: OT : PIX Firewall !
I'm not saying that the Tolly Group is a bad source of information but I
won't put 100% into everything that they write. Any idea who pays for them
to run those tests? Companies pay for those tests and many times they know
the results beforehand.
Lastly remember its www.tolly.com not www.tolly.org ;-)
Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security)
brian@labforge.com
http://www.labforge.com
-----Original Message-----
From: Ong Boon Hui [mailto:ongbh@cet.st.com.sg]
Sent: Wednesday, February 26, 2003 12:33 AM
To: Brian Dennis; 'ccie done'; ccielab@groupstudy.com
Subject: Re: OT : PIX Firewall !
Hi,
Is Tolly group a good source ?
http://www.tolly.com/News/NewsDesk/TS201111NetScreenJul01.asp
http://www.tolly.com/News/NewsDesk/TS202121NetScreenMar02.asp
Debarros
----- Original Message -----
From: "Brian Dennis" <brian@labforge.com>
To: "'ccie done'" <ccie1@lycos.com>; <ccielab@groupstudy.com>
Sent: Wednesday, February 26, 2003 3:32 PM
Subject: RE: OT : PIX Firewall !
> You can get that information right here:
>
> PIX - Good
> CheckPoint - Bad
> NetScreen - Bad
>
> The way to tell if a networking device should or shouldn't go in your
> network is by checking to see if it says "Cisco Systems" on the outside.
> If it says Cisco Systems on the outside, it's all good ;-)
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security) brian@labforge.com
> http://www.labforge.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccie done
> Sent: Tuesday, February 25, 2003 10:25 PM
> To: ccielab@groupstudy.com
> Subject: OT : PIX Firewall !
>
> Hello folks;
> Can anyone refer me to a site where I can find a technical comparison
> between PIX firewall and other firewalls like NetScreen and CheckPoint?
>
> Appreciate your help.
>
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:37 GMT-3