Re: ASA vs Checkpoint

From: WorkerBee (ciscobee@gmail.com)
Date: Tue Jul 22 2008 - 20:50:27 ART


You can also run Checkpoint on Crossbeam hardware, which lowers the
overall cost compared to a Nokia box. Crossbeam is also a Linux box which
supports virtualization with Checkpoint. Checkpoint is not only
Enterprise grade but also Carrier-grade with Provider-1 management
software.

You may also want to evaluate Fortigate or Netscreen as well. As Bill
has mentioned, remote smaller sites with fewer policy changes are more
suitable for deploying ASA, while those sites with many changes in daily
operation should go for Checkpoint.

I think for operations guys (Level 1 tier with less experience), it is
less error prone and more effective in terms of support, training,
audit, etc. vs the command line or the dreaded SDM GUI to push down policy
to ASA. ASA object groupings when expanded can be a nightmare.

On Wed, Jul 23, 2008 at 7:34 AM, Bill Eyer <beyer@optonline.net> wrote:
> Dip,
>
> For what it's worth, at our company we use a mix of Checkpoint and Cisco
> firewalls, the ASA, FWSM for 6500 and some older PIX units. This is a
> deliberate design solution on my part to provide diversity.
>
> Both manufacturers have advantages and disadvantages, and I will give you
> my rant on both of them.
>
> The Checkpoint is great for a couple of things. The Management interface is
> still the best. Even I, who have never been to school on it, can easily
> configure and push policies. The logging system, while proprietary, is
> really nice. If my firewall engineers had their way, we would use only
> Checkpoint firewalls.
>
> But there are downsides. It is software running on a computer, so you have
> some form of Linux or Windows under the hood. We run ours on a Nokia
> platform. The model we currently use is diskless, but some of our older
> ones had a hard disk that seemed to fail regularly. Plus keeping up with
> patching means not only patching Checkpoint, but also patching IPSO, which
> is Nokia's version of Linux. Our Checkpoint reps recently told me they are
> coming out with their own appliance, that will feature integrated patching.
>
> Checkpoint is also "rental software". To legally keep it running you have
> to re-license it periodically. You also have to have a dedicated PC as a
> management server, and yes this has its own license. Lastly Checkpoint
> support is really expensive, although third party support may be available
> from the appliance manufacturer. We get ours from Nokia. Unlike Cisco TAC,
> Nokia does draw the line at some support requests. For example I asked them
> to walk me through installing the R55 patch and they told me I had to hire a
> VAR to do the work. I got around it but it was painful.
>
> Smart Defense, which is their version of IPS, also adds extra costs and since
> it is implemented in software, has a dramatic effect on throughput.
>
> All in all it adds up to a higher cost than ASA.
>
> ASA wraps good things into a single box, and the cost is lower. However,
> the management GUI is not as easy to use (although recent generations are
> definitely better). Logging is also horrible. The logs on the built-in GUI
> are not nearly as nice as Checkpoint's, so you will probably find the need
> for some type of Enterprise logging tool. The good news is that it is syslog
> so any enterprise SIM tool should work. We actually use CS-MARS, but the
> staff still doesn't like it as much as Checkpoint.
>
> That's my rant anyway. If you have the money to pay for it, Checkpoint is
> really nice, but support is higher, both in cost and in time.
>
> In our case in the Data Center we use Checkpoint as a perimeter firewall,
> then sandwich our DMZ between the outside and inside firewalls. The theory
> is that if there is a vulnerability in one manufacturer a hacker can't
> exploit it to get all the way inside the enterprise. The inside firewalls
> are FWSM blades. For small sites we use ASA because cost is the driving
> factor there.
>
> Long post, and maybe off topic, but I am certain that other engineers will
> have their own opinions.
>
> Sincerely,
>
> Bill
>
> dip wrote:
>>
>> Hi Guys,
>>
>> I have to evaluate between Cisco ASA and Checkpoint for a big enterprise.
>> I think this is a better place to ask since a lot of people would have
>> worked on both products.
>>
>> Please provide me all the plus points which you saw in Checkpoint which
>> you think currently Cisco ASA doesn't have, or vice versa.
>> Also, what features does Checkpoint have which you think should be a must
>> in Cisco firewalls?
>>
>>
>>
>> Thanks
>> Dip
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART