From: istong@stong.org
Date: Tue Jul 22 2008 - 21:44:56 ART
Yeah, Crossbeam is expensive and more geared to ISP levels.
One additional firewall to consider is the Sidewinder (old
Cyberguard). I'm quite fond of their firewalls as they have
a fairly good list of proxied applications. The GUI
interface is quite good and it uses object based rules so
you can reuse rules to keep the total rules down to a
minimum. I remember swapping out a PIX that had over 3000
lines of ACLs and was able to provide the same level of
security using only 50 rule/object combinations on the
Sidewinder.
Thanks,
Ian
www.CCIE4u.com
> Crossbeam does lower the cost if you are really at a
> really high throughput site. For remotes, at least last
> time we investigated them, the Crossbeam was just way
> overkill. Great product for service providers or really
> large enterprises though.
>
> Bill
>
> WorkerBee wrote:
> > You can also run Checkpoint on Crossbeam hardware, which
> > lowers the overall cost compared to a Nokia box. Crossbeam
> > is also a Linux box which supports virtualization with
> > Checkpoint. Checkpoint is not only Enterprise grade but
> > also Carrier-grade with Provider-1 management software.
> >
> > You may also want to evaluate Fortigate or Netscreen as
> > well. As Bill has mentioned, remote smaller sites with
> > fewer policy changes are more suitable for deploying ASA,
> > while those sites with many changes for daily operation
> > go for Checkpoint.
> >
> > I think for Operation guys (Level 1 tier with lesser
> > experience), is less error prone and more effective in
> > terms of support, training, audit, etc vs command-line
> > or the dreaded SDM GUI to push down policy to ASA. ASA
> > object groupings when expanded can be a nightmare.
> >
> >
> > On Wed, Jul 23, 2008 at 7:34 AM, Bill Eyer
> > <beyer@optonline.net> wrote:
> >> Dip,
> >>
> >> For what it's worth, at our company we use a mix of Checkpoint and Cisco
> >> firewalls, the ASA, FWSM for 6500 and some older PIX units. This is a
> >> deliberate design solution on my part to provide diversity.
> >>
> >> Both manufacturers have advantages and disadvantages, and I will give you
> >> my rant on both of them.
> >>
> >> The Checkpoint is great for a couple of things. The Management interface is
> >> still the best. Even I, who have never been to school on it, can easily
> >> configure and push policies. The logging system, while proprietary, is
> >> really nice. If my firewall engineers had their way, we would use only
> >> Checkpoint firewalls.
> >>
> >> But there are downsides. It is software running on a computer, so you have
> >> some form of Linux or Windows under the hood. We run ours on a Nokia
> >> platform. The model we currently use is diskless, but some of our older
> >> ones had a hard disk that seemed to fail regularly. Plus keeping up with
> >> patching means not only patching Checkpoint, but also patching IPSO, which
> >> is Nokia's version of Linux. Our Checkpoint reps recently told me they are
> >> coming out with their own appliance, that will feature integrated patching.
> >>
> >> Checkpoint is also "rental software". To legally keep it running you have
> >> to re-license it periodically. You also have to have a dedicated PC as a
> >> management server, and yes this has its own license. Lastly Checkpoint
> >> support is really expensive, although third party support may be available
> >> from the appliance manufacturer. We get ours from Nokia. Unlike Cisco TAC,
> >> Nokia does draw the line at some support requests. For example I asked them
> >> to walk me through installing the R55 patch and they told me I had to hire a
> >> VAR to do the work. I got around it but it was painful.
> >>
> >> Smart Defense, which is their version of IPS also adds extra costs and since
> >> it is implemented in software, has a dramatic effect on throughput.
> >>
> >> All in all it adds up to a higher cost than ASA.
> >>
> >> ASA wraps good things into a single box, and the cost is lower. However,
> >> the management GUI is not as easy to use (although recent generations are
> >> definitely better). Logging is also horrible. The logs on the built-in GUI
> >> are not nearly as nice as Checkpoint's, so you will probably find the need
> >> for some type of Enterprise logging tool. The good news is that it is syslog
> >> so any enterprise SIM tool should work. We actually use CS-MARS, but the
> >> staff still doesn't like it as much as Checkpoint.
> >>
> >> That's my rant anyway. If you have the money to pay for it, Checkpoint is
> >> really nice, but support is higher, both in cost and in time.
> >>
> >> In our case in the Data Center we use Checkpoint as a perimeter firewall,
> >> then sandwich our DMZ between the outside and inside firewalls. The theory
> >> is that if there is a vulnerability in one manufacturer a hacker can't
> >> exploit it to get all the way inside the enterprise. The inside firewalls
> >> are FWSM blades. For small sites we use ASA because cost is the driving
> >> factor there.
> >>
> >> Long post, and maybe off topic, but I am certain that other engineers will
> >> have their own opinions.
> >>
> >> Sincerely,
> >>
> >> Bill
> >>
> >> dip wrote:
> >>
> >>> Hi Guys,
> >>>
> >>> I have to evaluate between Cisco ASA and Checkpoint for a big enterprise.
> >>> I think this is a better place to ask since a lot of people would have
> >>> worked on both products.
> >>>
> >>> Please provide me all the plus points which you saw in Checkpoint which you
> >>> think currently Cisco ASA doesn't have or vice versa.
> >>> Also what features Checkpoint has which you think should be a must in Cisco
> >>> firewalls.
> >>>
> >>>
> >>>
> >>> Thanks
> >>> Dip
> >>>
> >>>
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >>
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART