Re: ASA vs Checkpoint

From: David Tran (davidtran_mclean@yahoo.com)
Date: Tue Jul 22 2008 - 23:26:51 ART


"
But there are downsides. It is software running on a computer, so you
have some form of Linux or Windows under the hood. We run ours on a
Nokia platform. The model we currently use is diskless, but some of our
older ones had a harddisk that seem to fail regularly. Plus keeping up
with patching means not only patching Checkpoint, but also patching
IPSO, which is Nokia's version of Linux."

You should be using Secureplatform instead of Nokia. With
Secureplatform, you go to a single vendor, Checkpoint,
for support with both OS and Checkpoint. Nokia is overpriced
and overrated.

Isn't RAID-1 supposed to resolve this issue? My Secureplatform
has been up and running for almost five years with two reboots,
because I upgraded it to HFA_17 and HFA_20.

You will run into the same thing with Cisco as well. I can tell
you from Pix version 7.2(x) alone, there are about 28 different
versions out there.

Checkpoint FireFly is high-end running on IBM x3650.

Checkpoint can terminate VPN in active/active but Cisco ASA
cannot.

Checkpoint is expensive and Cisco is not.

Imagine managing a firewall with 20+ interfaces with Cisco, a
very difficult task indeed. There is no Cisco centralized
management like CP Provider-1 either, unless you count
Cisco Security Manager, which runs on crappy Windows. This
product is horrible. Even Cisco TAC recommends Solsoft
over Cisco CSM.

If you have the money, go with Checkpoint. Otherwise, go
with Cisco.

As someone put it, Checkpoint firewalls are like driving a Porsche
or Audi while Cisco is like driving a Ford Pinto. Just like
everything in life, you get what you pay for.

--- On Tue, 7/22/08, Bill Eyer <beyer@optonline.net> wrote:
From: Bill Eyer <beyer@optonline.net>
Subject: Re: ASA vs Checkpoint
To: "dip" <diptanshu.singh@gmail.com>
Cc: ccielab@groupstudy.com, security@groupstudy.com
Date: Tuesday, July 22, 2008, 7:34 PM

Dip,

For what it's worth, at our company we use a mix of Checkpoint and Cisco
firewalls, the ASA, FWSM for 6500 and some older PIX units. This is a
deliberate design solution on my part to provide diversity.

Both manufacturers have advantages and disadvantages, and I will give
you my rant on both of them.

The Checkpoint is great for a couple of things. The Management
interface is still the best. Even I, who have never been to school on
it, can easily configure and push policies. The logging system, while
proprietary, is really nice. If my firewall engineers had their way, we
would use only Checkpoint firewalls.

But there are downsides. It is software running on a computer, so you
have some form of Linux or Windows under the hood. We run ours on a
Nokia platform. The model we currently use is diskless, but some of our
older ones had a hard disk that seemed to fail regularly. Plus keeping up
with patching means not only patching Checkpoint, but also patching
IPSO, which is Nokia's version of Linux. Our Checkpoint reps recently
told me they are coming out with their own appliance, that will feature
integrated patching.

Checkpoint is also "rental software". To legally keep it running you
have to re-license it periodically. You also have to have a dedicated
PC as a management server, and yes this has its own license. Lastly,
Checkpoint support is really expensive, although third party support may
be available from the appliance manufacturer. We get ours from Nokia.
Unlike Cisco TAC, Nokia does draw the line at some support requests.
For example, I asked them to walk me through installing the R55 patch and
they told me I had to hire a VAR to do the work. I got around it but it
was painful.

Smart Defense, which is their version of IPS also adds extra costs and
since it is implemented in software, has a dramatic effect on throughput.

All in all it adds up to a higher cost than ASA.

ASA wraps good things into a single box, and the cost is lower.
However, the management GUI is not as easy to use (although recent
generations are definitely better). Logging is also horrible. The logs
on the built-in GUI are not nearly as nice as Checkpoint's, so you will
probably find the need for some type of enterprise logging tool. The
good news is that it is syslog, so any enterprise SIM tool should work.
We actually use CS-MARS, but the staff still doesn't like it as much as
Checkpoint.

That's my rant anyway. If you have the money to pay for it, Checkpoint
is really nice, but support is higher, both in cost and in time.

In our case in the Data Center we use Checkpoint as a perimeter
firewall, then sandwich our DMZ between the outside and inside
firewalls. The theory is that if there is a vulnerability in one
manufacturer a hacker can't exploit it to get all the way inside the
enterprise. The inside firewalls are FWSM blades. For small sites we
use ASA because cost is the driving factor there.

Long post, and maybe off topic, but I am certain that other engineers
will have their own opinions.

Sincerely,

Bill

dip wrote:
> Hi Guys,
>
> I have to evaluate between Cisco ASA and Checkpoint for a big enterprise. I
> think this is a better place to ask since a lot of people would have worked on
> both products.
>
> Please provide me all the plus points which you saw in Checkpoint which you
> think currently Cisco ASA doesn't have or vice versa.
> Also what features Checkpoint has which you think should be a must in Cisco
> Firewalls.
>
> Thanks
> Dip



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART