From: sushil menon (sushilmenon2001@gmail.com)
Date: Wed Jul 23 2008 - 03:17:18 ART
I think it depends on what you are looking for.
From a Cisco point of view, these are the few advantages and disadvantages I feel.
Cisco is a lot cheaper than Checkpoint. In Checkpoint the biggest pain is the
licensing model. You need a license for everything, so the cost of it goes very
high. Since it's pure software you will have to invest in hardware again; for
example, if you are thinking of SecurePlatform then a good IBM or HP server plus
their support as well.
Checkpoint support sucks big time as compared to Cisco. See, when you get stuck
in a live network all you care about is some good guys to help you out of it, and
this is where no one can touch Cisco for sure.
Though Checkpoint is famous for its GUI, that's the only best thing I find in
it. Because it can be deployed on many different hardware configurations,
deploying it on different hardware is tough, because for most of the hardware
you don't even get documentation for free; like Nokia and Crossbeam, you need
login access just to view the documentation, and there are hardly any good
configuration examples that you could use.
There is nothing very great that Checkpoint does that Cisco cannot do,
except for a few things like running VPNs and running protocols in
active/active mode.
But where VPNs are concerned, I find Cisco VPNs much more scalable and easy. In
Checkpoint you have something called communities, and according to the
communities you will have to decide whether you want mesh or star-like VPNs.
In the ASA it's up to you; you can configure it the way you want and need not
worry about any communities.
Of course, from a good management point of view, seeing the logs in a nice
format and all, you can go for Checkpoint.
If you are really looking for options I would say rather try Juniper or
Fortinet. They are even better than both Cisco and Checkpoint.
Especially Fortinet provides everything in a single ASIC-based box. They
have got IPS, anti-spam, URL filtering, anti-virus, content filtering all in a
single box and their license cost is very low. Their anti-virus has been
winning 3 consecutive awards in anti-virus bulletin.
They can do source-based routing, source interface based routing, policy-based
routing and many more features.
They have got their FortiManager, like Checkpoint, to manage all the boxes
from a single point, and they have a FortiLog analyser for consolidating all
the logs in a single place.
On Wed, Jul 23, 2008 at 7:56 AM, David Tran <davidtran_mclean@yahoo.com>
wrote:
> "But there are downsides. It is software running on a computer, so you
> have some form of Linux or Windows under the hood. We run ours on a
> Nokia platform. The model we currently use is diskless, but some of our
> older ones had a hard disk that seemed to fail regularly. Plus keeping up
> with patching means not only patching Checkpoint, but also patching
> IPSO, which is Nokia's version of Linux."
>
> You should be using Secureplatform instead of Nokia. With
> Secureplatform, you go to a single vendor, Checkpoint,
> for support with both OS and Checkpoint. Nokia is overpriced
> and overrated.
>
> Isn't RAID-1 supposed to resolve this issue? My Secureplatform
> has been up and running for almost five years with two reboots,
> because I upgraded it to HFA_17 and HFA_20.
>
> You will run into the same thing with Cisco as well. I can tell
> you from PIX version 7.2(x) alone, there are about 28 different
> versions out there.
>
> Checkpoint FireFly is high-end, running on IBM x3650.
>
> Checkpoint can terminate VPN in active/active but Cisco ASA
> cannot.
>
> Checkpoint is expensive and Cisco is not.
>
> Imagine managing a firewall with 20+ interfaces with Cisco, a
> very difficult task indeed. There is no Cisco centralized
> management like CP Provider-1 either, unless you count
> Cisco Security Manager, which runs on crappy Windows. This
> product is horrible. Even Cisco TAC recommends Solsoft
> over Cisco CSM.
>
> If you have the money, go with Checkpoint. Otherwise, go
> with Cisco.
>
> As someone put it, Checkpoint firewalls are like driving a Porsche
> or Audi while Cisco is like driving a Ford Pinto. Just like
> everything in life, you get what you pay for.
>
> --- On Tue, 7/22/08, Bill Eyer <beyer@optonline.net> wrote:
> From: Bill Eyer <beyer@optonline.net>
> Subject: Re: ASA vs Checkpoint
> To: "dip" <diptanshu.singh@gmail.com>
> Cc: ccielab@groupstudy.com, security@groupstudy.com
> Date: Tuesday, July 22, 2008, 7:34 PM
>
> Dip,
>
> For what it's worth, at our company we use a mix of Checkpoint and Cisco
> firewalls: the ASA, FWSM for 6500 and some older PIX units. This is a
> deliberate design solution on my part to provide diversity.
>
> Both manufacturers have advantages and disadvantages, and I will give
> you my rant on both of them.
>
> The Checkpoint is great for a couple of things. The management
> interface is still the best. Even I, who have never been to school on
> it, can easily configure and push policies. The logging system, while
> proprietary, is really nice. If my firewall engineers had their way, we
> would use only Checkpoint firewalls.
>
> But there are downsides. It is software running on a computer, so you
> have some form of Linux or Windows under the hood. We run ours on a
> Nokia platform. The model we currently use is diskless, but some of our
> older ones had a hard disk that seemed to fail regularly. Plus keeping up
> with patching means not only patching Checkpoint, but also patching
> IPSO, which is Nokia's version of Linux. Our Checkpoint reps recently
> told me they are coming out with their own appliance that will feature
> integrated patching.
>
> Checkpoint is also "rental software". To legally keep it running you
> have to re-license it periodically. You also have to have a dedicated
> PC as a management server, and yes, this has its own license. Lastly,
> Checkpoint support is really expensive, although third party support may
> be available from the appliance manufacturer. We get ours from Nokia.
> Unlike Cisco TAC, Nokia does draw the line at some support requests.
> For example, I asked them to walk me through installing the R55 patch and
> they told me I had to hire a VAR to do the work. I got around it but it
> was painful.
>
> Smart Defense, which is their version of IPS, also adds extra costs and,
> since it is implemented in software, has a dramatic effect on throughput.
>
> All in all it adds up to a higher cost than ASA.
>
> ASA wraps good things into a single box, and the cost is lower.
> However, the management GUI is not as easy to use (although recent
> generations are definitely better). Logging is also horrible. The logs
> on the built-in GUI are not nearly as nice as Checkpoint's, so you will
> probably find the need for some type of enterprise logging tool. The
> good news is that it is syslog, so any enterprise SIM tool should work.
> We actually use CS-MARS, but the staff still doesn't like it as much as
> Checkpoint.
>
> That's my rant anyway. If you have the money to pay for it, Checkpoint
> is really nice, but support is higher, both in cost and in time.
>
> In our case in the Data Center we use Checkpoint as a perimeter
> firewall, then sandwich our DMZ between the outside and inside
> firewalls. The theory is that if there is a vulnerability in one
> manufacturer a hacker can't exploit it to get all the way inside the
> enterprise. The inside firewalls are FWSM blades. For small sites we
> use ASA because cost is the driving factor there.
>
> Long post, and maybe off topic, but I am certain that other engineers
> will have their own opinions.
>
> Sincerely,
>
> Bill
>
> dip wrote:
> > Hi Guys,
> >
> > I have to evaluate between Cisco ASA and Checkpoint for a big enterprise.
> > I think this is a better place to ask since a lot of people would have
> > worked on both products.
> >
> > Please provide me all the plus points which you saw in Checkpoint which
> > you think currently Cisco ASA doesn't have, or vice versa.
> > Also what features Checkpoint has which you think should be a must in
> > Cisco firewalls.
> >
> > Thanks
> > Dip
> >
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART