From: Bill Eyer (beyer@optonline.net)
Date: Wed Jul 23 2008 - 07:02:45 ART
David,
SecurePlatform is likely the direction we will go at the next hardware
refresh.
Bill
David Tran wrote:
> "But there are downsides. It is software running on a computer, so you
> have some form of Linux or Windows under the hood. We run ours on a
> Nokia platform. The model we currently use is diskless, but some of our
> older ones had a hard disk that seemed to fail regularly. Plus keeping up
> with patching means not only patching Checkpoint, but also patching
> IPSO, which is Nokia's version of Linux."
>
> You should be using Secureplatform instead of Nokia. With
> Secureplatform, you go to a single vendor, Checkpoint,
> for support with both the OS and Checkpoint. Nokia is overpriced
> and overrated.
>
> Isn't RAID-1 supposed to resolve this issue? My Secureplatform
> has been up and running for almost five years with two reboots,
> because I upgraded it to HFA_17 and HFA_20.
>
> You will run into the same thing with Cisco as well. I can tell
> you from Pix version 7.2(x) alone, there are about 28 different
> versions out there.
>
> Checkpoint FireFly is high-end running on IBM x3650.
>
> Checkpoint can terminate VPN in active/active but Cisco ASA
> cannot.
>
> Checkpoint is expensive and Cisco is not.
>
> Imagine managing a firewall with 20+ interfaces with Cisco, a
> very difficult task indeed. There is no Cisco centralized
> management like CP Provider-1 either, unless you count
> Cisco Security Manager, which runs on crappy Windows. This
> product is horrible. Even Cisco TAC recommends Solsoft
> over Cisco CSM.
>
> If you have the money, go with Checkpoint. Otherwise, go
> with Cisco.
>
> As someone put it, Checkpoint firewalls are like driving a Porsche
> or Audi while Cisco is like driving a Ford Pinto. Just like
> everything in life, you get what you pay for.
>
>
> --- On Tue, 7/22/08, Bill Eyer <beyer@optonline.net> wrote:
>
> From: Bill Eyer <beyer@optonline.net>
> Subject: Re: ASA vs Checkpoint
> To: "dip" <diptanshu.singh@gmail.com>
> Cc: ccielab@groupstudy.com, security@groupstudy.com
> Date: Tuesday, July 22, 2008, 7:34 PM
>
> Dip,
>
> For what it's worth, at our company we use a mix of Checkpoint and Cisco
> firewalls: the ASA, FWSM for the 6500 and some older PIX units. This is a
> deliberate design solution on my part to provide diversity.
>
> Both manufacturers have advantages and disadvantages, and I will give
> you my rant on both of them.
>
> The Checkpoint is great for a couple of things. The management
> interface is still the best. Even I, who have never been to school on
> it, can easily configure and push policies. The logging system, while
> proprietary, is really nice. If my firewall engineers had their way, we
> would use only Checkpoint firewalls.
>
> But there are downsides. It is software running on a computer, so you
> have some form of Linux or Windows under the hood. We run ours on a
> Nokia platform. The model we currently use is diskless, but some of our
> older ones had a hard disk that seemed to fail regularly. Plus keeping up
> with patching means not only patching Checkpoint, but also patching
> IPSO, which is Nokia's version of Linux. Our Checkpoint reps recently
> told me they are coming out with their own appliance that will feature
> integrated patching.
>
> Checkpoint is also "rental software". To legally keep it running you
> have to re-license it periodically. You also have to have a dedicated
> PC as a management server, and yes, this has its own license. Lastly,
> Checkpoint support is really expensive, although third-party support may
> be available from the appliance manufacturer. We get ours from Nokia.
> Unlike Cisco TAC, Nokia does draw the line at some support requests.
> For example, I asked them to walk me through installing the R55 patch and
> they told me I had to hire a VAR to do the work. I got around it, but it
> was painful.
>
> Smart Defense, which is their version of IPS, also adds extra costs and,
> since it is implemented in software, has a dramatic effect on throughput.
>
> All in all, it adds up to a higher cost than ASA.
>
> ASA wraps good things into a single box, and the cost is lower.
> However, the management GUI is not as easy to use (although recent
> generations are definitely better). Logging is also horrible. The logs
> on the built-in GUI are not nearly as nice as Checkpoint's, so you will
> probably find the need for some type of enterprise logging tool. The
> good news is that it is syslog, so any enterprise SIM tool should work.
> We actually use CS-MARS, but the staff still doesn't like it as much as
> Checkpoint.
>
> That's my rant anyway. If you have the money to pay for it, Checkpoint
> is really nice, but support is higher, both in cost and in time.
>
> In our case, in the data center we use Checkpoint as the perimeter
> firewall, then sandwich our DMZ between the outside and inside
> firewalls. The theory is that if there is a vulnerability in one
> manufacturer, a hacker can't exploit it to get all the way inside the
> enterprise. The inside firewalls are FWSM blades. For small sites we
> use ASA because cost is the driving factor there.
>
> Long post, and maybe off topic, but I am certain that other engineers
> will have their own opinions.
>
> Sincerely,
>
> Bill
>
> dip wrote:
> > Hi Guys,
> >
> > I have to evaluate between Cisco ASA and Checkpoint for a big enterprise.
> > I think this is a better place to ask since a lot of people would have
> > worked on both products.
> >
> > Please provide me all the plus points which you saw in Checkpoint which
> > you think currently Cisco ASA doesn't have, or vice versa.
> > Also, what features does Checkpoint have which you think should be a
> > must in Cisco firewalls?
> >
> >
> >
> > Thanks
> > Dip
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART