From: Muhammad Nasim (muhammad.nasim@gmail.com)
Date: Wed Jul 23 2008 - 10:06:55 ART
Hi Brother,
After getting my CCIE on first attempt : ) people are asking me for
recommendations, and how can I give them wrong recommendations : )
Somehow, let's see : )
2008/7/23 dip <diptanshu.singh@gmail.com>:
> Hi Nasim, don't worry, we have a lot of plans for the future.. and wait for the next
> 2 years; if things go right you will definitely see some good things.
>
> Thanks
> Dip
> CCIE#20679
>
>
> On Wed, Jul 23, 2008 at 4:46 PM, Muhammad Nasim <muhammad.nasim@gmail.com>
> wrote:
>
>> Hey Dip,
>>
>> If you can convey my message to Cisco, it is to please, please leave the tail of
>> Java for making graphical interfaces.
>>
>> 1. Juniper and Fortinet graphical interfaces are awesome, being based on HTML.
>> Cisco should do this.
>>
>> 2. Please remove the bugs in versions 7.2.X and 8.0 before adding new
>> features : ).
>>
>> 3. Include DMVPN support on Cisco ASA : ) (Juniper firewalls support
>> this kind of VPN from version 6.0).
>>
>> 4. Make Cisco ASA a real UTM device (which can support
>> IPS + anti-spam + anti-virus + URL filtering on one box; right now it is not
>> possible).
>>
>> HTH
>>
>> 2008/7/23 David Tran <davidtran_mclean@yahoo.com>:
>>
>>> "Checkpoint support sucks big time as compared to Cisco. See, when you get
>>> stuck in a live network all you care about is some good guys to help you out of it;
>>> this is where no one can touch Cisco for sure."
>>>
>>> This part I completely agree with you. Checkpoint TAC support sucks big
>>> time. This is one area where Cisco is really good.
>>>
>>> --- On Wed, 7/23/08, sushil menon <sushilmenon2001@gmail.com> wrote:
>>>
>>> From: sushil menon <sushilmenon2001@gmail.com>
>>> Subject: Re: ASA vs Checkpoint
>>> To: "David Tran" <davidtran_mclean@yahoo.com>
>>> Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer" <beyer@optonline.net>,
>>> ccielab@groupstudy.com, security@groupstudy.com
>>> Date: Wednesday, July 23, 2008, 2:17 AM
>>>
>>> I think it depends on what you are looking for.
>>>
>>> From the Cisco point of view, the few advantages and disadvantages I feel:
>>>
>>> Cisco is a lot cheaper than Checkpoint. In Checkpoint the biggest pain is the
>>> licensing model. You need a license for everything, so the cost of it goes very
>>> high. Since it's pure software you will have to invest in hardware again, like
>>> if you are thinking of SecurePlatform then a good IBM or HP server plus their
>>> support as well.
>>>
>>> Checkpoint support sucks big time as compared to Cisco. See, when you get stuck
>>> in a live network all you care about is some good guys to help you out of it;
>>> this is where no one can touch Cisco for sure.
>>>
>>> Though Checkpoint is famous for its GUI, that's the only best thing I find in
>>> it. Because it can be deployed on many different hardware configurations, on
>>> different hardware it is tough, because for most of the hardware you don't even
>>> get documentation for free; like Nokia and Crossbeam, you need login access to
>>> just view the documentation, and there are hardly any good configuration
>>> examples that you could use.
>>>
>>> There is nothing very great that Checkpoint does that Cisco cannot do, except
>>> for a few things like running VPNs and running protocols in active/active mode.
>>>
>>> But where VPNs are concerned I find Cisco VPNs much more scalable and easy. In
>>> Checkpoint you have something called communities, and according to communities
>>> you will have to decide whether you want to have mesh or star-like VPNs. In ASA
>>> it's up to you; you can configure the way you want and need not worry about any
>>> communities.
>>>
>>> Of course, from a good management point of view, seeing the logs in a nice
>>> format and all, you can go for Checkpoint.
>>>
>>> If you are really looking for options I would say rather try Juniper or
>>> Fortinet. They are even better than both Cisco and Checkpoint.
>>>
>>> Especially Fortinet provides everything in a single ASIC-based box. They have
>>> got IPS, anti-spam, URL filtering, anti-virus, content filtering all in a
>>> single box and their license cost is very low. Their anti-virus has been
>>> winning 3 consecutive awards in Anti-Virus Bulletin.
>>> They can do source-based routing, source-interface-based routing, policy-based
>>> routing and many more features.
>>>
>>> They have got their FortiManager, like Checkpoint, to manage all the boxes from
>>> a single point, and they have a FortiLog analyser for consolidating all the
>>> logs in a single place.
>>>
>>>
>>> On Wed, Jul 23, 2008 at 7:56 AM, David Tran <davidtran_mclean@yahoo.com>
>>> wrote:
>>>
>>>
>>> "But there are downsides. It is software running on a computer, so you
>>> have some form of Linux or Windows under the hood. We run ours on a
>>> Nokia platform. The model we currently use is diskless, but some of our
>>> older ones had a hard disk that seemed to fail regularly. Plus keeping up
>>> with patching means not only patching Checkpoint, but also patching
>>> IPSO, which is Nokia's version of Linux."
>>>
>>> You should be using SecurePlatform instead of Nokia. With
>>> SecurePlatform, you go to a single vendor, Checkpoint,
>>> for support with both the OS and Checkpoint. Nokia is overpriced
>>> and overrated.
>>>
>>> Isn't RAID-1 supposed to resolve this issue? My SecurePlatform
>>> has been up and running for almost five years with two reboots,
>>> because I upgraded it to HFA_17 and HFA_20.
>>>
>>> You will run into the same thing with Cisco as well. I can tell
>>> you from Pix version 7.2(x) alone, there are about 28 different
>>> versions out there.
>>>
>>> Checkpoint FireFly is high-end running on IBM x3650.
>>>
>>> Checkpoint can terminate VPN in active/active but Cisco ASA
>>> cannot.
>>>
>>> Checkpoint is expensive and Cisco is not.
>>>
>>> Imagine managing a firewall with 20+ interfaces with Cisco, a
>>> very difficult task indeed. There is no Cisco centralized
>>> management like CP Provider-1 either, unless you count
>>> Cisco Security Manager, which runs on crappy Windows. This
>>> product is horrible. Even Cisco TAC recommends Solsoft
>>> over Cisco CSM.
>>>
>>> If you have the money, go with Checkpoint. Otherwise, go
>>> with Cisco.
>>>
>>> As someone put it, Checkpoint firewalls are like driving a Porsche
>>> or Audi while Cisco is like driving a Ford Pinto. Just like
>>> everything in life, you get what you pay for.
>>>
>>> --- On Tue, 7/22/08, Bill Eyer <beyer@optonline.net> wrote:
>>> From: Bill Eyer <beyer@optonline.net>
>>> Subject: Re: ASA vs Checkpoint
>>> To: "dip" <diptanshu.singh@gmail.com>
>>> Cc: ccielab@groupstudy.com, security@groupstudy.com
>>> Date: Tuesday, July 22, 2008, 7:34 PM
>>>
>>> Dip,
>>>
>>> For what it's worth, at our company we use a mix of Checkpoint and Cisco
>>> firewalls: the ASA, FWSM for the 6500 and some older PIX units. This is a
>>> deliberate design solution on my part to provide diversity.
>>>
>>> Both manufacturers have advantages and disadvantages, and I will give
>>> you my rant on both of them.
>>>
>>> The Checkpoint is great for a couple of things. The management
>>> interface is still the best. Even I, who have never been to school on
>>> it, can easily configure and push policies. The logging system, while
>>> proprietary, is really nice. If my firewall engineers had their way, we
>>> would use only Checkpoint firewalls.
>>>
>>> But there are downsides. It is software running on a computer, so you
>>> have some form of Linux or Windows under the hood. We run ours on a
>>> Nokia platform. The model we currently use is diskless, but some of our
>>> older ones had a hard disk that seemed to fail regularly. Plus keeping up
>>> with patching means not only patching Checkpoint, but also patching
>>> IPSO, which is Nokia's version of Linux. Our Checkpoint reps recently
>>> told me they are coming out with their own appliance, which will feature
>>> integrated patching.
>>>
>>> Checkpoint is also "rental software". To legally keep it running you
>>> have to re-license it periodically. You also have to have a dedicated
>>> PC as a management server, and yes, this has its own license. Lastly,
>>> Checkpoint support is really expensive, although third-party support may
>>> be available from the appliance manufacturer. We get ours from Nokia.
>>> Unlike Cisco TAC, Nokia does draw the line at some support requests.
>>> For example, I asked them to walk me through installing the R55 patch and
>>> they told me I had to hire a VAR to do the work. I got around it, but it
>>> was painful.
>>>
>>> Smart Defense, which is their version of IPS, also adds extra costs and,
>>> since it is implemented in software, has a dramatic effect on throughput.
>>>
>>> All in all it adds up to a higher cost than ASA.
>>>
>>> ASA wraps good things into a single box, and the cost is lower.
>>> However, the management GUI is not as easy to use (although recent
>>> generations are definitely better). Logging is also horrible. The logs
>>> on the built-in GUI are not nearly as nice as Checkpoint's, so you will
>>> probably find the need for some type of enterprise logging tool. The
>>> good news is that it is syslog, so any enterprise SIM tool should work.
>>> We actually use CS-MARS, but the staff still doesn't like it as much as
>>> Checkpoint.
>>>
>>> That's my rant anyway. If you have the money to pay for it, Checkpoint
>>> is really nice, but support is higher, both in cost and in time.
>>>
>>> In our case in the Data Center we use Checkpoint as a perimeter
>>> firewall, then sandwich our DMZ between the outside and inside
>>> firewalls. The theory is that if there is a vulnerability in one
>>> manufacturer a hacker can't exploit it to get all the way inside the
>>> enterprise. The inside firewalls are FWSM blades. For small sites we
>>> use ASA because cost is the driving factor there.
>>>
>>> Long post, and maybe off topic, but I am certain that other engineers
>>> will have their own opinions.
>>>
>>> Sincerely,
>>>
>>> Bill
>>>
>>> dip wrote:
>>> > Hi Guys,
>>> >
>>> > I have to evaluate between Cisco ASA and Checkpoint for a big enterprise. I
>>> > think this is a better place to ask since lots of people would have worked on
>>> > both products.
>>> >
>>> > Please provide me all the plus points which you saw in Checkpoint which you
>>> > think currently Cisco ASA doesn't have, or vice versa.
>>> > Also, what features does Checkpoint have which you think should be a must in
>>> > Cisco firewalls?
>>> >
>>> > Thanks
>>> > Dip
>>> >
>>> > _______________________________________________________________________
>>> > Subscription information may be found at:
>>> > http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>>
>> --
>> Muhammad Nasim
>> Network Engineer
>> Saudi Arabia
>>
>
>
--
Muhammad Nasim
Network Engineer
Saudi Arabia
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART