Re: ASA vs Checkpoint

From: Muhammad Nasim (muhammad.nasim@gmail.com)
Date: Wed Jul 23 2008 - 10:07:42 ART


Sorry guys, this email was only intended for Mr. Dip.

Dip and I know each other.
: )

2008/7/23 Muhammad Nasim <muhammad.nasim@gmail.com>:

> Hi Brother,
>
> After getting my CCIE on the first attempt : ) people are asking me for
> recommendations, and how can I give them wrong recommendations? : )
>
> Somehow, let's see : )
>
>
> 2008/7/23 dip <diptanshu.singh@gmail.com>:
>
>> Hi Nasim, don't worry, we have a lot of plans for the future. Wait for the
>> next 2 years; if things go right you will definitely see some good things.
>>
>> Thanks
>> Dip
>> CCIE#20679
>>
>>
>> On Wed, Jul 23, 2008 at 4:46 PM, Muhammad Nasim <muhammad.nasim@gmail.com>
>> wrote:
>>
>>> Hey Dip,
>>>
>>> If you can convey my message to Cisco, it is to please, please leave the tail
>>> of Java for making graphical interfaces.
>>>
>>> 1. Juniper and Fortinet graphical interfaces are awesome, based on HTML.
>>> Cisco should do this.
>>>
>>> 2. Please remove the bugs in version 7.2.X AND 8.0 before ADDING new
>>> features : ).
>>>
>>> 3. Include DMVPN support on Cisco ASA : ) (Juniper firewalls support
>>> this kind of VPN from version 6.0).
>>>
>>> 4. Make Cisco ASA a real UTM device (which can support
>>> IPS + anti-spam + anti-virus + URL filtering on one box. Right now it is not
>>> possible).
>>>
>>> HTH
>>>
>>> 2008/7/23 David Tran <davidtran_mclean@yahoo.com>:
>>>
>>>> "Checkpoint support sucks big time as compared to Cisco. See, when you get
>>>> stuck in a live network all you care about is some good guys to help you
>>>> out of it; this is where no one can touch Cisco for sure."
>>>>
>>>> This part I completely agree with you on. Checkpoint TAC support sucks big
>>>> time. This is one area where Cisco is really good.
>>>>
>>>> --- On Wed, 7/23/08, sushil menon <sushilmenon2001@gmail.com> wrote:
>>>>
>>>> From: sushil menon <sushilmenon2001@gmail.com>
>>>> Subject: Re: ASA vs Checkpoint
>>>> To: "David Tran" <davidtran_mclean@yahoo.com>
>>>> Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer" <beyer@optonline.net>,
>>>> ccielab@groupstudy.com, security@groupstudy.com
>>>> Date: Wednesday, July 23, 2008, 2:17 AM
>>>>
>>>> I think it depends on what you are looking for.
>>>>
>>>> From the Cisco point of view, these are the few advantages and
>>>> disadvantages I feel.
>>>>
>>>> Cisco is a lot cheaper than Checkpoint. In Checkpoint the biggest pain is
>>>> the licensing model. You need a license for everything, so the cost goes
>>>> very high. Since it's pure software you will have to invest in hardware
>>>> again; for example, if you are thinking of SecurePlatform, then a good IBM
>>>> or HP server plus their support as well.
>>>>
>>>> Checkpoint support sucks big time as compared to Cisco. See, when you get
>>>> stuck in a live network all you care about is some good guys to help you
>>>> out of it; this is where no one can touch Cisco for sure.
>>>>
>>>> Though Checkpoint is famous for its GUI, that's the only best thing I find
>>>> in it. It can be deployed on many different hardware configurations, but
>>>> deploying on different hardware is tough, because for most of the hardware
>>>> you don't even get documentation for free. For Nokia and Crossbeam you need
>>>> login access just to view the documentation, and there are hardly any good
>>>> configuration examples that you could use.
>>>>
>>>> There is nothing very great that Checkpoint does that Cisco cannot do,
>>>> except for a few things like running VPNs and running protocols in
>>>> active/active mode.
>>>>
>>>> But where VPNs are concerned, I find Cisco VPNs much more scalable and
>>>> easy. In Checkpoint you have something called communities, and according
>>>> to communities you will have to decide whether you want mesh or star-like
>>>> VPNs. In ASA it's up to you; you can configure it the way you want and
>>>> need not worry about any communities.
>>>>
>>>> Of course, from a management point of view, seeing the logs in a nice
>>>> format and all, you can go for Checkpoint.
>>>>
>>>> If you are really looking for options, I would say rather try Juniper or
>>>> Fortinet. They are even better than both Cisco and Checkpoint.
>>>>
>>>> Especially Fortinet provides everything in a single ASIC-based box. They
>>>> have got IPS, anti-spam, URL filtering, anti-virus, content filtering all
>>>> in a single box, and their license cost is very low. Their anti-virus has
>>>> been winning 3 consecutive awards in anti-virus bulletin.
>>>> They can do source-based routing, source-interface-based routing,
>>>> policy-based routing and many more features.
>>>>
>>>> They have got their FortiManager, like Checkpoint, to manage all the boxes
>>>> from a single point, and they have a FortiLog analyser for consolidating
>>>> all the logs in a single place.
>>>>
>>>> On Wed, Jul 23, 2008 at 7:56 AM, David Tran <davidtran_mclean@yahoo.com>
>>>> wrote:
>>>>
>>>> "But there are downsides. It is software running on a computer, so you
>>>> have some form of Linux or Windows under the hood. We run ours on a
>>>> Nokia platform. The model we currently use is diskless, but some of our
>>>> older ones had a hard disk that seemed to fail regularly. Plus keeping up
>>>> with patching means not only patching Checkpoint, but also patching
>>>> IPSO, which is Nokia's version of Linux."
>>>>
>>>> You should be using SecurePlatform instead of Nokia. With
>>>> SecurePlatform, you go to a single vendor, Checkpoint,
>>>> for support with both the OS and Checkpoint. Nokia is overpriced
>>>> and overrated.
>>>>
>>>> Isn't RAID-1 supposed to resolve this issue? My SecurePlatform
>>>> has been up and running for almost five years with two reboots,
>>>> because I upgraded it to HFA_17 and HFA_20.
>>>>
>>>> You will run into the same thing with Cisco as well. I can tell
>>>> you that from PIX version 7.2(x) alone, there are about 28 different
>>>> versions out there.
>>>>
>>>> Checkpoint FireFly is high-end, running on IBM x3650.
>>>>
>>>> Checkpoint can terminate VPN in active/active but Cisco ASA
>>>> cannot.
>>>>
>>>> Checkpoint is expensive and Cisco is not.
>>>>
>>>> Imagine managing a firewall with 20+ interfaces with Cisco, a
>>>> very difficult task indeed. There is no Cisco centralized
>>>> management like CP Provider-1 either, unless you count
>>>> Cisco Security Manager, which runs on crappy Windows. This
>>>> product is horrible. Even Cisco TAC recommends Solsoft
>>>> over Cisco CSM.
>>>>
>>>> If you have the money, go with Checkpoint. Otherwise, go
>>>> with Cisco.
>>>>
>>>> As someone put it, Checkpoint firewalls are like driving a Porsche
>>>> or Audi while Cisco is like driving a Ford Pinto. Just like
>>>> everything in life, you get what you pay for.
>>>>
>>>> --- On Tue, 7/22/08, Bill Eyer <beyer@optonline.net> wrote:
>>>> From: Bill Eyer <beyer@optonline.net>
>>>> Subject: Re: ASA vs Checkpoint
>>>> To: "dip" <diptanshu.singh@gmail.com>
>>>> Cc: ccielab@groupstudy.com, security@groupstudy.com
>>>> Date: Tuesday, July 22, 2008, 7:34 PM
>>>>
>>>> Dip,
>>>>
>>>> For what it's worth, at our company we use a mix of Checkpoint and Cisco
>>>> firewalls: the ASA, FWSM for the 6500 and some older PIX units. This is a
>>>> deliberate design decision on my part to provide diversity.
>>>>
>>>> Both manufacturers have advantages and disadvantages, and I will give
>>>> you my rant on both of them.
>>>>
>>>> The Checkpoint is great for a couple of things. The management
>>>> interface is still the best. Even I, who have never been to school on
>>>> it, can easily configure and push policies. The logging system, while
>>>> proprietary, is really nice. If my firewall engineers had their way, we
>>>> would use only Checkpoint firewalls.
>>>>
>>>> But there are downsides. It is software running on a computer, so you
>>>> have some form of Linux or Windows under the hood. We run ours on a
>>>> Nokia platform. The model we currently use is diskless, but some of our
>>>> older ones had a hard disk that seemed to fail regularly. Plus keeping up
>>>> with patching means not only patching Checkpoint, but also patching
>>>> IPSO, which is Nokia's version of Linux. Our Checkpoint reps recently
>>>> told me they are coming out with their own appliance that will feature
>>>> integrated patching.
>>>>
>>>> Checkpoint is also "rental software". To legally keep it running you
>>>> have to re-license it periodically. You also have to have a dedicated
>>>> PC as a management server, and yes, this has its own license. Lastly,
>>>> Checkpoint support is really expensive, although third-party support may
>>>> be available from the appliance manufacturer. We get ours from Nokia.
>>>> Unlike Cisco TAC, Nokia does draw the line at some support requests.
>>>> For example, I asked them to walk me through installing the R55 patch and
>>>> they told me I had to hire a VAR to do the work. I got around it, but it
>>>> was painful.
>>>>
>>>> SmartDefense, which is their version of IPS, also adds extra costs and,
>>>> since it is implemented in software, has a dramatic effect on
>>>> throughput.
>>>>
>>>> All in all, it adds up to a higher cost than ASA.
>>>>
>>>> ASA wraps good things into a single box, and the cost is lower.
>>>> However, the management GUI is not as easy to use (although recent
>>>> generations are definitely better). Logging is also horrible. The logs
>>>> on the built-in GUI are not nearly as nice as Checkpoint's, so you will
>>>> probably find the need for some type of enterprise logging tool. The
>>>> good news is that it is syslog, so any enterprise SIM tool should work.
>>>> We actually use CS-MARS, but the staff still doesn't like it as much as
>>>> Checkpoint.
>>>>
>>>> That's my rant anyway. If you have the money to pay for it, Checkpoint
>>>> is really nice, but support is higher, both in cost and in time.
>>>>
>>>> In our case in the Data Center we use Checkpoint as a perimeter
>>>> firewall, then sandwich our DMZ between the outside and inside
>>>> firewalls. The theory is that if there is a vulnerability in one
>>>> manufacturer a hacker can't exploit it to get all the way inside the
>>>> enterprise. The inside firewalls are FWSM blades. For small sites we
>>>> use ASA because cost is the driving factor there.
>>>>
>>>> Long post, and maybe off topic, but I am certain that other engineers
>>>> will have their own opinions.
>>>>
>>>> Sincerely,
>>>>
>>>> Bill
>>>>
>>>> dip wrote:
>>>> > Hi Guys,
>>>> >
>>>> > I have to evaluate between Cisco ASA and Checkpoint for a big enterprise.
>>>> > I think this is a better place to ask, since a lot of people would have
>>>> > worked on both products.
>>>> >
>>>> > Please provide me all the plus points which you saw in Checkpoint which
>>>> > you think currently Cisco ASA doesn't have, or vice versa.
>>>> > Also, what features does Checkpoint have which you think should be a must
>>>> > in Cisco firewalls?
>>>> >
>>>> > Thanks
>>>> > Dip
>>>> >
>>>> > _______________________________________________________________________
>>>> > Subscription information may be found at:
>>>> > http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>>

-- 
Muhammad Nasim
Network Engineer
Saudi Arabia


This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART