Re: ASA vs Checkpoint

From: Muhammad Nasim (muhammad.nasim@gmail.com)
Date: Wed Jul 23 2008 - 08:16:47 ART


Hey Dip,

If u can convey my message to Cisco, it is to please, please leave the tail of
JAVA for making Graphical interfaces.

1. Juniper and Fortinet graphical interfaces are awesome, based on HTML.
Cisco should do this.

2. Please remove the bugs in version 7.2.X AND 8.0 before ADDING new
features : ) .

3. Include DMVPN support on CISCO ASA : ) (Juniper firewalls support this
kind of VPN from version 6.0)

4. Make CISCO ASA a real UTM device (which can support
IPS+ANTISPAM+ANTIVIRUS+URL Filtering on one BOX. Right now it is not
possible)

HTH

2008/7/23 David Tran <davidtran_mclean@yahoo.com>:

> "checkpoint support sucks big time as compared to cisco. see when u get stuck
> in live network all u care of some good guys to help u out of it this is where
> no one can touch cisco for sure."
>
> This part I completely agree with you. Checkpoint TAC support sucks big
> time. This is one area where Cisco is really good.
>
> --- On Wed, 7/23/08, sushil menon <sushilmenon2001@gmail.com> wrote:
>
> From: sushil menon <sushilmenon2001@gmail.com>
> Subject: Re: ASA vs Checkpoint
> To: "David Tran" <davidtran_mclean@yahoo.com>
> Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer" <beyer@optonline.net>,
> ccielab@groupstudy.com, security@groupstudy.com
> Date: Wednesday, July 23, 2008, 2:17 AM
>
> i think it depends on what u are looking for.
>
> from cisco point of view, the few advantages and disadvantages i feel are:
>
> cisco is a lot cheaper than checkpoint. in checkpoint the biggest pain is the
> licensing model. u need a license for everything so the cost of it goes very
> high. since it's pure software u will have to invest in hardware again, like
> if u are thinking of secure platform then a good ibm or hp server plus their
> support as well.
>
> checkpoint support sucks big time as compared to cisco. see when u get stuck
> in live network all u care of some good guys to help u out of it this is where
> no one can touch cisco for sure.
>
> though checkpoint is famous for it's gui, that's the only good thing i find in
> it. although it can be deployed on many different hardware configurations,
> deploying it on different hardware is tough because for most of the hardware
> u don't even get documentation for free; like nokia and crossbeam, u need
> login access just to view the documentation, and there are hardly any good
> configuration examples that u could use.
>
> there is nothing very great that checkpoint does that cisco cannot do, except
> for a few things like running vpns and running protocols in active/active
> mode.
>
> but where vpns are concerned i find cisco vpns much more scalable and easy. in
> checkpoint u have something called communities, and according to communities
> u will have to decide whether u want mesh or star like vpns. in asa it's up
> to u; u can configure it the way u want and need not worry about any
> communities.
>
> of course, from a good management point of view, seeing the logs in a nice
> format and all, u can go for checkpoint.
>
> if u are really looking for options i would say rather try juniper or
> fortinet. they are even better than both cisco and checkpoint.
>
> especially fortinet provides everything in a single asic based box. they have
> got ips, anti-spam, url-filtering, anti-virus, content-filtering all in a
> single box and their license cost is very low. their anti-virus has been
> winning 3 consecutive awards in anti-virus bulletin.
> they can do source based routing, source interface based routing, policy
> based routing and many more features.
>
> they have got their fortimanager, like checkpoint, to manage all the boxes
> from a single point, and they have a fortilog analyser for consolidating all
> the logs in a single place.
>
>
> On Wed, Jul 23, 2008 at 7:56 AM, David Tran <davidtran_mclean@yahoo.com>
> wrote:
>
> "But there are downsides. It is software running on a computer, so you
> have some form of Linux or Windows under the hood. We run ours on a
> Nokia platform. The model we currently use is diskless, but some of our
> older ones had a harddisk that seem to fail regularly. Plus keeping up
> with patching means not only patching Checkpoint, but also patching
> IPSO, which is Nokia's version of Linux."
>
> You should be using Secureplatform instead of Nokia. With
> Secureplatform, you go to a single vendor, Checkpoint,
> for support with both the OS and Checkpoint. Nokia is overpriced
> and overrated.
>
> Isn't RAID-1 supposed to resolve this issue? My Secureplatform
> has been up and running for almost five years with two reboots,
> because I upgraded it to HFA_17 and HFA_20.
>
> You will run into the same thing with Cisco as well. I can tell
> you from Pix version 7.2(x) alone, there are about 28 different
> versions out there.
>
> Checkpoint FireFly is high-end running on IBM x3650.
>
> Checkpoint can terminate VPN in active/active but Cisco ASA
> cannot.
>
> Checkpoint is expensive and cisco is not.
>
> Imagine managing a firewall with 20+ interfaces with Cisco, a
> very difficult task indeed. There is no cisco centralized
> management like CP Provider-1 either, unless you count
> Cisco Security Manager, which runs on crappy windows. This
> product is horrible. Even Cisco TAC recommends Solsoft
> over Cisco CSM.
>
> If you have the money, go with Checkpoint. Otherwise, go
> with Cisco.
>
> As someone put it, Checkpoint firewalls are like driving a Porsche
> or Audi while Cisco is like driving a Ford Pinto. Just like
> everything in life, you get what you pay for.
>
> --- On Tue, 7/22/08, Bill Eyer <beyer@optonline.net> wrote:
> From: Bill Eyer <beyer@optonline.net>
> Subject: Re: ASA vs Checkpoint
> To: "dip" <diptanshu.singh@gmail.com>
> Cc: ccielab@groupstudy.com, security@groupstudy.com
> Date: Tuesday, July 22, 2008, 7:34 PM
>
> Dip,
>
> For what it's worth, at our company we use a mix of Checkpoint and Cisco
> firewalls: the ASA, FWSM for the 6500 and some older PIX units. This is a
> deliberate design decision on my part to provide diversity.
>
> Both manufacturers have advantages and disadvantages, and I will give
> you my rant on both of them.
>
> The Checkpoint is great for a couple of things. The management
> interface is still the best. Even I, who have never been to school on
> it, can easily configure and push policies. The logging system, while
> proprietary, is really nice. If my firewall engineers had their way, we
> would use only Checkpoint firewalls.
>
> But there are downsides. It is software running on a computer, so you
> have some form of Linux or Windows under the hood. We run ours on a
> Nokia platform. The model we currently use is diskless, but some of our
> older ones had a hard disk that seemed to fail regularly. Plus keeping up
> with patching means not only patching Checkpoint, but also patching
> IPSO, which is Nokia's version of Linux. Our Checkpoint reps recently
> told me they are coming out with their own appliance, which will feature
> integrated patching.
>
> Checkpoint is also "rental software". To legally keep it running you
> have to re-license it periodically. You also have to have a dedicated
> PC as a management server, and yes, this has its own license. Lastly,
> Checkpoint support is really expensive, although third party support may
> be available from the appliance manufacturer. We get ours from Nokia.
> Unlike Cisco TAC, Nokia does draw the line at some support requests.
> For example, I asked them to walk me through installing the R55 patch and
> they told me I had to hire a VAR to do the work. I got around it but it
> was painful.
>
> Smart Defense, which is their version of IPS, also adds extra costs and,
> since it is implemented in software, has a dramatic effect on throughput.
>
> All in all, it adds up to a higher cost than ASA.
>
> ASA wraps good things into a single box, and the cost is lower.
> However, the management GUI is not as easy to use (although recent
> generations are definitely better). Logging is also horrible. The logs
> on the built-in GUI are not nearly as nice as Checkpoint's, so you will
> probably find the need for some type of enterprise logging tool. The
> good news is that it is syslog, so any enterprise SIM tool should work.
> We actually use CS-MARS, but the staff still doesn't like it as much as
> Checkpoint.
>
> That's my rant anyway. If you have the money to pay for it, Checkpoint
> is really nice, but support is higher, both in cost and in time.
>
> In our case in the Data Center we use Checkpoint as a perimeter
> firewall, then sandwich our DMZ between the outside and inside
> firewalls. The theory is that if there is a vulnerability in one
> manufacturer a hacker can't exploit it to get all the way inside the
> enterprise. The inside firewalls are FWSM blades. For small sites we
> use ASA because cost is the driving factor there.
>
> Long post, and maybe off topic, but I am certain that other engineers
> will have their own opinions.
>
> Sincerely,
>
> Bill
>
> dip wrote:
> > Hi Guys,
> >
> > i have to evaluate between Cisco ASA and Checkpoint for a big enterprise. I
> > think this is a better place to ask since a lot of people would have worked
> > on both products.
> >
> > Please provide me all the plus points which you saw in checkpoint which you
> > think currently Cisco ASA doesn't have, or vice versa.
> > Also what features checkpoint has which you think should be a must in cisco
> > Firewalls.
> >
> > Thanks
> > Dip
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>

-- 
Muhammad Nasim
Network Engineer
Saudi Arabia


This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART