Re: ASA vs Checkpoint

From: Ina&Laurean (ina.laurean@gmail.com)
Date: Wed Jul 23 2008 - 13:07:54 ART


I work in an environment where we have about 35 Checkpoint firewalls running on
the Nokia platform; I don't manage these firewalls, but I do often troubleshoot
problems related to firewall issues.

The Checkpoint management interface is great and it is very easy to manage
multiple firewalls, but I have to say that hardware reliability is not so
good; we've had many hard drives fail and many times the file system got
corrupted.

What I also don't like with Checkpoint is the VPN client, which I have to say
is very unstable, with lots of connectivity problems.

I worked with Nortel Contivity VPN before and it worked way, way better.

Laurean

On Wed, Jul 23, 2008 at 9:07 AM, Muhammad Nasim <muhammad.nasim@gmail.com>
wrote:

> Sorry guys, this email was only intended for Mr. Dip.
>
> DIP and I know each other
> : )
>
>
>
> 2008/7/23 Muhammad Nasim <muhammad.nasim@gmail.com>:
>
> > Hi Brother
> >
> > After getting my CCIE on the first attempt : ) people are asking me for
> > recommendations, and how can I give them wrong recommendations : )
> >
> > Somehow, let's see : )
> >
> >
> > 2008/7/23 dip <diptanshu.singh@gmail.com>:
> >
> > Hi Nasim, don't worry, we have a lot of plans for the future.. and wait for the
> >> next 2 years; if things go right you will definitely see some good things.
> >>
> >> Thanks
> >> Dip
> >> CCIE#20679
> >>
> >>
> >> On Wed, Jul 23, 2008 at 4:46 PM, Muhammad Nasim <muhammad.nasim@gmail.com>
> >> wrote:
> >>
> >>> Hey Dip,
> >>>
> >>> If you can convey my message to Cisco, it is to please, please leave the
> >>> tail of JAVA for making graphical interfaces.
> >>>
> >>> 1. Juniper and Fortinet graphical interfaces are awesome, based on HTML.
> >>> Cisco should do this.
> >>>
> >>> 2. Please remove the bugs in versions 7.2.X and 8.0 before ADDING new
> >>> features : ) .
> >>>
> >>> 3. Include DMVPN support on Cisco ASA : ) (Juniper firewalls support
> >>> this kind of VPN from version 6.0)
> >>>
> >>> 4. Make Cisco ASA a real UTM device (which can support
> >>> IPS + anti-spam + antivirus + URL filtering on one BOX. Right now it is not
> >>> possible.)
> >>>
> >>> HTH
> >>>
> >>>
> >>>
> >>>
> >>> 2008/7/23 David Tran <davidtran_mclean@yahoo.com>:
> >>>
> >>>> "Checkpoint support sucks big time as compared to Cisco. See, when you get
> >>>> stuck in a live network all you care about is some good guys to help you
> >>>> out of it; this is where no one can touch Cisco for sure."
> >>>>
> >>>> This part I completely agree with you. Checkpoint TAC support sucks big
> >>>> time. This is one area where Cisco is really good.
> >>>>
> >>>> --- On Wed, 7/23/08, sushil menon <sushilmenon2001@gmail.com> wrote:
> >>>>
> >>>> From: sushil menon <sushilmenon2001@gmail.com>
> >>>> Subject: Re: ASA vs Checkpoint
> >>>> To: "David Tran" <davidtran_mclean@yahoo.com>
> >>>> Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer" <beyer@optonline.net>,
> >>>> ccielab@groupstudy.com, security@groupstudy.com
> >>>> Date: Wednesday, July 23, 2008, 2:17 AM
> >>>>
> >>>>
> >>>>
> >>>> I think it depends on what you are looking for.
> >>>>
> >>>> From a Cisco point of view, the few advantages and disadvantages I feel:
> >>>>
> >>>> Cisco is a lot cheaper than Checkpoint. In Checkpoint the biggest pain is
> >>>> the licensing model. You need a license for everything, so the cost goes
> >>>> very high. Since it's pure software you will have to invest in hardware
> >>>> again; for example, if you are thinking of SecurePlatform then a good IBM
> >>>> or HP server, plus their support as well.
> >>>>
> >>>> Checkpoint support sucks big time as compared to Cisco. See, when you get
> >>>> stuck in a live network all you care about is some good guys to help you
> >>>> out of it; this is where no one can touch Cisco for sure.
> >>>>
> >>>> Though Checkpoint is famous for its GUI, that's the only best thing I
> >>>> find in it. Because it can be deployed on many different hardware
> >>>> configurations; on different hardware it is tough, because for most of the
> >>>> hardware you don't even get documentation for free. Like Nokia and
> >>>> Crossbeam: you need login access just to view the documentation, and
> >>>> there are hardly any good configuration examples that you could use.
> >>>>
> >>>> There is nothing very great that Checkpoint does that Cisco cannot do,
> >>>> except for a few things like running VPNs and running protocols in
> >>>> active/active mode.
> >>>>
> >>>> But where VPNs are concerned I find Cisco VPNs much more scalable and
> >>>> easy. In Checkpoint you have something called communities, and according
> >>>> to communities you will have to decide whether you want to have mesh or
> >>>> star-like VPNs. In ASA it's up to you; you can configure it the way you
> >>>> want and need not worry about any communities.
> >>>>
> >>>> Of course, from a good management point of view, seeing the logs in a
> >>>> nice format and all, you can go for Checkpoint.
> >>>>
> >>>> If you are really looking for options I would say rather try Juniper or
> >>>> Fortinet. They are even better than both Cisco and Checkpoint.
> >>>>
> >>>> Especially Fortinet provides everything in a single ASIC-based box. They
> >>>> have got IPS, anti-spam, URL filtering, anti-virus, content filtering all
> >>>> in a single box and their license cost is very low. Their anti-virus has
> >>>> been winning 3 consecutive awards in anti-virus bulletin.
> >>>> They can do source-based routing, source-interface-based routing,
> >>>> policy-based routing and many more features.
> >>>>
> >>>> They have got their FortiManager, like Checkpoint, to manage all the
> >>>> boxes from a single point, and they have a FortiLog analyser for
> >>>> consolidating all the logs in a single place.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On Wed, Jul 23, 2008 at 7:56 AM, David Tran <davidtran_mclean@yahoo.com>
> >>>> wrote:
> >>>>
> >>>>
> >>>> "
> >>>> But there are downsides. It is software running on a computer, so you
> >>>> have some form of Linux or Windows under the hood. We run ours on a
> >>>> Nokia platform. The model we currently use is diskless, but some of our
> >>>> older ones had a hard disk that seemed to fail regularly. Plus keeping up
> >>>> with patching means not only patching Checkpoint, but also patching
> >>>> IPSO, which is Nokia's version of Linux."
> >>>>
> >>>> You should be using SecurePlatform instead of Nokia. With
> >>>> SecurePlatform, you go to a single vendor, Checkpoint,
> >>>> for support with both the OS and Checkpoint. Nokia is overpriced
> >>>> and overrated.
> >>>>
> >>>> Isn't RAID-1 supposed to resolve this issue? My SecurePlatform
> >>>> has been up and running for almost five years with two reboots,
> >>>> because I upgraded it to HFA_17 and HFA_20.
> >>>>
> >>>> You will run into the same thing with Cisco as well. I can tell
> >>>> you that for PIX version 7.2(x) alone, there are about 28 different
> >>>> versions out there.
> >>>>
> >>>> Checkpoint FireFly is high-end, running on IBM x3650.
> >>>>
> >>>> Checkpoint can terminate VPN in active/active but Cisco ASA
> >>>> can not.
> >>>>
> >>>> Checkpoint is expensive and Cisco is not.
> >>>>
> >>>> Imagine managing a firewall with 20+ interfaces with Cisco, a
> >>>> very difficult task indeed. There is no Cisco centralized
> >>>> management like CP Provider-1 either, unless you count
> >>>> Cisco Security Manager, which runs on crappy Windows. This
> >>>> product is horrible. Even Cisco TAC recommends Solsoft
> >>>> over Cisco CSM.
> >>>>
> >>>> If you have the money, go with Checkpoint. Otherwise, go
> >>>> with Cisco.
> >>>>
> >>>> As someone put it, Checkpoint firewalls are like driving a Porsche
> >>>> or Audi while Cisco is like driving a Ford Pinto. Just like
> >>>> everything in life, you get what you pay for.
> >>>>
> >>>> --- On Tue, 7/22/08, Bill Eyer <beyer@optonline.net> wrote:
> >>>> From: Bill Eyer <beyer@optonline.net>
> >>>> Subject: Re: ASA vs Checkpoint
> >>>> To: "dip" <diptanshu.singh@gmail.com>
> >>>> Cc: ccielab@groupstudy.com, security@groupstudy.com
> >>>> Date: Tuesday, July 22, 2008, 7:34 PM
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> Dip,
> >>>>
> >>>> For what it's worth, at our company we use a mix of Checkpoint and Cisco
> >>>> firewalls: the ASA, FWSM for the 6500 and some older PIX units. This is a
> >>>> deliberate design decision on my part to provide diversity.
> >>>>
> >>>> Both manufacturers have advantages and disadvantages, and I will give
> >>>> you my rant on both of them.
> >>>>
> >>>> The Checkpoint is great for a couple of things. The management
> >>>> interface is still the best. Even I, who have never been to school on
> >>>> it, can easily configure and push policies. The logging system, while
> >>>> proprietary, is really nice. If my firewall engineers had their way, we
> >>>> would use only Checkpoint firewalls.
> >>>>
> >>>> But there are downsides. It is software running on a computer, so you
> >>>> have some form of Linux or Windows under the hood. We run ours on a
> >>>> Nokia platform. The model we currently use is diskless, but some of our
> >>>> older ones had a hard disk that seemed to fail regularly. Plus keeping up
> >>>> with patching means not only patching Checkpoint, but also patching
> >>>> IPSO, which is Nokia's version of Linux. Our Checkpoint reps recently
> >>>> told me they are coming out with their own appliance, that will feature
> >>>> integrated patching.
> >>>>
> >>>> Checkpoint is also "rental software". To legally keep it running you
> >>>> have to re-license it periodically. You also have to have a dedicated
> >>>> PC as a management server, and yes, this has its own license. Lastly,
> >>>> Checkpoint support is really expensive, although third-party support may
> >>>> be available from the appliance manufacturer. We get ours from Nokia.
> >>>> Unlike Cisco TAC, Nokia does draw the line at some support requests.
> >>>> For example, I asked them to walk me through installing the R55 patch and
> >>>> they told me I had to hire a VAR to do the work. I got around it, but it
> >>>> was painful.
> >>>>
> >>>> SmartDefense, which is their version of IPS, also adds extra costs and,
> >>>> since it is implemented in software, has a dramatic effect on
> >>>> throughput.
> >>>>
> >>>> All in all it adds up to a higher cost than ASA.
> >>>>
> >>>> ASA wraps good things into a single box, and the cost is lower.
> >>>> However, the management GUI is not as easy to use (although recent
> >>>> generations are definitely better). Logging is also horrible. The logs
> >>>> on the built-in GUI are not nearly as nice as Checkpoint's, so you will
> >>>> probably find the need for some type of enterprise logging tool. The
> >>>> good news is that it is syslog, so any enterprise SIM tool should work.
> >>>> We actually use CS-MARS, but the staff still doesn't like it as much as
> >>>> Checkpoint.
> >>>>
> >>>> That's my rant anyway. If you have the money to pay for it, Checkpoint
> >>>> is really nice, but support is higher, both in cost and in time.
> >>>>
> >>>> In our case, in the data center we use Checkpoint as a perimeter
> >>>> firewall, then sandwich our DMZ between the outside and inside
> >>>> firewalls. The theory is that if there is a vulnerability in one
> >>>> manufacturer a hacker can't exploit it to get all the way inside the
> >>>> enterprise. The inside firewalls are FWSM blades. For small sites we
> >>>> use ASA because cost is the driving factor there.
> >>>>
> >>>> Long post, and maybe off topic, but I am certain that other engineers
> >>>> will have their own opinions.
> >>>>
> >>>> Sincerely,
> >>>>
> >>>> Bill
> >>>>
> >>>> dip wrote:
> >>>> > Hi Guys,
> >>>> >
> >>>> > I have to evaluate between Cisco ASA and Checkpoint for a big enterprise.
> >>>> > I think this is a better place to ask since a lot of people would have
> >>>> > worked on both products.
> >>>> >
> >>>> > Please provide me all the plus points which you saw in Checkpoint which
> >>>> > you think currently Cisco ASA doesn't have, or vice versa.
> >>>> > Also, what features does Checkpoint have which you think should be a
> >>>> > must in Cisco firewalls?
> >>>> >
> >>>> >
> >>>> >
> >>>> > Thanks
> >>>> > Dip
> >>>> >
> >>>> >
> >>>> >
> >>>> >
> >>>> > _______________________________________________________________________
> >>>> > Subscription information may be found at:
> >>>> > http://www.groupstudy.com/list/CCIELab.html
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>> --
> >>> Muhammad Nasim
> >>> Network Engineer
> >>> Saudi Arabia
> >>>
> >>
> >>
> >
> >
> > --
> > Muhammad Nasim
> > Network Engineer
> > Saudi Arabia
> >
>
>
>
> --
> Muhammad Nasim
> Network Engineer
> Saudi Arabia
>
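Bill's point above, that ASA logging is plain syslog so any enterprise SIM tool can consume it, is easy to check in code. What follows is an added example, not code from this thread, from Cisco or from any of the posters: a small Python parser for three of the most common ASA message types (106023 access-list deny, 302013 connection built, 302014 connection teardown) and a per-source deny roll-up of the kind a SIM would produce over the raw feed. The log lines are constructed for the example; the hostname, interface names, addresses and the access-group name are invented, and the ASA message layouts are the documented ones for those message IDs.

```python
import re
from collections import Counter

# Constructed sample lines in the ASA syslog shape ("%ASA-<severity>-<msgid>: ...").
# They are made up for this example and are not from any real device or from the thread.
SAMPLE_LINES = [
    'Jul 23 2008 13:07:54 fw-dmz-1 : %ASA-6-302013: Built outbound TCP connection 41001 for outside:203.0.113.5/443 (203.0.113.5/443) to dmz:192.0.2.10/51234 (192.0.2.10/51234)',
    'Jul 23 2008 13:07:55 fw-dmz-1 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst dmz:192.0.2.10/22 by access-group "outside_in" [0x0, 0x0]',
    'Jul 23 2008 13:07:55 fw-dmz-1 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/4445 dst dmz:192.0.2.11/22 by access-group "outside_in" [0x0, 0x0]',
    'Jul 23 2008 13:07:56 fw-dmz-1 : %ASA-4-106023: Deny udp src outside:198.51.100.7/53 dst dmz:192.0.2.10/161 by access-group "outside_in" [0x0, 0x0]',
    'Jul 23 2008 13:07:57 fw-dmz-1 : %ASA-6-302014: Teardown TCP connection 41001 for outside:203.0.113.5/443 to dmz:192.0.2.10/51234 duration 0:00:03 bytes 1824 TCP FINs',
    'Jul 23 2008 13:07:58 fw-dmz-1 : %ASA-4-106023: Deny tcp src outside:203.0.113.99/33000 dst dmz:192.0.2.10/3389 by access-group "outside_in" [0x0, 0x0]',
    "Jul 23 2008 13:07:59 fw-dmz-1 : %ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
]

# The common header: %ASA-<severity 0-7>-<six-digit message id>: <body>
HEADER = re.compile(r'%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<body>.*)$')

# Body layouts for the three message types this example understands.
DENY = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) by access-group "(?P<acl>[^"]+)"')
BUILT = re.compile(
    r'Built (?P<dir>inbound|outbound) (?P<proto>\w+) connection (?P<conn>\d+) for '
    r'(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) to '
    r'(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)')
TEARDOWN = re.compile(
    r'Teardown (?P<proto>\w+) connection (?P<conn>\d+) for '
    r'(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to '
    r'(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)')


def parse_asa_line(line):
    """Return a dict for one ASA syslog line, or None if it carries no %ASA header.

    'event' is 'deny', 'built', 'teardown' or 'other'; the named fields of the
    matching body regex are merged into the dict, so unknown message ids still
    come back with severity and msgid and can be counted rather than dropped.
    """
    m = HEADER.search(line)
    if not m:
        return None
    rec = {'severity': int(m.group('sev')), 'msgid': m.group('msgid'), 'event': 'other'}
    body = m.group('body')
    for name, rx in (('deny', DENY), ('built', BUILT), ('teardown', TEARDOWN)):
        bm = rx.match(body)
        if bm:
            rec['event'] = name
            rec.update(bm.groupdict())
            break
    return rec


def deny_sources(lines, threshold=2):
    """Count 106023 denies per source IP and return the sources at or above
    threshold: the kind of roll-up a SIM does to turn raw ASA syslog into an alert."""
    counts = Counter()
    for line in lines:
        rec = parse_asa_line(line)
        if rec and rec['event'] == 'deny':
            counts[rec['src_ip']] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print(parse_asa_line(line))
    print('noisy sources:', deny_sources(SAMPLE_LINES))
```

The parser only anchors on the `%ASA-` header and the message id, so it does not care whether the line arrived with a local timestamp and hostname prefix from syslog or bare from the ASA's own `logging` buffer; anything it does not recognise is kept as `event: other` with its severity and id, which is what you want when the point of the feed is that nothing gets silently dropped.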



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART