From: Aun Raza (aun.raza@gmail.com)
Date: Wed Jul 23 2008 - 19:24:08 ART
I think Cisco is starting to delve into the larger enterprise market with
the 5580. Might be worth a check.
On Wed, Jul 23, 2008 at 5:41 PM, David Tran <davidtran_mclean@yahoo.com>
wrote:
> "Recently I had a meeting with a large blue chip company that had been
> using Checkpoint exclusively. As they were purchasing various Cisco
> routers and switches from us, I was asked to attend a meeting where their
> security manager, who was a Checkpoint believer, wanted to ask a few
> questions about the ASA. After the Q&A session I could see that lots of
> what he said were related to the old PIX limitations. I then opened my
> laptop and connected to an ASA we have in a lab and demonstrated the ASA
> and let him play... They just purchased two ASAs to replace their
> Checkpoints."
>
> I don't know if you have ever worked in a large enterprise or a Managed
> Security Service Provider (MSSP), but I would like to know if you can
> convert a Checkpoint security policy with over 25,000 objects and
> 800 security rules on a Secureplatform gateway with 20+ interfaces.
> Add about 100+ crazy NAT rules in the policy and let's see if you can
> convert this CP security policy into an ASA security policy.
>
> Think you can do it? By the way, Cisco TAC couldn't do it either.
>
> I had a meeting with a Cisco SE in 2005 and he really touted
> both ASA and MARS, on how these products are much better than CP
> and Juniper. After I sat him down and showed him Checkpoint Provider-1
> and the requirements for my environment, ASA and CSM could not meet
> the requirements.
>
> Checkpoint has lots of drawbacks as well, but overall it is a much
> better firewall than Cisco, especially for large enterprises and
> Service Providers.
>
> It's like owning a Porsche and owning a Honda Civic. Owning a Chevy is
> very easy. You just need to change the oil, for the most part, and
> everything will be fine. Owning a Porsche is much different. You need to
> have the money and the time to take care of that car. It is not that
> simple. Checkpoint is the same way. Checkpoint is like a Porsche and ASA
> is like a Honda Civic.
>
> --- On Wed, 7/23/08, gabriel.bryson@minx.com <gabriel.bryson@minx.com>
> wrote:
>
> From: gabriel.bryson@minx.com <gabriel.bryson@minx.com>
> Subject: RE: ASA vs Checkpoint
> To: joe@affirmedsystems.com, davidtran_mclean@yahoo.com,
> sushilmenon2001@gmail.com, Kevin.Phillips@FTIConsulting.com
> Cc: diptanshu.singh@gmail.com, beyer@optonline.net, ccielab@groupstudy.com,
> security@groupstudy.com
> Date: Wednesday, July 23, 2008, 4:08 PM
>
> After reading along all day at what people had to say about the ASA vs
> Checkpoint, if I was a complete novice that went exclusively on what was
> said in this forum, I think I might go with the ASA?? There is plenty
> said on the Checkpoint side about licensing, hardware, patching
> problems, more expensive, not great support from the manufacturers, and
> all that was said about the ASA is that it does not have a fantastic
> enterprise management solution, oh and the ASA VPN solution is rock
> solid???
> I think from my own experience the vast majority of people are put off
> the ASA because of the old PIX, its command line and horrible GUI (PDM),
> which the ASA has now revamped and replaced, making it just as easy as
> the Checkpoint to configure.
> Recently I had a meeting with a large blue chip company that had been
> using Checkpoint exclusively. As they were purchasing various Cisco
> routers and switches from us, I was asked to attend a meeting where their
> security manager, who was a Checkpoint believer, wanted to ask a few
> questions about the ASA. After the Q&A session I could see that lots of
> what he said were related to the old PIX limitations. I then opened my
> laptop and connected to an ASA we have in a lab and demonstrated the ASA
> and let him play... They just purchased two ASAs to replace their
> Checkpoints.
> PS: check out the Miercom report on the ASA compared to its
> competitors??? Just google Miercom ASA
>
> My 2p worth
>
>
> Gabriel
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Joseph Brunner
> Sent: 23 July 2008 17:49
> To: 'David Tran'; 'sushil menon'; 'Phillips, Kevin'
> Cc: 'dip'; 'Bill Eyer'; ccielab@groupstudy.com;
> security@groupstudy.com
> Subject: RE: ASA vs Checkpoint
>
> David,
>
> Time and time again you save me millions of brain cells. Thank you...
>
> God Cisco has its sh*t in a twist... that server is massive to not be
> able to run CSM like google.com...
>
> WOW
>
> ;)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> David Tran
> Sent: Wednesday, July 23, 2008 10:30 AM
> To: sushil menon; Phillips, Kevin
> Cc: dip; Bill Eyer; ccielab@groupstudy.com; security@groupstudy.com
> Subject: RE: ASA vs Checkpoint
>
> "CSM is still new but yet another piece that Checkpoint and Juniper have
> been doing for a while. Cisco never really offered a solution to manage
> firewalls, maintain objects, and standard policies across an
> enterprise."
>
> This product is absolutely horrendous. I installed it on a Windows 2003
> Enterprise Edition with 16GB RAM and quad processors with quad-core and
> it is extremely slow. Totally unworkable across the VPN. The system
> becomes very sluggish after 5 users log into the system. At the moment,
> I am having issues with installing Performance Monitor on the CSM. In
> other words, it is a broken product.
>
> "Companies may not be ready to jump into buying a SIM as it may not be
> a requirement for that company but being able to store firewall logs
> and search for them is a core function of an enterprise firewall product"
>
> Could not disagree with you more on this. The good thing about
> Checkpoint centralized management is that the management piece can
> manage multiple firewalls. If you have multiple firewalls between the
> source and destination, the log, in real time, can tell you which
> firewalls accept the traffic and which ones drop the traffic. When it
> comes to troubleshooting, nothing beats tcpdump. Cisco's capture
> function is nowhere near tcpdump's capabilities.
>
> "MARS is a great product if you want a SIM"
>
> If you have a "Cisco" shop, then MARS is a great solution for you.
> However, if you have a heterogeneous environment, ArcSight or EIQ is a
> much superior solution.
>
> --- On Wed, 7/23/08, Phillips, Kevin <Kevin.Phillips@FTIConsulting.com>
> wrote:
>
> From: Phillips, Kevin <Kevin.Phillips@FTIConsulting.com>
> Subject: RE: ASA vs Checkpoint
> To: "David Tran" <davidtran_mclean@yahoo.com>, "sushil menon"
> <sushilmenon2001@gmail.com>
> Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer" <beyer@optonline.net>,
> ccielab@groupstudy.com, security@groupstudy.com
> Date: Wednesday, July 23, 2008, 9:41 AM
>
> This is quite a funny post as I have been beating up my Cisco SEs on
> exactly this point. I think they get it, but Cisco doesn't.
>
> A few years ago if you wanted a firewall, hands down it was Checkpoint,
> partly because of their AI. Today they all do the same: they pass or
> deny traffic based on defined criteria. Sure, one firewall may be faster
> than the next vendor's, but what is setting it apart for me is the
> management.
>
> MARS is a great product if you want a SIM, but if you want firewall
> events then you just need logs, Checkpoint and Juniper get this and have
> been doing this for years. Cisco never really offered this in their
> product line and when they decided to add it they went leaps and bounds
> ahead by going to MARS. MARS is not a firewall log tool, it is a SIM,
> it does event correlation and a lot of other features. Companies may
> not be ready to jump into buying a SIM as it may not be a requirement
> for that company but being able to store firewall logs and search for
> them is a core function of an enterprise firewall product.
>
> CSM is still new but yet another piece that Checkpoint and Juniper have
> been doing for a while. Cisco never really offered a solution to manage
> firewalls, maintain objects, and standard policies across an
> enterprise.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> David Tran
> Sent: Wednesday, July 23, 2008 7:01 AM
> To: sushil menon
> Cc: dip; Bill Eyer; ccielab@groupstudy.com; security@groupstudy.com
> Subject: Re: ASA vs Checkpoint
>
> "checkpoint support sucks big time as compared to cisco. see when u get
> stuck in a live network all u care about is some good guys to help u out
> of it; this is where no one can touch cisco for sure."
>
> This part I completely agree with you on. Checkpoint TAC support sucks
> big time. This is one area where Cisco is really good.
>
> --- On Wed, 7/23/08, sushil menon <sushilmenon2001@gmail.com> wrote:
>
> From: sushil menon <sushilmenon2001@gmail.com>
> Subject: Re: ASA vs Checkpoint
> To: "David Tran" <davidtran_mclean@yahoo.com>
> Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer" <beyer@optonline.net>,
> ccielab@groupstudy.com, security@groupstudy.com
> Date: Wednesday, July 23, 2008, 2:17 AM
>
> i think it depends on what u are looking for.
>
> from a cisco point of view, the few advantages and disadvantages i feel:
>
> cisco is a lot cheaper than checkpoint. in checkpoint the biggest pain is
> the licensing model. u need a license for everything so the cost of it
> goes very high. since it's pure software u will have to invest in
> hardware again, like if u are thinking of secure platform then a good
> ibm or hp server plus their support as well.
>
> checkpoint support sucks big time as compared to cisco. see when u get
> stuck in a live network all u care about is some good guys to help u out
> of it; this is where no one can touch cisco for sure.
>
> though checkpoint is famous for its gui, that's the only best thing i
> find in it. because it can be deployed on many different hardware
> configurations, deploying on different hardware is tough, because for
> most of the hardware u don't even get documentation for free; like nokia
> and crossbeam, u need login access to just view the documentation. there
> are hardly any good configuration examples that u could use.
>
> there is nothing very great that checkpoint does that cisco cannot do,
> except for a few things like running vpns and running protocols in
> active/active mode.
>
> but where vpns are concerned i find cisco vpns much more scalable and
> easy. in checkpoint u have something called communities and according to
> communities u will have to decide whether u want to have mesh or star
> like vpns. in asa it's up to u; u can configure the way u want and need
> not worry abt any communities.
>
> of course from a good management point of view, seeing the logs in a
> nice format and all, u can go for checkpoint.
>
> if u are really looking for options i would say rather try juniper or
> fortinet. they are even better than both cisco and checkpoint.
>
> especially fortinet provides everything in a single asic based box. they
> have got ips, anti-spam, url-filtering, anti-virus, content-filtering
> all in a single box and their license cost is very low. their anti-virus
> has been winning 3 consecutive awards in anti-virus bulletin.
> they can do source based routing, source interface based routing, policy
> based routing and many more features.
>
> they have got their fortimanager like checkpoint to manage all the boxes
> from a single point and they have a fortilog analyser for consolidating
> all the logs at a single place.
>
> On Wed, Jul 23, 2008 at 7:56 AM, David Tran <davidtran_mclean@yahoo.com>
> wrote:
>
> "But there are downsides. It is software running on a computer, so you
> have some form of Linux or Windows under the hood. We run ours on a
> Nokia platform. The model we currently use is diskless, but some of our
> older ones had a hard disk that seemed to fail regularly. Plus keeping up
> with patching means not only patching Checkpoint, but also patching
> IPSO, which is Nokia's version of Linux."
>
> You should be using Secureplatform instead of Nokia. With
> Secureplatform, you go to a single vendor, Checkpoint,
> for support with both the OS and Checkpoint. Nokia is overpriced
> and overrated.
>
> Isn't RAID-1 supposed to resolve this issue? My Secureplatform
> has been up and running for almost five years with two reboots,
> because I upgraded it to HFA_17 and HFA_20.
>
> You will run into the same thing with Cisco as well. I can tell
> you from Pix version 7.2(x) alone, there are about 28 different
> versions out there.
>
> Checkpoint FireFly is high-end running on IBM x3650.
>
> Checkpoint can terminate VPN in active/active but Cisco ASA
> cannot.
>
> Checkpoint is expensive and Cisco is not.
>
> Imagine managing a firewall with 20+ interfaces with Cisco, a
> very difficult task indeed. There is no Cisco centralized
> management like CP Provider-1 either, unless you count
> Cisco Security Manager, which runs on crappy Windows. This
> product is horrible. Even Cisco TAC recommends Solsoft
> over Cisco CSM.
>
> If you have the money, go with Checkpoint. Otherwise, go
> with Cisco.
>
> As someone put it, Checkpoint firewalls are like driving a Porsche
> or Audi while Cisco is like driving a Ford Pinto. Just like
> everything in life, you get what you pay for.
>
> --- On Tue, 7/22/08, Bill Eyer <beyer@optonline.net> wrote:
> From: Bill Eyer <beyer@optonline.net>
> Subject: Re: ASA vs Checkpoint
> To: "dip" <diptanshu.singh@gmail.com>
> Cc: ccielab@groupstudy.com, security@groupstudy.com
> Date: Tuesday, July 22, 2008, 7:34 PM
>
> Dip,
>
> For what it's worth, at our company we use a mix of Checkpoint and Cisco
> firewalls: the ASA, FWSM for 6500 and some older PIX units. This is a
> deliberate design solution on my part to provide diversity.
>
> Both manufacturers have advantages and disadvantages, and I will give
> you my rant on both of them.
>
> The Checkpoint is great for a couple of things. The management
> interface is still the best. Even I, who have never been to school on
> it, can easily configure and push policies. The logging system, while
> proprietary, is really nice. If my firewall engineers had their way, we
> would use only Checkpoint firewalls.
>
> But there are downsides. It is software running on a computer, so you
> have some form of Linux or Windows under the hood. We run ours on a
> Nokia platform. The model we currently use is diskless, but some of our
> older ones had a hard disk that seemed to fail regularly. Plus keeping up
> with patching means not only patching Checkpoint, but also patching
> IPSO, which is Nokia's version of Linux. Our Checkpoint reps recently
> told me they are coming out with their own appliance, that will feature
> integrated patching.
>
> Checkpoint is also "rental software". To legally keep it running you
> have to re-license it periodically. You also have to have a dedicated
> PC as a management server, and yes, this has its own license. Lastly,
> Checkpoint support is really expensive, although third party support may
> be available from the appliance manufacturer. We get ours from Nokia.
> Unlike Cisco TAC, Nokia does draw the line at some support requests.
> For example, I asked them to walk me through installing the R55 patch and
> they told me I had to hire a VAR to do the work. I got around it but it
> was painful.
>
> Smart Defense, which is their version of IPS, also adds extra costs and,
> since it is implemented in software, has a dramatic effect on
> throughput.
>
> All in all it adds up to a higher cost than ASA.
>
> ASA wraps good things into a single box, and the cost is lower.
> However, the management GUI is not as easy to use (although recent
> generations are definitely better). Logging is also horrible. The logs
> on the built-in GUI are not nearly as nice as Checkpoint's, so you will
> probably find the need for some type of enterprise logging tool. The
> good news is that it is syslog, so any enterprise SIM tool should work.
> We actually use CS-MARS, but the staff still doesn't like it as much as
> Checkpoint.
>
> That's my rant anyway. If you have the money to pay for it, Checkpoint
> is really nice, but support is higher, both in cost and in time.
>
> In our case in the Data Center we use Checkpoint as a perimeter
> firewall, then sandwich our DMZ between the outside and inside
> firewalls. The theory is that if there is a vulnerability in one
> manufacturer a hacker can't exploit it to get all the way inside the
> enterprise. The inside firewalls are FWSM blades. For small sites we
> use ASA because cost is the driving factor there.
>
> Long post, and maybe off topic, but I am certain that other engineers
> will have their own opinions.
>
> Sincerely,
>
> Bill
>
> dip wrote:
> > Hi Guys,
> >
> > i have to evaluate between Cisco ASA and Checkpoint for a big
> > enterprise. I think this is a better place to ask since lots of people
> > would have worked on both products.
> >
> > Please provide me all the plus points which you saw in Checkpoint
> > which you think currently Cisco ASA doesn't have, or vice versa.
> > Also what features Checkpoint has which you think should be a must in
> > Cisco firewalls.
> >
> > Thanks
> > Dip
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
-- aun raza pgp: 0x95A74924 (pgp.mit.edu) web: aunraza.com
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART