RE: Firewalls - Sidewinder

From: istong@stong.org
Date: Wed Jul 23 2008 - 22:16:05 ART


If you need that level of horsepower then it's a great
firewall. True application proxies versus the "fixup"
protocols used on the ASA and PIX.

Ian
www.ccie4u.com

> Since we are on the subject of firewall comparison, can
> you guys comment on G2 Sidewinder 10G firewalls? I have a
> customer that requires Proxy, and Sidewinder is one of
> very few vendors that can do that. BTW, what are the
> benefits and advantages of proxy?
>
> Thanks,
> Reza
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> On Behalf Of David Tran
> Sent: Wednesday, July 23, 2008 5:42 PM
> To: joe@affirmedsystems.com; sushilmenon2001@gmail.com;
> Kevin.Phillips@FTIConsulting.com; gabriel.bryson@minx.com
> Cc: diptanshu.singh@gmail.com; beyer@optonline.net;
> ccielab@groupstudy.com; security@groupstudy.com
> Subject: RE: ASA vs Checkpoint
>
> "Recently I had a meeting with a large blue chip company
> that had been using Checkpoint exclusively. As they were
> purchasing various Cisco routers and switches from us, I
> was asked to attend a meeting where their security manager,
> who was a Checkpoint believer, wanted to ask a few questions
> about the ASA. After the Q&A session I could see that lots
> of what he said was related to the old PIX limitations. I
> then opened my laptop and connected to an ASA we have in a
> lab, demonstrated the ASA and let him play... They just
> purchased two ASAs to replace their Checkpoints."
>
> I don't know if you have ever worked in a large enterprise or a
> Managed Security Service Provider (MSSP), but I would like
> to know if you can convert a Checkpoint security policy
> with over 25,000 objects and 800 security rules on a
> Secureplatform gateway with 20+ interfaces. Add about
> 100+ crazy NAT rules to the policy and let's see if you can
> convert this CP security policy into an ASA security policy.
>
> Think you can do it? By the way, Cisco TAC couldn't do it
> either.
>
> I had a meeting with a Cisco SE in 2005 and he really
> touted both ASA and MARS and how these products are much
> better than CP and Juniper. After I sat him down and
> showed him Checkpoint Provider-1 and the requirements for my
> environment, ASA and CSM could not meet the requirements.
>
> Checkpoint has lots of drawbacks as well, but overall it is
> a much better firewall than Cisco, especially for large
> enterprises and Service Providers.
>
> It's like owning a Porsche and owning a Honda Civic.
> Owning a Chevy is very easy. You just need to change oil,
> for the most part, and everything will be fine. Owning a
> Porsche is much different. You need to have the money and
> the time to take care of that car. It is not that simple.
> Checkpoint is the same way. Checkpoint is like a Porsche
> and ASA is like a Honda Civic.
>
> --- On Wed, 7/23/08, gabriel.bryson@minx.com
> <gabriel.bryson@minx.com> wrote:
>
> From: gabriel.bryson@minx.com <gabriel.bryson@minx.com>
> Subject: RE: ASA vs Checkpoint
> To: joe@affirmedsystems.com, davidtran_mclean@yahoo.com,
> sushilmenon2001@gmail.com, Kevin.Phillips@FTIConsulting.com
> Cc: diptanshu.singh@gmail.com, beyer@optonline.net,
> ccielab@groupstudy.com, security@groupstudy.com
> Date: Wednesday, July 23, 2008, 4:08 PM
>
> After reading along all day at what people had to say
> about the ASA vs Checkpoint, if I were a complete novice
> that went exclusively on what was said in this forum, I
> think I might go with the ASA?? There is plenty said on
> the Checkpoint side about licensing, hardware, patching
> problems, being more expensive, not great support from the
> manufacturers, and all that was said about the ASA is that
> it does not have a fantastic enterprise management solution,
> oh and the ASA VPN solution is rock solid???
> I think from my own experience the vast majority of people
> are put off the ASA because of the old PIX, its command
> line and horrible GUI (PDM), which the ASA has now
> revamped and replaced, making it just as easy as the
> Checkpoint to configure. Recently I had a meeting with a
> large blue chip company that had been using Checkpoint
> exclusively. As they were purchasing various Cisco routers
> and switches from us, I was asked to attend a meeting where
> their security manager, who was a Checkpoint believer, wanted
> to ask a few questions about the ASA. After the Q&A
> session I could see that lots of what he said was related
> to the old PIX limitations. I then opened my laptop and
> connected to an ASA we have in a lab, demonstrated the
> ASA and let him play... They just purchased two ASAs to
> replace their Checkpoints.
> PS check out the Miercom report on the ASA compared to
> its competitors??? Just google Miercom ASA
>
> My 2p worth
>
>
> Gabriel
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> On Behalf Of Joseph Brunner
> Sent: 23 July 2008 17:49
> To: 'David Tran'; 'sushil menon'; 'Phillips, Kevin'
> Cc: 'dip'; 'Bill Eyer'; ccielab@groupstudy.com;
> security@groupstudy.com
> Subject: RE: ASA vs Checkpoint
>
> David,
>
> Time and time again you save me millions of brain cells.
> Thank you...
>
> God Cisco has its sh*t in a twist... that server is
> massive to not be able
> to run CSM like google.com...
>
> WOW
>
> ;)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> On Behalf Of David Tran
> Sent: Wednesday, July 23, 2008 10:30 AM
> To: sushil menon; Phillips, Kevin
> Cc: dip; Bill Eyer; ccielab@groupstudy.com;
> security@groupstudy.com
> Subject: RE: ASA vs Checkpoint
>
> "CSM is still new but yet another piece that Checkpoint
> and Juniper have been doing for a while. Cisco never
> really offered a solution to manage firewalls, maintain
> objects, and standard policies across an enterprise."
>
> This product is absolutely horrendous. I installed it on
> a Windows 2003 Enterprise Edition with 16GB RAM and quad
> processors with quad-core and it is extremely slow.
> Totally unworkable across the VPN. The system becomes
> very sluggish after 5 users log into the system. At the
> moment, I am having issues with installing Performance
> Monitor on the CSM. In other words, it is a broken product.
>
> "Companies may
> not be ready to jump into buying a SIM as it may not be a
> requirement for that company but being able to store
> firewall logs and search for them is a core function of an
> enterprise firewall product"
>
> Could not disagree with you more on this. The good thing
> about Checkpoint centralized management is that the
> management piece can manage multiple firewalls. If you
> have multiple firewalls between the source and destination,
> the log, in real time, can tell you which firewalls accept
> the traffic and which ones drop the traffic. When it comes
> to troubleshooting, nothing beats tcpdump. Cisco's capture
> function is nowhere near tcpdump's capabilities.
>
> "MARS is a great product if you want a SIM"
>
> If you have a "Cisco" shop, then MARS is a great solution
> for you. However, if you have a heterogeneous environment,
> ArcSight or EIQ is a much superior solution.
>
> --- On Wed, 7/23/08, Phillips, Kevin
> <Kevin.Phillips@FTIConsulting.com> wrote:
>
> From: Phillips, Kevin <Kevin.Phillips@FTIConsulting.com>
> Subject: RE: ASA vs Checkpoint
> To: "David Tran" <davidtran_mclean@yahoo.com>, "sushil
> menon" <sushilmenon2001@gmail.com>
> Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer"
> <beyer@optonline.net>, ccielab@groupstudy.com,
> security@groupstudy.com
> Date: Wednesday, July 23, 2008, 9:41 AM
>
> This is quite a funny post as I have been beating up my
> Cisco SEs on exactly this point. I think they get it,
> but Cisco doesn't.
>
> A few years ago if you wanted a firewall, hands down it
> was Checkpoint, partly because of their AI. Today they all
> do the same: they pass or deny traffic based on defined
> criteria. Sure, one firewall may be faster than the next
> vendor's, but what is setting it apart for me is the
> management.
>
> MARS is a great product if you want a SIM, but if you want
> firewall events then you just need logs. Checkpoint and
> Juniper get this and have been doing this for years.
> Cisco never really offered this in their product line and
> when they decided to add it they went leaps and bounds
> ahead by going to MARS. MARS is not a firewall log tool,
> it is a SIM; it does event correlation and a lot of other
> features. Companies may not be ready to jump into buying
> a SIM as it may not be a requirement for that company, but
> being able to store firewall logs and search for them is a
> core function of an enterprise firewall product.
>
> CSM is still new but yet another piece that Checkpoint and
> Juniper have been doing for a while. Cisco never really
> offered a solution to manage firewalls, maintain objects,
> and standard policies across an enterprise.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> On Behalf Of David Tran
> Sent: Wednesday, July 23, 2008 7:01 AM
> To: sushil menon
> Cc: dip; Bill Eyer; ccielab@groupstudy.com;
> security@groupstudy.com
> Subject: Re: ASA vs Checkpoint
>
> "checkpoint support sucks big time as compared to cisco.
> see when u get stuck
> in live network all u care of some good guys to help u out
> of it this is where
> no one can touch cisco for sure."
>
> This part I completely agree with you on. Checkpoint TAC
> support sucks big time. This is one area where Cisco is
> really good.
>
> --- On Wed, 7/23/08, sushil menon
> <sushilmenon2001@gmail.com> wrote:
>
> From: sushil menon <sushilmenon2001@gmail.com>
> Subject: Re: ASA vs Checkpoint
> To: "David Tran" <davidtran_mclean@yahoo.com>
> Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer"
> <beyer@optonline.net>,
> ccielab@groupstudy.com, security@groupstudy.com
> Date: Wednesday, July 23, 2008, 2:17 AM
>
> i think it depends on what are u looking for.
>
> from cisco point of view the few advantages and
> disadvantages i feel.
>
> cisco is a lot cheaper than checkpoint. in checkpoint the
> biggest pain is the licensing model. u need license for
> everything so the cost of it goes very high. since it's a
> pure software u will have to invest on hardware again, like
> if u are thinking of secure platform then good ibm or hp
> server plus their support as well.
>
> checkpoint support sucks big time as compared to cisco.
> see when u get stuck in live network all u care of some
> good guys to help u out of it. this is where no one can
> touch cisco for sure.
>
> though checkpoint is famous for its gui, that's the only
> best thing i find in it. because it can be deployed on many
> different hardware, configuration on different hardware is
> tough because for most of the hardware u don't even get
> documentation for free. like nokia and crossbeam, u need
> login access to just view the documentation. there are
> hardly any good configuration examples that u could use.
>
> there is nothing very great that checkpoint does that
> cisco cannot do, except for few things like running vpns
> and running protocols in active/active mode.
>
> but where vpns are concerned i find cisco vpns much more
> scalable and easy. in checkpoint u have something called
> communities and according to communities u will have to
> decide whether u want to have mesh or star like vpns. in
> asa it's up to u, u can configure the way u want, need not
> worry about any communities.
>
> of course from a good management point of view, seeing the
> logs in nice format and all, u can go for checkpoint.
>
> if u are really looking for options i would say rather try
> juniper or fortinet. they are even better than both cisco
> and checkpoint.
>
> especially fortinet provides everything in a single asic
> based box. they have got ips, anti-spam, url-filtering,
> anti-virus, content-filtering all in a single box and their
> license cost is very less. their anti-virus has been winning
> 3 consecutive awards in anti-virus bulletin.
> they can do source based routing, source interface based
> routing, policy based routing and many more features.
>
> they have got their fortimanager like checkpoint to manage
> all the boxes from a single point and they have a fortilog
> analyser for consolidating all the logs at a single place.
>
> On Wed, Jul 23, 2008 at 7:56 AM, David Tran
> <davidtran_mclean@yahoo.com> wrote:
>
> "But there are downsides. It is software running on a
> computer, so you have some form of Linux or Windows under
> the hood. We run ours on a Nokia platform. The model we
> currently use is diskless, but some of our older ones had
> a hard disk that seemed to fail regularly. Plus keeping up
> with patching means not only patching Checkpoint, but also
> patching IPSO, which is Nokia's version of Linux."
>
> You should be using Secureplatform instead of Nokia. With
> Secureplatform, you go to a single vendor, Checkpoint,
> for support with both the OS and Checkpoint. Nokia is
> overpriced and overrated.
>
> Isn't RAID-1 supposed to resolve this issue? My
> Secureplatform has been up and running for almost five
> years with two reboots, because I upgraded it to HFA_17 and
> HFA_20.
>
> You will run into the same thing with Cisco as well. I
> can tell you from PIX version 7.2(x) alone, there are
> about 28 different versions out there.
>
> Checkpoint FireFly is high-end, running on IBM x3650.
>
> Checkpoint can terminate VPN in active/active but Cisco
> ASA cannot.
>
> Checkpoint is expensive and Cisco is not.
>
> Imagine managing a firewall with 20+ interfaces with
> Cisco, a very difficult task indeed. There is no Cisco
> centralized management like CP Provider-1 either, unless
> you count Cisco Security Manager, which runs on crappy
> Windows. This product is horrible. Even Cisco TAC
> recommends Solsoft over Cisco CSM.
>
> If you have the money, go with Checkpoint. Otherwise, go
> with Cisco.
>
> As someone put it, Checkpoint firewalls are like driving a
> Porsche or Audi while Cisco is like driving a Ford Pinto.
> Just like everything in life, you get what you pay for.
>
> --- On Tue, 7/22/08, Bill Eyer <beyer@optonline.net> wrote:
>
> From: Bill Eyer <beyer@optonline.net>
> Subject: Re: ASA vs Checkpoint
> To: "dip" <diptanshu.singh@gmail.com>
> Cc: ccielab@groupstudy.com, security@groupstudy.com
> Date: Tuesday, July 22, 2008, 7:34 PM
>
> Dip,
>
> For what it's worth, at our company we use a mix of
> Checkpoint and Cisco firewalls: the ASA, FWSM for the 6500
> and some older PIX units. This is a deliberate design
> solution on my part to provide diversity.
>
> Both manufacturers have advantages and disadvantages, and
> I will give you my rant on both of them.
>
> The Checkpoint is great for a couple of things. The
> management interface is still the best. Even I, who have
> never been to school on it, can easily configure and push
> policies. The logging system, while proprietary, is
> really nice. If my firewall engineers had their way, we
> would use only Checkpoint firewalls.
>
> But there are downsides. It is software running on a
> computer, so you have some form of Linux or Windows under
> the hood. We run ours on a Nokia platform. The model we
> currently use is diskless, but some of our older ones had
> a hard disk that seemed to fail regularly. Plus keeping up
> with patching means not only patching Checkpoint, but also
> patching IPSO, which is Nokia's version of Linux. Our
> Checkpoint reps recently told me they are coming out with
> their own appliance, which will feature integrated
> patching.
>
> Checkpoint is also "rental software". To legally keep it
> running you have to re-license it periodically. You also
> have to have a dedicated PC as a management server, and yes
> this has its own license. Lastly, Checkpoint support is
> really expensive, although third party support may be
> available from the appliance manufacturer. We get ours
> from Nokia. Unlike Cisco TAC, Nokia does draw the line at
> some support requests. For example, I asked them to walk me
> through installing the R55 patch and they told me I had to
> hire a VAR to do the work. I got around it but it was
> painful.
>
> Smart Defense, which is their version of IPS, also adds
> extra costs and, since it is implemented in software, has a
> dramatic effect on throughput.
>
> All in all it adds up to a higher cost than ASA.
>
> ASA wraps good things into a single box, and the cost is
> lower. However, the management GUI is not as easy to use
> (although recent generations are definitely better).
> Logging is also horrible. The logs on the built-in GUI
> are not nearly as nice as Checkpoint's, so you will
> probably find the need for some type of enterprise logging
> tool. The good news is that it is syslog, so any enterprise
> SIM tool should work. We actually use CS-MARS, but the
> staff still doesn't like it as much as Checkpoint.
>
> That's my rant anyway. If you have the money to pay for
> it, Checkpoint is really nice, but support is higher, both
> in cost and in time.
>
> In our case in the Data Center we use Checkpoint as a
> perimeter firewall, then sandwich our DMZ between the
> outside and inside firewalls. The theory is that if there
> is a vulnerability in one manufacturer a hacker can't
> exploit it to get all the way inside the enterprise. The
> inside firewalls are FWSM blades. For small sites we use
> ASA because cost is the driving factor there.
>
> Long post, and maybe off topic, but I am certain that
> other engineers will have their own opinions.
>
> Sincerely,
>
> Bill
>
> dip wrote:
> > Hi Guys,
> >
> > i have to evaluate between Cisco ASA and Checkpoint for
> > a big enterprise. I think this is a better place to ask
> > since lot of people would have worked on both products.
> >
> > Please provide me all the plus points which you saw in
> > checkpoint which you think currently Cisco ASA doesn't
> > have or vice versa.
> > Also what features checkpoint has which you think
> > should be a must in cisco Firewalls.
> >
> > Thanks
> > Dip
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

 




This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART