Re: Firewalls - Sidewinder

From: istong@stong.org
Date: Wed Jul 23 2008 - 23:22:29 ART


I suppose you are talking about the commands such as the
following:

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225

I think if you research it a bit you will find out the level
of application proxying a Sidewinder does versus an ASA is
quite a bit more extensive.

Thanks,

Ian
www.ccie4u.com
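
As an added configuration example (not part of Ian's post and not quoted from Cisco documentation), here is the legacy PIX 6.x "fixup" syntax beside the ASA Modular Policy Framework equivalent that Ian's snippet is an excerpt from, followed by the show commands used to confirm the inspection engines are active. The class-map and policy-map names are the ASA factory defaults; the port numbers shown are the protocol defaults.

```cisco
! --- Legacy PIX 6.x syntax (pre-7.0): one global "fixup" per protocol ---
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719

! --- ASA / PIX 7.x and later: Modular Policy Framework equivalent ---
! Class map: the built-in default class matches each inspected
! protocol on its default port (ftp/21, h225/1720, ras/1718-1719, ...).
class-map inspection_default
 match default-inspection-traffic
!
! Policy map: attach the protocol inspection engines to that class.
! "strict" makes the FTP engine reject commands that do not follow
! RFC 959 ordering instead of only tracking the data channel.
policy-map global_policy
 class inspection_default
  inspect ftp strict
  inspect h323 h225
  inspect h323 ras
!
! Apply the policy on every interface.
service-policy global_policy global
!
! Verify: per-class packet counters show the engines are seeing traffic.
show service-policy global
show service-policy inspect ftp
```

The point of the comparison for the thread: an ASA "inspect" engine is a stateful protocol fixup (it follows the control channel, opens the negotiated data pinholes and can enforce command syntax), whereas an application proxy terminates the client session and originates a new one to the server; which of the two a customer needs is the question Reza asked below.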

> The pix and asa no longer use the "fixup" protocol....
>
>
> On Jul 23, 2008, at 6:16 PM, istong@stong.org wrote:
>
> > If you need that level of horsepower then it's a great
> > firewall. True application proxies versus the "fixup"
> > protocols used on the ASA and PIX.
> >
> >
> > Ian
> > www.ccie4u.com
> >
> >
> >
> >> Since we are on the subject of firewall comparison, can
> >> you guys comment on G2 Sidewinder 10G firewalls? I have a
> >> customer that requires Proxy, and Sidewinder is one of
> >> very few vendors that can do that. BTW, what are the
> >> benefits and advantages of proxy?
> >>
> >> Thanks,
> >> Reza
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> >> On Behalf Of David Tran
> >> Sent: Wednesday, July 23, 2008 5:42 PM
> >> To: joe@affirmedsystems.com; sushilmenon2001@gmail.com;
> >> Kevin.Phillips@FTIConsulting.com; gabriel.bryson@minx.com
> >> Cc: diptanshu.singh@gmail.com; beyer@optonline.net;
> >> ccielab@groupstudy.com; security@groupstudy.com
> >> Subject: RE: ASA vs Checkpoint
> >>
> >> "Recently I had a meeting with a large blue chip company
> >> that had been using checkpoint exclusively, As they were
> >> purchasing various Cisco Routers and switches from us, I
> >> was asked to attend a meeting where their security manager,
> >> who was a Checkpoint believer, wanted to ask a few questions
> >> about the ASA. After the Q&A session I could see that lots
> >> of what he said were related to the old Pix limitations, I
> >> then opened my laptop and connected to an ASA we have in a
> >> lab and demonstrated the ASA and let him play...They just
> >> purchased two ASA's to replace their Checkpoints."
> >> I don't know if you ever worked in a large enterprise or a
> >> Managed Security Service Provider (MSSP) but I would like
> >> to know if you can convert a Checkpoint security policy
> >> with over 25,000 objects and 800 security rules on
> >> Secureplatform gateways with 20+ interfaces. Add about
> >> 100+ crazy NAT rules in the policy and let's see if you can
> >> convert this CP security policy into ASA security policy.
> >> Think you can do it? By the way, cisco TAC couldn't do it
> >> either.
> >>
> >> I had a meeting with a Cisco SE in 2005 and he really
> >> touted both ASA and MARS on how these products are much
> >> better than CP and Juniper. After I sat him down and
> >> showed Checkpoint Provider-1 and requirements for my
> >> environment, ASA and CSM could not meet the requirements.
> >> Checkpoint has lots of drawbacks as well but overall it is
> >> a much better firewall than Cisco, especially for large
> >> enterprise and Service Providers.
> >>
> >> It's like owning a Porsche and owning a Honda Civic.
> >> Owning a Chevy is very easy. You just need to change oil,
> >> for the most part, and everything will be fine. Owning a
> >> Porsche is much different. You need to have the money and
> >> the time to take care of that car. It is not that simple.
> >> Checkpoint is the same way. Checkpoint is like a Porsche
> >> and ASA is like a Honda Civic.
> >>
> >>
> >>
> >>
> >> --- On Wed, 7/23/08, gabriel.bryson@minx.com
> >> <gabriel.bryson@minx.com> wrote:
> >>
> >> From: gabriel.bryson@minx.com <gabriel.bryson@minx.com>
> >> Subject: RE: ASA vs Checkpoint
> >> To: joe@affirmedsystems.com, davidtran_mclean@yahoo.com,
> >> sushilmenon2001@gmail.com, Kevin.Phillips@FTIConsulting.com
> >> Cc: diptanshu.singh@gmail.com, beyer@optonline.net,
> >> ccielab@groupstudy.com, security@groupstudy.com
> >> Date: Wednesday, July 23, 2008, 4:08 PM
> >>
> >> After reading along all day at what people had to say
> >> about the ASA vs Checkpoint, if I was a complete novice
> >> that went exclusively on what was said in this forum, I
> >> think I might go with the ASA?? There is plenty said on
> >> the checkpoint side about licensing, hardware, patching
> >> problems, more expensive, not great support from the
> >> manufacturers, and all that was said about the ASA is that
> >> it does not have a fantastic enterprise management solution,
> >> oh and the ASA vpn solution is rock solid???
> >>
> >> I think from my own experience the vast majority of people
> >> are put off the ASA because of the old PIX, its command
> >> line and horrible GUI (PDM), which the ASA have now
> >> revamped and replaced, making it just as easy as the
> >> Checkpoint to configure. Recently I had a meeting with a
> >> large blue chip company that had been using checkpoint
> >> exclusively, As they were purchasing various Cisco Routers
> >> and switches from us, I was asked to attend a meeting where
> >> their security manager, who was a Checkpoint believer, wanted
> >> to ask a few questions about the ASA. After the Q&A
> >> session I could see that lots of what he said were related
> >> to the old Pix limitations, I then opened my laptop and
> >> connected to an ASA we have in a lab and demonstrated the
> >> ASA and let him play...They just purchased two ASA's to
> >> replace their Checkpoints.
> >>
> >> PS check out the Miercom report on the ASA compared to
> >> its competitors??? Just google Miercom ASA
> >> My 2p worth
> >>
> >>
> >> Gabriel
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> >> On Behalf Of Joseph Brunner
> >> Sent: 23 July 2008 17:49
> >> To: 'David Tran'; 'sushil menon'; 'Phillips, Kevin'
> >> Cc: 'dip'; 'Bill Eyer'; ccielab@groupstudy.com;
> >> security@groupstudy.com
> >> Subject: RE: ASA vs Checkpoint
> >>
> >> David,
> >>
> >> Time and time again you save me millions of brain cells.
> >> Thank you...
> >>
> >> God Cisco has its sh*t in a twist... that server is
> >> massive to not be able to run CSM like google.com...
> >>
> >> WOW
> >>
> >> ;)
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> >> On Behalf Of David Tran
> >> Sent: Wednesday, July 23, 2008 10:30 AM
> >> To: sushil menon; Phillips, Kevin
> >> Cc: dip; Bill Eyer; ccielab@groupstudy.com;
> >> security@groupstudy.com
> >> Subject: RE: ASA vs Checkpoint
> >>
> >> "CSM is still new but yet another piece that Checkpoint
> >> and Juniper have been doing for a while. Cisco never
> >> really offered a solution to manage firewalls, maintain
> >> objects, and standard policies across an enterprise."
> >>
> >> This product is absolutely horrendous. I installed it on
> >> a Windows 2003 Enterprise Edition with 16GB RAM and quad
> >> processors with quad-core and it is extremely slow.
> >> Totally unworkable across the VPN. The system becomes
> >> very sluggish after 5 users logging into the system. At
> >> the moment, I am having issues with installing Performance
> >> Monitor on the CSM. In other words, it is a broken product.
> >>
> >> "Companies may not be ready to jump into buying a SIM as
> >> it may not be a requirement for that company but being
> >> able to store firewall logs and search for them is a core
> >> function of an enterprise firewall product"
> >>
> >> Could not disagree with you more on this. The good thing
> >> about Checkpoint centralized management is that the
> >> management piece can manage multiple firewalls. If you
> >> have multiple firewalls between the source and destination,
> >> the log, in real time, can tell you which firewalls accept
> >> the traffic and which one drops the traffic. When it comes
> >> to troubleshooting, nothing beats tcpdump. Cisco capture
> >> function is nowhere near tcpdump capabilities.
> >>
> >> "MARS is a great product if you want a SIM"
> >>
> >> If you have a "cisco" shop, then MARS is a great solution
> >> for you. However, if you have a heterogeneous environment,
> >> ArcSight or EIQ is a much superior solution.
> >>
> >>
> >>
> >>
> >> --- On Wed, 7/23/08, Phillips, Kevin
> >> <Kevin.Phillips@FTIConsulting.com> wrote:
> >>
> >> From: Phillips, Kevin <Kevin.Phillips@FTIConsulting.com>
> >> Subject: RE: ASA vs Checkpoint
> >> To: "David Tran" <davidtran_mclean@yahoo.com>, "sushil
> >> menon" <sushilmenon2001@gmail.com>
> >> Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer"
> >> <beyer@optonline.net>,
> >> ccielab@groupstudy.com, security@groupstudy.com
> >> Date: Wednesday, July 23, 2008, 9:41 AM
> >>
> >> This is quite a funny post as I have been beating up my
> >> Cisco SE's on exactly this point. I think they get it,
> >> but Cisco doesn't.
> >>
> >> A few years ago if you wanted a firewall, hands down it
> >> was Checkpoint partly because of their AI. Today they all
> >> do the same, they pass or deny traffic based on defined
> >> criteria. Sure one firewall may be faster than the next
> >> vendor's, but what is setting it apart for me is the
> >> management.
> >>
> >> MARS is a great product if you want a SIM, but if you want
> >> firewall events then you just need logs, Checkpoint and
> >> Juniper get this and have been doing this for years.
> >> Cisco never really offered this in their product line and
> >> when they decided to add it they went leaps and bounds
> >> ahead by going to MARS. MARS is not a firewall log tool,
> >> it is a SIM, it does event correlation and a lot of other
> >> features. Companies may not be ready to jump into buying
> >> a SIM as it may not be a requirement for that company but
> >> being able to store firewall logs and search for them is a
> >> core function of an enterprise firewall product.
> >>
> >> CSM is still new but yet another piece that Checkpoint and
> >> Juniper have been doing for a while. Cisco never really
> >> offered a solution to manage firewalls, maintain objects,
> >> and standard policies across an enterprise.
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> >> On Behalf Of David Tran
> >> Sent: Wednesday, July 23, 2008 7:01 AM
> >> To: sushil menon
> >> Cc: dip; Bill Eyer; ccielab@groupstudy.com;
> >> security@groupstudy.com
> >> Subject: Re: ASA vs Checkpoint
> >>
> >> "checkpoint support sucks big time as compared to cisco.
> >> see when u get stuck in live network all u care of some
> >> good guys to help u out of it this is where no one can
> >> touch cisco for sure."
> >>
> >> This part I completely agree with you. Checkpoint TAC
> >> support sucks big time. This is one area where Cisco is
> >> really good at.
> >>
> >> --- On Wed, 7/23/08, sushil menon
> >> <sushilmenon2001@gmail.com> wrote:
> >>
> >> From: sushil menon <sushilmenon2001@gmail.com>
> >> Subject: Re: ASA vs Checkpoint
> >> To: "David Tran" <davidtran_mclean@yahoo.com>
> >> Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer"
> >> <beyer@optonline.net>,
> >> ccielab@groupstudy.com, security@groupstudy.com
> >> Date: Wednesday, July 23, 2008, 2:17 AM
> >>
> >>
> >>
> >> i think it depends on what are u looking for.
> >>
> >> from cisco point of view the few advantages and
> >> disadvantages i feel.
> >>
> >> cisco is lot cheaper than checkpoint. in checkpoint the
> >> biggest pain is the licensing model. u need license for
> >> everything so the cost of it goes very high. since it's a
> >> pure software u will have to invest on hardware again like
> >> if u are thinking of secure platform then good ibm or hp
> >> server plus their support as well.
> >>
> >> checkpoint support sucks big time as compared to cisco.
> >> see when u get stuck in live network all u care of some
> >> good guys to help u out of it this is where no one can
> >> touch cisco for sure.
> >>
> >> though checkpoint is famous for its gui that's the only
> >> best thing i find in it. because it can be deployed on
> >> many different hardware configuration on different
> >> hardware is tough because for most of the hardware u don't
> >> even get a documentation for free like nokia and crossbeam
> >> u need login access to just view the documentation there
> >> are hardly any good configuration examples that u could
> >> use.
> >>
> >> there is nothing very great that checkpoint does that
> >> cisco cannot do. except for few things like running vpns
> >> and running protocols in active/active mode.
> >>
> >> but whereas vpns are concerned i find cisco vpns much
> >> scalable and easy. in checkpoint u have something called
> >> as communities and according to communities u will have to
> >> decide u want to have a mesh or star like vpns. in asa it's
> >> upto u can configure the way u want need not worry abt any
> >> communities.
> >>
> >> ofcourse for good management point of view seeing the logs
> >> in nice format and all u can go for checkpoint.
> >>
> >> if u are really looking for options i would say rather try
> >> juniper or fortinet. they are even better than both cisco
> >> and checkpoint.
> >>
> >> especially fortinet provides everything in a single asic
> >> based box. they have got ips, anti-spam, url-filtering,
> >> anti-virus, content-filtering all in a single box and
> >> their license cost is very less. their anti-virus has been
> >> winning 3 consecutive awards in anti-virus bulletin. they
> >> can do source based routing, source interface based
> >> routing, policy based routing and many more features.
> >>
> >> they have got their fortimanager like checkpoint to manage
> >> all the boxes from a single point and they have a fortilog
> >> analyser for consolidating all the logs at a single place.
> >>
> >> On Wed, Jul 23, 2008 at 7:56 AM, David Tran
> >> <davidtran_mclean@yahoo.com> wrote:
> >>
> >>
> >> "But there are downsides. It is software running on a
> >> computer, so you have some form of Linux or Windows under
> >> the hood. We run ours on a Nokia platform. The model we
> >> currently use is diskless, but some of our older ones had
> >> a harddisk that seemed to fail regularly. Plus keeping up
> >> with patching means not only patching Checkpoint, but also
> >> patching IPSO, which is Nokia's version of Linux."
> >>
> >> You should be using Secureplatform instead of Nokia. With
> >> Secureplatform, you go to a single vendor, Checkpoint, for
> >> support with both OS and Checkpoint. Nokia is overpriced
> >> and overrated.
> >>
> >> Isn't RAID-1 supposed to resolve this issue? My
> >> Secureplatform has been up and running for almost five
> >> years with two reboots, because I upgraded it to HFA_17
> >> and HFA_20.
> >>
> >> You will run into the same thing with Cisco as well. I
> >> can tell you from Pix version 7.2(x) alone, there are
> >> about 28 different versions out there.
> >>
> >> Checkpoint FireFly is high-end running on IBM x3650.
> >>
> >> Checkpoint can terminate VPN in active/active but Cisco
> >> ASA can not,
> >>
> >> Checkpoint is expensive and cisco is not
> >>
> >> Imagine managing a firewall with 20+ interfaces with Cisco,
> >> a very difficult task indeed. There is no cisco centralized
> >> management like CP Provider-1 either, unless you count
> >> Cisco Security Manager which runs on crappy windows. This
> >> product is horrible. Even Cisco TAC recommends Solsoft
> >> over Cisco CSM.
> >>
> >> If you have the money, go with Checkpoint. Otherwise, go
> >> with Cisco.
> >>
> >> As someone put it, Checkpoint firewalls are like driving a
> >> Porsche or Audi while Cisco is like driving a Ford Pinto.
> >> Just like everything in life, you get what you pay for.
> >> --- On Tue, 7/22/08, Bill Eyer <beyer@optonline.net> wrote:
> >>
> >> From: Bill Eyer <beyer@optonline.net>
> >> Subject: Re: ASA vs Checkpoint
> >> To: "dip" <diptanshu.singh@gmail.com>
> >> Cc: ccielab@groupstudy.com, security@groupstudy.com
> >> Date: Tuesday, July 22, 2008, 7:34 PM
> >>
> >>
> >>
> >>
> >> Dip,
> >>
> >> For what it's worth, at our company we use a mix of
> >> Checkpoint and Cisco firewalls, the ASA, FWSM for 6500 and
> >> some older PIX units. This is a deliberate design solution
> >> on my part to provide diversity.
> >>
> >> Both manufacturers have advantages and disadvantages, and
> >> I will give you my rant on both of them.
> >>
> >> The Checkpoint is great for a couple of things. The
> >> Management interface is still the best. Even I, who have
> >> never been to school on it, can easily configure and push
> >> policies. The logging system, while proprietary, is
> >> really nice. If my firewall engineers had their way, we
> >> would use only Checkpoint firewalls.
> >>
> >> But there are downsides. It is software running on a
> >> computer, so you have some form of Linux or Windows under
> >> the hood. We run ours on a Nokia platform. The model we
> >> currently use is diskless, but some of our older ones had
> >> a harddisk that seemed to fail regularly. Plus keeping up
> >> with patching means not only patching Checkpoint, but also
> >> patching IPSO, which is Nokia's version of Linux. Our
> >> Checkpoint reps recently told me they are coming out with
> >> their own appliance, that will feature integrated
> >> patching.
> >>
> >> Checkpoint is also "rental software". To legally keep it
> >> running you have to re-license it periodically. You also
> >> have to have a dedicated PC as a management server, and
> >> yes this has its own license. Lastly Checkpoint support
> >> is really expensive, although third party support may
> >> be available from the appliance manufacturer. We get
> >> ours from Nokia. Unlike Cisco TAC, Nokia does draw the
> >> line at some support requests. For example I asked them
> >> to walk me through installing the R55 patch and they
> >> told me I had to hire a VAR to do the work. I got
> >> around it but it was painful.
> >> Smart Defense, which is their version of IPS, also adds
> >> extra costs and since it is implemented in software, has a
> >> dramatic effect on throughput.
> >>
> >> All and all it adds up to a higher cost than ASA.
> >>
> >> ASA wraps good things into a single box, and the cost is
> >> lower. However, the management gui is not as easy to use
> >> (although recent generations are definitely better).
> >> Logging is also horrible. The logs on the built in gui
> >> are not nearly as nice as Checkpoint's, so you will
> >> probably find the need for some type of Enterprise logging
> >> tool. The good news is that it is syslog so any enterprise
> >> SIM tool should work. We actually use CS-MARS, but the
> >> staff still doesn't like it as much as Checkpoint.
> >> That's my rant anyway. If you have the money to pay for
> >> it, Checkpoint is really nice, but support is higher, both
> >> in cost and in time.
> >>
> >> In our case in the Data Center we use Checkpoint as a
> >> perimeter firewall, then sandwich our DMZ between the
> >> outside and inside firewalls. The theory is that if there
> >> is a vulnerability in one manufacturer a hacker can't
> >> exploit it to get all the way inside the enterprise. The
> >> inside firewalls are FWSM blades. For small sites we use
> >> ASA because cost is the driving factor there.
> >> Long post, and maybe off topic, but I am certain that
> >> other engineers will have their own opinions.
> >>
> >> Sincerely,
> >>
> >> Bill
> >>
> >> dip wrote:
> >>> Hi Guys,
> >>>
> >>> i have to evaluate between Cisco ASA and Checkpoint for
> >>> a big enterprise. I think this is a better place to ask
> >>> since lot of people would have worked on both products.
> >>>
> >>> Please provide me all the plus points which you saw in
> >>> checkpoint which you think currently Cisco ASA doesn't
> >>> have or vice versa. Also what features checkpoint has
> >>> which you think should be must in cisco Firewalls.
> >>>
> >>>
> >>>
> >>> Thanks
> >>> Dip
> >>>
> >>>
> >>>
> >>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >
> >
> >

 

_________________________________________

Check your Email accounts at http://www.MyEmail.com

Login from home, work, school. Anywhere!



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART