From: David Tran (davidtran_mclean@yahoo.com)
Date: Thu Jul 24 2008 - 01:00:04 ART
Say what? What do you call this:
CiscoPix# conf t
CiscoPix(config)# sh ver
Cisco PIX Security Appliance Software Version 7.0(7)
Compiled on Fri 06-Jul-07 10:37 by builders
System image file is "flash:/pix707.bin"
Config file at boot was "startup-config"
CiscoPix up 15 hours 48 mins
Hardware: PIX-515, 256 MB RAM, CPU Pentium 200 MHz
Flash xxxxxxxx @ 0x300, 16MB
BIOS Flash xxxxxxxx @ xxxxxxx, 32KB
0: Ext: Ethernet0 : address is xxxxxxxxxxxxx, irq 11
1: Ext: Ethernet1 : address is xxxxxxxxxxxxx, irq 10
Licensed features for this platform:
Maximum Physical Interfaces : 3
Maximum VLANs : 10
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has a Restricted (R) license.
Serial Number: xxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Configuration last modified by enable_15 at 01:42:06.417 UTC Thu Jul 24 2008
CiscoPix(config)# fixup protocol ftp 21
INFO: converting 'fixup protocol ftp 21' to MPF commands
CiscoPix(config)#
--- On Wed, 7/23/08, Brandon Carroll <brandon.j.carroll@gmail.com> wrote:
From: Brandon Carroll <brandon.j.carroll@gmail.com>
Subject: Re: Firewalls - Sidewinder
To: istong@stong.org
Cc: Reza.Sharifi@gdit.com, ccielab@groupstudy.com, security@groupstudy.com
Date: Wednesday, July 23, 2008, 10:12 PM
The pix and asa no longer use the "fixup" protocol....
On Jul 23, 2008, at 6:16 PM, istong@stong.org wrote:
> If you need that level of horsepower then it's a great
> firewall. True application proxies versus the "fixup"
> protocols used on the ASA and PIX.
>
>
> Ian
> www.ccie4u.com
>
>
>
>> Since we are on the subject of firewall comparison, can
>> you guys comment on G2 Sidewinder 10G firewalls? I have a
>> customer that requires Proxy, and Sidewinder is one of
>> very few vendors that can do that. BTW, what are the
>> benefits and advantages of proxy?
>>
>> Thanks,
>> Reza
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
>> On Behalf Of David Tran
>> Sent: Wednesday, July 23, 2008 5:42 PM
>> To: joe@affirmedsystems.com; sushilmenon2001@gmail.com;
>> Kevin.Phillips@FTIConsulting.com; gabriel.bryson@minx.com
>> Cc: diptanshu.singh@gmail.com; beyer@optonline.net;
>> ccielab@groupstudy.com; security@groupstudy.com
>> Subject: RE: ASA vs Checkpoint
>>
>> "Recently I had a meeting with a large blue chip company
>> that had been using checkpoint exclusively. As they were
>> purchasing various Cisco Routers and switches from us, I
>> was asked to attend a meeting where their security manager,
>> who was a Checkpoint believer, wanted to ask a few questions
>> about the ASA. After the Q&A session I could see that lots
>> of what he said were related to the old Pix limitations. I
>> then opened my laptop and connected to an ASA we have in a
>> lab and demonstrated the ASA and let him play...They just
>> purchased two ASA's to replace their Checkpoints."
>>
>> I don't know if you ever work in a large enterprise or a
>> Managed Security Service Provider (MSSP) but I would like
>> to know if you can convert a Checkpoint security policy
>> with over 25,000 objects and 800 security rules on a
>> Secureplatform gateways with 20+ interfaces. Add about
>> 100+ crazy NAT rules in the policy and let see if you can
>> convert this CP security policy into ASA security policy.
>>
>> Think you can do it? By the way, cisco TAC couldn't do it
>> either.
>>
>> I had a meeting with a Cisco SE in 2005 and he really
>> touted both ASA and MARS on how these products are much
>> better than CP and Juniper. After I sat him down and
>> showed him Checkpoint Provider-1 and the requirements for
>> my environment, ASA and CSM could not meet the requirements.
>>
>> Checkpoint has lots of drawback as well but overall it is
>> much better firewall than Cisco, especially for large
>> enterprise and Service Providers.
>>
>> It's like owning a Porsche and owning a Honda Civic.
>> Owning a Chevy is very easy. You just need to change oil,
>> for the most part and everything will be fine. Owning a
>> Porsche is much different. You need to have the money and
>> the time to take care of that car. It is not that simple.
>> Checkpoint is the same way. Checkpoint is like a Porsche
>> and ASA is like a Honda Civic.
>>
>> --- On Wed, 7/23/08, gabriel.bryson@minx.com
>> <gabriel.bryson@minx.com> wrote:
>>
>> From: gabriel.bryson@minx.com <gabriel.bryson@minx.com>
>> Subject: RE: ASA vs Checkpoint
>> To: joe@affirmedsystems.com, davidtran_mclean@yahoo.com,
>> sushilmenon2001@gmail.com,
>> Kevin.Phillips@FTIConsulting.com Cc:
>> diptanshu.singh@gmail.com, beyer@optonline.net,
>> ccielab@groupstudy.com, security@groupstudy.com
>> Date: Wednesday, July 23, 2008, 4:08 PM
>>
>> After reading along all day at what people had to say
>> about the ASA vs Checkpoint, if I was a complete novice
>> that went exclusively on what was said in this forum, I
>> think I might go with the ASA?? There is plenty said on
>> the checkpoint side about licensing, hardware, patching
>> problems, more expensive, not great support from the
>> manufacturers, and all that was said about the ASA is that
>> it does not have a fantastic enterprise management solution,
>> oh and the ASA vpn solution is rock solid???
>> I think from my own experience the vast majority of people
>> are put off the ASA because of the old PIX, its command
>> line and horrible GUI (PDM), which the ASA has now
>> revamped and replaced, making it just as easy as the
>> Checkpoint to configure. Recently I had a meeting with a
>> large blue chip company that had been using checkpoint
>> exclusively. As they were purchasing various Cisco Routers
>> and switches from us, I was asked to attend a meeting where
>> their security manager, who was a Checkpoint believer, wanted
>> to ask a few questions about the ASA. After the Q&A
>> session I could see that lots of what he said were related
>> to the old Pix limitations. I then opened my laptop and
>> connected to an ASA we have in a lab and demonstrated the
>> ASA and let him play...They just purchased two ASA's to
>> replace their Checkpoints.
>> PS check out the Miercom report on the ASA compared to
>> its competitors??? Just google Miercom ASA
>>
>> My 2p worth
>>
>>
>> Gabriel
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
>> On Behalf Of Joseph Brunner
>> Sent: 23 July 2008 17:49
>> To: 'David Tran'; 'sushil menon'; 'Phillips, Kevin'
>> Cc: 'dip'; 'Bill Eyer'; ccielab@groupstudy.com;
>> security@groupstudy.com
>> Subject: RE: ASA vs Checkpoint
>>
>> David,
>>
>> Time and time again you save me millions of brain cells.
>> Thank you...
>>
>> God Cisco has its sh*t in a twist... that server is
>> massive to not be able
>> to run CSM like google.com...
>>
>> WOW
>>
>> ;)
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
>> On Behalf Of David Tran
>> Sent: Wednesday, July 23, 2008 10:30 AM
>> To: sushil menon; Phillips, Kevin
>> Cc: dip; Bill Eyer; ccielab@groupstudy.com;
>> security@groupstudy.com Subject: RE: ASA vs Checkpoint
>>
>> "CSM is still new but yet another piece that Checkpoint
>> and Juniper have been doing for a while. Cisco never
>> really offered a solution to manage firewalls, maintain
>> objects, and standard policies across an enterprise."
>>
>> This product is absolutely horrendous. I installed it on
>> a Windows 2003 Enterprise Edition with 16GB RAM and quad
>> processors with quad-core and it is extremely slow.
>> Totally unworkable across the VPN. The system becomes
>> very sluggish after 5 users logging into the system. At
>> the moment, I am having issues with installing
>> Performance Monitor on the CSM. In other words, it is a
>> broken product.
>>
>> "Companies may
>> not be ready to jump into buying a SIM as it may not be a
>> requirement for that company but being able to store
>> firewall logs and search for them is a core function of an
>> enterprise firewall product"
>>
>> Could not disagree with you more on this. The good thing
>> about Checkpoint centralized management is that the
>> management piece can manage multiple firewalls. If you
>> have multiple firewalls between the source and
>> destination, the log, in real time, can tell you which
>> firewalls accept the traffic and which ones drop the
>> traffic. When it comes to troubleshooting, nothing beats
>> tcpdump. Cisco capture function is nowhere near tcpdump
>> capabilities.
>>
>> "MARS is a great product if you want a SIM"
>>
>> If you have a "cisco" shop, then MARS is a great solution
>> for you. However,
>> if you
>> have a heterogeneous environment, ArcSight or EIQ is a
>> much superior solution.
>>
>> --- On Wed, 7/23/08, Phillips, Kevin
>> <Kevin.Phillips@FTIConsulting.com> wrote:
>>
>> From: Phillips, Kevin <Kevin.Phillips@FTIConsulting.com>
>> Subject: RE: ASA vs Checkpoint
>> To: "David Tran" <davidtran_mclean@yahoo.com>,
>> "sushil menon" <sushilmenon2001@gmail.com>
>> Cc: "dip" <diptanshu.singh@gmail.com>,
>> "Bill Eyer" <beyer@optonline.net>,
>> ccielab@groupstudy.com, security@groupstudy.com
>> Date: Wednesday, July 23, 2008, 9:41 AM
>>
>> This is quite a funny post as I have been beating up my
>> Cisco SE's on exactly this point. I think they get it,
>> but Cisco doesn't.
>>
>> A few years ago if you wanted a firewall, hands down it
>> was Checkpoint partly because of their AI. Today they all
>> do the same, they pass or deny traffic based on defined
>> criteria. Sure one firewall may be faster than the next
>> vendors, but what is setting it apart for me is the
>> management.
>>
>> MARS is a great product if you want a SIM, but if you want
>> firewall events then you just need logs, Checkpoint and
>> Juniper get this and have been doing this for years.
>> Cisco never really offered this in their product line and
>> when they decided to add it they went leaps and bounds
>> ahead by going to MARS. MARS is not a firewall log tool,
>> it is a SIM, it does event correlation and a lot of other
>> features. Companies may not be ready to jump into buying
>> a SIM as it may not be a requirement for that company but
>> being able to store firewall logs and search for them is a
>> core function of an enterprise firewall product.
>>
>> CSM is still new but yet another piece that Checkpoint and
>> Juniper have been doing for a while. Cisco never really
>> offered a solution to manage firewalls, maintain objects,
>> and standard policies across an enterprise.
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
>> On Behalf Of David Tran
>> Sent: Wednesday, July 23, 2008 7:01 AM
>> To: sushil menon
>> Cc: dip; Bill Eyer; ccielab@groupstudy.com;
>> security@groupstudy.com Subject: Re: ASA vs Checkpoint
>>
>> "checkpoint support sucks big time as compared to cisco.
>> see when u get stuck
>> in live network all u care of some good guys to help u out
>> of it this is where
>> no one can touch cisco for sure."
>>
>> This part I completely agree with you. Checkpoint TAC
>> support sucks big time. This is one area where Cisco is
>> really good at.
>>
>> --- On Wed, 7/23/08, sushil menon
>> <sushilmenon2001@gmail.com> wrote:
>>
>> From: sushil menon <sushilmenon2001@gmail.com>
>> Subject: Re: ASA vs Checkpoint
>> To: "David Tran" <davidtran_mclean@yahoo.com>
>> Cc: "dip" <diptanshu.singh@gmail.com>,
>> "Bill Eyer" <beyer@optonline.net>,
>> ccielab@groupstudy.com, security@groupstudy.com
>> Date: Wednesday, July 23, 2008, 2:17 AM
>>
>>
>>
>> i think it depends on what are u looking for.
>>
>> from cisco point of view the few advantages and
>> disadvantages i feel.
>>
>> cisco is lot cheaper than checkpoint. in checkpoint the
>> biggest pain is the
>> licensing model. u need license for everything so the cost
>> of it goes very
>> high. since it's a pure software u will have to invest on
>> hardware again like
>> if u are thinking of secure platform then good ibm or hp
>> server plus their
>> support as well.
>>
>> checkpoint support sucks big time as compared to cisco.
>> see when u get stuck
>> in live network all u care of some good guys to help u out
>> of it this is where
>> no one can touch cisco for sure.
>>
>> though checkpoint is famous for its gui that's the only
>> best thing i find in
>> it. because it can be deployed on many different hardware
>> configuration on
>> different hardware is tough because for most of the
>> hardware u don't even get
>> a documentation for free like nokia and crossbeam u need
>> login access to just
>> view the documentation there are hardly any good
>> configuration examples that u
>> could use.
>>
>> there is nothing very great that checkpoint does that
>> cisco cannot do. except
>> for few things like running vpns and running protocols in
>> active/active mode.
>>
>> but whereas vpns are concerned i find cisco vpns much
>> scalable and easy. in
>> checkpoint u have something called as communities and
>> according to communities
>> u will have to decide u want to have a mesh or star like
>> vpns. in asa it's
>> upto u can configure the way u want need not worry abt any
>> communities.
>>
>> of course for good management point of view seeing the logs
>> in nice format and
>> all u can go for checkpoint.
>>
>> if u are really looking for options i would say rather try
>> juniper or fortinet. they are even better than both cisco
>> and checkpoint.
>>
>> especially fortinet provides everything in a single asic
>> based box. they have
>> got ips,anti-spam,url-filtering,anti-virus
>> ,content-filtering all in a single
>> box and their license cost is very less . their anti-virus
>> has been winning 3
>> consecutive awards in anti-virus bulletin.
>> they can do source based routing, source interface based
>> routing, policy
>> based routing and many more features .
>>
>> they have got their fortimanager like checkpoint to manage
>> all the boxes from
>> a single point and they have a fortilog analyser for
>> consolidating all the
>> logs at a single place.
>>
>> On Wed, Jul 23, 2008 at 7:56 AM, David Tran
>> <davidtran_mclean@yahoo.com> wrote:
>>
>>
>> "
>> But there are downsides. It is software running on a
>> computer, so you have some form of Linux or Windows under
>> the hood. We run ours on a Nokia platform. The model we
>> currently use is diskless, but some of our older ones had
>> a hard disk that seemed to fail regularly. Plus keeping up
>> with patching means not only patching Checkpoint, but also
>> patching IPSO, which is Nokia's version of Linux."
>>
>> You should be using Secureplatform instead of Nokia. With
>> Secureplatform, you go to a single vendor, Checkpoint,
>> for support with both OS and Checkpoint. Nokia is
>> overpriced and overrated.
>>
>> Isn't RAID-1 supposed to resolve this issue? My
>> Secureplatform has been up and running for almost five
>> years with two reboots, because I upgraded it to HFA_17 and
>> HFA_20.
>>
>> You will run into the same thing with Cisco as well. I
>> can tell you from Pix version 7.2(x) alone, there are
>> about 28 different versions out there.
>>
>> Checkpoint FireFly is high-end running on IBM x3650.
>>
>> Checkpoint can terminate VPN in active/active but Cisco
>> ASA can not,
>>
>> Checkpoint is expensive and cisco is not
>>
>> Imagine managing a firewall with 20+ interfaces with
>> Cisco, a very difficult task indeed. There is no cisco
>> centralized management like CP Provider-1 either, unless
>> you count Cisco Security Manager which run on crappy
>> windows. This product is horrible. Even Cisco TAC
>> recommends Solsoft over Cisco CSM.
>>
>> If you have the money, go with Checkpoint. Otherwise, go
>> with Cisco.
>>
>> As someone put it, Checkpoint firewalls is like driving a
>> Porsche or Audi while Cisco is like driving a Ford Pinto.
>> Just like everything in life, you get what you pay for.
>>
>> --- On Tue, 7/22/08, Bill Eyer <beyer@optonline.net>
>> wrote: From: Bill Eyer <beyer@optonline.net>
>> Subject: Re: ASA vs Checkpoint
>> To: "dip" <diptanshu.singh@gmail.com>
>> Cc: ccielab@groupstudy.com, security@groupstudy.com
>> Date: Tuesday, July 22, 2008, 7:34 PM
>>
>> Dip,
>>
>> For what it's worth, at our company we use a mix of
>> Checkpoint and Cisco firewalls, the ASA, FWSM for 6500 and
>> some older PIX units. This is a deliberate design solution
>> on my part to provide diversity.
>>
>> Both manufacturers have advantages and dis-advantages, and
>> I will give you my rant on both of them.
>>
>> The Checkpoint is great for a couple of things. The
>> Management interface is still the best. Even I, who have
>> never been to school on it can easily configure and push
>> policies. The logging system, while proprietary, is
>> really nice. If my firewall engineers had their way, we
>> would use only Checkpoint firewalls.
>>
>> But there are downsides. It is software running on a
>> computer, so you have some form of Linux or Windows under
>> the hood. We run ours on a Nokia platform. The model we
>> currently use is diskless, but some of our older ones had
>> a hard disk that seemed to fail regularly. Plus keeping up
>> with patching means not only patching Checkpoint, but also
>> patching IPSO, which is Nokia's version of Linux. Our
>> Checkpoint reps recently told me they are coming out with
>> their own appliance, that will feature integrated
>> patching.
>>
>> Checkpoint is also "rental software". To legally keep it
>> running you have to re-license it periodically. You also
>> have to have a dedicated PC as a management server, and
>> yes this has its own license. Lastly Checkpoint support
>> is really expensive, although third party support may be
>> available from the appliance manufacturer. We get ours
>> from Nokia. Unlike Cisco TAC, Nokia does draw the line at
>> some support requests. For example I asked them to walk
>> me through installing the R55 patch and they told me I
>> had to hire a VAR to do the work. I got around it but it
>> was painful.
>>
>> Smart Defense, which is their version of IPS also adds
>> extra costs and since it is implemented in software, has a
>> dramatic effect on throughput.
>>
>> All in all it adds up to a higher cost than ASA.
>>
>> ASA wraps good things into a single box, and the cost is
>> lower. However, the management gui is not as easy to use
>> (although recent generations are definitely better).
>> Logging is also horrible. The logs on the built in gui
>> are not nearly as nice as Checkpoints, so you will
>> probably find the need for some type of Enterprise logging
>> tool. The good news is that it is syslog so any enterprise
>> SIM tool should work. We actually use CS-MARS, but the
>> staff still doesn't like it as much as Checkpoint.
>>
>> That's my rant anyway. If you have the money to pay for
>> it, Checkpoint is really nice, but support is higher, both
>> in cost and in time.
>>
>> In our case in the Data Center we use Checkpoint as a
>> perimeter firewall, then sandwich our DMZ between the
>> outside and inside firewalls. The theory is that if there
>> is a vulnerability in one manufacturer a hacker can't
>> exploit it to get all the way inside the enterprise. The
>> inside firewalls are FWSM blades. For small sites we use
>> ASA because cost is the driving factor there.
>>
>> Long post, and maybe off topic, but I am certain that
>> other engineers will have their own opinions.
>>
>> Sincerely,
>>
>> Bill
>>
>> dip wrote:
>>> Hi Guys,
>>>
>>> i have to evaluate between Cisco ASA and Checkpoint for
>>> a big enterprise. I think this is a better place to ask
>>> since lot of people would have worked on both products.
>>>
>>> Please provide me all the plus points which you saw in
>>> checkpoint which you think currently Cisco ASA doesn't
>>> have or vice versa.
>>> Also what features checkpoint has which you think
>>> should be must in cisco Firewalls.
>>>
>>>
>>>
>>> Thanks
>>> Dip
>>>
>>>
>>>
>> __________________________________________________________
>>> _____________ Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>
>
>
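What the INFO line in the PIX session at the top of this thread refers to, shown here as an added illustration that is not part of any message in the thread: on PIX/ASA 7.x the legacy `fixup protocol ftp 21` command is still accepted, but the box rewrites it into the Modular Policy Framework (MPF) form, so `fixup` survives only as a compatibility alias. The equivalent MPF configuration is the default global inspection policy with FTP inspection enabled. The class-map and policy-map names below are the platform defaults; the exact lines the conversion produced on David's box are not shown on the page, so treat this as the expected result rather than a transcript, and the `!` lines are comments added for this example.

```text
! Traffic selector: matches the default inspection ports for each
! protocol (for FTP that is TCP/21, the port the fixup command named)
class-map inspection_default
 match default-inspection-traffic
!
! Inspection actions applied to that class. 'inspect ftp' is what
! 'fixup protocol ftp 21' is converted into; it lets the firewall
! follow the PORT/PASV commands and open the data channel dynamically
! instead of leaving a wide range of ports permanently open
policy-map global_policy
 class inspection_default
  inspect ftp
!
! Apply the policy to every interface
service-policy global_policy global
```

After entering a legacy `fixup` command, `show running-config policy-map` shows only the MPF form; no `fixup` line is kept. The practical check is to confirm the `inspect ftp` line landed under the class you intended (here the default class that matches TCP/21) rather than trusting that the alias did what the old command meant, since the port the fixup named only takes effect through the class-map's match.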
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART