From: verb2300@yahoo.com
Date: Thu Jul 24 2008 - 03:29:42 ART
Every vendor has their strengths; that's the reason they exist in the marketplace. What you need to do is figure out which one will work best in your architecture with the budget available and the resources that can support your infrastructure (and make sure you demo it before you buy it).
David Tran wrote:
> Say what? What do you call this:
> CiscoPix# conf t
> CiscoPix(config)# sh ver
> Cisco PIX Security Appliance Software Version 7.0(7)
> Compiled on Fri 06-Jul-07 10:37 by builders
> System image file is "flash:/pix707.bin"
> Config file at boot was "startup-config"
> CiscoPix up 15 hours 48 mins
> Hardware: PIX-515, 256 MB RAM, CPU Pentium 200 MHz
> Flash xxxxxxxx @ 0x300, 16MB
> BIOS Flash xxxxxxxx @ xxxxxxx, 32KB
> 0: Ext: Ethernet0 : address is xxxxxxxxxxxxx, irq 11
> 1: Ext: Ethernet1 : address is xxxxxxxxxxxxx, irq 10
> Licensed features for this platform:
> Maximum Physical Interfaces : 3
> Maximum VLANs : 10
> Inside Hosts : Unlimited
> Failover : Disabled
> VPN-DES : Enabled
> VPN-3DES-AES : Enabled
> Cut-through Proxy : Enabled
> Guards : Enabled
> URL Filtering : Enabled
> Security Contexts : 0
> GTP/GPRS : Disabled
> VPN Peers : Unlimited
> This platform has a Restricted (R) license.
> Serial Number: xxxxxxxxxx
> Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Configuration last modified by enable_15 at 01:42:06.417 UTC Thu Jul 24 2008
> CiscoPix(config)# fixup protocol ftp 21
> INFO: converting 'fixup protocol ftp 21' to MPF commands
> CiscoPix(config)#
> --- On Wed, 7/23/08, Brandon Carroll <brandon.j.carroll@gmail.com> wrote:
> From: Brandon Carroll <brandon.j.carroll@gmail.com>
> Subject: Re: Firewalls - Sidewinder
> To: istong@stong.org
> Cc: Reza.Sharifi@gdit.com, ccielab@groupstudy.com, security@groupstudy.com
> Date: Wednesday, July 23, 2008, 10:12 PM
> The PIX and ASA no longer use the "fixup" protocol....
> On Jul 23, 2008, at 6:16 PM, istong@stong.org wrote:
>> If you need that level of horsepower then it's a great
>> firewall. True application proxies versus the "fixup"
>> protocols used on the ASA and PIX.
>>
>>
>> Ian
>> www.ccie4u.com
>>
>>
>>
>>> Since we are on the subject of firewall comparison, can
>>> you guys comment on G2 Sidewinder 10G firewalls? I have a
>>> customer that requires Proxy, and Sidewinder is one of
>>> very few vendors that can do that. BTW, what are the
>>> benefits and advantages of proxy?
>>>
>>> Thanks,
>>> Reza
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
>>> On Behalf Of David Tran
>>> Sent: Wednesday, July 23, 2008 5:42 PM
>>> To: joe@affirmedsystems.com; sushilmenon2001@gmail.com;
>>> Kevin.Phillips@FTIConsulting.com; gabriel.bryson@minx.com
>>> Cc: diptanshu.singh@gmail.com; beyer@optonline.net;
>>> ccielab@groupstudy.com; security@groupstudy.com
>>> Subject: RE: ASA vs Checkpoint
>>>
>>> "Recently I had a meeting with a large blue chip company
>>> that had been using Checkpoint exclusively. As they were
>>> purchasing various Cisco routers and switches from us, I
>>> was asked to attend a meeting where their security manager,
>>> who was a Checkpoint believer, wanted to ask a few questions
>>> about the ASA. After the Q&A session I could see that lots
>>> of what he said was related to the old PIX limitations. I
>>> then opened my laptop and connected to an ASA we have in a
>>> lab and demonstrated the ASA and let him play... They just
>>> purchased two ASAs to replace their Checkpoints."
>>>
>>> I don't know if you have ever worked in a large enterprise
>>> or a Managed Security Service Provider (MSSP), but I would
>>> like to know if you can convert a Checkpoint security policy
>>> with over 25,000 objects and 800 security rules on
>>> Secureplatform gateways with 20+ interfaces. Add about
>>> 100+ crazy NAT rules to the policy and let's see if you can
>>> convert this CP security policy into an ASA security policy.
>>>
>>> Think you can do it? By the way, Cisco TAC couldn't do it
>>> either.
>>>
>>> I had a meeting with a Cisco SE in 2005, and he really
>>> touted both ASA and MARS as being much better than CP and
>>> Juniper. After I sat him down and showed him Checkpoint
>>> Provider-1 and the requirements for my environment, ASA
>>> and CSM could not meet the requirements.
>>>
>>> Checkpoint has lots of drawbacks as well, but overall it is
>>> a much better firewall than Cisco, especially for large
>>> enterprises and Service Providers.
>>>
>>> It's like owning a Porsche and owning a Honda Civic.
>>> Owning a Chevy is very easy. You just need to change the
>>> oil, for the most part, and everything will be fine. Owning
>>> a Porsche is much different. You need to have the money and
>>> the time to take care of that car. It is not that simple.
>>> Checkpoint is the same way. Checkpoint is like a Porsche
>>> and ASA is like a Honda Civic.
>>>
>>> --- On Wed, 7/23/08, gabriel.bryson@minx.com
>>> <gabriel.bryson@minx.com> wrote:
>>>
>>> From: gabriel.bryson@minx.com <gabriel.bryson@minx.com>
>>> Subject: RE: ASA vs Checkpoint
>>> To: joe@affirmedsystems.com, davidtran_mclean@yahoo.com,
>>> sushilmenon2001@gmail.com, Kevin.Phillips@FTIConsulting.com
>>> Cc: diptanshu.singh@gmail.com, beyer@optonline.net,
>>> ccielab@groupstudy.com, security@groupstudy.com
>>> Date: Wednesday, July 23, 2008, 4:08 PM
>>>
>>> After reading along all day at what people had to say
>>> about the ASA vs Checkpoint, if I were a complete novice
>>> that went exclusively on what was said in this forum, I
>>> think I might go with the ASA?? There is plenty said on
>>> the Checkpoint side about licensing, hardware, patching
>>> problems, more expensive, not great support from the
>>> manufacturers, and all that was said about the ASA is that
>>> it does not have a fantastic enterprise management solution,
>>> oh, and the ASA VPN solution is rock solid???
>>> I think from my own experience the vast majority of people
>>> are put off the ASA because of the old PIX, its command
>>> line and horrible GUI (PDM), which the ASA has now
>>> revamped and replaced, making it just as easy as the
>>> Checkpoint to configure. Recently I had a meeting with a
>>> large blue chip company that had been using Checkpoint
>>> exclusively. As they were purchasing various Cisco routers
>>> and switches from us, I was asked to attend a meeting where
>>> their security manager, who was a Checkpoint believer, wanted
>>> to ask a few questions about the ASA. After the Q&A
>>> session I could see that lots of what he said was related
>>> to the old PIX limitations. I then opened my laptop and
>>> connected to an ASA we have in a lab and demonstrated the
>>> ASA and let him play... They just purchased two ASAs to
>>> replace their Checkpoints.
>>> PS check out the Miercom report on the ASA compared to
>>> its competitors??? Just google Miercom ASA
>>>
>>> My 2p worth
>>>
>>>
>>> Gabriel
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
>>> On Behalf Of Joseph Brunner
>>> Sent: 23 July 2008 17:49
>>> To: 'David Tran'; 'sushil menon'; 'Phillips, Kevin'
>>> Cc: 'dip'; 'Bill Eyer'; ccielab@groupstudy.com;
>>> security@groupstudy.com
>>> Subject: RE: ASA vs Checkpoint
>>>
>>> David,
>>>
>>> Time and time again you save me millions of brain cells.
>>> Thank you...
>>>
>>> God Cisco has its sh*t in a twist... that server is
>>> massive to not be able
>>> to run CSM like google.com...
>>>
>>> WOW
>>>
>>> ;)
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
>>> On Behalf Of David Tran
>>> Sent: Wednesday, July 23, 2008 10:30 AM
>>> To: sushil menon; Phillips, Kevin
>>> Cc: dip; Bill Eyer; ccielab@groupstudy.com;
>>> security@groupstudy.com
>>> Subject: RE: ASA vs Checkpoint
>>>
>>> "CSM is still new but yet another piece that Checkpoint
>>> and Juniper have been doing for a while. Cisco never
>>> really offered a solution to manage firewalls, maintain
>>> objects, and standard policies across an enterprise."
>>>
>>> This product is absolutely horrendous. I installed it on
>>> a Windows 2003 Enterprise Edition server with 16GB RAM and
>>> quad processors, each quad-core, and it is extremely slow.
>>> Totally unworkable across the VPN. The system becomes
>>> very sluggish after 5 users log into the system. At the
>>> moment, I am having issues with installing Performance
>>> Monitor on the CSM. In other words, it is a broken product.
>>>
>>> "Companies may
>>> not be ready to jump into buying a SIM as it may not be a
>>> requirement for that company but being able to store
>>> firewall logs and search for them is a core function of an
>>> enterprise firewall product"
>>>
>>> Could not disagree with you more on this. The good thing
>>> about Checkpoint centralized management is that the
>>> management piece can manage multiple firewalls. If you
>>> have multiple firewalls between the source and destination,
>>> the log, in real time, can tell you which firewalls accept
>>> the traffic and which ones drop the traffic. When it comes
>>> to troubleshooting, nothing beats tcpdump. Cisco's capture
>>> function is nowhere near tcpdump's capabilities.
>>>
>>> "MARS is a great product if you want a SIM"
>>>
>>> If you have a "cisco" shop, then MARS is a great solution
>>> for you. However, if you have a heterogeneous environment,
>>> ArcSight or EIQ is a much superior solution.
>>>
>>> --- On Wed, 7/23/08, Phillips, Kevin
>>> <Kevin.Phillips@FTIConsulting.com> wrote:
>>>
>>> From: Phillips, Kevin <Kevin.Phillips@FTIConsulting.com>
>>> Subject: RE: ASA vs Checkpoint
>>> To: "David Tran" <davidtran_mclean@yahoo.com>, "sushil menon"
>>> <sushilmenon2001@gmail.com>
>>> Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer"
>>> <beyer@optonline.net>,
>>> ccielab@groupstudy.com, security@groupstudy.com
>>> Date: Wednesday, July 23, 2008, 9:41 AM
>>>
>>> This is quite a funny post as I have been beating up my
>>> Cisco SEs on exactly this point. I think they get it,
>>> but Cisco doesn't.
>>>
>>> A few years ago if you wanted a firewall, hands down it
>>> was Checkpoint partly because of their AI. Today they all
>>> do the same, they pass or deny traffic based on defined
>>> criteria. Sure, one firewall may be faster than the next
>>> vendor's, but what is setting it apart for me is the
>>> management.
>>>
>>> MARS is a great product if you want a SIM, but if you want
>>> firewall events then you just need logs, Checkpoint and
>>> Juniper get this and have been doing this for years.
>>> Cisco never really offered this in their product line and
>>> when they decided to add it they went leaps and bounds
>>> ahead by going to MARS. MARS is not a firewall log tool,
>>> it is a SIM, it does event correlation and a lot of other
>>> features. Companies may not be ready to jump into buying
>>> a SIM as it may not be a requirement for that company but
>>> being able to store firewall logs and search for them is a
>>> core function of an enterprise firewall product.
>>>
>>> CSM is still new but yet another piece that Checkpoint and
>>> Juniper have been doing for a while. Cisco never really
>>> offered a solution to manage firewalls, maintain objects,
>>> and standard policies across an enterprise.
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
>>> On Behalf Of David Tran
>>> Sent: Wednesday, July 23, 2008 7:01 AM
>>> To: sushil menon
>>> Cc: dip; Bill Eyer; ccielab@groupstudy.com;
>>> security@groupstudy.com
>>> Subject: Re: ASA vs Checkpoint
>>>
>>> "checkpoint support sucks big time as compared to cisco.
>>> see when u get stuck
>>> in live network all u care of some good guys to help u out
>>> of it this is where
>>> no one can touch cisco for sure."
>>>
>>> This part I completely agree with you on. Checkpoint TAC
>>> support sucks big time. This is one area where Cisco is
>>> really good.
>>>
>>> --- On Wed, 7/23/08, sushil menon
>>> <sushilmenon2001@gmail.com> wrote:
>>>
>>> From: sushil menon <sushilmenon2001@gmail.com>
>>> Subject: Re: ASA vs Checkpoint
>>> To: "David Tran" <davidtran_mclean@yahoo.com>
>>> Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer"
>>> <beyer@optonline.net>,
>>> ccielab@groupstudy.com, security@groupstudy.com
>>> Date: Wednesday, July 23, 2008, 2:17 AM
>>>
>>>
>>>
>>> i think it depends on what are u looking for.
>>>
>>> from cisco point of view the few advantages and
>>> disadvantages i feel.
>>>
>>> cisco is lot cheaper than checkpoint. in checkpoint the
>>> biggest pain is the
>>> licensing model. u need license for everything so the cost
>>> of it goes very
>>> high. since it's pure software u will have to invest in
>>> hardware again like
>>> if u are thinking of secure platform then good ibm or hp
>>> server plus their
>>> support as well.
>>>
>>> checkpoint support sucks big time as compared to cisco.
>>> see when u get stuck
>>> in live network all u care of some good guys to help u out
>>> of it this is where
>>> no one can touch cisco for sure.
>>>
>>> though checkpoint is famous for its gui that's the only
>>> best thing i find in
>>> it. because it can be deployed on many different hardware
>>> configuration on
>>> different hardware is tough because for most of the
>>> hardware u don't even get
>>> a documentation for free like nokia and crossbeam u need
>>> login access to just
>>> view the documentation there are hardly any good
>>> configuration examples that u
>>> could use.
>>>
>>> there is nothing very great that checkpoint does that
>>> cisco cannot do. except
>>> for few things like running vpns and running protocols in
>>> active/active mode.
>>>
>>> but whereas vpns are concerned i find cisco vpns much
>>> scalable and easy. in
>>> checkpoint u have something called as communities and
>>> according to communities
>>> u will have to decide u want to have a mesh or star like
>>> vpns. in asa it's
>>> up to u, u can configure the way u want, need not worry abt any
>>> communities.
>>>
>>> of course for good management point of view seeing the logs
>>> in nice format and
>>> all u can go for checkpoint.
>>>
>>> if u are really looking for options i would say rather try
>>> juniper or fortinet. they are even better than both cisco
>>> and checkpoint.
>>>
>>> especially fortinet provides everything in a single asic
>>> based box. they have got ips, anti-spam, url-filtering,
>>> anti-virus, content-filtering all in a single box and their
>>> license cost is very low. their anti-virus has been winning 3
>>> consecutive awards in anti-virus bulletin.
>>> they can do source based routing, source interface based
>>> routing, policy based routing and many more features.
>>>
>>> they have got their fortimanager like checkpoint to manage
>>> all the boxes from
>>> a single point and they have a fortilog analyser for
>>> consolidating all the
>>> logs at a single place.
>>>
>>> On Wed, Jul 23, 2008 at 7:56 AM, David Tran
>>> <davidtran_mclean@yahoo.com> wrote:
>>>
>>>
>>> "
>>> But there are downsides. It is software running on a
>>> computer, so you have some form of Linux or Windows under
>>> the hood. We run ours on a Nokia platform. The model we
>>> currently use is diskless, but some of our older ones had
>>> a hard disk that seemed to fail regularly. Plus keeping up
>>> with patching means not only patching Checkpoint, but also
>>> patching IPSO, which is Nokia's version of Linux."
>>>
>>> You should be using Secureplatform instead of Nokia. With
>>> Secureplatform, you go to a single vendor, Checkpoint,
>>> for support with both the OS and Checkpoint. Nokia is
>>> overpriced and overrated.
>>>
>>> Isn't RAID-1 supposed to resolve this issue? My
>>> Secureplatform has been up and running for almost five
>>> years with two reboots, because I upgraded it to HFA_17 and
>>> HFA_20.
>>>
>>> You will run into the same thing with Cisco as well. I
>>> can tell you from Pix version 7.2(x) alone, there are
>>> about 28 different versions out there.
>>>
>>> Checkpoint FireFly is high-end running on IBM x3650.
>>>
>>> Checkpoint can terminate VPN in active/active but Cisco
>>> ASA cannot.
>>>
>>> Checkpoint is expensive and Cisco is not.
>>>
>>> Imagine managing a firewall with 20+ interfaces with Cisco,
>>> a very difficult task indeed. There is no Cisco
>>> centralized management like CP Provider-1 either, unless
>>> you count Cisco Security Manager, which runs on crappy
>>> Windows. This product is horrible. Even Cisco TAC
>>> recommends Solsoft over Cisco CSM.
>>>
>>> If you have the money, go with Checkpoint. Otherwise, go
>>> with Cisco.
>>>
>>> As someone put it, Checkpoint firewalls are like driving a
>>> Porsche or Audi while Cisco is like driving a Ford Pinto.
>>> Just like everything in life, you get what you pay for.
>>>
>>> --- On Tue, 7/22/08, Bill Eyer <beyer@optonline.net> wrote:
>>> From: Bill Eyer <beyer@optonline.net>
>>> Subject: Re: ASA vs Checkpoint
>>> To: "dip" <diptanshu.singh@gmail.com>
>>> Cc: ccielab@groupstudy.com, security@groupstudy.com
>>> Date: Tuesday, July 22, 2008, 7:34 PM
>>>
>>> Dip,
>>>
>>> For what it's worth, at our company we use a mix of
>>> Checkpoint and Cisco firewalls, the ASA, FWSM for 6500 and
>>> some older PIX units. This is a deliberate design solution
>>> on my part to provide diversity.
>>>
>>> Both manufacturers have advantages and disadvantages, and
>>> I will give you my rant on both of them.
>>>
>>> The Checkpoint is great for a couple of things. The
>>> Management interface is still the best. Even I, who have
>>> never been to school on it can easily configure and push
>>> policies. The logging system, while proprietary, is
>>> really nice. If my firewall engineers had their way, we
>>> would use only Checkpoint firewalls.
>>>
>>> But there are downsides. It is software running on a
>>> computer, so you have some form of Linux or Windows under
>>> the hood. We run ours on a Nokia platform. The model we
>>> currently use is diskless, but some of our older ones had
>>> a hard disk that seemed to fail regularly. Plus keeping up
>>> with patching means not only patching Checkpoint, but also
>>> patching IPSO, which is Nokia's version of Linux. Our
>>> Checkpoint reps recently told me they are coming out with
>>> their own appliance, that will feature integrated
>>> patching.
>>>
>>> Checkpoint is also "rental software". To legally keep it
>>> running you have to re-license it periodically. You also
>>> have to have a dedicated PC as a management server, and yes,
>>> this has its own license. Lastly, Checkpoint support is really
>>> expensive, although third party support may be available
>>> from the appliance manufacturer. We get ours from Nokia.
>>> Unlike Cisco TAC, Nokia does draw the line at some support
>>> requests. For example, I asked them to walk me through
>>> installing the R55 patch and they told me I had to hire a
>>> VAR to do the work. I got around it but it was painful.
>>>
>>> Smart Defense, which is their version of IPS, also adds
>>> extra costs and since it is implemented in software, has a
>>> dramatic effect on throughput.
>>>
>>> All in all it adds up to a higher cost than ASA.
>>>
>>> ASA wraps good things into a single box, and the cost is
>>> lower. However, the management gui is not as easy to use
>>> (although recent generations are definitely better).
>>> Logging is also horrible. The logs on the built in gui
>>> are not nearly as nice as Checkpoint's, so you will
>>> probably find the need for some type of Enterprise logging
>>> tool. The good news is that it is syslog so any enterprise
>>> SIM tool should work. We actually use CS-MARS, but the
>>> staff still doesn't like it as much as Checkpoint.
>>>
>>> That's my rant anyway. If you have the money to pay for
>>> it, Checkpoint is really nice, but support is higher, both
>>> in cost and in time.
>>>
>>> In our case in the Data Center we use Checkpoint as a
>>> perimeter firewall, then sandwich our DMZ between the
>>> outside and inside firewalls. The theory is that if there
>>> is a vulnerability in one manufacturer a hacker can't
>>> exploit it to get all the way inside the enterprise. The
>>> inside firewalls are FWSM blades. For small sites we use
>>> ASA because cost is the driving factor there.
>>>
>>> Long post, and maybe off topic, but I am certain that
>>> other engineers will have their own opinions.
>>>
>>> Sincerely,
>>>
>>> Bill
>>>
>>> dip wrote:
>>>> Hi Guys,
>>>>
>>>> I have to evaluate between Cisco ASA and Checkpoint for
>>>> a big enterprise. I think this is a better place to ask
>>>> since lots of people would have worked on both products.
>>>>
>>>> Please provide me all the plus points which you saw in
>>>> Checkpoint which you think currently Cisco ASA doesn't
>>>> have, or vice versa. Also what features Checkpoint has
>>>> which you think should be a must in Cisco firewalls.
>>>>
>>>> Thanks
>>>> Dip
>>>>
>>>> __________________________________________________________
>>>> _____________ Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
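The `INFO: converting 'fixup protocol ftp 21' to MPF commands` line in David's PIX session is the point of contention between the two replies above. As an added illustration (not posted by anyone in this thread), this is the legacy command beside the Modular Policy Framework configuration that PIX 7.x and ASA keep for it; the class-map and policy-map names are the platform defaults, and the running config is assumed to be otherwise unmodified.

```text
! Legacy PIX 6.x syntax. Still accepted on 7.x, but the device rewrites it
! into the MPF statements below rather than storing the fixup line itself.
fixup protocol ftp 21

! Equivalent Modular Policy Framework (MPF) configuration on PIX 7.x / ASA:
! - the class-map matches each protocol on its default inspection port
!   (for FTP that is TCP/21, which is why 'fixup protocol ftp 21' maps here)
! - the policy-map attaches the FTP inspection engine to that class
! - the service-policy applies the policy to all interfaces ('global')
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

! Confirm the inspection engine is active and counting sessions:
show service-policy inspect ftp
```

The practical consequence for a defender is that inspection is now a per-class policy, so a review of what the box actually inspects should read `show running-config policy-map` rather than look for `fixup` lines that will no longer be there.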
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART