Re: ASA vs Checkpoint

From: Aun Raza (aun.raza@gmail.com)
Date: Fri Jul 25 2008 - 00:05:19 ART


You can do some real-time stuff with the ASA as well, using packet captures
on the firewall itself, if you want to see asp-drops, etc., along with the
usual packet captures. You can also simulate a packet using the
packet-tracer to see how it will be processed through the box, etc. There
are a bunch of other tools as well.

On Thu, Jul 24, 2008 at 10:20 PM, David Tran <davidtran_mclean@yahoo.com>
wrote:

> I am going to add more fuel to the fire !!!
>
> Yes, NetScreen is a good firewall with excellent throughput. I used to
> manage a pair of NetScreen/Juniper AS5200 about 3 years ago and for the
> most part, the throughput is excellent.
>
> The issue with Netscreen is it severely lacks the tools for
> troubleshooting. Just like Cisco, the information is not in real-time. If
> I recall correctly, it is snoop, not Solaris snoop but a snoop that will
> dump the output into a file and then you read the file. Well, if you do
> not have to do a lot of troubleshooting, then yes, Netscreen is the way to
> go. As for myself, I come from tcpdump and fw monitor. I like these tools
> because they tell me exactly where and why the traffic gets processed by
> the firewall on each particular interface. When you have a critical issue
> and something is not working and needs to be resolved right away, capture
> and snoop are not very efficient tools to solve critical issues.
>
> Netscreen also has a product called Netscreen Security Manager (NSM) that
> is a "knock-off" of Checkpoint Provider-1. In fact, the GUI look-and-feel
> is very similar to Checkpoint SmartConsole. I used this product in 2006
> and early 2007. The product is somewhat unstable. I tried to manage a pair
> of Netscreens via NSM and somehow the NSM lost my Netscreen configuration.
> If my recollection is correct, I was using NSM version 2007.1 release 2.
> I don't know if the product has improved since, but NSM is no Checkpoint
> Provider-1. One thing I have to give Netscreen credit for is that they
> don't develop NSM for the Windows platform, only Linux and Solaris. I
> guess that's why it is much more robust and stable than Cisco CSM.
>
> Netscreen is a good firewall if you don't have to make daily configuration
> changes. If that is not the case, you're looking at something maybe just
> a little bit than Cisco in terms of policy and configuration management.
> Remember, Netscreen has something called "zone-based" which is similar
> to ASA security levels.
>
> It's boiling down to what fits your environment and what you're
> comfortable with. I am a Cisco person but I like Checkpoint because of the
> management and logging piece.
>
> --- On Thu, 7/24/08, Abdul <rslab007@gmail.com> wrote:
> From: Abdul <rslab007@gmail.com>
> Subject: Re: ASA vs Checkpoint
> To: "David Tran" <davidtran_mclean@yahoo.com>
> Cc: joe@affirmedsystems.com, sushilmenon2001@gmail.com,
> Kevin.Phillips@fticonsulting.com, gabriel.bryson@minx.com,
> diptanshu.singh@gmail.com, beyer@optonline.net, ccielab@groupstudy.com,
> security@groupstudy.com
> Date: Thursday, July 24, 2008, 8:51 PM
>
> awh men. How can I add to such a juicy set of comments about this topic.
> God, I don't know about you, but I'm loving reading everyone's comments.
>
> Ok, here is my two cents. I come from a big financial enterprise
> environment that runs tons of multicast (in the form of market data)
> through our firewalls. The financial industry is moving towards
> microsecond latency sensitivity where every source of delay counts
> negatively towards the business. We get huge micro bursts of data unlike
> I've ever seen before (except when testing in the lab). The environment
> primarily was a Checkpoint firewall environment. It's steadily moving
> towards Juniper Netscreens. Here's why: performance & latency. The
> Checkpoints (as so many so eloquently expressed in this email trail) are
> feature rich, and very good with management, especially in an environment
> with tons of firewalls and huge policies. But they are failing when it
> comes to performance and latency. And while complaints abound from the
> Security Admins about the management piece of the Netscreens, its raw
> performance is simply much better than the Checkpoints'. And they are
> coming around with the feature support as well.
>
> So if performance & latency are your top requirements, then maybe an
> evaluation between the Junipers & ASA might be a better conversation.
>
> On Wed, Jul 23, 2008 at 5:41 PM, David Tran <davidtran_mclean@yahoo.com>
> wrote:
>
> "Recently I had a meeting with a large blue chip company that had been
> using Checkpoint exclusively. As they were purchasing various Cisco
> routers and switches from us, I was asked to attend a meeting where their
> security manager, who was a Checkpoint believer, wanted to ask a few
> questions about the ASA. After the Q&A session I could see that lots of
> what he said were related to the old PIX limitations. I then opened my
> laptop and connected to an ASA we have in a lab and demonstrated the ASA
> and let him play... They just purchased two ASAs to replace their
> Checkpoints."
>
> I don't know if you ever worked in a large enterprise or a Managed
> Security Service Provider (MSSP) but I would like to know if you can
> convert a Checkpoint security policy with over 25,000 objects and
> 800 security rules on Secureplatform gateways with 20+ interfaces.
> Add about 100+ crazy NAT rules in the policy and let's see if you can
> convert this CP security policy into an ASA security policy.
>
> Think you can do it? By the way, Cisco TAC couldn't do it either.
>
> I had a meeting with a Cisco SE in 2005 and he really touted
> both ASA and MARS, on how these products are much better than CP
> and Juniper. After I sat him down and showed him Checkpoint Provider-1
> and the requirements for my environment, ASA and CSM could not meet
> the requirements.
>
> Checkpoint has lots of drawbacks as well but overall it is a much
> better firewall than Cisco, especially for large enterprises and
> Service Providers.
>
> It's like owning a Porsche and owning a Honda Civic. Owning a Chevy is
> very easy. You just need to change the oil, for the most part, and
> everything will be fine. Owning a Porsche is much different. You need to
> have the money and the time to take care of that car. It is not that
> simple. Checkpoint is the same way. Checkpoint is like a Porsche and ASA
> is like a Honda Civic.
>
> --- On Wed, 7/23/08, gabriel.bryson@minx.com <gabriel.bryson@minx.com>
> wrote:
>
> From: gabriel.bryson@minx.com <gabriel.bryson@minx.com>
> Subject: RE: ASA vs Checkpoint
> To: joe@affirmedsystems.com, davidtran_mclean@yahoo.com,
> sushilmenon2001@gmail.com, Kevin.Phillips@FTIConsulting.com
> Cc: diptanshu.singh@gmail.com, beyer@optonline.net, ccielab@groupstudy.com,
> security@groupstudy.com
> Date: Wednesday, July 23, 2008, 4:08 PM
>
> After reading along all day at what people had to say about the ASA vs
> Checkpoint, if I were a complete novice that went exclusively on what was
> said in this forum, I think I might go with the ASA?? There is plenty
> said on the Checkpoint side about licensing, hardware, patching
> problems, more expensive, not great support from the manufacturers, and
> all that was said about the ASA is that it does not have a fantastic
> enterprise management solution, oh and the ASA VPN solution is rock
> solid???
> I think from my own experience the vast majority of people are put off
> the ASA because of the old PIX, its command line and horrible GUI (PDM),
> which the ASA has now revamped and replaced, making it just as easy as
> the Checkpoint to configure.
> Recently I had a meeting with a large blue chip company that had been
> using Checkpoint exclusively. As they were purchasing various Cisco
> routers and switches from us, I was asked to attend a meeting where their
> security manager, who was a Checkpoint believer, wanted to ask a few
> questions about the ASA. After the Q&A session I could see that lots of
> what he said were related to the old PIX limitations. I then opened my
> laptop and connected to an ASA we have in a lab and demonstrated the ASA
> and let him play... They just purchased two ASAs to replace their
> Checkpoints.
> PS check out the Miercom report on the ASA compared to its
> competitors??? Just google Miercom ASA
>
> My 2p worth
>
> Gabriel
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Joseph Brunner
> Sent: 23 July 2008 17:49
> To: 'David Tran'; 'sushil menon'; 'Phillips, Kevin'
> Cc: 'dip'; 'Bill Eyer'; ccielab@groupstudy.com; security@groupstudy.com
> Subject: RE: ASA vs Checkpoint
>
> David,
>
> Time and time again you save me millions of brain cells. Thank you...
>
> God Cisco has its sh*t in a twist... that server is massive to not be
> able to run CSM like google.com...
>
> WOW
>
> ;)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> David Tran
> Sent: Wednesday, July 23, 2008 10:30 AM
> To: sushil menon; Phillips, Kevin
> Cc: dip; Bill Eyer; ccielab@groupstudy.com; security@groupstudy.com
> Subject: RE: ASA vs Checkpoint
>
> "CSM is still new but yet another piece that Checkpoint and Juniper have
> been doing for a while. Cisco never really offered a solution to manage
> firewalls, maintain objects, and standard policies across an
> enterprise."
>
> This product is absolutely horrendous. I installed it on a Windows 2003
> Enterprise Edition with 16GB RAM and quad processors with quad-core and
> it is extremely slow. Totally unworkable across the VPN. The system
> becomes very sluggish after 5 users logging into the system. At the
> moment, I am having issues with installing Performance Monitor on the
> CSM. In other words, it is a broken product.
>
> "Companies may not be ready to jump into buying a SIM as it may not be a
> requirement for that company but being able to store firewall logs and
> search for them is a core function of an enterprise firewall product"
>
> Could not disagree with you more on this. The good thing about Checkpoint
> centralized management is that the management piece can manage multiple
> firewalls. If you have multiple firewalls between the source and
> destination, the log, in real time, can tell you which firewalls accept
> the traffic and which ones drop the traffic.
>
> When it comes to troubleshooting, nothing beats tcpdump. Cisco capture
> function is nowhere near tcpdump capabilities.
>
> "MARS is a great product if you want a SIM"
>
> If you have a "Cisco" shop, then MARS is a great solution for you.
> However, if you have a heterogeneous environment, ArcSight or EIQ is a
> much superior solution.
>
> --- On Wed, 7/23/08, Phillips, Kevin <Kevin.Phillips@FTIConsulting.com>
> wrote:
>
> From: Phillips, Kevin <Kevin.Phillips@FTIConsulting.com>
> Subject: RE: ASA vs Checkpoint
> To: "David Tran" <davidtran_mclean@yahoo.com>, "sushil menon"
> <sushilmenon2001@gmail.com>
> Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer" <beyer@optonline.net>,
> ccielab@groupstudy.com, security@groupstudy.com
> Date: Wednesday, July 23, 2008, 9:41 AM
>
> This is quite a funny post as I have been beating up my Cisco SEs on
> exactly this point. I think they get it, but Cisco doesn't.
>
> A few years ago if you wanted a firewall, hands down it was Checkpoint
> partly because of their AI. Today they all do the same, they pass or
> deny traffic based on defined criteria. Sure one firewall may be faster
> than the next vendor's, but what is setting it apart for me is the
> management.
>
> MARS is a great product if you want a SIM, but if you want firewall
> events then you just need logs, Checkpoint and Juniper get this and have
> been doing this for years. Cisco never really offered this in their
> product line and when they decided to add it they went leaps and bounds
> ahead by going to MARS. MARS is not a firewall log tool, it is a SIM,
> it does event correlation and a lot of other features. Companies may
> not be ready to jump into buying a SIM as it may not be a requirement
> for that company but being able to store firewall logs and search for
> them is a core function of an enterprise firewall product.
>
> CSM is still new but yet another piece that Checkpoint and Juniper have
> been doing for a while. Cisco never really offered a solution to manage
> firewalls, maintain objects, and standard policies across an
> enterprise.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> David Tran
> Sent: Wednesday, July 23, 2008 7:01 AM
> To: sushil menon
> Cc: dip; Bill Eyer; ccielab@groupstudy.com; security@groupstudy.com
> Subject: Re: ASA vs Checkpoint
>
> "checkpoint support sucks big time as compared to cisco. see when u get
> stuck in live network all u care of some good guys to help u out of it
> this is where no one can touch cisco for sure."
>
> This part I completely agree with you. Checkpoint TAC support sucks big
> time. This is one area where Cisco is really good.
>
> --- On Wed, 7/23/08, sushil menon <sushilmenon2001@gmail.com> wrote:
>
> From: sushil menon <sushilmenon2001@gmail.com>
> Subject: Re: ASA vs Checkpoint
> To: "David Tran" <davidtran_mclean@yahoo.com>
> Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer" <beyer@optonline.net>,
> ccielab@groupstudy.com, security@groupstudy.com
> Date: Wednesday, July 23, 2008, 2:17 AM
>
> i think it depends on what are u looking for.
>
> from cisco point of view the few advantages and disadvantages i feel.
>
> cisco is lot cheaper than checkpoint. in checkpoint the biggest pain is
> the licensing model. u need license for everything so the cost of it goes
> very high. since it's a pure software u will have to invest on hardware
> again like if u are thinking of secure platform then good ibm or hp
> server plus their support as well.
>
> checkpoint support sucks big time as compared to cisco. see when u get
> stuck in live network all u care of some good guys to help u out of it
> this is where no one can touch cisco for sure.
>
> though checkpoint is famous for its gui that's the only best thing i
> find in it. because it can be deployed on many different hardware
> configurations on different hardware is tough because for most of the
> hardware u don't even get a documentation for free like nokia and
> crossbeam u need login access to just view the documentation there are
> hardly any good configuration examples that u could use.
>
> there is nothing very great that checkpoint does that cisco cannot do.
> except for few things like running vpns and running protocols in
> active/active mode.
>
> but whereas vpns are concerned i find cisco vpns much scalable and easy.
> in checkpoint u have something called as communities and according to
> communities u will have to decide u want to have a mesh or star like
> vpns. in asa it's up to u can configure the way u want need not worry
> abt any communities.
>
> of course for good management point of view seeing the logs in nice
> format and all u can go for checkpoint.
>
> if u are really looking for options i would say rather try juniper or
> fortinet. they are even better than both cisco and checkpoint.
>
> especially fortinet provides everything in a single asic based box. they
> have got ips, anti-spam, url-filtering, anti-virus, content-filtering
> all in a single box and their license cost is very less. their anti-virus
> has been winning 3 consecutive awards in anti-virus bulletin.
>
> they can do source based routing, source interface based routing,
> policy based routing and many more features.
>
> they have got their fortimanager like checkpoint to manage all the boxes
> from a single point and they have a fortilog analyser for consolidating
> all the logs at a single place.
>
> On Wed, Jul 23, 2008 at 7:56 AM, David Tran <davidtran_mclean@yahoo.com>
> wrote:
>
> "But there are downsides. It is software running on a computer, so you
> have some form of Linux or Windows under the hood. We run ours on a
> Nokia platform. The model we currently use is diskless, but some of our
> older ones had a hard disk that seemed to fail regularly. Plus keeping up
> with patching means not only patching Checkpoint, but also patching
> IPSO, which is Nokia's version of Linux."
>
> You should be using Secureplatform instead of Nokia. With
> Secureplatform, you go to a single vendor, Checkpoint,
> for support with both OS and Checkpoint. Nokia is overpriced
> and overrated.
>
> Isn't RAID-1 supposed to resolve this issue? My Secureplatform
> has been up and running for almost five years with two reboots,
> because I upgraded it to HFA_17 and HFA_20.
>
> You will run into the same thing with Cisco as well. I can tell
> you from Pix version 7.2(x) alone, there are about 28 different
> versions out there.
>
> Checkpoint FireFly is high-end running on IBM x3650.
>
> Checkpoint can terminate VPN in active/active but Cisco ASA
> can not.
>
> Checkpoint is expensive and Cisco is not.
>
> Imagine managing a firewall with 20+ interfaces with Cisco, a
> very difficult task indeed. There is no Cisco centralized
> management like CP Provider-1 either, unless you count
> Cisco Security Manager which runs on crappy Windows. This
> product is horrible. Even Cisco TAC recommends Solsoft
> over Cisco CSM.
>
> If you have the money, go with Checkpoint. Otherwise, go
> with Cisco.
>
> As someone put it, Checkpoint firewalls are like driving a Porsche
> or Audi while Cisco is like driving a Ford Pinto. Just like
> everything in life, you get what you pay for.
>
> --- On Tue, 7/22/08, Bill Eyer <beyer@optonline.net> wrote:
>
> From: Bill Eyer <beyer@optonline.net>
> Subject: Re: ASA vs Checkpoint
> To: "dip" <diptanshu.singh@gmail.com>
> Cc: ccielab@groupstudy.com, security@groupstudy.com
> Date: Tuesday, July 22, 2008, 7:34 PM
>
> Dip,
>
> For what it's worth, at our company we use a mix of Checkpoint and Cisco
> firewalls, the ASA, FWSM for 6500 and some older PIX units. This is a
> deliberate design solution on my part to provide diversity.
>
> Both manufacturers have advantages and disadvantages, and I will give
> you my rant on both of them.
>
> The Checkpoint is great for a couple of things. The management
> interface is still the best. Even I, who have never been to school on
> it, can easily configure and push policies. The logging system, while
> proprietary, is really nice. If my firewall engineers had their way, we
> would use only Checkpoint firewalls.
>
> But there are downsides. It is software running on a computer, so you
> have some form of Linux or Windows under the hood. We run ours on a
> Nokia platform. The model we currently use is diskless, but some of our
> older ones had a hard disk that seemed to fail regularly. Plus keeping up
> with patching means not only patching Checkpoint, but also patching
> IPSO, which is Nokia's version of Linux. Our Checkpoint reps recently
> told me they are coming out with their own appliance, that will feature
> integrated patching.
>
> Checkpoint is also "rental software". To legally keep it running you
> have to re-license it periodically. You also have to have a dedicated
> PC as a management server, and yes this has its own license. Lastly
> Checkpoint support is really expensive, although third party support may
> be available from the appliance manufacturer. We get ours from Nokia.
>
> Unlike Cisco TAC, Nokia does draw the line at some support requests.
> For example I asked them to walk me through installing the R55 patch and
> they told me I had to hire a VAR to do the work. I got around it but it
> was painful.
>
> Smart Defense, which is their version of IPS, also adds extra costs and
> since it is implemented in software, has a dramatic effect on
> throughput.
>
> All in all it adds up to a higher cost than ASA.
>
> ASA wraps good things into a single box, and the cost is lower.
> However, the management GUI is not as easy to use (although recent
> generations are definitely better). Logging is also horrible. The logs
> on the built-in GUI are not nearly as nice as Checkpoint's, so you will
> probably find the need for some type of enterprise logging tool. The
> good news is that it is syslog so any enterprise SIM tool should work.
> We actually use CS-MARS, but the staff still doesn't like it as much as
> Checkpoint.
>
> That's my rant anyway. If you have the money to pay for it, Checkpoint
> is really nice, but support is higher, both in cost and in time.
>
> In our case in the Data Center we use Checkpoint as a perimeter
> firewall, then sandwich our DMZ between the outside and inside
> firewalls. The theory is that if there is a vulnerability in one
> manufacturer a hacker can't exploit it to get all the way inside the
> enterprise. The inside firewalls are FWSM blades. For small sites we
> use ASA because cost is the driving factor there.
>
> Long post, and maybe off topic, but I am certain that other engineers
> will have their own opinions.
>
> Sincerely,
>
> Bill
>
> dip wrote:
> > Hi Guys,
> >
> > I have to evaluate between Cisco ASA and Checkpoint for a big
> > enterprise. I think this is a better place to ask since a lot of people
> > would have worked on both products.
> >
> > Please provide me all the plus points which you saw in Checkpoint
> > which you think currently Cisco ASA doesn't have, or vice versa.
> > Also what features Checkpoint has which you think should be a must in
> > Cisco firewalls.
> >
> > Thanks
> > Dip
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

-- 
aun raza
pgp: 0x95A74924 (pgp.mit.edu)
web: aunraza.com
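The ASA-side troubleshooting workflow Aun describes at the top of the thread (on-box capture, asp-drop capture, and a packet-tracer dry run), written out as an added CLI walkthrough. It is not part of the original thread; the interface names, hosts and ports are constructed examples.

```cisco
! Added example, not from the thread. Interface names, hosts and ports are
! constructed placeholders; substitute your own. Run from privileged EXEC.

! 1. Dry-run the flow first. packet-tracer builds a synthetic packet and
!    walks it through route lookup, ACLs, NAT and inspection, reporting a
!    per-phase ALLOW/DROP and, on failure, the drop reason. Nothing is
!    actually transmitted, so this is safe on a production box.
packet-tracer input inside tcp 192.0.2.10 51000 203.0.113.20 443 detailed

! 2. If real traffic still fails, capture it on the ingress interface to
!    confirm the packets reach the firewall at all (the "usual" capture).
capture capin interface inside match tcp host 192.0.2.10 host 203.0.113.20 eq 443

! 3. Capture what the accelerated security path (ASP) discards, with the
!    drop reason attached to each frame. "all" records every drop type;
!    narrow it to a single reason once you know which counter is climbing.
capture drops type asp-drop all

! 4. Reproduce the failure from the client, then inspect both captures and
!    the aggregate drop counters by reason.
show capture capin
show capture drops
show asp drop

! 5. Clean up. Captures consume memory and keep running until removed.
no capture capin
no capture drops
```

Compare the packet-tracer verdict with what the asp-drop capture shows for the live flow; when the two disagree, the difference is usually state (an existing connection, NAT xlate, or inspection engine) that the synthetic packet did not exercise.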


This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:57 ART