Re: ASA vs Checkpoint

From: Muhammad Nasim (muhammad.nasim@gmail.com)
Date: Fri Jul 25 2008 - 07:21:50 ART


I think this is the first time I've heard that NSM did not do well for you. I've
heard that people are managing 100+ Netscreen products using NSM and it works
fine for them : )

2008/7/25 Aun Raza <aun.raza@gmail.com>:

> You can do some real-time stuff with the ASA as well, using packet captures
> on the firewall itself, if you want to see asp-drops, etc., along with the
> usual packet captures. You can also simulate a packet using packet-tracer to
> see how it will be processed through the box, etc. There are a bunch of
> other tools as well.
>
> On Thu, Jul 24, 2008 at 10:20 PM, David Tran <davidtran_mclean@yahoo.com>
> wrote:
>
> > I am going to add more fuel to the fire !!!
> >
> > Yes, NetScreen is a good firewall with excellent throughput. I used to
> > manage a pair of NetScreen/Juniper AS5200 about 3 years ago and for the
> > most part, the throughput is excellent.
> >
> > The issue with Netscreen is it severely lacks the tools for
> > troubleshooting. Just like Cisco, the information is not in real time. If
> > I recall correctly, it is snoop, not Solaris snoop but a snoop that will
> > dump the output into a file and then you read the file. Well, if you do
> > not have to do a lot of troubleshooting, then yes, Netscreen is the way to
> > go. As for myself, I come from tcpdump and fw monitor. I like these tools
> > because they tell me exactly where and why the traffic gets processed by
> > the firewall on each particular interface. When you have a critical issue
> > and something is not working and needs to be resolved right away, capture
> > and snoop are not very efficient tools to solve critical issues.
> >
> > Netscreen also has a product called Netscreen Security Manager (NSM) that
> > is a "knock-off" of Checkpoint Provider-1. In fact, the GUI look-and-feel
> > is very similar to Checkpoint SmartConsole. I used this product in 2006
> > and early 2007. The product is somewhat unstable. I tried to manage a pair
> > of Netscreens via NSM and somehow the NSM lost my Netscreen configuration.
> > If my recollection is correct, I was using NSM version 2007.1 release 2.
> > I don't know if the product has improved since, but NSM is no Checkpoint
> > Provider-1. One thing I have to give Netscreen credit for is that they
> > don't develop NSM for the Windows platform, only Linux and Solaris. I
> > guess that's why it is much more robust and stable than Cisco CSM.
> >
> > Netscreen is a good firewall if you don't have to make daily
> > configuration changes. If that is not the case, you're looking at
> > something maybe just a little bit than Cisco in terms of policy and
> > configuration management. Remember, Netscreen has something called
> > "zone-based" which is similar to ASA security levels.
> >
> > It boils down to what fits your environment and what you're comfortable
> > with. I am a Cisco person but I like Checkpoint because of the management
> > and logging piece.
> >
> > --- On Thu, 7/24/08, Abdul <rslab007@gmail.com> wrote:
> > From: Abdul <rslab007@gmail.com>
> > Subject: Re: ASA vs Checkpoint
> > To: "David Tran" <davidtran_mclean@yahoo.com>
> > Cc: joe@affirmedsystems.com, sushilmenon2001@gmail.com,
> > Kevin.Phillips@fticonsulting.com, gabriel.bryson@minx.com,
> > diptanshu.singh@gmail.com, beyer@optonline.net, ccielab@groupstudy.com,
> > security@groupstudy.com
> > Date: Thursday, July 24, 2008, 8:51 PM
> >
> > Aw man. How can I add to such a juicy set of comments about this topic.
> > God, I don't know about you, but I'm loving reading everyone's comments.
> >
> > Ok, here is my two cents. I come from a big financial enterprise
> > environment that runs tons of multicast (in the form of market data)
> > through our firewalls. The financial industry is moving towards
> > microsecond latency sensitivity where every source of delay counts
> > negatively towards the business. We get huge micro bursts of data unlike
> > I've ever seen before (except when testing in the lab). The environment
> > primarily was a Checkpoint firewall environment. It's steadily moving
> > towards Juniper Netscreens. Here's why: performance & latency. The
> > Checkpoints (as so many so eloquently expressed in this email trail) are
> > feature rich, and very good with management, especially in an environment
> > with tons of firewalls and huge policies. But they are failing when it
> > comes to performance and latency. And while complaints abound from the
> > security admins about the management piece of the Netscreens, their raw
> > performance is simply much better than the Checkpoints'. And they are
> > coming around with the feature support as well.
> >
> > So if performance & latency are your top requirements, then maybe an
> > evaluation between the Junipers & ASA might be a better conversation.
> >
> >
> >
> >
> >
> > On Wed, Jul 23, 2008 at 5:41 PM, David Tran <davidtran_mclean@yahoo.com>
> > wrote:
> >
> >
> > "Recently I had a meeting with a large blue chip company that had been
> > using Checkpoint exclusively. As they were purchasing various Cisco
> > routers and switches from us, I was asked to attend a meeting where their
> > security manager, who is a Checkpoint believer, wanted to ask a few
> > questions about the ASA. After the Q&A session I could see that lots of
> > what he said were related to the old PIX limitations. I then opened my
> > laptop and connected to an ASA we have in a lab and demonstrated the ASA
> > and let him play... They just purchased two ASAs to replace their
> > Checkpoints."
> >
> > I don't know if you have ever worked in a large enterprise or a Managed
> > Security Service Provider (MSSP), but I would like to know if you can
> > convert a Checkpoint security policy with over 25,000 objects and
> > 800 security rules on Secureplatform gateways with 20+ interfaces.
> > Add about 100+ crazy NAT rules to the policy and let's see if you can
> > convert this CP security policy into an ASA security policy.
> >
> > Think you can do it? By the way, Cisco TAC couldn't do it either.
> >
> > I had a meeting with a Cisco SE in 2005 and he really touted
> > both ASA and MARS as being much better than CP and Juniper. After I sat
> > him down and showed him Checkpoint Provider-1 and the requirements for my
> > environment, ASA and CSM could not meet the requirements.
> >
> > Checkpoint has lots of drawbacks as well but overall it is a much
> > better firewall than Cisco, especially for large enterprises and
> > service providers.
> >
> > It's like owning a Porsche and owning a Honda Civic. Owning a Chevy is
> > very easy. You just need to change the oil, for the most part, and
> > everything will be fine. Owning a Porsche is much different. You need to
> > have the money and the time to take care of that car. It is not that
> > simple. Checkpoint is the same way. Checkpoint is like a Porsche and ASA
> > is like a Honda Civic.
> >
> >
> >
> >
> >
> > --- On Wed, 7/23/08, gabriel.bryson@minx.com <gabriel.bryson@minx.com>
> > wrote:
> >
> > From: gabriel.bryson@minx.com <gabriel.bryson@minx.com>
> > Subject: RE: ASA vs Checkpoint
> > To: joe@affirmedsystems.com, davidtran_mclean@yahoo.com,
> > sushilmenon2001@gmail.com, Kevin.Phillips@FTIConsulting.com
> > Cc: diptanshu.singh@gmail.com, beyer@optonline.net,
> > ccielab@groupstudy.com, security@groupstudy.com
> > Date: Wednesday, July 23, 2008, 4:08 PM
> >
> > After reading along all day at what people had to say about the ASA vs
> > Checkpoint, if I was a complete novice that went exclusively on what was
> > said in this forum, I think I might go with the ASA?? There is plenty
> > said on the Checkpoint side about licensing, hardware, patching
> > problems, more expensive, not great support from the manufacturers, and
> > all that was said about the ASA is that it does not have a fantastic
> > enterprise management solution, oh and the ASA VPN solution is rock
> > solid???
> > I think from my own experience the vast majority of people are put off
> > the ASA because of the old PIX, its command line and horrible GUI (PDM),
> > which the ASA has now revamped and replaced, making it just as easy as
> > the Checkpoint to configure.
> > Recently I had a meeting with a large blue chip company that had been
> > using Checkpoint exclusively. As they were purchasing various Cisco
> > routers and switches from us, I was asked to attend a meeting where their
> > security manager, who is a Checkpoint believer, wanted to ask a few
> > questions about the ASA. After the Q&A session I could see that lots of
> > what he said were related to the old PIX limitations. I then opened my
> > laptop and connected to an ASA we have in a lab and demonstrated the ASA
> > and let him play... They just purchased two ASAs to replace their
> > Checkpoints.
> > PS check out the Miercom report on the ASA compared to its
> > competitors??? Just google Miercom ASA
> >
> > My 2p worth
> >
> > Gabriel
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Joseph Brunner
> > Sent: 23 July 2008 17:49
> > To: 'David Tran'; 'sushil menon'; 'Phillips, Kevin'
> > Cc: 'dip'; 'Bill Eyer'; ccielab@groupstudy.com; security@groupstudy.com
> > Subject: RE: ASA vs Checkpoint
> >
> > David,
> >
> > Time and time again you save me millions of brain cells. Thank you...
> >
> > God, Cisco has its sh*t in a twist... that server is massive to not be
> > able to run CSM like google.com...
> >
> > WOW
> >
> > ;)
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > David Tran
> > Sent: Wednesday, July 23, 2008 10:30 AM
> > To: sushil menon; Phillips, Kevin
> > Cc: dip; Bill Eyer; ccielab@groupstudy.com; security@groupstudy.com
> > Subject: RE: ASA vs Checkpoint
> >
> > "CSM is still new but yet another piece that Checkpoint and Juniper have
> > been doing for a while. Cisco never really offered a solution to manage
> > firewalls, maintain objects, and standard policies across an
> > enterprise."
> >
> > This product is absolutely horrendous. I installed it on a Windows 2003
> > Enterprise Edition with 16GB RAM and quad processors with quad-core and
> > it is extremely slow. Totally unworkable across the VPN. The system
> > becomes very sluggish after 5 users log into the system. At the moment,
> > I am having issues with installing Performance Monitor on the CSM. In
> > other words, it is a broken product.
> >
> > "Companies may not be ready to jump into buying a SIM as it may not be a
> > requirement for that company but being able to store firewall logs and
> > search for them is a core function of an enterprise firewall product"
> >
> > Could not disagree with you more on this. The good thing about
> > Checkpoint centralized management is that the management piece can
> > manage multiple firewalls. If you have multiple firewalls between the
> > source and destination, the log, in real time, can tell you which
> > firewalls accept the traffic and which ones drop the traffic.
> >
> > When it comes to troubleshooting, nothing beats tcpdump. The Cisco
> > capture function is nowhere near tcpdump's capabilities.
> >
> > "MARS is a great product if you want a SIM"
> >
> > If you have a "Cisco" shop, then MARS is a great solution for you.
> > However, if you have a heterogeneous environment, ArcSight or EIQ is a
> > much superior solution.
> >
> >
> >
> >
> > --- On Wed, 7/23/08, Phillips, Kevin <Kevin.Phillips@FTIConsulting.com>
> > wrote:
> >
> > From: Phillips, Kevin <Kevin.Phillips@FTIConsulting.com>
> > Subject: RE: ASA vs Checkpoint
> > To: "David Tran" <davidtran_mclean@yahoo.com>, "sushil menon"
> > <sushilmenon2001@gmail.com>
> > Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer" <beyer@optonline.net>,
> > ccielab@groupstudy.com, security@groupstudy.com
> > Date: Wednesday, July 23, 2008, 9:41 AM
> >
> > This is quite a funny post as I have been beating up my Cisco SEs on
> > exactly this point. I think they get it, but Cisco doesn't.
> >
> > A few years ago if you wanted a firewall, hands down it was Checkpoint,
> > partly because of their AI. Today they all do the same: they pass or
> > deny traffic based on defined criteria. Sure, one firewall may be faster
> > than the next vendor's, but what is setting it apart for me is the
> > management.
> >
> > MARS is a great product if you want a SIM, but if you want firewall
> > events then you just need logs. Checkpoint and Juniper get this and have
> > been doing this for years. Cisco never really offered this in their
> > product line and when they decided to add it they went leaps and bounds
> > ahead by going to MARS. MARS is not a firewall log tool, it is a SIM;
> > it does event correlation and a lot of other features. Companies may
> > not be ready to jump into buying a SIM as it may not be a requirement
> > for that company, but being able to store firewall logs and search for
> > them is a core function of an enterprise firewall product.
> >
> > CSM is still new but yet another piece that Checkpoint and Juniper have
> > been doing for a while. Cisco never really offered a solution to manage
> > firewalls, maintain objects, and standard policies across an
> > enterprise.
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > David Tran
> > Sent: Wednesday, July 23, 2008 7:01 AM
> > To: sushil menon
> > Cc: dip; Bill Eyer; ccielab@groupstudy.com; security@groupstudy.com
> > Subject: Re: ASA vs Checkpoint
> >
> > "Checkpoint support sucks big time as compared to Cisco. See, when you
> > get stuck in a live network, all you care about is some good guys to help
> > you out of it; this is where no one can touch Cisco for sure."
> >
> > This part I completely agree with you on. Checkpoint TAC support sucks
> > big time. This is one area where Cisco is really good.
> >
> > --- On Wed, 7/23/08, sushil menon <sushilmenon2001@gmail.com> wrote:
> >
> > From: sushil menon <sushilmenon2001@gmail.com>
> > Subject: Re: ASA vs Checkpoint
> > To: "David Tran" <davidtran_mclean@yahoo.com>
> > Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer" <beyer@optonline.net>,
> > ccielab@groupstudy.com, security@groupstudy.com
> > Date: Wednesday, July 23, 2008, 2:17 AM
> >
> > I think it depends on what you are looking for.
> >
> > From a Cisco point of view, the few advantages and disadvantages I feel:
> >
> > Cisco is a lot cheaper than Checkpoint. In Checkpoint the biggest pain is
> > the licensing model. You need a license for everything, so the cost of it
> > goes very high. Since it's pure software you will have to invest in
> > hardware again; like if you are thinking of Secure Platform then a good
> > IBM or HP server plus their support as well.
> >
> > Checkpoint support sucks big time as compared to Cisco. See, when you get
> > stuck in a live network, all you care about is some good guys to help you
> > out of it; this is where no one can touch Cisco for sure.
> >
> > Though Checkpoint is famous for its GUI, that's the only best thing I
> > find in it. Because it can be deployed on many different hardware
> > configurations, deploying on different hardware is tough, because for
> > most of the hardware you don't even get documentation for free; like
> > Nokia and Crossbeam, you need login access to just view the
> > documentation, and there are hardly any good configuration examples that
> > you could use.
> >
> > There is nothing very great that Checkpoint does that Cisco cannot do,
> > except for a few things like running VPNs and running protocols in
> > active/active mode.
> >
> > But where VPNs are concerned I find Cisco VPNs much more scalable and
> > easy. In Checkpoint you have something called communities and according
> > to communities you will have to decide whether you want to have mesh or
> > star-like VPNs. In ASA it's up to you; you can configure the way you
> > want and need not worry about any communities.
> >
> > Of course, from a good management point of view, seeing the logs in a
> > nice format and all, you can go for Checkpoint.
> >
> > If you are really looking for options I would say rather try Juniper or
> > Fortinet. They are even better than both Cisco and Checkpoint.
> >
> > Especially Fortinet provides everything in a single ASIC-based box. They
> > have got IPS, anti-spam, URL filtering, anti-virus, content filtering
> > all in a single box and their license cost is very low. Their anti-virus
> > has been winning 3 consecutive awards in anti-virus bulletin.
> >
> > They can do source-based routing, source-interface-based routing,
> > policy-based routing and many more features.
> >
> > They have got their FortiManager, like Checkpoint, to manage all the
> > boxes from a single point and they have a FortiLog analyser for
> > consolidating all the logs at a single place.
> >
> >
> >
> >
> >
> >
> >
> >
> > On Wed, Jul 23, 2008 at 7:56 AM, David Tran <davidtran_mclean@yahoo.com>
> > wrote:
> >
> > "But there are downsides. It is software running on a computer, so you
> > have some form of Linux or Windows under the hood. We run ours on a
> > Nokia platform. The model we currently use is diskless, but some of our
> > older ones had a hard disk that seemed to fail regularly. Plus keeping up
> > with patching means not only patching Checkpoint, but also patching
> > IPSO, which is Nokia's version of Linux."
> >
> > You should be using Secureplatform instead of Nokia. With
> > Secureplatform, you go to a single vendor, Checkpoint,
> > for support with both the OS and Checkpoint. Nokia is overpriced
> > and overrated.
> >
> > Isn't RAID-1 supposed to resolve this issue? My Secureplatform
> > has been up and running for almost five years with two reboots,
> > because I upgraded it to HFA_17 and HFA_20.
> >
> > You will run into the same thing with Cisco as well. I can tell
> > you from PIX version 7.2(x) alone, there are about 28 different
> > versions out there.
> >
> > Checkpoint FireFly is high-end running on IBM x3650.
> >
> > Checkpoint can terminate VPN in active/active but Cisco ASA
> > can not.
> >
> > Checkpoint is expensive and Cisco is not.
> >
> > Imagine managing a firewall with 20+ interfaces with Cisco, a
> > very difficult task indeed. There is no Cisco centralized
> > management like CP Provider-1 either, unless you count
> > Cisco Security Manager which runs on crappy Windows. This
> > product is horrible. Even Cisco TAC recommends Solsoft
> > over Cisco CSM.
> >
> > If you have the money, go with Checkpoint. Otherwise, go
> > with Cisco.
> >
> > As someone put it, Checkpoint firewalls are like driving a Porsche
> > or Audi while Cisco is like driving a Ford Pinto. Just like
> > everything in life, you get what you pay for.
> >
> > --- On Tue, 7/22/08, Bill Eyer <beyer@optonline.net> wrote:
> >
> > From: Bill Eyer <beyer@optonline.net>
> > Subject: Re: ASA vs Checkpoint
> > To: "dip" <diptanshu.singh@gmail.com>
> > Cc: ccielab@groupstudy.com, security@groupstudy.com
> > Date: Tuesday, July 22, 2008, 7:34 PM
> >
> > Dip,
> >
> > For what it's worth, at our company we use a mix of Checkpoint and Cisco
> > firewalls: the ASA, FWSM for 6500 and some older PIX units. This is a
> > deliberate design solution on my part to provide diversity.
> >
> > Both manufacturers have advantages and disadvantages, and I will give
> > you my rant on both of them.
> >
> > The Checkpoint is great for a couple of things. The management
> > interface is still the best. Even I, who have never been to school on
> > it, can easily configure and push policies. The logging system, while
> > proprietary, is really nice. If my firewall engineers had their way, we
> > would use only Checkpoint firewalls.
> >
> > But there are downsides. It is software running on a computer, so you
> > have some form of Linux or Windows under the hood. We run ours on a
> > Nokia platform. The model we currently use is diskless, but some of our
> > older ones had a hard disk that seemed to fail regularly. Plus keeping up
> > with patching means not only patching Checkpoint, but also patching
> > IPSO, which is Nokia's version of Linux. Our Checkpoint reps recently
> > told me they are coming out with their own appliance, that will feature
> > integrated patching.
> >
> > Checkpoint is also "rental software". To legally keep it running you
> > have to re-license it periodically. You also have to have a dedicated
> > PC as a management server, and yes this has its own license. Lastly,
> > Checkpoint support is really expensive, although third party support may
> > be available from the appliance manufacturer. We get ours from Nokia.
> >
> > Unlike Cisco TAC, Nokia does draw the line at some support requests.
> > For example I asked them to walk me through installing the R55 patch and
> > they told me I had to hire a VAR to do the work. I got around it but it
> > was painful.
> >
> > Smart Defense, which is their version of IPS, also adds extra costs and
> > since it is implemented in software, has a dramatic effect on
> > throughput.
> >
> > All in all it adds up to a higher cost than ASA.
> >
> > ASA wraps good things into a single box, and the cost is lower.
> > However, the management GUI is not as easy to use (although recent
> > generations are definitely better). Logging is also horrible. The logs
> > on the built-in GUI are not nearly as nice as Checkpoint's, so you will
> > probably find the need for some type of enterprise logging tool. The
> > good news is that it is syslog so any enterprise SIM tool should work.
> > We actually use CS-MARS, but the staff still doesn't like it as much as
> > Checkpoint.
> >
> > That's my rant anyway. If you have the money to pay for it, Checkpoint
> > is really nice, but support is higher, both in cost and in time.
> >
> > In our case in the data center we use Checkpoint as a perimeter
> > firewall, then sandwich our DMZ between the outside and inside
> > firewalls. The theory is that if there is a vulnerability in one
> > manufacturer a hacker can't exploit it to get all the way inside the
> > enterprise. The inside firewalls are FWSM blades. For small sites we
> > use ASA because cost is the driving factor there.
> >
> > Long post, and maybe off topic, but I am certain that other engineers
> > will have their own opinions.
> >
> > Sincerely,
> >
> > Bill
> >
> > dip wrote:
> > > Hi Guys,
> > >
> > > I have to evaluate between Cisco ASA and Checkpoint for a big
> > > enterprise. I think this is a better place to ask since a lot of people
> > > would have worked on both products.
> > >
> > > Please provide me all the plus points which you saw in Checkpoint which
> > > you think currently Cisco ASA doesn't have, or vice versa.
> > > Also what features Checkpoint has which you think should be a must in
> > > Cisco firewalls.
> > >
> > > Thanks
> > > Dip
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
> --
> aun raza
> pgp: 0x95A74924 (pgp.mit.edu)
> web: aunraza.com
>

-- 
Muhammad Nasim
Network Engineer
Saudi Arabia


This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:57 ART