RE: ASA vs Checkpoint

From: Magmax (magmax@bigpond.net.au)
Date: Fri Aug 01 2008 - 23:55:50 ART


I had to say this one

One small comment on P1/Checkpoint:

1. SecureXL bugs, VSX bugs
2. Provider-1 R65 (see how many features have bugs and wonder what is worth...), then call Checkpoint TAC and they will ask you to re-install it :-> or the case will stay open for 6 months

I am not saying Cisco is better than Checkpoint. If Cisco started charging money the way Checkpoint does, they would have a far better product.

Go Cisco Systems --- don't force Cisco engineers to sell Checkpoint firewalls :->

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of David Tran
Sent: Friday, 25 July 2008 12:21 PM
To: Abdul
Cc: joe@affirmedsystems.com; sushilmenon2001@gmail.com; Kevin.Phillips@fticonsulting.com; gabriel.bryson@minx.com; diptanshu.singh@gmail.com; beyer@optonline.net; ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: ASA vs Checkpoint

I am going to add more fuel to the fire !!!

Yes, NetScreen is a good firewall with excellent throughput. I used to manage a pair of NetScreen/Juniper AS5200 about 3 years ago and for the most part, the throughput is excellent.

The issue with Netscreen is it severely lacks the tools for troubleshooting. Just like Cisco, the information is not in real-time. If I recall correctly, it is snoop, not Solaris snoop but a snoop that will dump the output into a file and then you read the file. Well, if you do not have to do a lot of troubleshooting, then yes, Netscreen is the way to go. As for myself, I come from tcpdump and fw monitor. I like these tools because they tell me exactly where and why the traffic gets processed by the firewall on each particular interface. When you have a critical issue and something is not working and needs to be resolved right away, capture and snoop are not very efficient tools to solve critical issues.

Netscreen also has a product called Netscreen Security Manager (NSM) that is a "knock-off" of Checkpoint Provider-1. In fact, the GUI look-and-feel is very similar to Checkpoint SmartConsole. I used this product in 2006 and early 2007. The product is somewhat unstable. I tried to manage a pair of Netscreens via NSM and somehow the NSM lost my Netscreen configuration. If my recollection is correct, I was using NSM version 2007.1 release 2. I don't know if the product has improved since, but NSM is no Checkpoint Provider-1. One thing I have to give Netscreen credit for is that they don't develop NSM for the Windows platform, only Linux and Solaris. I guess that's why it is much more robust and stable than Cisco CSM.

Netscreen is a good firewall if you don't have to make daily configuration changes. If that is not the case, you're looking at something maybe just a little bit better than Cisco in terms of policy and configuration management. Remember, Netscreen has something called "zone-based" which is similar to the ASA security level.

It boils down to what fits your environment and what you're comfortable with. I am a Cisco person but I like Checkpoint because of the management and logging piece.

--- On Thu, 7/24/08, Abdul <rslab007@gmail.com> wrote:
From: Abdul <rslab007@gmail.com>
Subject: Re: ASA vs Checkpoint
To: "David Tran" <davidtran_mclean@yahoo.com>
Cc: joe@affirmedsystems.com, sushilmenon2001@gmail.com, Kevin.Phillips@fticonsulting.com, gabriel.bryson@minx.com, diptanshu.singh@gmail.com, beyer@optonline.net, ccielab@groupstudy.com, security@groupstudy.com
Date: Thursday, July 24, 2008, 8:51 PM

Aw, man. How can I add to such a juicy set of comments about this topic? God, I don't know about you, but I'm loving reading everyone's comments.

Ok, here is my two cents. I come from a big financial enterprise environment that runs tons of multicast (in the form of market data) through our firewalls. The financial industry is moving towards microsecond latency sensitivity, where every source of delay counts negatively towards the business. We get huge micro-bursts of data unlike I've ever seen before (except when testing in the lab). The environment was primarily a Checkpoint firewall environment. It's steadily moving towards Juniper Netscreens. Here's why: performance & latency. The Checkpoints (as so many so eloquently expressed in this email trail) are feature rich, and very good with management, especially in an environment with tons of firewalls and huge policies. But they are failing when it comes to performance and latency. And while complaints abound from the Security Admins about the management piece of the Netscreens, their raw performance is simply much better than the Checkpoints'. And they are coming around with the feature support as well.

So if performance & latency are your top requirements, then maybe an evaluation between the Junipers & ASA might be a better conversation.

On Wed, Jul 23, 2008 at 5:41 PM, David Tran <davidtran_mclean@yahoo.com> wrote:

"Recently I had a meeting with a large blue chip company that had been using Checkpoint exclusively. As they were purchasing various Cisco routers and switches from us, I was asked to attend a meeting where their security manager, who was a Checkpoint believer, wanted to ask a few questions about the ASA. After the Q&A session I could see that lots of what he said was related to the old PIX limitations. I then opened my laptop and connected to an ASA we have in a lab and demonstrated the ASA and let him play... They just purchased two ASAs to replace their Checkpoints."

I don't know if you have ever worked in a large enterprise or a Managed Security Service Provider (MSSP), but I would like to know if you can convert a Checkpoint security policy with over 25,000 objects and 800 security rules on Secureplatform gateways with 20+ interfaces. Add about 100+ crazy NAT rules in the policy and let's see if you can convert this CP security policy into an ASA security policy.

Think you can do it? By the way, Cisco TAC couldn't do it either.

I had a meeting with a Cisco SE in 2005 and he really touted both ASA and MARS, on how these products are much better than CP and Juniper. After I sat him down and showed him Checkpoint Provider-1 and the requirements for my environment, ASA and CSM could not meet the requirements.

Checkpoint has lots of drawbacks as well, but overall it is a much better firewall than Cisco, especially for large enterprises and Service Providers.

It's like owning a Porsche and owning a Honda Civic. Owning a Chevy is very easy. You just need to change the oil, for the most part, and everything will be fine. Owning a Porsche is much different. You need to have the money and the time to take care of that car. It is not that simple. Checkpoint is the same way. Checkpoint is like a Porsche and ASA is like a Honda Civic.

--- On Wed, 7/23/08, gabriel.bryson@minx.com <gabriel.bryson@minx.com> wrote:

From: gabriel.bryson@minx.com <gabriel.bryson@minx.com>
Subject: RE: ASA vs Checkpoint
To: joe@affirmedsystems.com, davidtran_mclean@yahoo.com, sushilmenon2001@gmail.com, Kevin.Phillips@FTIConsulting.com
Cc: diptanshu.singh@gmail.com, beyer@optonline.net, ccielab@groupstudy.com, security@groupstudy.com
Date: Wednesday, July 23, 2008, 4:08 PM

After reading along all day at what people had to say about the ASA vs Checkpoint, if I were a complete novice that went exclusively on what was said in this forum, I think I might go with the ASA?? There is plenty said on the Checkpoint side about licensing, hardware, patching problems, being more expensive, not great support from the manufacturers, and all that was said about the ASA is that it does not have a fantastic enterprise management solution, oh and the ASA VPN solution is rock solid???

I think from my own experience the vast majority of people are put off the ASA because of the old PIX, its command line and horrible GUI (PDM), which the ASA has now revamped and replaced, making it just as easy as the Checkpoint to configure.

Recently I had a meeting with a large blue chip company that had been using Checkpoint exclusively. As they were purchasing various Cisco routers and switches from us, I was asked to attend a meeting where their security manager, who was a Checkpoint believer, wanted to ask a few questions about the ASA. After the Q&A session I could see that lots of what he said was related to the old PIX limitations. I then opened my laptop and connected to an ASA we have in a lab and demonstrated the ASA and let him play... They just purchased two ASAs to replace their Checkpoints.

PS check out the Miercom report on the ASA compared to its competitors??? Just google Miercom ASA

My 2p worth

Gabriel

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Joseph Brunner
Sent: 23 July 2008 17:49
To: 'David Tran'; 'sushil menon'; 'Phillips, Kevin'
Cc: 'dip'; 'Bill Eyer'; ccielab@groupstudy.com; security@groupstudy.com
Subject: RE: ASA vs Checkpoint

David,

Time and time again you save me millions of brain cells. Thank you...

God, Cisco has its sh*t in a twist... that server is massive to not be able to run CSM like google.com...

WOW

;)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of David Tran
Sent: Wednesday, July 23, 2008 10:30 AM
To: sushil menon; Phillips, Kevin
Cc: dip; Bill Eyer; ccielab@groupstudy.com; security@groupstudy.com
Subject: RE: ASA vs Checkpoint

"CSM is still new but yet another piece that Checkpoint and Juniper have been doing for a while. Cisco never really offered a solution to manage firewalls, maintain objects, and standard policies across an enterprise."

This product is absolutely horrendous. I installed it on a Windows 2003 Enterprise Edition with 16GB RAM and quad processors with quad-core and it is extremely slow. Totally unworkable across the VPN. The system becomes very sluggish after 5 users log into the system. At the moment, I am having issues with installing Performance Monitor on the CSM. In other words, it is a broken product.

"Companies may not be ready to jump into buying a SIM as it may not be a requirement for that company but being able to store firewall logs and search for them is a core function of an enterprise firewall product"

Could not disagree with you more on this. The good thing about Checkpoint centralized management is that the management piece can manage multiple firewalls. If you have multiple firewalls between the source and destination, the log, in real time, can tell you which firewalls accept the traffic and which ones drop the traffic.

When it comes to troubleshooting, nothing beats tcpdump. Cisco's capture function is nowhere near tcpdump's capabilities.

"MARS is a great product if you want a SIM"

If you have a "Cisco" shop, then MARS is a great solution for you. However, if you have a heterogeneous environment, ArcSight or EIQ is a much superior solution.

--- On Wed, 7/23/08, Phillips, Kevin <Kevin.Phillips@FTIConsulting.com> wrote:

From: Phillips, Kevin <Kevin.Phillips@FTIConsulting.com>
Subject: RE: ASA vs Checkpoint
To: "David Tran" <davidtran_mclean@yahoo.com>, "sushil menon" <sushilmenon2001@gmail.com>
Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer" <beyer@optonline.net>, ccielab@groupstudy.com, security@groupstudy.com
Date: Wednesday, July 23, 2008, 9:41 AM

This is quite a funny post as I have been beating up my Cisco SEs on exactly this point. I think they get it, but Cisco doesn't.

A few years ago if you wanted a firewall, hands down it was Checkpoint, partly because of their AI. Today they all do the same: they pass or deny traffic based on defined criteria. Sure, one firewall may be faster than the next vendor's, but what is setting it apart for me is the management.

MARS is a great product if you want a SIM, but if you want firewall events then you just need logs. Checkpoint and Juniper get this and have been doing this for years. Cisco never really offered this in their product line and when they decided to add it they went leaps and bounds ahead by going to MARS. MARS is not a firewall log tool, it is a SIM; it does event correlation and a lot of other features. Companies may not be ready to jump into buying a SIM as it may not be a requirement for that company, but being able to store firewall logs and search for them is a core function of an enterprise firewall product.

CSM is still new but yet another piece that Checkpoint and Juniper have been doing for a while. Cisco never really offered a solution to manage firewalls, maintain objects, and standard policies across an enterprise.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of David Tran
Sent: Wednesday, July 23, 2008 7:01 AM
To: sushil menon
Cc: dip; Bill Eyer; ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: ASA vs Checkpoint

"checkpoint support sucks big time as compared to cisco. see, when u get stuck in a live network all u care about is some good guys to help u out of it; this is where no one can touch cisco for sure."

This part I completely agree with you on. Checkpoint TAC support sucks big time. This is one area where Cisco is really good.

--- On Wed, 7/23/08, sushil menon <sushilmenon2001@gmail.com> wrote:

From: sushil menon <sushilmenon2001@gmail.com>
Subject: Re: ASA vs Checkpoint
To: "David Tran" <davidtran_mclean@yahoo.com>
Cc: "dip" <diptanshu.singh@gmail.com>, "Bill Eyer" <beyer@optonline.net>, ccielab@groupstudy.com, security@groupstudy.com
Date: Wednesday, July 23, 2008, 2:17 AM

i think it depends on what u are looking for.

from a cisco point of view, the few advantages and disadvantages i feel:

cisco is a lot cheaper than checkpoint. in checkpoint the biggest pain is the licensing model. u need a license for everything so the cost of it goes very high. since it's pure software u will have to invest in hardware again, like if u are thinking of secure platform then a good ibm or hp server plus their support as well.

checkpoint support sucks big time as compared to cisco. see, when u get stuck in a live network all u care about is some good guys to help u out of it; this is where no one can touch cisco for sure.

though checkpoint is famous for its gui, that's the only best thing i find in it. because it can be deployed on many different hardware configurations, on different hardware it is tough because for most of the hardware u don't even get documentation for free; like nokia and crossbeam, u need login access to just view the documentation, and there are hardly any good configuration examples that u could use.

there is nothing very great that checkpoint does that cisco cannot do, except for a few things like running vpns and running protocols in active/active mode.

but where vpns are concerned i find cisco vpns much more scalable and easy. in checkpoint u have something called communities and according to communities u will have to decide whether u want to have mesh or star like vpns. in asa it's up to u; u can configure the way u want and need not worry abt any communities.

of course from a good management point of view, seeing the logs in a nice format and all, u can go for checkpoint.

if u are really looking for options i would say rather try juniper or fortinet. they are even better than both cisco and checkpoint.

especially fortinet provides everything in a single asic based box. they have got ips, anti-spam, url-filtering, anti-virus, content-filtering all in a single box and their license cost is very low. their anti-virus has been winning 3 consecutive awards in anti-virus bulletin.

they can do source based routing, source interface based routing, policy based routing and many more features.

they have got their fortimanager like checkpoint to manage all the boxes from a single point and they have a fortilog analyser for consolidating all the logs at a single place.

On Wed, Jul 23, 2008 at 7:56 AM, David Tran <davidtran_mclean@yahoo.com> wrote:

"But there are downsides. It is software running on a computer, so you have some form of Linux or Windows under the hood. We run ours on a Nokia platform. The model we currently use is diskless, but some of our older ones had a hard disk that seemed to fail regularly. Plus keeping up with patching means not only patching Checkpoint, but also patching IPSO, which is Nokia's version of Linux."

You should be using Secureplatform instead of Nokia. With Secureplatform, you go to a single vendor, Checkpoint, for support with both the OS and Checkpoint. Nokia is overpriced and overrated.

Isn't RAID-1 supposed to resolve this issue? My Secureplatform has been up and running for almost five years with two reboots, because I upgraded it to HFA_17 and HFA_20.

You will run into the same thing with Cisco as well. I can tell you from Pix version 7.2(x) alone, there are about 28 different versions out there.

Checkpoint FireFly is high-end running on IBM x3650.

Checkpoint can terminate VPN in active/active but Cisco ASA cannot.

Checkpoint is expensive and Cisco is not.

Imagine managing a firewall with 20+ interfaces with Cisco, a very difficult task indeed. There is no Cisco centralized management like CP Provider-1 either, unless you count Cisco Security Manager which runs on crappy Windows. This product is horrible. Even Cisco TAC recommends Solsoft over Cisco CSM.

If you have the money, go with Checkpoint. Otherwise, go with Cisco.

As someone put it, Checkpoint firewalls are like driving a Porsche or Audi while Cisco is like driving a Ford Pinto. Just like everything in life, you get what you pay for.

--- On Tue, 7/22/08, Bill Eyer <beyer@optonline.net> wrote:

From: Bill Eyer <beyer@optonline.net>
Subject: Re: ASA vs Checkpoint
To: "dip" <diptanshu.singh@gmail.com>
Cc: ccielab@groupstudy.com, security@groupstudy.com
Date: Tuesday, July 22, 2008, 7:34 PM

Dip,

For what it's worth, at our company we use a mix of Checkpoint and Cisco firewalls: the ASA, FWSM for the 6500 and some older PIX units. This is a deliberate design solution on my part to provide diversity.

Both manufacturers have advantages and disadvantages, and I will give you my rant on both of them.

The Checkpoint is great for a couple of things. The management interface is still the best. Even I, who have never been to school on it, can easily configure and push policies. The logging system, while proprietary, is really nice. If my firewall engineers had their way, we would use only Checkpoint firewalls.

But there are downsides. It is software running on a computer, so you have some form of Linux or Windows under the hood. We run ours on a Nokia platform. The model we currently use is diskless, but some of our older ones had a hard disk that seemed to fail regularly. Plus keeping up with patching means not only patching Checkpoint, but also patching IPSO, which is Nokia's version of Linux. Our Checkpoint reps recently told me they are coming out with their own appliance, that will feature integrated patching.

Checkpoint is also "rental software". To legally keep it running you have to re-license it periodically. You also have to have a dedicated PC as a management server, and yes, this has its own license. Lastly, Checkpoint support is really expensive, although third party support may be available from the appliance manufacturer. We get ours from Nokia.

Unlike Cisco TAC, Nokia does draw the line at some support requests. For example, I asked them to walk me through installing the R55 patch and they told me I had to hire a VAR to do the work. I got around it but it was painful.

Smart Defense, which is their version of IPS, also adds extra costs and, since it is implemented in software, has a dramatic effect on throughput.

All in all it adds up to a higher cost than ASA.

ASA wraps good things into a single box, and the cost is lower. However, the management GUI is not as easy to use (although recent generations are definitely better). Logging is also horrible. The logs on the built-in GUI are not nearly as nice as Checkpoint's, so you will probably find the need for some type of enterprise logging tool. The good news is that it is syslog, so any enterprise SIM tool should work. We actually use CS-MARS, but the staff still doesn't like it as much as Checkpoint.

That's my rant anyway. If you have the money to pay for it, Checkpoint is really nice, but support is higher, both in cost and in time.

In our case, in the Data Center we use Checkpoint as a perimeter firewall, then sandwich our DMZ between the outside and inside firewalls. The theory is that if there is a vulnerability in one manufacturer a hacker can't exploit it to get all the way inside the enterprise. The inside firewalls are FWSM blades. For small sites we use ASA because cost is the driving factor there.

Long post, and maybe off topic, but I am certain that other engineers will have their own opinions.

Sincerely,

Bill

dip wrote:
> Hi Guys,
>
> I have to evaluate between Cisco ASA and Checkpoint for a big enterprise. I
> think this is a better place to ask since a lot of people would have worked on
> both products.
>
> Please provide me all the plus points which you saw in Checkpoint which you
> think currently Cisco ASA doesn't have or vice versa.
> Also what features Checkpoint has which you think should be a must in Cisco
> firewalls.
>
> Thanks
> Dip


This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:29 ART