On the flushing noise. It sounds more like job security to me! Which is
better, to have an effective, understandable security policy that is easily
managed through a GUI, or a complex command line driven attempt at a
security policy? The job security is in not making stupid mistakes in policy
design/implementation. An incident or compromise related to a stupid policy
mistake is the quickest way out the door.

As far as the PIX GUI is concerned, I was privileged enough to take a look
at a beta of it a month ago. It is strikingly similar in layout to the
CheckPoint GUI. It is definitely a step in the right direction. Had Cisco
been more generous on trade-in values I would be the latest convert to the
PIX cult.

CheckPoint's biggest downfall is support. It downright stinks. If anything
can topple them from their perch support will be it. There is no TAC to call
and get a person who can answer your question. The top support people are in
friggin' Israel working 9-5 hours for god's sake. You do the math and
timezone conversion.

They are both great products, but when someone starts saying one is more
secure than the other, hold on!

A couple parting questions for stimulating conversation....

Can you manage and install policy to multiple PIX firewalls simultaneously?
(With a $15K add-on)

How often do your throughput needs exceed the ~80Mb threshold of CheckPoint?

Who has 52% market share?

The right product for the right environment.


-----Original Message-----
From: Allen May [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 04, 2001 10:05 AM
To: [EMAIL PROTECTED]
Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]


I installed the GUI for the PIX but haven't used it yet.  Letting something
else build my config just seems weird ;)  Almost like job security making a
flushing noise...rofl.

----- Original Message -----
From: "Maness, Drew" 
To: 
Sent: Friday, May 04, 2001 10:29 AM
Subject: RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]


> I don't think it is security holes at a lower layer.  Checkpoint installs
> what they call a shiv between the network and data link layer to protect the
> IP stack.  And if you were to take advantage of OS security flaws you would
> be doing it at the Session Layer and above, not the lower layers.
>
>
> About five years ago it used to be the case the application based firewalls
> did not protect the network as well as packet filtering.  But that was
> because people didn't really understand what a firewall was. Most people
> considered a proxy server as a sort of firewall.
>
> I remember a client telling me they were protected because they used
> reserved ip address and M$ proxy.  In fact at the time M$ was marketing
> their proxy server as a "poormans" firewall.
>
> But today firewalls protect the IP stack.  And most people know that a proxy
> is not a firewall.  So this hardware based is better than software based
> stuff does not ring true.
>
> When someone asks me which is better Pix or Checkpoint, I tell them it
> depends. I can find you studies that say Pix has better throughput than
> Checkpoint and vice versa.
>
> The real difference between them is that Checkpoint has a gui interface and
> Pix has the ol' command line.  You can pretty much do the same thing with
> them, so what it comes down to is what are you or your staff more
> comfortable configuring.  Are you a Cisco shop, buy the Pix, are you an
> NT/Unix shop, buy Checkpoint.  Beyond that it is all marketing semantics.
>
> In fact I have heard, but not seen, that there is a new gui interface for
> the Pix.  Anyone used it lately?
>
> I haven't had time to work with it, since I'm preparing for this little known
> lab called CCIE or something like that.  What's an IGP? (oh my brain is
> starting to hurt...)
>
> -----Original Message-----
> From: Jim Brown [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 04, 2001 7:45 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
>
> Security holes in lower layers? Where did you come up with that, your Cisco
> rep?
>
> -----Original Message-----
> From: Eugene Nine [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 03, 2001 5:01 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
>
> PIX goes up to layer 4, so it won't do things like URL filtering.
> Checkpoint (or other SW) can do higher layer protection but may not be as
> well at the lower layers (due to security holes in the OS, etc)
> Eugene
>
> "Chuck Larrieu" wrote in message
> news:[EMAIL PROTECTED]...
> > Asked sincerely, what advantages do you see in provisioning PIX plus
> > checkpoint?
> >
> > Chuck
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Thursday, May 03, 2001 2:47 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
> >
> > It depends on your security policy, design and needs; generally what we
> > advise our customers is checkpoint + pix together
> >
> > Hatim badr wrote:
> >
> > > Hi,
> > >
> > > I would like to know the pluses and minuses of each product. Currently we
> > > are using checkpoint and I want to convince my management to switch to
> > > cisco PIX firewall.
> > >
> > > Thanks
> > >
> > > Hatim
> > >
> > > FAQ, list archives, and subscription info:
> > > http://www.groupstudy.com/list/cisco.html
> > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3217&t=2878