I've been working with Checkpoint firewalls since 2000 and Cisco Pix firewalls since 2001 and have built several "franken" Pix (aka Cisco Pix on a PC). My expertise is mainly in Nokia/Checkpoint and Provider-1, with moderate experience in SPLAT. Here are some of my observations:
1) Pix firewall is a piece of crap. It is ok for simple scenarios and configurations with static rulesets. When you have to do NAT across VPN tunnels, it can get very complicated and ugly in a hurry.
2) Logging can be a nightmare with Cisco Pix. Not only do you need a syslog server for this, but you also need third-party software to parse the log in order to make any sense of it, if you can.
3) Pix does not support load balancing, only Active/Standby. However, I am playing with Pix version 7.0 beta and it is supposed to do just that, but I would not give it serious consideration until at least 8 months from now.
4) Cisco Pix does not support transparent mode. This feature is supposed to be available in version 7.0. Again, refer to #3.
5) Cisco Pix Device Manager (PDM) is a piece of junk. Whoever wrote that piece should be fired. That piece of junk cannot be compared with Nokia Voyager or SPLAT.
6) Even though Pix is a Cisco product, you can NOT do GRE inside an IPsec tunnel (you need a Cisco IOS router to do this). GRE inside an IPsec tunnel can be accomplished with Nokia/Checkpoint. I have not tested it on SPLAT because I am not sure if SPLAT supports GRE, even though SPLAT does support zebra.
7) When it comes to troubleshooting, especially VPN, unless you are familiar with Cisco IOS (debug crypto isakmp & debug crypto ipsec), it is not as intuitive as "tcpdump -i eth0 -n port 500 or proto 50". One more thing: if you accidentally do "clear isakmp" instead of "clear isakmp sa", the former will erase your isakmp configuration.
8) Cisco ACLs can be a big problem for a site with complex configurations. The ACL can grow without control. One other thing: try to set up ACLs for SUN RPC and Microsoft DCOM services and you will run into problems immediately.
9) Say your enterprise has to manage 20 Cisco Pix firewalls throughout the enterprise. There is NO centralized management. Cisco VPN Management Solution (VMS) is a F_cking joke.
Cisco Pix firewall does NOT even log any AAA accounting when managing the firewall (Cisco IOS router does). How are you supposed to keep track of who is doing what to the firewalls in terms of "change control"?
10) Backing up the configuration on Cisco Pix can be a problem because of the TFTP issue. If you have to manage remote firewalls, it means that your configuration will travel across the Internet in the clear (unless you set up some kind of VPN tunnel). You do not have this problem with Checkpoint because it can be done via scp.
11) If you need to push a rule to multiple firewalls, there is no easy way to do this in Cisco Pix. With Checkpoint, you can do that through global rules (if you have Provider-1).
On the upside, Cisco Pix is cheaper than Checkpoint and the licensing is much easier to understand than Checkpoint's. At the same time, it costs more to hire someone to maintain Cisco Pix firewalls than Checkpoint. Please keep in mind that a Network Engineer is NOT also a Security Engineer. Network Engineers, especially Cisco Network Engineers, also tend to think that they are Security Engineers, which is completely false.
That is NOT to say that Checkpoint does not have its own problems. If you decide to go with Checkpoint on Nokia platforms, keep in mind that you will have to deal with two separate vendors if you run into problems (Nokia might tell you otherwise). My personal take on Checkpoint is that unless you have specific requirements to run Checkpoint on Nokia platforms, I would prefer SPLAT, because both the OS (Linux) and the firewall itself are supported by Checkpoint, and Checkpoint is responsible for both. You only have to deal with one vendor (Checkpoint), so there will be no finger pointing.
In terms of scalability, I would go with Checkpoint, because with SPLAT I can scale the hardware from a 1-CPU box to a 4-CPU box and scale the memory up to 2GB of RAM, or better yet, I can use ClusterXL to add additional enforcement modules into the cluster (IPSO clustering for the Nokia platform). If I truly care about performance, I would go with IBM hardware and the Corrent card (VPN acceleration card) for my SPLAT.
In summary, I would rate Checkpoint over Cisco Pix in terms of manageability, logging, troubleshooting and maintenance. The only thing on which Cisco would score well is that Cisco TAC is much better than Checkpoint TAC. I hate to say this, but Checkpoint TAC is no better than I am, which really sucks because I am not that good either. Nokia TAC is about the same as Checkpoint TAC.
On a separate note, I would explore Netscreen as an alternative option to Checkpoint. I've been testing Netscreen for only a few weeks and I am really impressed with the product. Netscreen also has a product similar to Checkpoint Provider-1 called NetScreen Security Manager (NSM). If anyone thinks I am wrong, please advise.

Haralabos Klitiropoulos <[EMAIL PROTECTED]> wrote:
Hello, Here are some (IMHO):
1) The PIX does not have a built-in logging facility. Yes, it does produce logs, but if you want to keep your logs you need a syslog server. If you also want to create reports you need a syslog server that understands the format of the PIX messages.
2) Cisco does not have an equivalent to the Application Intelligence technology.
3) Check Point firewall is not an appliance. If your needs grow with time you only need to upgrade your hardware, plus you have the choice of the operating system it will run on (Window$, Linux, SPLAT, Solaris, IPSO). If you have a PIX firewall, a memory upgrade may not be enough. In that case you will need a newer/bigger/better model.
4) PIX does not support load balancing. You can only do high availability, with only two devices.
5) Check Point has created the OPSEC standard that lets your firewall do much more than just inspecting the packets that go through it.
6) The most important, IMHO: a GUI that actually works (despite what Cisco claims about PDM). In one case we did a demo for a future client that wanted to use VPN technology for their branches. They wanted a PIX simply because it is manufactured by Cisco - Cisco is something like the Holy Grail for the IT managers here in Greece. When they realized how simple it was to create rules, VPN communities, manage users and troubleshoot (using SmartTracker), they went for Check Point.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of dhananjoy chowdhury
Sent: Saturday, February 19, 2005 3:34 AM
To: [email protected]
Subject: [FW-1] Advantages of having Checkpoint R55 rather than Cisco Pix

Hi All,
Does anyone have the convincing advantages of Checkpoint R55 over Cisco Pix, with respect to VPN, security and management? Kindly share.
Thanks,
Dhananjoy

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
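Both replies above make the same point about PIX logging: the box emits syslog in the %PIX-<severity>-<message id> format and it only becomes useful once something on the syslog server parses that format. The following is an added example, not code from the thread or from Cisco or Check Point, of the minimum such a parser has to do: it splits the PIX header from the message text, extracts the fields of the connection build/teardown (302013/302014) and ACL deny (106023) messages, ignores lines that are not PIX messages, and counts denies by source, destination and access-group, which is the kind of report the second reply says you need a PIX-aware syslog server for. The log lines, hostname, addresses and the access-group name "outside_in" are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines (not real captures): syslog prefix, then the PIX message.
SAMPLE_LOG = """\
Feb 19 03:34:01 fw01 %PIX-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.168.1.20/3456 (198.51.100.5/3456)
Feb 19 03:34:02 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:192.168.1.5/22 by access-group "outside_in"
Feb 19 03:34:03 fw01 %PIX-6-302014: Teardown TCP connection 1234 for outside:203.0.113.10/80 to inside:192.168.1.20/3456 duration 0:00:02 bytes 512 TCP FINs
Feb 19 03:34:05 fw01 some unrelated syslog line that is not from the PIX
"""

# Header common to every PIX syslog message: %PIX-<severity 0-7>-<6-digit id>: <text>
HEADER_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")


def _endpoint(prefix: str) -> str:
    """Regex for '<interface>:<ip>/<port>', with group names prefixed by src/dst."""
    return rf"(?P<{prefix}_if>\w+):(?P<{prefix}_ip>[\d.]+)/(?P<{prefix}_port>\d+)"


# 106023: Deny <proto> src <if:ip/port> dst <if:ip/port> by access-group "<name>"
DENY_RE = re.compile(
    r"^Deny (?P<proto>\w+) src " + _endpoint("src") + r" dst " + _endpoint("dst")
    + r' by access-group "(?P<acl>[^"]+)"'
)

# 302013/302014: Built|Teardown [inbound|outbound] TCP|UDP connection <id> for <src> [(mapped)] to <dst> ...
CONN_RE = re.compile(
    r"^(?P<action>Built|Teardown) (?:(?P<direction>inbound|outbound) )?(?P<proto>TCP|UDP) connection "
    r"(?P<conn>\d+) for " + _endpoint("src") + r"(?: \([\d.]+/\d+\))? to " + _endpoint("dst")
)


@dataclass
class PixEvent:
    severity: int
    msgid: str
    kind: str                       # "deny", "conn" or "other"
    text: str
    fields: Dict[str, object] = field(default_factory=dict)


def _ports_to_int(groups: Dict[str, object]) -> Dict[str, object]:
    return {k: (int(v) if k.endswith("_port") else v) for k, v in groups.items()}


def parse_line(line: str) -> Optional[PixEvent]:
    """Return a PixEvent for a line carrying a %PIX- message, or None for anything else."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    sev, msgid, text = int(m["sev"]), m["msgid"], m["text"]
    d = DENY_RE.match(text)
    if d:
        return PixEvent(sev, msgid, "deny", text, _ports_to_int(d.groupdict()))
    c = CONN_RE.match(text)
    if c:
        return PixEvent(sev, msgid, "conn", text, _ports_to_int(c.groupdict()))
    # Known header, message body we do not decode further.
    return PixEvent(sev, msgid, "other", text)


def parse_log(text: str) -> List[PixEvent]:
    """Parse a whole syslog file, dropping non-PIX lines."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def deny_counts(events: List[PixEvent]) -> Counter:
    """Denies per (src_ip, dst_ip, dst_port, acl): the report a PIX-aware syslog server builds."""
    return Counter(
        (e.fields["src_ip"], e.fields["dst_ip"], e.fields["dst_port"], e.fields["acl"])
        for e in events if e.kind == "deny"
    )


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev.severity, ev.msgid, ev.kind, ev.fields)
    for key, n in deny_counts(evs).most_common():
        print("deny", key, n)
```

Feed it the syslog file the PIX writes to and the deny report comes out sorted by volume; extending it to other message ids is a matter of adding one regex per message format.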
