PIX vs CheckPoint

2001-01-12 Thread Imran Obaidullah M

Hi friends,

I have a few basic questions,

1. If I can implement NAT and Access policy on a normal router which has 2
ethernet interfaces then how does PIX improve the performance as a dedicated
Firewall (if I am not implementing VPN)?

2. Which is the best firewall and more reliable? What are the performance
differences between the PIX and CheckPoint?

Please send me the details

Thanks 

imran

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: PIX vs CheckPoint

2001-01-12 Thread David Wolsefer


This is what you want:

http://www.roble.com/docs/fw1_or_pix.html

Regards,

David Wolsefer, CCIE #5858

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Imran Obaidullah M
Sent: Friday, January 12, 2001 4:23 AM
To: '[EMAIL PROTECTED]'
Subject: PIX vs CheckPoint


Hi friends,

I have a few basic questions,

1. If I can implement NAT and Access policy on a normal router which has 2
ethernet interfaces then how does PIX improve the performance as a dedicated
Firewall (if I am not implementing VPN)?

2. Which is the best firewall and more reliable? What are the performance
differences between the PIX and CheckPoint?

Please send me the details

Thanks

imran




Re: PIX vs CheckPoint

2001-01-12 Thread Mark

Not a bad article in here but just a little more.  I have both the
Checkpoint 4.1 and the Pix 525.  I bought the 525's because I was tired of
dealing with Checkpoint.  CKP is terrible at customer support and licensing,
and I am not saying this from just my experience.  I was in the classes
recently and all the folks there expressed the same issues.  Support is
expensive and not so bad with Pix.  Remember that with CKP you rely on the
box and OS you run and that has been a performance problem for us. In
addition you had better know how to harden the box with CKP.  I guess my
opinion is that a hardware device is almost always a better solution. Dollar
for Dollar the PIX is the better solution.

Good Luck
ML
"Imran Obaidullah M" <[EMAIL PROTECTED]> wrote in message
news:F149A24C5121D211A9710004AC4419C801B4BAF5@RSINTS002...
> Hi friends,
>
> I have a few basic questions,
>
> 1. If I can implement NAT and Access policy on a normal router which has 2
> ethernet interfaces then how does PIX improve the performance as a dedicated
> Firewall (if I am not implementing VPN)?
>
> 2. Which is the best firewall and more reliable? What are the performance
> differences between the PIX and CheckPoint?
>
> Please send me the details
>
> Thanks
>
> imran



RE: PIX vs CheckPoint

2001-01-12 Thread Jim Brown

I've been watching this thread and I have kept quiet. The article listed
below is obviously biased. CheckPoint has its issues but none of them are
performance related. The only bad things I have to say about the product is
in relation to support, which doesn't exist, and licensing.

CheckPoint is #1 in spite of themselves. CheckPoint can handle up to ~80Mb
of throughput, if you need more then maybe you should look at some other
solution, otherwise they are all on the same field in regards to speed. The
typical shop doesn't need more than 80Mb of throughput.

The NT GUI is free, you must purchase the Motif GUI.

Nobody, and I mean Nobody, beats their GUI interface. It is the same no
matter what platform you are running on.

The Nokia/CheckPoint appliance is the best of both worlds. It is a
prehardened, highly tested OS on super performance hardware. You just drop
and insert that baby and you are ready to go. We use NT and Nokia's IPSO,
and if I could do it all over again we would only use Nokias.

Their stock is strong despite the recent gut punch the technology sector has
encountered. They have a great product with terrible customer service. This
may come back to haunt them, but in the mean time they are the best in my
opinion.

I could argue/discuss each point in the link below, but I won't bore anyone.
If someone would like more details or a realistic view on CheckPoint
capabilities you can contact me offline.

-Original Message-
From: Mark [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 12, 2001 10:54 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX vs CheckPoint


Not a bad article in here but just a little more.  I have both the
Checkpoint 4.1 and the Pix 525.  I bought the 525's because I was tired of
dealing with Checkpoint.  CKP is terrible at customer support and licensing,
and I am not saying this from just my experience.  I was in the classes
recently and all the folks there expressed the same issues.  Support is
expensive and not so bad with Pix.  Remember that with CKP you rely on the
box and OS you run and that has been a performance problem for us. In
addition you had better know how to harden the box with CKP.  I guess my
opinion is that a hardware device is almost always a better solution. Dollar
for Dollar the PIX is the better solution.

Good Luck
ML
"Imran Obaidullah M" <[EMAIL PROTECTED]> wrote in message
news:F149A24C5121D211A9710004AC4419C801B4BAF5@RSINTS002...
> Hi friends,
>
> I have a few basic questions,
>
> 1. If I can implement NAT and Access policy on a normal router which has 2
> ethernet interfaces then how does PIX improve the performance as a dedicated
> Firewall (if I am not implementing VPN)?
>
> 2. Which is the best firewall and more reliable? What are the performance
> differences between the PIX and CheckPoint?
>
> Please send me the details
>
> Thanks
>
> imran



Re: PIX vs CheckPoint

2001-01-12 Thread Mark Holloway

Where I work we have two PIX Firewalls (520), one strictly for Internet
usage (e-commerce), the other for corporate Internet access + Extranets.
When I went to PIX training, everyone there had already worked with
Checkpoint Firewalls, and so I heard some good feedback in regards to
comparisons.

My experience with the PIX (520) has been totally positive given our
configurations.  The hardware is easy .. it's an ATX style PC with a Pentium
II/III CPU.  I would have to say, logically, the PIX would perform faster
since there is no hard drive.  Everything is in RAM (like a solid state
system).  Checkpoint runs on top of NT or Solaris, so there may be more
overhead.  However, the PIX is really a Layer 3 Firewall, although you can
load the PFSS NT service on a server and manually enter URLs to block.  To
go further than that, you need to run Websense, which is a package that the
PIX talks directly to (on an NT or Solaris box) and you create Groups and
based on those groups, users will be allowed/blocked from visiting certain
web sites.  Very similar to MS Proxy Server's group security.  We are
running it here at work (5000+ hosts), but I think that the extra overhead
of Websense may have an impact on overall performance (suddenly your super
fast PIX box isn't so super fast, it's the same as any other due to the
Websense bottleneck)..

As for Checkpoint, it goes far beyond layer 3.  Most people in my PIX class
seemed to like Nokia's version of Checkpoint in a FreeBSD box rather than
the NT version of Checkpoint.  Beyond that I cannot say much..

Regards,
Mark Holloway


"Imran Obaidullah M" <[EMAIL PROTECTED]> wrote in message
news:F149A24C5121D211A9710004AC4419C801B4BAF5@RSINTS002...
> Hi friends,
>
> I have a few basic questions,
>
> 1. If I can implement NAT and Access policy on a normal router which has 2
> ethernet interfaces then how does PIX improve the performance as a dedicated
> Firewall (if I am not implementing VPN)?
>
> 2. Which is the best firewall and more reliable? What are the performance
> differences between the PIX and CheckPoint?
>
> Please send me the details
>
> Thanks
>
> imran






RE: PIX vs CheckPoint

2001-01-12 Thread David Wolsefer

Jim,

I would be very interested in your view points. I am not a PIX zealot or
anything, this was just the best article I have. Perhaps you could respond
in detail with a different viewpoint.

Regards,

David Wolsefer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Jim Brown
Sent: Friday, January 12, 2001 10:34 AM
To: 'Mark'; [EMAIL PROTECTED]
Subject: RE: PIX vs CheckPoint


I've been watching this thread and I have kept quiet. The article listed
below is obviously biased. CheckPoint has its issues but none of them are
performance related. The only bad things I have to say about the product is
in relation to support, which doesn't exist, and licensing.

CheckPoint is #1 in spite of themselves. CheckPoint can handle up to ~80Mb
of throughput, if you need more then maybe you should look at some other
solution, otherwise they are all on the same field in regards to speed. The
typical shop doesn't need more than 80Mb of throughput.

The NT GUI is free, you must purchase the Motif GUI.

Nobody, and I mean Nobody, beats their GUI interface. It is the same no
matter what platform you are running on.

The Nokia/CheckPoint appliance is the best of both worlds. It is a
prehardened, highly tested OS on super performance hardware. You just drop
and insert that baby and you are ready to go. We use NT and Nokia's IPSO,
and if I could do it all over again we would only use Nokias.

Their stock is strong despite the recent gut punch the technology sector has
encountered. They have a great product with terrible customer service. This
may come back to haunt them, but in the mean time they are the best in my
opinion.

I could argue/discuss each point in the link below, but I won't bore anyone.
If someone would like more details or a realistic view on CheckPoint
capabilities you can contact me offline.

-Original Message-
From: Mark [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 12, 2001 10:54 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX vs CheckPoint


Not a bad article in here but just a little more.  I have both the
Checkpoint 4.1 and the Pix 525.  I bought the 525's because I was tired of
dealing with Checkpoint.  CKP is terrible at customer support and licensing,
and I am not saying this from just my experience.  I was in the classes
recently and all the folks there expressed the same issues.  Support is
expensive and not so bad with Pix.  Remember that with CKP you rely on the
box and OS you run and that has been a performance problem for us. In
addition you had better know how to harden the box with CKP.  I guess my
opinion is that a hardware device is almost always a better solution. Dollar
for Dollar the PIX is the better solution.

Good Luck
ML
"Imran Obaidullah M" <[EMAIL PROTECTED]> wrote in message
news:F149A24C5121D211A9710004AC4419C801B4BAF5@RSINTS002...
> Hi friends,
>
> I have a few basic questions,
>
> 1. If I can implement NAT and Access policy on a normal router which has 2
> ethernet interfaces then how does PIX improve the performance as a dedicated
> Firewall (if I am not implementing VPN)?
>
> 2. Which is the best firewall and more reliable? What are the performance
> differences between the PIX and CheckPoint?
>
> Please send me the details
>
> Thanks
>
> imran



RE: PIX vs CheckPoint

2001-01-12 Thread Christopher Larson

Actually it depends on what you mean by number one. Last month Sonicwall
surpassed all firewall manufacturers as having the largest installed base of
all firewalls. 
Checkpoint is based on the OS. Break the OS and you break the firewall.





-Original Message-
From: Jim Brown [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 12, 2001 1:34 PM
To: 'Mark'; [EMAIL PROTECTED]
Subject: RE: PIX vs CheckPoint


I've been watching this thread and I have kept quiet. The article listed
below is obviously biased. CheckPoint has its issues but none of them are
performance related. The only bad things I have to say about the product is
in relation to support, which doesn't exist, and licensing.

CheckPoint is #1 in spite of themselves. CheckPoint can handle up to ~80Mb
of throughput, if you need more then maybe you should look at some other
solution, otherwise they are all on the same field in regards to speed. The
typical shop doesn't need more than 80Mb of throughput.

The NT GUI is free, you must purchase the Motif GUI.

Nobody, and I mean Nobody, beats their GUI interface. It is the same no
matter what platform you are running on.

The Nokia/CheckPoint appliance is the best of both worlds. It is a
prehardened, highly tested OS on super performance hardware. You just drop
and insert that baby and you are ready to go. We use NT and Nokia's IPSO,
and if I could do it all over again we would only use Nokias.

Their stock is strong despite the recent gut punch the technology sector has
encountered. They have a great product with terrible customer service. This
may come back to haunt them, but in the mean time they are the best in my
opinion.

I could argue/discuss each point in the link below, but I won't bore anyone.
If someone would like more details or a realistic view on CheckPoint
capabilities you can contact me offline.

-Original Message-
From: Mark [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 12, 2001 10:54 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX vs CheckPoint


Not a bad article in here but just a little more.  I have both the
Checkpoint 4.1 and the Pix 525.  I bought the 525's because I was tired of
dealing with Checkpoint.  CKP is terrible at customer support and licensing,
and I am not saying this from just my experience.  I was in the classes
recently and all the folks there expressed the same issues.  Support is
expensive and not so bad with Pix.  Remember that with CKP you rely on the
box and OS you run and that has been a performance problem for us. In
addition you had better know how to harden the box with CKP.  I guess my
opinion is that a hardware device is almost always a better solution. Dollar
for Dollar the PIX is the better solution.

Good Luck
ML
"Imran Obaidullah M" <[EMAIL PROTECTED]> wrote in message
news:F149A24C5121D211A9710004AC4419C801B4BAF5@RSINTS002...
> Hi friends,
>
> I have a few basic questions,
>
> 1. If I can implement NAT and Access policy on a normal router which has 2
> ethernet interfaces then how does PIX improve the performance as a dedicated
> Firewall (if I am not implementing VPN)?
>
> 2. Which is the best firewall and more reliable? What are the performance
> differences between the PIX and CheckPoint?
>
> Please send me the details
>
> Thanks
>
> imran



Re: PIX vs CheckPoint

2001-01-12 Thread Mark

In some aspects I do agree but we have checkpoint on sun 250's and the
performance difference is very noticeable. However, the real issue I have is
the price point and service which is not good compared to the PIX. But I do
agree that the GUI is fine, if that is a big issue. Most folks that I work
with on the high end of things are not concerned with a GUI. If you want to
channel links on a sun box you have to purchase additional software. If you
want to use checkpoint in a high volume environment you have to spend a
great deal more in Hardware. Don't get me wrong the checkpoint firewall is top
notch in what it does but there are just as good alternatives at a lower
price point. It really comes down to what you want to use it for. As for
80MB you say "CheckPoint can handle up to ~80Mb of throughput" but that has
nothing to do with hardware so spend the money on a PIX 525 with a Gig blade
and match that with the price of the Checkpoint software and a Hardware
device to support it at the same rate. And as you noted the service and
licensing is much to be desired, that is the real issue.



ML

"Jim Brown" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I've been watching this thread and I have kept quiet. The article listed
> below is obviously biased. CheckPoint has its issues but none of them are
> performance related. The only bad things I have to say about the product is
> in relation to support, which doesn't exist, and licensing.
>
> CheckPoint is #1 in spite of themselves. CheckPoint can handle up to ~80Mb
> of throughput, if you need more then maybe you should look at some other
> solution, otherwise they are all on the same field in regards to speed. The
> typical shop doesn't need more than 80Mb of throughput.
>
> The NT GUI is free, you must purchase the Motif GUI.
>
> Nobody, and I mean Nobody, beats their GUI interface. It is the same no
> matter what platform you are running on.
>
> The Nokia/CheckPoint appliance is the best of both worlds. It is a
> prehardened, highly tested OS on super performance hardware. You just drop
> and insert that baby and you are ready to go. We use NT and Nokia's IPSO,
> and if I could do it all over again we would only use Nokias.
>
> Their stock is strong despite the recent gut punch the technology sector has
> encountered. They have a great product with terrible customer service. This
> may come back to haunt them, but in the mean time they are the best in my
> opinion.
>
> I could argue/discuss each point in the link below, but I won't bore anyone.
> If someone would like more details or a realistic view on CheckPoint
> capabilities you can contact me offline.
>
> -Original Message-
> From: Mark [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 12, 2001 10:54 AM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX vs CheckPoint
>
>
> Not a bad article in here but just a little more.  I have both the
> Checkpoint 4.1 and the Pix 525.  I bought the 525's because I was tired of
> dealing with Checkpoint.  CKP is terrible at customer support and licensing,
> and I am not saying this from just my experience.  I was in the classes
> recently and all the folks there expressed the same issues.  Support is
> expensive and not so bad with Pix.  Remember that with CKP you rely on the
> box and OS you run and that has been a performance problem for us. In
> addition you had better know how to harden the box with CKP.  I guess my
> opinion is that a hardware device is almost always a better solution. Dollar
> for Dollar the PIX is the better solution.
>
> Good Luck
> ML
> "Imran Obaidullah M" <[EMAIL PROTECTED]> wrote in message
> news:F149A24C5121D211A9710004AC4419C801B4BAF5@RSINTS002...
> > Hi friends,
> >
> > I have a few basic questions,
> >
> > 1. If I can implement NAT and Access policy on a normal router which has 2
> > ethernet interfaces then how does PIX improve the performance as a dedicated
> > Firewall (if I am not implementing VPN)?
> >
> > 2. Which is the best firewall and more reliable? What are the performance
> > differences between the PIX and CheckPoint?
> >
> > Please send me the details
> >
> > Thanks
> >
> > imran

RE: PIX vs CheckPoint

2001-01-12 Thread Jim Brown

Last comment online.

What really matters is whether or not your network is protected. The GUI
enables you to view, design, and UNDERSTAND the enforced security policy.
This is why the GUI is so important. A picture is worth a thousand words!

There is something to be said for using a single vendor solution, I
personally believe in best of breed. Security is not a single box but layers
of protection and I want the best product that I can afford at each layer.

CheckPoint is primarily supported by the user community through lists such
as this and some good independent web sites. Support is not a huge issue but
it would be nice if the product was supported at the same level as Cisco
products.

As I stated before, I would place the Nokia/CheckPoint appliance head to
head with any other vendor. There is such a mystique around the CheckPoint
cost vs. other vendors that it often throws a monkey wrench in the works and
eliminates them from consideration.

There is not a single solution that works for everyone. Different
organizations have different requirements but the main gripe I hear about
CheckPoint is price. I just think the vendors are overselling or not
pitching it right?

Don't get me wrong, I love Cisco but this product just fit our needs.



-Original Message-
From: Mark [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 12, 2001 1:31 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX vs CheckPoint


In some aspects I do agree but we have checkpoint on sun 250's and the
performance difference is very noticeable. However, the real issue I have is
the price point and service which is not good compared to the PIX. But I do
agree that the GUI is fine, if that is a big issue. Most folks that I work
with on the high end of things are not concerned with a GUI. If you want to
channel links on a sun box you have to purchase additional software. If you
want to use checkpoint in a high volume environment you have to spend a
great deal more in Hardware. Don't get me wrong the checkpoint firewall is top
notch in what it does but there are just as good alternatives at a lower
price point. It really comes down to what you want to use it for. As for
80MB you say "CheckPoint can handle up to ~80Mb of throughput" but that has
nothing to do with hardware so spend the money on a PIX 525 with a Gig blade
and match that with the price of the Checkpoint software and a Hardware
device to support it at the same rate. And as you noted the service and
licensing is much to be desired, that is the real issue.



ML

"Jim Brown" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I've been watching this thread and I have kept quiet. The article listed
> below is obviously biased. CheckPoint has its issues but none of them are
> performance related. The only bad things I have to say about the product is
> in relation to support, which doesn't exist, and licensing.
>
> CheckPoint is #1 in spite of themselves. CheckPoint can handle up to ~80Mb
> of throughput, if you need more then maybe you should look at some other
> solution, otherwise they are all on the same field in regards to speed. The
> typical shop doesn't need more than 80Mb of throughput.
>
> The NT GUI is free, you must purchase the Motif GUI.
>
> Nobody, and I mean Nobody, beats their GUI interface. It is the same no
> matter what platform you are running on.
>
> The Nokia/CheckPoint appliance is the best of both worlds. It is a
> prehardened, highly tested OS on super performance hardware. You just drop
> and insert that baby and you are ready to go. We use NT and Nokia's IPSO,
> and if I could do it all over again we would only use Nokias.
>
> Their stock is strong despite the recent gut punch the technology sector has
> encountered. They have a great product with terrible customer service. This
> may come back to haunt them, but in the mean time they are the best in my
> opinion.
>
> I could argue/discuss each point in the link below, but I won't bore anyone.
> If someone would like more details or a realistic view on CheckPoint
> capabilities you can contact me offline.
>
> -Original Message-
> From: Mark [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 12, 2001 10:54 AM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX vs CheckPoint
>
>
> Not a bad article in here but just a little more.  I have both the
> Checkpoint 4.1 and the Pix 525.  I bought the 525's because I was tired of
> dealing with Checkpoint.  CKP is terrible at customer support and licensing,
> and I am not saying this from just my experience.  I was in the classes
> recently and all the folks there expressed the same issues.  Support is
> expensive and not so bad with Pix.  Remember that with CKP you rely on the
> box and OS you run and that has been a performance prob

RE: PIX vs CheckPoint

2001-01-12 Thread Imran Obaidullah M

Hi David,

Thanks for the link. The URL answers my 2nd question. Can you give me some
details on the first question.

regards
imran

-Original Message-
From: David Wolsefer
To: Imran Obaidullah M
Cc: [EMAIL PROTECTED]
Sent: 1/12/01 11:04 PM
Subject: RE: PIX vs CheckPoint


This is what you want:

http://www.roble.com/docs/fw1_or_pix.html

Regards,

David Wolsefer, CCIE #5858

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Imran Obaidullah M
Sent: Friday, January 12, 2001 4:23 AM
To: '[EMAIL PROTECTED]'
Subject: PIX vs CheckPoint


Hi friends,

I have a few basic questions,

1. If I can implement NAT and Access policy on a normal router which has 2
ethernet interfaces then how does PIX improve the performance as a dedicated
Firewall (if I am not implementing VPN)?

2. Which is the best firewall and more reliable? What are the performance
differences between the PIX and CheckPoint?

Please send me the details

Thanks

imran




RE: PIX vs CheckPoint

2001-01-14 Thread Imran Obaidullah M

Hi,

Thanks for the link. It answers my 2nd question. Can you give some details
on the 1st.

Regards

imran 

-Original Message-
From: David Wolsefer
To: Imran Obaidullah M
Cc: [EMAIL PROTECTED]
Sent: 1/12/01 11:04 PM
Subject: RE: PIX vs CheckPoint


This is what you want:

http://www.roble.com/docs/fw1_or_pix.html

Regards,

David Wolsefer, CCIE #5858

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Imran Obaidullah M
Sent: Friday, January 12, 2001 4:23 AM
To: '[EMAIL PROTECTED]'
Subject: PIX vs CheckPoint


Hi friends,

I have a few basic questions,

1. If I can implement NAT and Access policy on a normal router which has 2
ethernet interfaces then how does PIX improve the performance as a dedicated
Firewall (if I am not implementing VPN)?

2. Which is the best firewall and more reliable? What are the performance
differences between the PIX and CheckPoint?

Please send me the details

Thanks

imran




RE: PIX vs CheckPoint

2001-01-14 Thread Aamir Lakhani

Although for the most part I agree with views posted on the web site there are a
few things to consider. Most people want to put a firewall in place and
forget about it. If you are going to be making frequent policy changes,
managing multiple firewalls at different locations, have a need to look at
logs (The logging features in Checkpoint 4.1 SP2 greatly outshine the PIX
built in logging-- although you can enhance logging for both products
dramatically with Web Trends), are willing to have a dedicated security
admin, and willing to send him to training, then the Checkpoint is worth
considering.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Imran Obaidullah M
Sent: Sunday, January 14, 2001 9:24 PM
To: 'David Wolsefer '; '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED] '
Subject: RE: PIX vs CheckPoint


Hi,

Thanks for the link. It answers my 2nd question. Can you give some details
on the 1st.

Regards

imran

-Original Message-
From: David Wolsefer
To: Imran Obaidullah M
Cc: [EMAIL PROTECTED]
Sent: 1/12/01 11:04 PM
Subject: RE: PIX vs CheckPoint


This is what you want:

http://www.roble.com/docs/fw1_or_pix.html

Regards,

David Wolsefer, CCIE #5858

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Imran Obaidullah M
Sent: Friday, January 12, 2001 4:23 AM
To: '[EMAIL PROTECTED]'
Subject: PIX vs CheckPoint


Hi friends,

I have a few basic questions,

1. If I can implement NAT and Access policy on a normal router which has 2
ethernet interfaces then how does PIX improve the performance as a dedicated
Firewall (if I am not implementing VPN)?

2. Which is the best firewall and more reliable? What are the performance
differences between the PIX and CheckPoint?

Please send me the details

Thanks

imran




PIX VS CheckPoint [7:40136]

2002-04-01 Thread Jeffrey Reed

Has anyone performed or seen an in-depth study of PIX vs Checkpoint? I have
a customer who is looking at both. I've read various magazine articles, but
nothing from real people such as this group! :)

Thanks!!

Jeffrey Reed
Classic Networking, Inc.
Cell 717-805-5536
Office 717-737-8586
FAX 717-737-0290




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40136&t=40136



Re: PIX VS CheckPoint [7:40136]

2002-04-02 Thread x

I have set up and managed both PIX and Checkpoint in a
variety of environments.  I think they are both solid
options in different situations.  Here is how I market
these products.

PIX
- more cost effective
- fast
- you can have fail over
- Can be more complicated to set up the CLI, but PIX
has a nice feature of allowing all traffic out and
none in by default.

Who would I market this for?
I would target this as an ideal candidate for small
companies with rulesets that don't change much.  They
also need a Cisco savvy person to manage it, usually a
consultant.  I am guessing you would fill this role. 
I have only made minor changes in the firewall I have
managed for almost two years.

Checkpoint
- nice GUI for ruleset management
- more expensive
- required to know Unix or NT (for the love of God
don't use NT.  Its security is very poor out of the
box and requires a great deal of configuration to
become mildly secure)

Who would I market this toward?
I would target larger companies with Checkpoint.  It
is easier to manage the ruleset, but more setup time
and more costly.  I would also say this solution is
slightly slower and more prone to security issues
since you have to patch the OS and the firewall
software.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40171&t=40136



Re: PIX VS CheckPoint [7:40136]

2002-04-02 Thread Nurudeen Aderinto

Dear x,

I love your presentation. You spoke well.

Nurudeen




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40177&t=40136



Re: PIX VS CheckPoint [7:40136]

2002-04-02 Thread nrf

On the other hand, there's a distinct third option, which is to run
Checkpoint on a dedicated hardware appliance, for example the Nokia Ipso
line of gear.  This removes one of the Checkpoint disadvantages (don't need
to know Unix or NT), but introduces another disadvantage (less flexible -
you should have included in your advantages that regular Checkpoint is more
flexible than Pix because you can integrate it with Unix and enjoy all the
features of Unix, but of course with a Nokia, you don't have that).  In
fact, the Pix and the Nokia Checkpoint are so close that it's almost a wash.
I believe the Pix is faster, but the Nokia Checkpoint is still more flexible
(but not as flexible as Checkpoint software).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40255&t=40136



Re: PIX VS CheckPoint [7:40136]

2002-04-02 Thread colin newman

Hi

Nokia's IPSO OS is Unix.  It's a "hardened" and customized version of
FreeBSD.  I've worked on Nokia/CheckPoint boxes and it does help to have
knowledge of Unix.  I have not had the chance to work with PIX yet so I
can't comment on the merits of a CheckPoint/Nokia vs. PIX.  The only
negative thing I have to say about CheckPoint is their idiotic licensing
scheme, it's a pain and can be very confusing.


Colin


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40260&t=40136



RE: PIX VS CheckPoint [7:40136]

2002-04-02 Thread Rik Guyler

One point I believe should be mentioned is the different levels of
"awareness" each product brings to the table.  One of the strengths of the
PIX becomes its primary weakness: the lack of true integrated
application-level awareness.  While this lack makes the PIX much faster than
say Checkpoint, you don't have nearly as many options such as virus
scanning, content scanning, etc.  Rather, you are required to rely upon
additional products to handle what Checkpoint has built-in.  I know that the
PIX has a few built-in features (such as MailGuard), the selection is rather
slim.

With that said, I'm really a PIX person so don't get the wrong impression.
;-)

Rik  





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40262&t=40136



Re: PIX VS CheckPoint [7:40136]

2002-04-02 Thread nrf

I knew somebody was going to come back with that.  All right, fine, it is
indeed true that Ipso is a hacked version of Unix.  But then again, so is
Cisco IOS and Juniper JunOS, and you could say that it helps to have
knowledge of Unix to run either of those (especially JunOS).  The point I
was trying to make is that by using a Nokia Ipso box, you don't subject
yourself to the full-blown intricacies of Unix like you do when installing
Checkpoint software on, say, a Sun box. I was trying to say that you could
get by with less Unix skills than you could otherwise, I was not saying that
you could get by with an absolute 100% complete whole-nine-yards lack of
Unix knowledge.  Now, whether you consider that to be a good or bad thing is
in the eyes of the beholder.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40274&t=40136



RE: PIX VS CheckPoint [7:40136]

2002-04-02 Thread Kent Hundley

Actually, depending on what Nokia boxes you compare with what PIXen and
whose numbers you believe, the Nokia boxes may be faster.  According to
Nokia/Checkpoint, the high-end Nokia boxes are faster than the PIX 535's.
Course, a lot depends on what your rule-set looks like.

On the flexibility, I agree the CP's are definitely more flexible than the
PIX. (which is why the PIXen are easier to install in simple environments)
One thing that CP has that is fairly unique is the ability to write your own
rules using CP's INSPECT language, which allows you to filter on any part of
a packet, including the data portion.  Not many people seem to use this
feature, but it can come in handy if you have special filtering requirements
such as when a new IIS exploit surfaces. ;-)

Regards,
Kent





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40278&t=40136



RE: PIX VS CheckPoint [7:40136]

2002-04-02 Thread Jeffrey Reed

IPSO comes with a nice web browser interface that I can teach a customer in
a matter of minutes. You only need to access command line when you have
support on the line. Also, Nokia certifies each CheckPoint release with
their IPSO operating system to make sure they are more than compatible. This
is a good solution if you're running CheckPoint. As X said, never run your
firewall on NT!!

Jeffrey Reed
Classic Networking, Inc.


Re: PIX VS CheckPoint [7:40136]

2002-04-07 Thread Timo Graser

The Pix also has a browser interface. The only disadvantage in the past
was that you could not configure a VPN. With the new PDM you will be
able to do this too.

So the only things in the future to do at the CLI will be to run setup and
then log in over your browser.

Jeffrey Reed wrote:

>IPSO comes with a nice web browser interface that I can teach a customer in
>a matter of minutes. You only need to access command line when you have
>support on the line. Also, Nokia certifies each CheckPoint release with
>their IPSO operating system to make sure they are more than compatible. This
>is a good solution if you're running CheckPoint. As X said, never run your
>firewall on NT!!
>
>Jeffrey Reed
>Classic Networking, Inc.
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of nrf
>Sent: Tuesday, April 02, 2002 9:21 PM
>To: [EMAIL PROTECTED]
>Subject: Re: PIX VS CheckPoint [7:40136]
>
>I knew somebody was going to come back with that.  All-right fine, it is
>indeed true that Ipso is a hacked version of Unix.  But then again, so is
>Cisco IOS and Juniper JunOS, and you could say that it helps to have
>knowledge of Unix to run either of those (especially JunOS).The point I
>was trying to make is that by using a Nokia Ipso box, you don't subject
>yourself to the full-blown intricacies of Unix like you do when installing
>Checkpoint software on, say, a Sun box. I was trying to say that  you could
>get by with less Unix skills than you could otherwise, I was not saying that
>you could get by with an absolute 100% complete whole-nine-yards lack of
>Unix knowledge.  Now, whether you consider that to be a good or bad thing is
>in the eyes of the beholder.
>
>
>
>""colin newman""  wrote in message
>[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
>
>>Hi
>>
>>Nokia?s IPSO OS is Unix.  It?s a ?hardened? and customize version of
>>FreeBSD.  I?ve worked on Nokia/CheckPoint boxes and it does help to have
>>knowledge of Unix.  I have not had the chance to work with PIX yet so I
>>can?t comment on the merits of a CheckPoint/Nokia vs. PIX.  The only
>>negative thing I have to say about CheckPoint is their idiotic licensing
>>scheme, it a pain and can be very confusing.
>>
>>
>>Colin
>>nrf wrote:
>>
>>>On the other hand, there's a distinct third option, which is to run
>>>Checkpoint on a dedicated hardware appliance, for example the Nokia Ipso
>>>line of gear.  This removes one of the Checkpoint disadvantages (don't need
>>>to know Unix or NT), but introduces another disadvantage (less flexible -
>>>you should have included in your advantages that regular Checkpoint is more
>>>flexible than Pix because you can integrate it with Unix and enjoy all the
>>>features of Unix, but of course with a Nokia, you don't have that).  In
>>>fact, the Pix and the Nokia Checkpoint are so close that it's almost a wash.
>>>I believe the Pix is faster, but the Nokia Checkpoint is still more flexible
>>>(but not as flexible as Checkpoint software).
>>>
>>>
>>>
>>>"Nurudeen Aderinto" wrote in message
>>>news:[EMAIL PROTECTED]...
>>>
>>>>Dear x,
>>>>
>>>>I love your presentation. You spoke well.
>>>>
>>>>Nurudeen
>>>>"x" wrote in message
>>>>news:[EMAIL PROTECTED]...
>>>>
>>>>>I have setup and managed both PIX and Checkpoint in a
>>>>>variety of environments.  I think they are both solid
>>>>>options in different situations.  Here is how I market
>>>>>these products.
>>>>>
>>>>>PIX
>>>>>- more cost effective
>>>>>- fast
>>>>>- you can have fail over
>>>>>- Can be more complicated to setup the CLI, but PIX
>>>>>has a nice feature of allowing all traffic out and
>>>>>none in by default.
>>>>>
>>>>>Who would I market this for?
>>>>>I would target this as an ideal candidate for small
>>>>>companies with rulesets that don't change much.  They
>>>>>also need a Cisco savvy person to manage it, usually a
>>>>>consultant.  I am guessing you would fill this role.
>>>>>I have only made minor changes in the firewall I have
>>>>

Re: PIX VS CheckPoint [7:40136]

2002-04-07 Thread Reggie Dwight

As long as you're into comparing vendors, you might want to take a look at
Netscreen. The published data indicates it is every bit as fast, if not
faster, than PIX and has a GUI interface every bit as convenient as
Checkpoint.

It is also a whole lot less expensive than either.


"Jeffrey Reed" wrote in message
news:[EMAIL PROTECTED]...
> Has anyone performed or seen an in depth study of PIX vs Checkpoint? I have
> a customer who is looking at both. I've read various magazine articles, but
> nothing from real people such as this group! :)
>
> Thanks!!
>
> Jeffrey Reed
> Classic Networking, Inc.
> Cell 717-805-5536
> Office 717-737-8586
> FAX 717-737-0290




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40747&t=40136



RE: PIX VS CheckPoint [7:40136]

2002-04-07 Thread Mark Odette II

Timo- Which version of the PDM are you referring to that has the VPN config
capability??

I have 1.1.2 now, and I have not found that functionality... Am I just
overlooking something!?!?!

TIA for your response.

-Mark Odette II

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Timo Graser
Sent: Sunday, April 07, 2002 7:05 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX VS CheckPoint [7:40136]


The Pix also has a browser interface. The only disadvantage in the past
was that you could not configure a VPN. With the new PDM you will be
able to do this too.

So the only things in the future to do at the CLI will be to run setup and
then log in over your browser.

Jeffrey Reed wrote:

>IPSO comes with a nice web browser interface that I can teach a customer in
>a matter of minutes. You only need to access command line when you have
>support on the line. Also, Nokia certifies each CheckPoint release with
>their IPSO operating system to make sure they are more than compatible. This
>is a good solution if you're running CheckPoint. As X said, never run your
>firewall on NT!!
>
>Jeffrey Reed
>Classic Networking, Inc.
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of nrf
>Sent: Tuesday, April 02, 2002 9:21 PM
>To: [EMAIL PROTECTED]
>Subject: Re: PIX VS CheckPoint [7:40136]
>
>I knew somebody was going to come back with that.  All-right fine, it is
>indeed true that Ipso is a hacked version of Unix.  But then again, so is
>Cisco IOS and Juniper JunOS, and you could say that it helps to have
>knowledge of Unix to run either of those (especially JunOS).  The point I
>was trying to make is that by using a Nokia Ipso box, you don't subject
>yourself to the full-blown intricacies of Unix like you do when installing
>Checkpoint software on, say, a Sun box. I was trying to say that you could
>get by with less Unix skills than you could otherwise, I was not saying that
>you could get by with an absolute 100% complete whole-nine-yards lack of
>Unix knowledge.  Now, whether you consider that to be a good or bad thing is
>in the eyes of the beholder.
>
>
>
>"colin newman" wrote in message
>news:[EMAIL PROTECTED]...
>
>>Hi
>>
>>Nokia's IPSO OS is Unix.  It's a "hardened" and customized version of
>>FreeBSD.  I've worked on Nokia/CheckPoint boxes and it does help to have
>>knowledge of Unix.  I have not had the chance to work with PIX yet so I
>>can't comment on the merits of a CheckPoint/Nokia vs. PIX.  The only
>>negative thing I have to say about CheckPoint is their idiotic licensing
>>scheme, it's a pain and can be very confusing.
>>
>>
>>Colin
>>nrf wrote:
>>
>>>On the other hand, there's a distinct third option, which is to run
>>>Checkpoint on a dedicated hardware appliance, for example the Nokia Ipso
>>>line of gear.  This removes one of the Checkpoint disadvantages (don't need
>>>to know Unix or NT), but introduces another disadvantage (less flexible -
>>>you should have included in your advantages that regular Checkpoint is more
>>>flexible than Pix because you can integrate it with Unix and enjoy all the
>>>features of Unix, but of course with a Nokia, you don't have that).  In
>>>fact, the Pix and the Nokia Checkpoint are so close that it's almost a wash.
>>>I believe the Pix is faster, but the Nokia Checkpoint is still more flexible
>>>(but not as flexible as Checkpoint software).
>>>
>>>
>>>
>>>"Nurudeen Aderinto" wrote in message
>>>news:[EMAIL PROTECTED]...
>>>
>>>>Dear x,
>>>>
>>>>I love your presentation. You spoke well.
>>>>
>>>>Nurudeen
>>>>"x" wrote in message
>>>>news:[EMAIL PROTECTED]...
>>>>
>>>>>I have setup and managed both PIX and Checkpoint in a
>>>>>variety of environments.  I think they are both solid
>>>>>options in different situations.  Here is how I market
>>>>>these products.
>>>>>
>>>>>PIX
>>>>>- more cost effective
>>>>>- fast
>>>>>- you can have fail over
>>>>>- Can be more complicated to setup the CLI, but PIX
>>>>>has a nice feature of allowing all traffic out and
>>>>>none in by default.
>>>>>
>>>>>Who

RE: PIX VS CheckPoint [7:40136]

2002-04-08 Thread Tim O'Brien

With PDM 2.0 and PIX OS 6.2 you will be able to do this. It was supposed to
be out last month.. I guess they are still working the bugs out of it...

Tim
CCIE 9015


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Mark Odette II
Sent: Monday, April 08, 2002 2:48 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX VS CheckPoint [7:40136]


Timo- Which version of the PDM are you referring to that has the VPN config
capability??

I have 1.1.2 now, and I have not found that functionality... Am I just
overlooking something!?!?!

TIA for your response.

-Mark Odette II

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Timo Graser
Sent: Sunday, April 07, 2002 7:05 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX VS CheckPoint [7:40136]


The Pix also has a browser interface. The only disadvantage in the past
was that you could not configure a VPN. With the new PDM you will be
able to do this too.

So the only things in the future to do at the CLI will be to run setup and
then log in over your browser.

Jeffrey Reed wrote:

>IPSO comes with a nice web browser interface that I can teach a customer in
>a matter of minutes. You only need to access command line when you have
>support on the line. Also, Nokia certifies each CheckPoint release with
>their IPSO operating system to make sure they are more than compatible. This
>is a good solution if you're running CheckPoint. As X said, never run your
>firewall on NT!!
>
>Jeffrey Reed
>Classic Networking, Inc.
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of nrf
>Sent: Tuesday, April 02, 2002 9:21 PM
>To: [EMAIL PROTECTED]
>Subject: Re: PIX VS CheckPoint [7:40136]
>
>I knew somebody was going to come back with that.  All-right fine, it is
>indeed true that Ipso is a hacked version of Unix.  But then again, so is
>Cisco IOS and Juniper JunOS, and you could say that it helps to have
>knowledge of Unix to run either of those (especially JunOS).  The point I
>was trying to make is that by using a Nokia Ipso box, you don't subject
>yourself to the full-blown intricacies of Unix like you do when installing
>Checkpoint software on, say, a Sun box. I was trying to say that you could
>get by with less Unix skills than you could otherwise, I was not saying that
>you could get by with an absolute 100% complete whole-nine-yards lack of
>Unix knowledge.  Now, whether you consider that to be a good or bad thing is
>in the eyes of the beholder.
>
>
>
>"colin newman" wrote in message
>news:[EMAIL PROTECTED]...
>
>>Hi
>>
>>Nokia's IPSO OS is Unix.  It's a "hardened" and customized version of
>>FreeBSD.  I've worked on Nokia/CheckPoint boxes and it does help to have
>>knowledge of Unix.  I have not had the chance to work with PIX yet so I
>>can't comment on the merits of a CheckPoint/Nokia vs. PIX.  The only
>>negative thing I have to say about CheckPoint is their idiotic licensing
>>scheme, it's a pain and can be very confusing.
>>
>>
>>Colin
>>nrf wrote:
>>
>>>On the other hand, there's a distinct third option, which is to run
>>>Checkpoint on a dedicated hardware appliance, for example the Nokia Ipso
>>>line of gear.  This removes one of the Checkpoint disadvantages (don't need
>>>to know Unix or NT), but introduces another disadvantage (less flexible -
>>>you should have included in your advantages that regular Checkpoint is more
>>>flexible than Pix because you can integrate it with Unix and enjoy all the
>>>features of Unix, but of course with a Nokia, you don't have that).  In
>>>fact, the Pix and the Nokia Checkpoint are so close that it's almost a wash.
>>>I believe the Pix is faster, but the Nokia Checkpoint is still more flexible
>>>(but not as flexible as Checkpoint software).
>>>
>>>
>>>
>>>"Nurudeen Aderinto" wrote in message
>>>news:[EMAIL PROTECTED]...
>>>
>>>>Dear x,
>>>>
>>>>I love your presentation. You spoke well.
>>>>
>>>>Nurudeen
>>>>"x" wrote in message
>>>>news:[EMAIL PROTECTED]...
>>>>
>>>>>I have setup and managed both PIX and Checkpoint in a
>>>>>variety of environments.  I think they are both solid
>>>>>options in different situations.  Here is how I market
>>>>>these products.
>>>&g

Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-02 Thread Hatim badr

Hi,

I would like to know the pluses and minuses of each product.  Currently we
are using Checkpoint and I want to convince my management to switch to Cisco
PIX firewall.

Thanks 

Hatim 








Get free email and a permanent address at http://www.netaddress.com/?N=1




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=2878&t=2878



Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-02 Thread Jason Roysdon

Cisco's CCO has info:
http://cisco.com/go/pix/

Cisco always has links to studies that show them on top:
http://sartryck.idg.se/art/firewall7_eng.html

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/



"Hatim badr" wrote in message
news:[EMAIL PROTECTED]...
> Hi,
>
> I would like to know the pluses and minuses of each product.  Currently we
> are using Checkpoint and I want to convince my management to switch to Cisco
> PIX firewall.
>
> Thanks
>
> Hatim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=2940&t=2878



Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-03 Thread [EMAIL PROTECTED]

It depends on your security policy, design and needs, generally what we
advise our customers is checkpoint + pix together

Hatim badr wrote:

> Hi,
>
> I would like to know the pluses and minuses of each product.  Currently we
> are using Checkpoint and I want to convince my management to switch to Cisco
> PIX firewall.
>
> Thanks
>
> Hatim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3102&t=2878



RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-03 Thread Chuck Larrieu

Asked sincerely, what advantages do you see in provisions PIX plus
checkpoint?

Chuck

-Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent:   Thursday, May 03, 2001 2:47 PM
To: [EMAIL PROTECTED]
Subject:Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

It depends on your security policy, design and needs, generally what we
advise our customers is checkpoint + pix together

Hatim badr wrote:

> Hi,
>
> I would like to know the pluses and minuses of each product.  Currently we
> are using Checkpoint and I want to convince my management to switch to Cisco
> PIX firewall.
>
> Thanks
>
> Hatim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3106&t=2878



Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-03 Thread Eugene Nine

PIX goes up to layer 4, so it won't do things like URL filtering.
Checkpoint (or other SW) can do higher layer protection but may not be as
well at the lower layers (due to security holes in the OS, etc)
Eugene

"Chuck Larrieu" wrote in message
news:[EMAIL PROTECTED]...
> Asked sincerely, what advantages do you see in provisions PIX plus
> checkpoint?
>
> Chuck
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday, May 03, 2001 2:47 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
> It depends on your security policy, design and needs, generally what we
> advise our customers is checkpoint + pix together
>
> Hatim badr wrote:
>
> > Hi,
> >
> > I would like to know the pluses and minuses of each product.  Currently we
> > are using Checkpoint and I want to convince my management to switch to Cisco
> > PIX firewall.
> >
> > Thanks
> >
> > Hatim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3115&t=2878



Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-03 Thread Jason Roysdon

Up sell, up sell, up sell!  Increased revenues!  ;-)

Seriously, perhaps you could use the PIX to protect the Checkpoint running
on NT.  Ok, not too serious, hehee ;-p

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/



"Chuck Larrieu" wrote in message
news:[EMAIL PROTECTED]...
> Asked sincerely, what advantages do you see in provisions PIX plus
> checkpoint?
>
> Chuck
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday, May 03, 2001 2:47 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
> It depends on your security policy, design and needs, generally what we
> advise our customers is checkpoint + pix together
>
> Hatim badr wrote:
>
> > Hi,
> >
> > I would like to know the pluses and minuses of each product.  Currently we
> > are using Checkpoint and I want to convince my management to switch to Cisco
> > PIX firewall.
> >
> > Thanks
> >
> > Hatim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3131&t=2878



Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-03 Thread Jason Roysdon

You can run traffic through a Proxy box before it hits the PIX if URL
filtering is what you want.  Then block all :80 + :443 traffic through the
PIX from anything but the Proxy.  Or whatever protocols it is you want to
URL filter.  This way you get the best of both worlds.

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/



"Eugene Nine" wrote in message
news:[EMAIL PROTECTED]...
> PIX goes up to layer 4, so it won't do things like URL filtering.
> Checkpoint (or other SW) can do higher layer protection but may not be as
> well at the lower layers (due to security holes in the OS, etc)
> Eugene
>
> "Chuck Larrieu" wrote in message
> news:[EMAIL PROTECTED]...
> > Asked sincerely, what advantages do you see in provisions PIX plus
> > checkpoint?
> >
> > Chuck
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Thursday, May 03, 2001 2:47 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
> >
> > It depends on your security policy, design and needs, generally what we
> > advise our customers is checkpoint + pix together
> >
> > Hatim badr wrote:
> >
> > > Hi,
> > >
> > > I would like to know the pluses and minuses of each product.  Currently we
> > > are using Checkpoint and I want to convince my management to switch to Cisco
> > > PIX firewall.
> > >
> > > Thanks
> > >
> > > Hatim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3134&t=2878
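
The rule described in the message above (only the proxy may send :80 and :443 traffic through the PIX) can be checked mechanically. The following is an added example, not part of the original thread: a first-match audit of a PIX-style `access-list` that reports every permit letting a non-proxy source open web ports directly. The ACL text, the name `inside_out`, and the addresses 10.1.1.10 and 10.1.2.0/24 are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_NAMES = {"www": 80, "https": 443}   # port literals handled by this example

# Constructed sample ACL for the inside interface; 10.1.1.10 is a hypothetical proxy.
SAMPLE_ACL = """\
access-list inside_out permit tcp host 10.1.1.10 any eq www
access-list inside_out permit tcp host 10.1.1.10 any eq 443
access-list inside_out permit tcp 10.1.2.0 255.255.255.0 any eq 443
access-list inside_out deny tcp any any eq www
access-list inside_out deny tcp any any eq 443
access-list inside_out permit ip any any
"""

class Rule(NamedTuple):
    line: str
    permit: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: range                      # destination ports the rule covers

def _take_addr(tok):
    """Pop one address spec (any | host A | A NETMASK) off the token list."""
    first = tok.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")   # netmask, not wildcard

def _port(name):
    return PORT_NAMES[name] if name in PORT_NAMES else int(name)

def parse_acl(text):
    """Parse tcp/ip access-list lines; other protocols cannot carry web traffic."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] not in ("tcp", "ip"):
            continue
        rest = tok[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        if not rest:
            ports = range(0, 65536)
        elif rest[0] == "eq":
            ports = range(_port(rest[1]), _port(rest[1]) + 1)
        elif rest[0] == "range":
            ports = range(_port(rest[1]), _port(rest[2]) + 1)
        else:
            raise ValueError(f"unsupported port operator: {line}")
        rules.append(Rule(line.strip(), tok[2] == "permit", src, dst, ports))
    return rules

def find_bypasses(rules, proxy, web_ports=(80, 443)):
    """Return (port, rule_line) for each permit that lets a source other than
    the proxy reach tcp/<port> directly. Rules are evaluated first-match."""
    proxy_net = ipaddress.ip_network(proxy + "/32")
    findings = []
    for port in web_ports:
        # Source address space no earlier rule has decided yet (proxy excluded).
        undecided = list(ANY.address_exclude(proxy_net))
        for r in rules:
            if port not in r.ports:
                continue
            matched, still = False, []
            for net in undecided:
                if not net.overlaps(r.src):
                    still.append(net)
                    continue
                matched = True
                if r.dst != ANY:
                    still.append(net)     # only some destinations are decided
                elif r.src.subnet_of(net) and r.src != net:
                    still.extend(net.address_exclude(r.src))
                # otherwise net lies wholly inside r.src and is consumed
            if matched and r.permit:
                findings.append((port, r.line))
            undecided = still
        # whatever is still undecided falls through to the implicit deny
    return findings

if __name__ == "__main__":
    for port, line in find_bypasses(parse_acl(SAMPLE_ACL), "10.1.1.10"):
        print(f"tcp/{port} reachable without the proxy via: {line}")
```

Rules with a restricted destination are treated conservatively: a permit is reported, and the source range stays undecided for later rules.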



RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-04 Thread Jim Brown

Security holes in lower layers? Where did you come up with that, your Cisco
rep?

-Original Message-
From: Eugene Nine [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 03, 2001 5:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]


PIX goes up to layer 4, so it won't do things like URL filtering.
Checkpoint (or other SW) can do higher layer protection but may not be as
well at the lower layers (due to security holes in the OS, etc)
Eugene

"Chuck Larrieu" wrote in message
news:[EMAIL PROTECTED]...
> Asked sincerely, what advantages do you see in provisions PIX plus
> checkpoint?
>
> Chuck
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday, May 03, 2001 2:47 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
> It depends on your security policy, design and needs, generally what we
> advise our customers is checkpoint + pix together
>
> Hatim badr wrote:
>
> > Hi,
> >
> > I would like to know the pluses and minuses of each product.  Currently we
> > are using Checkpoint and I want to convince my management to switch to Cisco
> > PIX firewall.
> >
> > Thanks
> >
> > Hatim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3186&t=2878



Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-04 Thread Brian

In a serious enterprise of scale, I would indeed consider using both a pix
and a server based firewall.

Bri

- Original Message -
From: "Jim Brown" 
To: 
Sent: Friday, May 04, 2001 7:44 AM
Subject: RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]


> Security holes in lower layers? Where did you come up with that, your Cisco
> rep?
>
> -Original Message-
> From: Eugene Nine [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 03, 2001 5:01 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
>
> PIX goes up to layer 4, so it won't do things like URL filtering.
> Checkpoint (or other SW) can do higher layer protection but may not be as
> well at the lower layers (due to security holes in the OS, etc)
> Eugene
>
> "Chuck Larrieu" wrote in message
> news:[EMAIL PROTECTED]...
> > Asked sincerely, what advantages do you see in provisions PIX plus
> > checkpoint?
> >
> > Chuck
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Thursday, May 03, 2001 2:47 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
> >
> > It depends on your security policy, design and needs, generally what we
> > advise our customers is checkpoint + pix together
> >
> > Hatim badr wrote:
> >
> > > Hi,
> > >
> > > I would like to know the pluses and minuses of each product.  Currently we
> > > are using Checkpoint and I want to convince my management to switch to Cisco
> > > PIX firewall.
> > >
> > > Thanks
> > >
> > > Hatim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3192&t=2878



Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-04 Thread Allen May

PIX can do url filtering with Websense.
http://www.cisco.com/warp/public/cc/so/neso/sqso/csap/wbsn_rg.htm

Allen May
- Original Message -
From: "Jason Roysdon" 
To: 
Sent: Thursday, May 03, 2001 10:25 PM
Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]


> You can run traffic through a Proxy box before it hits the PIX if URL
> filtering is what you want.  Then block all :80 + :443 traffic through the
> PIX from anything but the Proxy.  Or whatever protocols it is you want to
> URL filter.  This way you get the best of both worlds.
>
> --
> Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
> List email: [EMAIL PROTECTED]
> Homepage: http://jason.artoo.net/
>
>
>
> "Eugene Nine" wrote in message
> news:[EMAIL PROTECTED]...
> > PIX goes up to layer 4, so it won't do things like URL filtering.
> > Checkpoint (or other SW) can do higher layer protection but may not be as
> > well at the lower layers (due to security holes in the OS, etc)
> > Eugene
> >
> > "Chuck Larrieu" wrote in message
> > news:[EMAIL PROTECTED]...
> > > Asked sincerely, what advantages do you see in provisions PIX plus
> > > checkpoint?
> > >
> > > Chuck
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > > [EMAIL PROTECTED]
> > > Sent: Thursday, May 03, 2001 2:47 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
> > >
> > > It depends on your security policy, design and needs, generally what we
> > > advise our customers is checkpoint + pix together
> > >
> > > Hatim badr wrote:
> > >
> > > > Hi,
> > > >
> > > > I would like to know the pluses and minuses of each product.  Currently we
> > > > are using Checkpoint and I want to convince my management to switch to Cisco
> > > > PIX firewall.
> > > >
> > > > Thanks
> > > >
> > > > Hatim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3199&t=2878



RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-04 Thread Maness, Drew

I don't think it is security holes at a lower layer.  Checkpoint installs
what they call a shiv between the network and data link layer to protect the
IP stack.  And if you were to take advantage of OS security flaws you would
be doing it at the Session Layer and above, not the lower layers.


About five years ago it used to be the case that application based firewalls
did not protect the network as well as packet filtering.  But that was
because people didn't really understand what a firewall was. Most people
considered a proxy server as a sort of firewall.

I remember a client telling me they were protected because they used
reserved ip address and M$ proxy.  In fact at the time M$ was marketing
their proxy server as a "poormans" firewall.

But today firewalls protect the IP stack.  And most people know that a proxy
is not a firewall.  So this hardware based is better than software based
stuff does not ring true. 

When someone asks me which is better Pix or Checkpoint, I tell them it
depends. I can find you studies that say Pix has better throughput than
Checkpoint and vice versa.

The real difference between them is that Checkpoint has a gui interface and
Pix has the o'l command line.  You can pretty much do the same thing with
them, so what it comes down to is what are you or your staff more
comfortable configuring.  Are you a cisco shop, buy the pix, are you an
NT/Unix shop, buy Checkpoint.  Beyond that it is all marketing semantics.

In fact I have heard, but not seen, that there is a new gui interface for
the Pix.  Anyone used it lately?

I haven't had time to work with it, since I'm preparing for this little known
lab called CCIE or something like that.  What's an IGP? (oh my brain is
starting to hurt...)

-Original Message-
From: Jim Brown [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 04, 2001 7:45 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]


Security holes in lower layers? Where did you come up with that, your Cisco
rep?

-Original Message-
From: Eugene Nine [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 03, 2001 5:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]


PIX goes up to layer 4, so it won't do things like URL filtering.
Checkpoint (or other SW) can do higher layer protection but may not be as
well at the lower layers (due to security holes in the OS, etc)
Eugene

""Chuck Larrieu""  wrote in message
news:[EMAIL PROTECTED]...
> Asked sincerely, what advantages do you see in provisions PIX plus
> checkpoint?
>
> Chuck
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday, May 03, 2001 2:47 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
> It depends on your security policy , design and needs  , generally what we
> advice our
> customers is checkpoint + pix together
>
> Hatim badr wrote:
>
> > Hi ,
> >
> > I would like to know the pluses and minuses of each product .  Currently
> We
> > are using checkpoint and I want to convince my management to switch to
> cisco
> > PIX firewall .
> >
> > Thanks
> >
> > Hatim
> >
> > 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3204&t=2878



RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-04 Thread Carroll Kong

At 10:44 AM 5/4/01 -0400, Jim Brown wrote:
>Security holes in lower layers? Where did you come up with that, your Cisco
>rep?
>
>-Original Message-
>From: Eugene Nine [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, May 03, 2001 5:01 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
>
>PIX goes up to layer 4, so it won't do things like URL filtering.
>Checkpoint (or other SW) can do higher layer protection but may not be as
>well at the lower layers (due to security holes in the OS, etc)
>Eugene

I think he is just pointing out that the underlying OS can be a potential 
security vulnerability.  It is kind of the "Don't use OpenBSD + IPFilter, 
use a PIX box since it is dedicated, no holes in the OS, etc".

My take on it is that everything needs some level of software to run, even 
the Pix, so if the argument is merely the OS, even the Pix is 
vulnerable.  A cursory look at bugtraq will show that Pix has been just as 
vulnerable as any other OS.  (ok, maybe not as bad as some of the more 
popular ones we know  ;)  )

One of the real reasons why people felt the "OS" could be vulnerable (in a 
general sense, not specifically to checkpoint) is the services they 
run.  It is somewhat trivial to lock down any box running any OS down to 
minimal services.  Very rarely are there inherent flaws in the OS itself 
that lead to a compromise; it is the services that do so.  However, most 
people are not "unix savvy" enough to lock down the box properly, so they 
open themselves up to script kiddies.

The Pix does a bit more (mini-proxy like actions like 'fixups'), so it 
actually lends itself to be slightly more vulnerable than say an OpenBSD 
box + IPFilter.  However, there are pros and cons in any field.  (learning 
curve of a unix box, OS is not optimized for packet filtering like Pix box, 
checkpoint more expensive?  etc).  I do not know much about the checkpoint.

Also, nowadays, there are very few OS specific holes, it's usually bad 
services/daemons.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3205&t=2878



Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-04 Thread Allen May

I installed the GUI for the PIX but haven't used it yet.  Letting something
else build my config just seems weird ;)  Almost like job security making a
flushing noise...rofl.

- Original Message -
From: "Maness, Drew" 
To: 
Sent: Friday, May 04, 2001 10:29 AM
Subject: RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]


> I don't think it is security holes at a lower layer.  Checkpoint installs
> what they call a shiv between the network and data link layer to protect
> the IP stack.  And if you were to take advantage of OS security flaws you
> would be doing it at the Session Layer and above, not the lower layers.
>
>
> About five years ago it used to be the case the application based
> firewalls did not protect the network as well as packet filtering.  But
> that was because people didn't really understand what a firewall was.
> Most people considered a proxy server as a sort of firewall.
>
> I remember a client telling me they were protected because they used
> reserved IP address and M$ proxy.  In fact at the time M$ was marketing
> their proxy server as a "poor man's" firewall.
>
> But today firewalls protect the IP stack.  And most people know that a
> proxy is not a firewall.  So this "hardware-based is better than
> software-based" stuff does not ring true.
>
> When someone asks me which is better, Pix or Checkpoint, I tell them it
> depends. I can find you studies that say Pix has better throughput than
> Checkpoint and vice versa.
>
> The real difference between them is that Checkpoint has a GUI interface
> and Pix has the ol' command line.  You can pretty much do the same thing
> with them, so what it comes down to is what you or your staff are more
> comfortable configuring.  Are you a Cisco shop? Buy the Pix. Are you an
> NT/Unix shop? Buy Checkpoint.  Beyond that it is all marketing semantics.
>
> In fact I have heard, but not seen, that there is a new GUI interface for
> the Pix.  Anyone used it lately?
>
> I haven't had time to work with it, since I'm preparing for this
> little-known lab called CCIE or something like that.  What's an IGP? (oh
> my brain is starting to hurt...)
>
> -Original Message-
> From: Jim Brown [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 04, 2001 7:45 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
>
> Security holes in lower layers? Where did you come up with that, your
Cisco
> rep?
>
> -Original Message-
> From: Eugene Nine [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 03, 2001 5:01 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
>
> PIX goes up to layer 4, so it won't do things like URL filtering.
> Checkpoint (or other SW) can do higher layer protection but may not be as
> well at the lower layers (due to security holes in the OS, etc)
> Eugene
>
> ""Chuck Larrieu""  wrote in message
> news:[EMAIL PROTECTED]...
> > Asked sincerely, what advantages do you see in provisions PIX plus
> > checkpoint?
> >
> > Chuck
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Thursday, May 03, 2001 2:47 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
> >
> > It depends on your security policy , design and needs  , generally what
we
> > advice our
> > customers is checkpoint + pix together
> >
> > Hatim badr wrote:
> >
> > > Hi ,
> > >
> > > I would like to know the pluses and minuses of each product .
Currently
> > We
> > > are using checkpoint and I want to convince my management to switch to
> > cisco
> > > PIX firewall .
> > >
> > > Thanks
> > >
> > > Hatim
> > >
> > > 

Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-04 Thread Eugene Nine

Well I opened a can of worms with this one.  I do know of Websense, I
believe I have read that Cisco is not going to be selling it in the future,
someone correct me if I am wrong there.  So far a properly configured PIX
has never been beat, there have been news stories of PIX's that have been
beat, but upon investigation there has been some config issue involved.  So
the recommended setup is to have more than one level, that way if someone
finds a hole in one layer, they hit another layer, this helps out if a
security hole happens to be found in any box, software or hardware, as well
as helps when there are any config mistakes that allow a hole.  I hope I
explained myself better this time.
Eugene

""Allen May""  wrote in message
news:[EMAIL PROTECTED]...
> PIX can do url filtering with Websense.
> http://www.cisco.com/warp/public/cc/so/neso/sqso/csap/wbsn_rg.htm
>
> Allen May
> - Original Message -
> From: "Jason Roysdon"
> To:
> Sent: Thursday, May 03, 2001 10:25 PM
> Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
>
> > You can run traffic through a Proxy box before it hits the PIX if URL
> > filtering is what you want.  Then block all :80 + :443 traffic through
the
> > PIX from anything but the Proxy.  Or whatever protocols it is you want
to
> > URL filter.  This way you get the best of both worlds.
> >
> > --
> > Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
> > List email: [EMAIL PROTECTED]
> > Homepage: http://jason.artoo.net/
> >
> >
> >
> > ""Eugene Nine""  wrote in message
> > news:[EMAIL PROTECTED]...
> > > PIX goes up to layer 4, so it won't do things like URL filtering.
> > > Checkpoint (or other SW) can do higher layer protection but may not be
> as
> > > well at the lower layers (due to security holes in the OS, etc)
> > > Eugene
> > >
> > > ""Chuck Larrieu""  wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > Asked sincerely, what advantages do you see in provisions PIX plus
> > > > checkpoint?
> > > >
> > > > Chuck
> > > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
> Of
> > > > [EMAIL PROTECTED]
> > > > Sent: Thursday, May 03, 2001 2:47 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
> > > >
> > > > It depends on your security policy , design and needs  , generally
> what
> > we
> > > > advice our
> > > > customers is checkpoint + pix together
> > > >
> > > > Hatim badr wrote:
> > > >
> > > > > Hi ,
> > > > >
> > > > > I would like to know the pluses and minuses of each product .
> > Currently
> > > > We
> > > > > are using checkpoint and I want to convince my management to
switch
> to
> > > > cisco
> > > > > PIX firewall .
> > > > >
> > > > > Thanks
> > > > >
> > > > > Hatim
> > > > >
> > > > >





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3214&t=2878



Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-04 Thread simonis

"Maness, Drew" wrote:
> 
> 
> But today firewalls protect the IP stack.  

While they are running, yes.  You can cause the software to crash, 
often leaving the machine, and the network, exposed.  This is one
of the big problems with a software firewall.

>And most people know that a proxy
> is not a firewall.  So this hardware based is better than software based
> stuff does not ring true.
> 

Don't tell this to Axent...  Raptor is an application proxy firewall,
and a right good one at that.  I think the main problem is that not 
many people actually understand what an application proxy is, nor do
they understand how one works.  Also, the definitions are a bit mixed
by the vendors...

From the dictionary:

Firewall.

Computer Science. Any of a number of security schemes that prevent 
unauthorized users from gaining access to a computer network or that 
monitor transfers of information to and from the network. 

Proxy. 

A mechanism authorized to act for another; an agent or a substitute.


Looking at it from this muddle, you can call many firewalls proxy
servers, and most proxy servers firewalls.  My rule has always been
to be strictly technical... there are Layer 7, or application level
gateways, and there are layer 2, circuit level gateways.  Figuring
out where a stateful inspection scheme like Checkpoint fits in is 
left as an exercise...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3213&t=2878



RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-04 Thread Jim Brown

On the flushing noise. It sounds more like job security to me! Which is
better, to have an effective, understandable security policy that is easily
managed through a GUI, or a complex command line driven attempt at a
security policy? The job security is in not making stupid mistakes in policy
design/implementation. An incident or compromise related to a stupid policy
mistake is the quickest way out the door.

As far as the PIX GUI is concerned, I was privileged enough to take a look
at a beta of it a month ago. It is strikingly similar in layout to the
CheckPoint GUI. It is definitely a step in the right direction. Had Cisco
been more generous on trade-in values I would be the latest convert to the
PIX cult.

CheckPoint's biggest downfall is support. It downright stinks. If anything
can topple them from their perch, support will be it. There is no TAC to call
and get a person who can answer your question. The top support people are in
friggin' Israel working 9-5 hours for god's sake. You do the math and
timezone conversion.

They are both great products, but when someone starts saying one is more
secure than the other, hold on!

A couple parting questions for stimulating conversation

Can you manage and install policy to multiple PIX firewalls simultaneously?
(With a $15K add-on)

How often do your throughput needs exceed the ~80Mb threshold of CheckPoint?

Who has 52% market share?

The right product for the right environment.


-Original Message-
From: Allen May [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 04, 2001 10:05 AM
To: [EMAIL PROTECTED]
Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]


I installed the GUI for the PIX but haven't used it yet.  Letting something
else build my config just seems weird ;)  Almost like job security making a
flushing noise...rofl.

- Original Message -
From: "Maness, Drew" 
To: 
Sent: Friday, May 04, 2001 10:29 AM
Subject: RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]


> I don't think it is security holes at a lower layer.  Checkpoint installs
> what they call a shiv between the network and data link layer to protect
> the IP stack.  And if you were to take advantage of OS security flaws you
> would be doing it at the Session Layer and above, not the lower layers.
>
>
> About five years ago it used to be the case the application based
> firewalls did not protect the network as well as packet filtering.  But
> that was because people didn't really understand what a firewall was.
> Most people considered a proxy server as a sort of firewall.
>
> I remember a client telling me they were protected because they used
> reserved IP address and M$ proxy.  In fact at the time M$ was marketing
> their proxy server as a "poor man's" firewall.
>
> But today firewalls protect the IP stack.  And most people know that a
> proxy is not a firewall.  So this "hardware-based is better than
> software-based" stuff does not ring true.
>
> When someone asks me which is better, Pix or Checkpoint, I tell them it
> depends. I can find you studies that say Pix has better throughput than
> Checkpoint and vice versa.
>
> The real difference between them is that Checkpoint has a GUI interface
> and Pix has the ol' command line.  You can pretty much do the same thing
> with them, so what it comes down to is what you or your staff are more
> comfortable configuring.  Are you a Cisco shop? Buy the Pix. Are you an
> NT/Unix shop? Buy Checkpoint.  Beyond that it is all marketing semantics.
>
> In fact I have heard, but not seen, that there is a new GUI interface for
> the Pix.  Anyone used it lately?
>
> I haven't had time to work with it, since I'm preparing for this
> little-known lab called CCIE or something like that.  What's an IGP? (oh
> my brain is starting to hurt...)
>
> -Original Message-
> From: Jim Brown [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 04, 2001 7:45 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
>
> Security holes in lower layers? Where did you come up with that, your
Cisco
> rep?
>
> -Original Message-
> From: Eugene Nine [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 03, 2001 5:01 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
>
> PIX goes up to layer 4, so it won't do things like URL filtering.
> Checkpoint (or other SW) can do higher layer protection but may not be as
> well at the lower layers (due to security holes in the OS, etc)
> Eugene
>
> ""Chuck Larrieu""  wrote in message
> news:[EMAIL PROTECTED]...
> > Asked sincerely, what advantages do you see in provisions PIX plus
> > checkpoint?
> >
> > Chuck

RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-04 Thread Dave Chappell

This might be of interest:

http://www.roble.com/docs/fw1_or_pix.html

Dave

-Original Message-
From: Brian [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 04, 2001 10:52 AM
To: [EMAIL PROTECTED]
Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]


In a serious enterprise of scale, I would indeed consider using both a pix
and a server based firewall.

Bri

- Original Message -
From: "Jim Brown" 
To: 
Sent: Friday, May 04, 2001 7:44 AM
Subject: RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]


> Security holes in lower layers? Where did you come up with that, your
Cisco
> rep?
>
> -Original Message-
> From: Eugene Nine [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 03, 2001 5:01 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
>
> PIX goes up to layer 4, so it won't do things like URL filtering.
> Checkpoint (or other SW) can do higher layer protection but may not be as
> well at the lower layers (due to security holes in the OS, etc)
> Eugene
>
> ""Chuck Larrieu""  wrote in message
> news:[EMAIL PROTECTED]...
> > Asked sincerely, what advantages do you see in provisions PIX plus
> > checkpoint?
> >
> > Chuck
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Thursday, May 03, 2001 2:47 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
> >
> > It depends on your security policy , design and needs  , generally what
we
> > advice our
> > customers is checkpoint + pix together
> >
> > Hatim badr wrote:
> >
> > > Hi ,
> > >
> > > I would like to know the pluses and minuses of each product .
Currently
> > We
> > > are using checkpoint and I want to convince my management to switch to
> > cisco
> > > PIX firewall .
> > >
> > > Thanks
> > >
> > > Hatim
> > >
> > > 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3248&t=2878



RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-04 Thread Chuck Larrieu

Interesting read. Thanks.

Goes to show - Cisco excels in service and support.  I used to think the
licensing procedure for Ciscoworks and Baseliner was a pain. Wow, what a
breeze compared to Checkpoint!

Another interesting comment - the PIX 506 licensing. Cisco has taken to
being very opaque about what a PIX 506 can and should do. Last time I
checked, Cisco's party line was that the 506 is good for "up to 10 internet
connections" and the folks at the pre-sales help line I spoke to were unable
to clarify this statement. Interesting, since I had recalled from
documentation that has long since been deleted from CCO, that the 506 was
good for several thousand simultaneous TCP connections, which is plenty for
any business of a couple hundred users. I suspect Cisco kinda shot
themselves in the foot with the 506, in that it is undercutting sales of
515's to small enterprises.

Chuck

-Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave
Chappell
Sent:   Friday, May 04, 2001 3:14 PM
To: [EMAIL PROTECTED]
Subject:        RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

This might be of interest:

http://www.roble.com/docs/fw1_or_pix.html

Dave

-Original Message-
From: Brian [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 04, 2001 10:52 AM
To: [EMAIL PROTECTED]
Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]


In a serious enterprise of scale, I would indeed consider using both a pix
and a server based firewall.

Bri

- Original Message -
From: "Jim Brown"
To:
Sent: Friday, May 04, 2001 7:44 AM
Subject: RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]


> Security holes in lower layers? Where did you come up with that, your
Cisco
> rep?
>
> -Original Message-
> From: Eugene Nine [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 03, 2001 5:01 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
>
> PIX goes up to layer 4, so it won't do things like URL filtering.
> Checkpoint (or other SW) can do higher layer protection but may not be as
> well at the lower layers (due to security holes in the OS, etc)
> Eugene
>
> ""Chuck Larrieu""  wrote in message
> news:[EMAIL PROTECTED]...
> > Asked sincerely, what advantages do you see in provisions PIX plus
> > checkpoint?
> >
> > Chuck
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Thursday, May 03, 2001 2:47 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
> >
> > It depends on your security policy , design and needs  , generally what
we
> > advice our
> > customers is checkpoint + pix together
> >
> > Hatim badr wrote:
> >
> > > Hi ,
> > >
> > > I would like to know the pluses and minuses of each product .
Currently
> > We
> > > are using checkpoint and I want to convince my management to switch to
> > cisco
> > > PIX firewall .
> > >
> > > Thanks
> > >
> > > Hatim
> > >
> > > 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3252&t=2878



Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-05 Thread Jason Roysdon

Huh?  How would the PIX fixups possibly lead to security holes?  They're
there to protect the end device and only allow in the RFC commands (which
can actually be a pain, like with SMTP mailguard being too strict for SMTP
authentication on Exchange).  I don't see how this can be a security hole,
but prevents them on flawed/badly coded end devices.

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/



""Carroll Kong""  wrote in message
news:[EMAIL PROTECTED]...
> At 10:44 AM 5/4/01 -0400, Jim Brown wrote:

> The Pix does a bit more (mini-proxy like actions like 'fixups'), so it
> actually lends itself to be slightly more vulnerable than say an OpenBSD
> box + IPFilter.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3340&t=2878



Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-05 Thread Carroll Kong

At 11:37 PM 5/5/01 -0400, Jason Roysdon wrote:
>Huh?  How would the PIX fixups possibly lead to security holes?  They're
>there to protect the end device and only allow in the RFC commands (which
>can actually be a pain, like with SMTP mailguard being too strict for SMTP
>authentication on Exchange).  I don't see how this can be a security hole,
>but prevents them on flawed/badly coded end devices.
>
>--
>Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
>List email: [EMAIL PROTECTED]
>Homepage: http://jason.artoo.net/
>
>""Carroll Kong""  wrote in message
>news:[EMAIL PROTECTED]...
> > At 10:44 AM 5/4/01 -0400, Jim Brown wrote:
>
> > The Pix does a bit more (mini-proxy like actions like 'fixups'), so it
> > actually lends itself to be slightly more vulnerable than say an OpenBSD
> > box + IPFilter.

Anytime you try to do more than simple layer 3 packet filtering you are 
running into dangerous territory.  Anytime you try to touch the layer 7 
(fix up / quasi proxy), you are asking for possible danger.

Good security sense due to experience from programming knows, less 
features, less bugs, less exploits despite their best intentions.

http://www.securityfocus.com/frames/?content=/templates/advisory.html%3Fid%3D2133

In theory, you are right.  In theory, firewalls + proxies create a powerful 
security environment.  However, in theory of security, you cannot fully 
trust anything, that rule should supersede the other two.  (and of course 
bad users are the ultimate weak link, but I digress).

If an exploit has happened once, do not think it cannot happen again.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3343&t=2878
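
The fixup behaviour debated in the two posts above (Jason Roysdon's "only allow in the RFC commands" and Carroll Kong's point that touching layer 7 means more code handling untrusted input), as an added example that is not part of either post and is not Cisco's code. It is a simplified Python model of an SMTP command filter that forwards only the RFC 821 minimum command set; the class and function names, the same-length X masking as modelled here, and the sample session are constructed for illustration.

```python
"""Simplified model of an SMTP command filter in the style of the PIX
'fixup protocol smtp' (Mail Guard) feature discussed in this thread.
Illustrative only: not Cisco code; the session below is constructed."""

# RFC 821 section 4.5.1 minimum command set: the only verbs forwarded.
ALLOWED = {b"HELO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP", b"QUIT"}


class SmtpCommandFilter:
    """Sits between client and server for one SMTP session."""

    def __init__(self):
        self.data_pending = False  # client sent DATA, server has not replied
        self.in_data = False       # message body is flowing
        self.masked = []           # verbs that were masked, for logging

    def from_server(self, line):
        """Replies pass unchanged; only a 354 reply opens the body phase."""
        if self.data_pending:
            self.in_data = line.startswith(b"354")
            self.data_pending = False
        return line

    def from_client(self, line):
        """Return the bytes to forward to the server for one client line."""
        body = line.rstrip(b"\r\n")
        eol = line[len(body):]
        if self.in_data:
            # Body lines are content, not commands. A lone "." ends the body.
            if body == b".":
                self.in_data = False
            return line
        if not body:
            return line
        verb = body.split(b" ", 1)[0].upper()
        if verb in ALLOWED:
            self.data_pending = (verb == b"DATA")
            return line
        # Modelling choice: overwrite the whole command with X characters of
        # the same length, so the server itself answers "500 unrecognized".
        self.masked.append(verb.decode("ascii", "replace"))
        return b"X" * len(body) + eol


def run_session(exchange):
    """exchange is a list of ("C" or "S", bytes) in wire order.
    Returns (client lines as forwarded to the server, masked verbs)."""
    flt = SmtpCommandFilter()
    forwarded = []
    for side, line in exchange:
        if side == "C":
            forwarded.append(flt.from_client(line))
        else:
            flt.from_server(line)
    return forwarded, flt.masked


# Constructed session: the client tries ESMTP and AUTH (what SMTP
# authentication needs), falls back to HELO, sends one message, then VRFY.
SESSION = [
    ("S", b"220 mail.example.test ESMTP\r\n"),
    ("C", b"EHLO client.example.test\r\n"),
    ("S", b"500 Command unrecognized\r\n"),
    ("C", b"AUTH LOGIN\r\n"),
    ("S", b"500 Command unrecognized\r\n"),
    ("C", b"helo client.example.test\r\n"),
    ("S", b"250 mail.example.test\r\n"),
    ("C", b"MAIL FROM:<a@example.test>\r\n"),
    ("S", b"250 OK\r\n"),
    ("C", b"RCPT TO:<b@example.test>\r\n"),
    ("S", b"250 OK\r\n"),
    ("C", b"DATA\r\n"),
    ("S", b"354 End data with <CR><LF>.<CR><LF>\r\n"),
    ("C", b"VRFY is just text inside the body\r\n"),
    ("C", b".\r\n"),
    ("S", b"250 Queued\r\n"),
    ("C", b"VRFY root\r\n"),
    ("S", b"500 Command unrecognized\r\n"),
    ("C", b"QUIT\r\n"),
]

if __name__ == "__main__":
    lines, masked = run_session(SESSION)
    for out in lines:
        print(out.decode("ascii").rstrip())
    print("masked verbs:", masked)
```

EHLO and AUTH never reach the server, which is the SMTP authentication breakage mentioned above. The filter is only correct while its DATA state matches the server's, which is the kind of extra state and parsing a plain packet filter does not carry.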



Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-05 Thread Jason Roysdon

I've got a customer with 600 employees using a 506 with no problems.  The
biggest limitation is that it only has two ports, so you're not going to add
a DMZ off it, and IPSEC is only getting something like a 4 or 5mb throughput
(10mbit ports on it).  Of course, this customer only has a T1, so the
1.5mbit connection is the limit, not the PIX.  We're actually doing VPN
IPSEC tunnels to a number of "test sites" (my house, my office, my boss'
house) and have 7960 IP Phones working remotely.  Works great so far.

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/



""Chuck Larrieu""  wrote in message
news:[EMAIL PROTECTED]...
> Interesting read. Thanks.
>
> Goes to show - Cisco excels in service and support.  I used to think the
> licensing procedure for Ciscoworks and Baseliner was a pain. Wow, what a
> breeze compared to Checkpoint!
>
> Another interesting comment - the PIX 506 licensing. Cisco has taken to
> being very opaque about what a PIX 506 can and should do. Last time I
> checked, Cisco's party line was that the 506 is good for "up to 10
internet
> connections" and the folks at the pre-sales help line I spoke to were
unable
> to clarify this statement. Interesting, since I had recalled from
> documentation that has long since been deleted from CCO, that the 506 was
> good for several thousand simultaneous TCP connections, which is plenty
for
> any business of a couple hundred users. I suspect Cisco kinda shot
> themselves in the foot with the 506, in that it is undercutting sales of
> 515's to small enterprises.
>
> Chuck
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Dave
> Chappell
> Sent: Friday, May 04, 2001 3:14 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
> This might be of interest:
>
> http://www.roble.com/docs/fw1_or_pix.html
>
> Dave
>
> -Original Message-
> From: Brian [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 04, 2001 10:52 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
>
> In a serious enterprise of scale, I would indeed consider using both a pix
> and a server based firewall.
>
> Bri
>
> - Original Message -
> From: "Jim Brown"
> To:
> Sent: Friday, May 04, 2001 7:44 AM
> Subject: RE: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
>
> > Security holes in lower layers? Where did you come up with that, your
> > Cisco rep?
> >
> > -Original Message-
> > From: Eugene Nine [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, May 03, 2001 5:01 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
> >
> >
> > PIX goes up to layer 4, so it won't do things like URL filtering.
> > Checkpoint (or other SW) can do higher layer protection but may not be as
> > well at the lower layers (due to security holes in the OS, etc)
> > Eugene
> >
> > "Chuck Larrieu" wrote in message news:[EMAIL PROTECTED]...
> > > Asked sincerely, what advantages do you see in provisioning PIX plus
> > > checkpoint?
> > >
> > > Chuck
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> > > Sent: Thursday, May 03, 2001 2:47 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
> > >
> > > It depends on your security policy, design and needs, generally what we
> > > advise our customers is checkpoint + pix together
> > >
> > > Hatim badr wrote:
> > >
> > > > Hi ,
> > > >
> > > > I would like to know the pluses and minuses of each product. Currently we
> > > > are using checkpoint and I want to convince my management to switch to
> > > > cisco PIX firewall.
> > > >
> > > > Thanks
> > > >
> > > > Hatim
> > > >
> > > > 
> > > > Get free email and a permanent address at
> http://www.netaddress.com/?N=1
> > > > FAQ, list archives, and subscription info:
> > > http://www.groupstudy.com/list/cisco.html
> > > > Report misconduct and Nondisclosure violat

Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]

2001-05-05 Thread Jason Roysdon

True, true.  Good point.  Of course, you can always disable all the fixups ;-)

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/



"Carroll Kong" wrote in message news:[EMAIL PROTECTED]...
> At 11:37 PM 5/5/01 -0400, Jason Roysdon wrote:
> >Huh?  How would the PIX fixups possibly lead to security holes?  They're
> >there to protect the end device and only allow in the RFC commands (which
> >can actually be a pain, like with SMTP mailguard being too strict for SMTP
> >authentication on Exchange).  I don't see how this can be a security hole,
> >but prevents them on flawed/badly coded end devices.
> >
> >--
> >Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
> >List email: [EMAIL PROTECTED]
> >Homepage: http://jason.artoo.net/
> >
> >"Carroll Kong" wrote in message news:[EMAIL PROTECTED]...
> > > At 10:44 AM 5/4/01 -0400, Jim Brown wrote:
> >
> > > The Pix does a bit more (mini-proxy like actions like 'fixups'), so it
> > > actually lends itself to be slightly more vulnerable than say an OpenBSD
> > > box + IPFilter.
>
> Anytime you try to do more than simple layer 3 packet filtering you are
> running into dangerous territory.  Anytime you try to touch the layer 7
> (fix up / quasi proxy), you are asking for possible danger.
>
> Good security sense due to experience from programming knows, less
> features, less bugs, less exploits despite their best intentions.
>
>
> http://www.securityfocus.com/frames/?content=/templates/advisory.html%3Fid%3D2133
>
> In theory, you are right.  In theory, firewalls + proxies create a powerful
> security environment.  However, in theory of security, you cannot fully
> trust anything, that rule should supersede the other two.  (and of course
> bad users are the ultimate weak link, but I digress).
>
> If an exploit has happened once, do not think it cannot happen again.
>
>
>
> -Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3350&t=2878
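
The fixup exchange above, as an added example that is not part of the original posts and is not Cisco's code: a simplified model of a strict SMTP command allow-list, showing why ESMTP authentication fails through it and how much protocol state even a small layer 7 filter has to track. It assumes the filter permits only the seven minimum RFC 821 commands and masks anything else with "X" characters; the function name and the sample session are constructed.

```python
# Added illustration: simplified model of a strict SMTP command filter.
# Assumption: only the seven minimum RFC 821 commands are permitted.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def filter_session(client_lines):
    """Return (forwarded_lines, blocked_verbs) for one client-to-server stream.

    Lines are given without CRLF. A blocked command is forwarded with every
    character replaced by "X" (a modelling choice), so the server rejects it
    as unrecognized instead of acting on it.
    """
    forwarded, blocked = [], []
    # True between DATA and the lone "." line. Simplification: the model
    # assumes the server accepted DATA instead of tracking its 354 reply.
    in_data = False
    for line in client_lines:
        if in_data:
            # Message body is not parsed as commands; "." alone ends it.
            forwarded.append(line)
            if line == ".":
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ALLOWED:
            forwarded.append(line)
            in_data = verb == "DATA"
        else:
            blocked.append(verb)
            forwarded.append("X" * len(line))
    return forwarded, blocked


# Constructed sample session: an ESMTP client attempting authentication.
SAMPLE = [
    "EHLO client.example",
    "AUTH LOGIN",
    "HELO client.example",
    "MAIL FROM:<a@example.com>",
    "RCPT TO:<b@example.com>",
    "DATA",
    "Subject: test",
    "AUTH is just body text here",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    out, blocked_verbs = filter_session(SAMPLE)
    print("blocked:", blocked_verbs)
    for forwarded_line in out:
        print(forwarded_line)
```

EHLO and AUTH are masked while the same word inside the message body passes untouched, which is the state tracking that makes such a filter both useful and a piece of parsing code that can itself contain bugs.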