Funky Unix exploits tend to only happen when people, for some odd 
reason, decide to open up public services on those machines.  The same 
problem exists with NT, but usually it has silly library sploits as well.
         Any decent security admin can lock down any box running any 
OS.  The problem I would fear of using an OS based vs appliance based is 
making sure they cannot do more damage with it.  A hacked Unix box can do 
oodles more damage than a hacked Windows box.  Of course, you can lock down 
the amount of binaries on the machine to make it very hard to continue 
attacking.  These are super hardened boxes.  Disabling services, any good 
admin can do in his sleep.  Hardening the box by removing specific binaries 
is a bit more difficult.  Have you checked the Nokia 440s or 330s 
"appliance like" boxes?  They run a BSD variant (IIRC), and are quite 
secure OS-wise.  Yes, Checkpoint runs on them as well.  Now, Checkpoint's 
security issues, that's a different story.  You will find most of the 
security holes in Checkpoint are because of Checkpoint itself, not the 
OS.  As for running it under NT, all I can say to the man who suggested it 
is, "What are you thinking?"
         On the side, Pix has flaws too.  To be fair, I do not think there 
has been any firewall product released without a security exploit either in 
its rule handling or in its management interface.
         I think Checkpoint can interoperate between some other devices as 
well.  So this is not a big deal.
         Supposedly, skip Checkpoint-specific tech support and get it from 
Nokia.  Nokia surprisingly has better Checkpoint guys than Checkpoint 
themselves.
         I agree that anything command line based can be configured far 
faster.  I think we all know the reason why people still go with 
Checkpoint.  For some odd reason, some companies either believe that having 
an "easier to use" firewall will allow for a more secure network (insert 
your laughter here), or they believe that command line firewalls are "too 
hard to use" (insert more laughter).  Sigh.  My take on it: if you do not 
understand firewalling theory, you will not understand it with or without a 
GUI.  Syntax aside, that's trivial.  Ask any programmer who can make 
this analogy.  The key is understanding fundamentals, not understanding 
mouse clicks.
         Finally, I am not arguing for or against the Pix or 
Checkpoint.  Personally, I find they both have glaring problems that I am 
shocked to find.  They also have their own specific advantages.  However, I 
find some of your points are not necessarily valid.

At 07:42 AM 1/2/02 -0500, Tim O'Brien wrote:
>A couple of points, and I will then get off of my soapbox...
>
>Checkpoint NG is STILL an application running on UNIX or NT, not a self
>contained appliance. Personally I love Microsoft (let the flames begin!),
>however, with the critical updates that I see getting installed on my 2000
>and XP workstations I am POSITIVE that I would not want to trust my company
>security to it. Another point... Have you ever installed and configured a
>Checkpoint firewall? You can have the PIX up and running with failover even
>before you get the OS half installed on the new server that you need to buy
>for it, thus raising the cost for an already more expensive solution in
>man-hours and equipment. The PIX is also very interoperable with other
>devices in the network. You can create PIX to PIX or PIX to IOS or PIX to
>3000VPN site-to-site with other offices or home offices with built in 56bit
>DES or available 3DES. You can tunnel in VPN clients (free Cisco VPN client
>available). You can tunnel in Microsoft PPTP or L2TP sessions. And one last
>point, Have you ever had to get support from Checkpoint??? enough said about
>that one...
>
>If you would like to discuss further contact me offline...
>
>Tim
>
>----- Original Message -----
>From: "[EMAIL PROTECTED]"
>
>To:
>Sent: Wednesday, January 02, 2002 4:05 AM
>Subject: Re: OT - Firewall performance Comparisons - is it quitting time
>[7:30652]
>
>
> > For quite a while CheckPoint has been outperforming every single Firewall
> > in the market, especially in the CheckPoint Next Generation Firewall
> > version and with the release of their SecureXL API.
> > It is important to remember that performance is not everything that needs
> > to be compared while testing a Firewall.
> > I love the Cisco PIX but the CheckPoint NG is amazing.
> >
> > Gil
-Carroll Kong
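The hardening steps Carroll mentions, disabling services and trimming the privileged binaries left on a firewall host, are easy to state and easy to let drift. The script below is an added example, not code from the thread or from any vendor: a small POSIX sh audit that (1) reports what is actually listening, parsed from a file in Linux /proc/net/tcp layout, and (2) reports setuid/setgid binaries under a root that are not on an allowlist. The /proc/net/tcp sample and the file names in the demo are constructed for illustration; the function names, the allowlist format and the "one relative path per line" convention are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes Linux-style
# /proc/net/tcp input for the listener check; sample data is constructed.

# Print the local ports of sockets in LISTEN state (state column == 0A) from
# a file in /proc/net/tcp format, one decimal port per line, sorted, unique.
listening_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
    while IFS= read -r hex; do
        printf '%d\n' "$((0x$hex))"   # hex port -> decimal
    done | sort -n | uniq
}

# Print listening ports that are NOT in the space-separated list ALLOWED.
# Returns 1 if any unexpected listener exists, 0 otherwise.
unexpected_ports() {
    file=$1 allowed=" $2 "
    status=0
    for p in $(listening_ports "$file"); do
        case "$allowed" in
            *" $p "*) ;;
            *) echo "unexpected listener on port $p"; status=1 ;;
        esac
    done
    return $status
}

# Print setuid/setgid regular files under ROOT that are not listed in the
# allowlist file ALLOW (one path per line, relative to ROOT, e.g. bin/su).
# Returns 1 if any unexpected privileged binary is found, 0 otherwise.
audit_privileged() {
    root=$1 allow=$2
    unexpected=$(cd "$root" && find . -type f \( -perm -4000 -o -perm -2000 \) \
        | sed 's|^\./||' | sort | grep -vxF -f "$allow" || :)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected" | sed 's/^/unexpected privileged binary: /'
    return 1
}

# Constructed sample in /proc/net/tcp layout: a listener on 22 (0x0016), a
# listener on 25 (0x0019), and one established connection (state 01).
write_sample_tcp() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0A000001:0016 0A000002:D431 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 20 4 30 10 -1
EOF
}

# Stand-alone demo: `sh audit.sh --demo`. Builds a throwaway tree with a
# few empty files standing in for binaries (constructed, not real paths).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_tcp "$tmp/tcp"
    echo "listening: $(listening_ports "$tmp/tcp" | tr '\n' ' ')"
    unexpected_ports "$tmp/tcp" "22"            # flags port 25
    mkdir -p "$tmp/root/bin" "$tmp/root/usr/bin"
    : > "$tmp/root/bin/su";         chmod 4755 "$tmp/root/bin/su"
    : > "$tmp/root/usr/bin/passwd"; chmod 4755 "$tmp/root/usr/bin/passwd"
    : > "$tmp/root/usr/bin/at";     chmod 2755 "$tmp/root/usr/bin/at"
    printf 'bin/su\nusr/bin/passwd\n' > "$tmp/allow"
    audit_privileged "$tmp/root" "$tmp/allow"   # flags usr/bin/at
    rm -rf "$tmp"
fi
```

On a real host you would point `listening_ports` at `/proc/net/tcp` (and `/proc/net/tcp6`, `/proc/net/udp` for the other tables) and `audit_privileged` at `/`, and keep the allowlist under version control so the audit flags drift rather than the baseline.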

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30675&t=30675
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html