Having worked with both Cisco PIX and Checkpoint Firewall running on Nokia platforms, even though I am NOT an expert in either, let me make a few comments:

1) Checkpoint Firewall, even though it is an application, if you run Checkpoint on Nokia platforms, which use IPSO (a NetBSD-like kernel), is very robust, powerful and secure. The Nokia platform is a NAP, just like Cisco PIX. Let me also add that the BSD platform is the most secure platform one can find. Now, if someone is stupid enough to run a Firewall on a general-purpose platform such as Solaris or NT, then he/she should not be in the Firewall business in the first place.

2) Configuring Checkpoint/IPSO on the Nokia platform is very easy. I use Perl/Expect scripts to set up the Nokia IPSO box. This task takes less than 10 minutes and is very robust. As far as Checkpoint is concerned, the point-and-click makes it very easy.

3) If you are working in an Enterprise environment and you have a few PIXes to manage, that might not be so bad. However, if you have at least twenty PIXes to manage, good luck. There is no good management software for PIXes at the moment. Don't talk to me about the CSPM crap running on Windows platforms. Maybe Cisco will incorporate PIX support in the next release of its Hosting Solution Engine. On the other hand, Checkpoint MDS is second to none. It allows you to manage up to 200 Checkpoints per MDS.

4) You can create VPNs between Checkpoint and other vendors such as Netscreen, PIX and other vendors out there, and tunnel PPTP and L2TP VPN clients as well. Again, if you are using PPTP as your VPN, then you should NOT be a Firewall Engineer in the first place.

5) With Cisco PIX, you cannot use RSA key authentication; only password is supported. Furthermore, since we are talking about security, PIX uses tftp to upload/download its configuration file (clear text). Now tell me if that is good security practice. Furthermore, if you have read the security bulletins lately, there are a lot of holes in version 1 of Secure Shell, which PIX supports (PIX does NOT support version 2). With Nokia platforms, you can use Secure Copy (scp) to upload/download the configuration. The new version of Nokia even supports DSA and SSH version 2, which is very secure.

6) Cisco PIX is pretty much a packet-filtering firewall to me (I don't care what anyone might say otherwise). It uses the same access-lists as Cisco routers. It does have "some" stateful inspection capabilities, but not as much as Checkpoint. If you are looking for a firewall with sheer performance in terms of packet-filtering and limited 'stateful' inspection, then PIX might be the right choice. I like the PIX-535 model a lot in terms of performance.

7) Yes, support from Checkpoint sucks. Support from Cisco is much better.

8) One thing I like about the PIXes is that it takes about 2 minutes to restore a PIX firewall if one happens to crash (due to hardware). It takes about 10 minutes to do so with Nokia/Checkpoint.

9) PIX Firewall versions 6.0(1) and 6.1(1) and PDM 1.1(2) have quite a few security holes, especially with the Secure Shell and Secure Socket Layer (SSL) for its PIX Device Manager (PDM).

I am saying that PIX is a bad product and Nokia/Checkpoint is a good one. If you are familiar with Unix, you will like Nokia/Checkpoint. On the other hand, if you are already familiar with routers/switches and come from a Windows background, then you will like Cisco PIX.

Contact me off-line if you want to discuss this further.
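As an added illustration of the SSH version point in item 5 above (this is not code from the original post, and the device names and banner strings below are constructed for the example), here is a small Python script that parses an SSH server's identification string the way an auditor would when checking whether a firewall's management channel still offers protocol version 1. Per RFC 4253, a server announcing "1.99" is a version 2 implementation that also accepts version 1 clients, so it is flagged alongside the pure version 1 case; fetch_banner is a plain network call for use against your own devices and is not exercised by the offline audit.

```python
import re
import socket

# Constructed sample banners (not captured from any real device). They show the
# three shapes of an SSH identification string plus a non-SSH service, so the
# parser's handling of each case can be seen without touching the network.
SAMPLE_BANNERS = {
    "fw-a": "SSH-1.5-Generic_v1_only\r\n",      # protocol 1 only
    "fw-b": "SSH-1.99-OpenSSH_3.4p1\r\n",       # accepts both 1.x and 2.0 clients
    "fw-c": "SSH-2.0-OpenSSH_9.6\r\n",          # protocol 2 only
    "fw-d": "220 some-other-service ready\r\n",  # not SSH at all
}

# RFC 4253 section 4.2: SSH-protoversion-softwareversion [SP comments] CR LF
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def classify_ssh_banner(banner: str) -> dict:
    """Parse one identification string and report which protocol versions it offers.

    Returns a dict with keys valid, protoversion, software, supports_v1,
    supports_v2 and a one-line verdict suitable for an audit report.
    """
    line = banner.strip("\r\n")
    m = BANNER_RE.match(line)
    if not m:
        return {"valid": False, "protoversion": None, "software": None,
                "supports_v1": False, "supports_v2": False,
                "verdict": "not an SSH identification string"}
    proto = m.group("proto")
    # "1.99" is the RFC 4253 signal for a 2.0 server that still accepts 1.x.
    supports_v2 = proto in ("2.0", "1.99")
    supports_v1 = proto.startswith("1.")
    if supports_v1 and supports_v2:
        verdict = "ssh v1 fallback enabled: disable protocol 1"
    elif supports_v1:
        verdict = "ssh v1 only: management channel uses a deprecated protocol"
    else:
        verdict = "ssh v2 only"
    return {"valid": True, "protoversion": proto, "software": m.group("software"),
            "supports_v1": supports_v1, "supports_v2": supports_v2,
            "verdict": verdict}


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0,
                 max_lines: int = 20) -> str:
    """Connect to a device you administer and return its identification line.

    Servers may send other lines before the one starting with 'SSH-'
    (RFC 4253 section 4.2), so read until that line or give up after max_lines.
    Returns an empty string if no identification line was seen.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for _ in range(max_lines):
            raw = reader.readline(255)
            if not raw:
                break
            line = raw.decode("ascii", "replace")
            if line.startswith("SSH-"):
                return line
    return ""


def audit(banners: dict) -> list:
    """Return (host, classification) pairs with version-1-capable hosts listed first."""
    rows = [(host, classify_ssh_banner(b)) for host, b in banners.items()]
    rows.sort(key=lambda row: not row[1]["supports_v1"])
    return rows


if __name__ == "__main__":
    for host, info in audit(SAMPLE_BANNERS):
        print(f"{host:6} proto={info['protoversion']!s:5} {info['verdict']}")
```

To run it against real devices, replace SAMPLE_BANNERS with `{host: fetch_banner(host) for host in hosts}` for hosts you administer; the classification logic is unchanged.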

----- Original Message -----
From: "Tim O'Brien" 
To: 
Sent: Wednesday, January 02, 2002 7:42 AM
Subject: Re: OT - Firewall performance Comparisons - is it quitting time
[7:30658]


> A couple of points, and I will then get off of my soapbox...
>
> Checkpoint NG is STILL an application running on UNIX or NT, not a self-contained appliance. Personally I love Microsoft (let the flames begin!), however, with the critical updates that I see getting installed on my 2000 and XP workstations I am POSITIVE that I would not want to trust my company security to it. Another point... Have you ever installed and configured a Checkpoint firewall? You can have the PIX up and running with failover even before you get the OS half installed on the new server that you need to buy for it, thus raising the cost for an already more expensive solution in man-hours and equipment. The PIX is also very interoperable with other devices in the network. You can create PIX to PIX or PIX to IOS or PIX to 3000 VPN site-to-site with other offices or home offices with built-in 56-bit DES or available 3DES. You can tunnel in VPN clients (free Cisco VPN client available). You can tunnel in Microsoft PPTP or L2TP sessions. And one last point, have you ever had to get support from Checkpoint??? Enough said about that one...
>
> If you would like to discuss further contact me offline...
>
> Tim
>
> ----- Original Message -----
> From: "[EMAIL PROTECTED]"
>
> To:
> Sent: Wednesday, January 02, 2002 4:05 AM
> Subject: Re: OT - Firewall performance Comparisons - is it quitting time
> [7:30652]
>
>
> > For quite a while CheckPoint has been outperforming every single Firewall in the market, especially in the CheckPoint Next Generation Firewall version and with the release of their SecureXL API.
> > It is important to remember that performance is not everything that needs to be compared while testing a Firewall.
> > I love the Cisco PIX but the CheckPoint NG is amazing.
> >
> > Gil

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30682&t=30682
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]