I have run both Checkpoint and PIX in my environment. I have seen some of the "classified" documents you are referring to - look at the source. I believe they are marketing documents from Checkpoint or Nokia.
The PIX is a true stateful inspection firewall. No "weird" ports have to be open for E-Mail or anything else for that matter. Both products have weaknesses which have to be addressed, as in any commercial offering.

The biggest problem with the PIX is its lack of a GUI. We've tried CSPM which stinks and is end-of-life, we've tried PDM which is built-in and nicer but too new to be stable, and settled on the command line. The PIX also has no built-in logging other than syslogging, requiring a third-party product for meaningful reports. On the other hand, the level of logging I do get out of the PIX far exceeds that from the Checkpoint.

Furthermore, support for Checkpoint is spotty at best, and downright dismal in many cases. It depends upon your vendor, who will likely have to do your support.

In any case, I do not recommend running ISA as a firewall - it should be used as an application proxy.

-----Original Message-----
From: David Ellis [mailto:[EMAIL PROTECTED]
Sent: Friday, March 07, 2003 9:05 PM
To: 'Thorsten Dampf -- 7stein.net'; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: RE: Firewall recommendations?

Hi, at my current job we use Checkpoint, and I personally love that firewall product. I am not a big fan of the PIX and I have never played with the ISA server because it is a Microsoft product and would not trust it. We are a very security-conscious company. I think Checkpoint has the best interface around. But hey, that's my personal opinion.

The Cisco PIX is not a true stateful packet inspection firewall. I have a classified PDF that talks about the PIX versus Checkpoint in a situation with multiple Exchange servers, and the ports you had to allow open for the PIX to work in the environment that was documented were totally unsafe.

At my next job, I would suggest going with Checkpoint. It's not that expensive when you start thinking about ISA server, because you still need the hardware, the Windows server OS license and then the ISA license.

-----Original Message-----
From: Thorsten Dampf -- 7stein.net [mailto:[EMAIL PROTECTED]
Sent: Friday, March 07, 2003 3:48 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: AW: Firewall recommendations?

Take a look at the watchguard products. www.watchguard.com

Regards,
Thorsten

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 6, 2003 21:05
> To: [EMAIL PROTECTED]
> Subject: Firewall recommendations?
>
> > I am in charge of researching a firewall to replace what we currently
> > have. At my previous job I had used Microsoft ISA in a low-security
> > environment, and was happy with its features, and its integration with
> > the Windows environment there. However, at my current job, security is a
> > much greater concern, and I have to admit, I am somewhat uneasy running a
> > Microsoft firewall product on top of a Microsoft OS. We also had
> > investigated Checkpoint as well as Cisco Pix, and found that for our
> > needs, the Pix at least seemed to need many separate components for the
> > same functionality. My question is what are your experiences with using
> > ISA from a security standpoint? Usability issues? From the Mac end? Or
> > would we be better off pursuing the Checkpoint or the Pix solution? We
> > also plan on implementing VPN over whatever we choose, so if you
> > recommend something other than these, it should support at least PPTP and
> > perhaps eventually IPSec/L2TP. We have also considered placing ISA
> > behind a Linux (or BSD) IP Chains firewall and our perimeter network to
> > block some of the traffic from getting to ISA. Any comments here? Thanks
> > to everybody in advance!