[c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)

Masood Ahmad Shah masood at nexlinx.net.pk
Fri Apr 4 08:12:15 EDT 2008


If you really need a firewall then you must go for Netscreen. Netscreen is a
true firewall with a pretty nice/stable packet inspection engine and a pretty
nice GUI/command line interface.

A single box (Netscreen 500) will work like a charm for packet inspection,
attack prevention and VPN tunnel termination.

Oh yeah, you will not face any issue like ICMP response packets or TCP
flags... mtr is working fine too :)

Regards,
Masood Ahmad Shah


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
nick.nauwelaerts at thomson.com
Sent: Friday, April 04, 2008 12:39 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of 
> Jarrod Friedland
> Sent: Friday, April 04, 2008 03:18
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)
> 
> Hi All
> 
> I wonder if anyone can offer me some sound professional opinion in terms of
> using a Check Point FW device v Cisco PIX (ASA 5500 Series) devices.
> 
> Currently we are using Check Point devices; however, I have an opportunity
> to possibly include a PIX device in our mix. However, all my reading thus
> far seems to be more based on personal opinion than operational pros and
> cons.
> 
> I'm looking for info in relation to can-dos and cannots - administration
> comparisons etc.
> 
> If you are able to offer some insight but would like to take this offline,
> please let me know and I can send you my direct contact details.

Since we're using both Check Point & ASAs, here's what I think about
them. We only use them for IPsec (end user & site to site) and packet
filtering. All kinds of protocol inspection run on separate proxies,
where they belong.

Check Point has a great log viewer, but that's just about all I can say
in their favor. They don't know how to apply rulesets to interfaces,
just globally. Setting up VPNs is a pain because they like to send out
strange subnet configs. They're horribly expensive (we ran them on
Nokias, whose network cards do not support autoneg, btw). Their support
is pretty terrible as well. They also need arcane changes to their
backend firewall database whenever something doesn't go as expected.

Cisco ASAs are pretty cheap and have reasonable performance, but have
lots of strange quirks. They don't decrement TTL by default (and I still
haven't found a way to decrement it over VPN connections), handling ICMP
errors is a black art (still haven't gotten mtr working through ASAs),
they do strange things with your TCP MSS, don't send out RSTs to denied
connections, and other such fun stuff. Most of these can be configured
to work correctly, but they're far from the default. Cisco's central
management tool (Cisco Security Manager) is pretty horrible; I guess the
lag is about 1 year between when the ASA gets a new feature and when
Security Manager learns how to use it. On the other hand, the free GUI
(ASDM) is pretty decent, and unlike Check Point it comes with a CLI.
Software updates & fixes don't get released as often as Check Point's,
which I consider a downside for the ASAs.

I still think ASAs are a step up from Check Point gear, but neither is
great. I'm seriously considering Netscreens for my next rollouts.

If I ever manage to convince the upper echelons here, I'd go with pf on
either OpenBSD or FreeBSD.

// nick
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
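
Editor's note, added to this archive page and not part of either poster's
message: the ASA behaviours Nick describes above as "far from the default"
(no TTL decrement, ICMP error handling, MSS rewriting, no RST to denied
connections) each correspond to a configuration knob. The fragment below is
an added illustration in ASA 7.2/8.x CLI syntax showing the default beside
the setting that changes it. The interface name "outside" and the use of the
stock "global_policy"/"inspection_default" names are assumptions; the
fragment does not address TTL decrement for traffic inside VPN tunnels, which
the post says remained unsolved.

```text
! --- TTL ---
! Default: the ASA forwards packets without decrementing TTL, so it does not
! appear as a hop in traceroute/mtr. Enable decrement in the global policy.
policy-map global_policy
 class class-default
  set connection decrement-ttl

! --- ICMP errors ---
! Default: ICMP is not stateful, so echo-reply / unreachable / time-exceeded
! for existing sessions are dropped unless an ACL allows them in. Inspecting
! ICMP (and ICMP error messages) lets them return through the stateful table.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! Let the ASA itself respond on its outside interface (needed for the
! ASA's own hop to show up), and allow more than one unreachable per second
! so traceroute-style probes are not starved. Defaults are "icmp deny" once
! any icmp rule exists, and rate-limit 1 burst-size 1.
icmp permit any outside
icmp unreachable rate-limit 10 burst-size 5

! --- TCP MSS ---
! Default: "sysopt connection tcpmss 1380" clamps the MSS of every TCP
! session passing through. 0 disables clamping entirely; with IPsec tunnels
! it is usually safer to keep a value sized for the tunnel overhead instead.
sysopt connection tcpmss 0

! --- RST on denied connections ---
! Default: denied inbound TCP SYNs are silently dropped (the client times
! out). These make the ASA answer with a RST instead, like a router ACL.
service resetinbound interface outside
service resetoutside
```

Each of these trades stealth for operability: a firewall that decrements TTL,
answers ICMP on its interfaces and sends RSTs is easier to troubleshoot but
also easier for an outside scanner to locate and fingerprint, so the
`icmp permit` line in particular should be narrowed to the management and
monitoring source ranges rather than left at `any` in production.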