[c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)

nick.nauwelaerts at thomson.com nick.nauwelaerts at thomson.com
Fri Apr 4 03:38:49 EDT 2008


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of 
> Jarrod Friedland
> Sent: Friday, April 04, 2008 03:18
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)
> 
> Hi All
> 
> I wonder if anyone can offer me some sound professional opinion in terms of
> using a Check Point FW device v Cisco PIX (ASA 5500 Series) Devices.
> 
> Currently we are using Checkpoint Devices; however, I have an opportunity to
> possibly include a pix device in our mix. However, all my reading thus far
> seems to be more based on personal opinion than operational pros and cons.
> 
> I'm looking for info in relation to can-dos and cannots - Administration
> comparisons etc.
> 
> If you are able to offer some insight but would like to take this offline,
> please let me know and I can send you my direct contact details.

Since we're using both checkpoint & asas, here's what I think about
them. We only use them for ipsec (enduser & site to site) and packet
filtering. All kinds of protocol inspection run on separate proxies,
where they belong.

Checkpoint has a great log viewer, but that's just about all I can say
in their favor. They don't know how to apply rulesets to interfaces,
just globally. Setting up vpns is a pain because they like to send out
strange subnet configs. They're horribly expensive (we ran them on
Nokias, whose network cards do not support autoneg btw). Their support
is pretty terrible as well. They also need arcane changes to their
backend firewall database whenever something doesn't go as expected.

Cisco ASAs are pretty cheap and have reasonable performance, but have
lots of strange quirks. They don't decrement TTL by default (and I still
haven't found a way to decrement it over vpn connections), handling icmp
errors is a black art (still haven't gotten mtr working through asa's),
they do strange things with your tcp MSS, don't send out RSTs to denied
connections, and other such fun stuff. Most of these can be configured
to work correctly, but they're far from the default. Cisco's central
management tool (Cisco Security Manager) is pretty horrible; I guess the
lag is about 1 year between when the ASA gets a new feature and when
Security Manager learns how to use it. On the other hand, the free gui
(asdm) is pretty decent, and unlike checkpoint it comes with a cli.
Software updates & fixes don't get released as often as checkpoint's,
which I consider a downside for the ASAs.

I still think ASAs are a step up from checkpoint gear, but neither is
great. I'm seriously considering netscreens for my next rollouts.

If I ever manage to convince the upper echelons here, I'd go with pf on
either openbsd or freebsd.

// nick
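The ASA quirks listed above (no TTL decrement, ICMP errors not handled, MSS clamping, no RST for denied connections) each correspond to a default that can be changed in the ASA configuration. The fragment below is an added example, not part of nick's post or of any Cisco documentation quoted here; it assumes an ASA running 8.x software with the stock `global_policy` service policy applied globally, and the MSS value shown is a placeholder to be matched to your own path MTU.

```cisco
! Added example (not from the original post). Assumes ASA 8.x with the
! default "global_policy" service policy applied globally.

! 1. TTL: by default the ASA does not decrement the IP TTL of transit
!    packets, so the firewall hop never shows up in a traceroute.
!    Enable decrementing for all connections:
policy-map global_policy
 class class-default
  set connection decrement-ttl

! 2. ICMP errors: without ICMP inspection, error messages generated for
!    a flow (TTL exceeded, unreachable) are not matched to that flow or
!    translated back through NAT, which is what breaks mtr/traceroute.
!    Enable stateful ICMP and ICMP-error inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! 3. TCP MSS: the ASA rewrites the MSS in SYN packets to 1380 bytes by
!    default. Set it explicitly to suit your MTU (placeholder value here),
!    or set it to 0 to stop the rewrite entirely.
sysopt connection tcpmss 1380

! 4. Denied connections: packets dropped by an access list get no TCP RST
!    by default, so clients sit in a timeout instead of failing fast.
!    Send resets for denied inbound sessions and for sessions that
!    terminate on the outside interface:
service resetinbound
service resetoutside

! Verify what is in effect:
show running-config sysopt
show service-policy
```

Each of these is a deliberate trade-off rather than a pure fix: decrementing TTL and sending resets both reveal the firewall's presence to the remote side, and ICMP inspection adds per-flow state, so apply them per your own policy rather than wholesale.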

