[c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)

Javier Liendo javier at liendo.net
Fri Apr 4 10:31:30 EDT 2008


>> don't send out RSTs to denied connections, and other such fun stuff.

for a firewall, not sending an RST for a denied connection, isn't it
the "Right Thing" to do?

regards

javier

On 4/4/08, nick.nauwelaerts at thomson.com <nick.nauwelaerts at thomson.com> wrote:
> > -----Original Message-----
>  > From: cisco-nsp-bounces at puck.nether.net
>  > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
>  > Jarrod Friedland
>  > Sent: Friday, April 04, 2008 03:18
>  > To: cisco-nsp at puck.nether.net
>  > Subject: [c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)
>  >
>  > Hi All
>  >
>  > I wonder if anyone can offer me some sound professional
>  > opinion in terms of
>  > using a Check Point FW device v Cisco PIX (ASA 5500 Series) Devices.
>  >
>  > Currently we are using Checkpoint devices; however, I have an
>  > opportunity to
>  > possibly include a pix device in our mix, however all my
>  > reading thus far
>  > seems to be more based on personal opinion than operational
>  > pros and cons.
>  >
>  > I'm looking for info in relation to can do's and cannots -
>  > Administration
>  > comparisons etc.
>  >
>  > If you are able to offer some insight but would like to take
>  > this offline,
>  > please let me know and I can send you my direct contact details.
>
>
> Since we're using both checkpoint & asas, here's what I think about
>  them. We only use them for ipsec (enduser & site to site) and packet
>  filtering. All kinds of protocol inspection run on separate proxies,
>  where they belong.
>
>  Checkpoint has a great log viewer, but that's just about all I can say
>  in their favor. They don't know how to apply rulesets to interfaces,
>  just globally. Setting up vpns is a pain because they like to send out
>  strange subnet configs. They're horribly expensive (we ran them on
>  Nokia's, whose network cards do not support autoneg btw). Their support
>  is pretty terrible as well. They also need arcane changes to their
>  backend firewall database whenever something doesn't go as expected.
>
>  Cisco ASAs are pretty cheap and have reasonable performance, but have
>  lots of strange quirks. They don't decrement TTL by default (and I still
>  haven't found a way to decrement it over vpn connections), handling icmp
>  errors is a black art (still haven't gotten mtr working through asa's),
>  do strange things with your tcp MSS, don't send out RSTs to denied
>  connections, and other such fun stuff. Most of these can be configured
>  to work correctly, but they're far from the default. Cisco's central
>  management tool (Cisco Security Manager) is pretty horrible, I guess the
>  lag is about 1 year between when the ASA gets a new feature and when
>  Security Manager learns how to use it. On the other hand, the free gui
>  (asdm) is pretty decent, and unlike checkpoint it comes with a cli.
>  Software updates & fixes don't get released as often as checkpoint,
>  which I consider a downside for the ASAs.
>
>  I still think ASAs are a step up from checkpoint gear, but neither are
>  great. I'm seriously considering netscreens for my next rollouts.
>
>  If I ever manage to convince the upper echelons here, I'd go with pf on
>  either openbsd or freebsd.
>
>  // nick
>
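The four ASA quirks Nick lists (no TTL decrement, ICMP error handling, TCP MSS rewriting, silent drops instead of RSTs) each correspond to a default that can be changed in the ASA configuration. The fragment below is an added illustration for readers of the thread; it is not from either poster and not vendor documentation. It assumes an ASA running 7.2/8.x-era code with the stock `global_policy` policy map, and the MSS value is a placeholder to be matched to your own path MTU. The RST section is included only to show where the behaviour Javier asks about is controlled: the silent drop is the default and is what most firewall deployments keep.

```cisco
! Added example (not from the thread): the ASA settings behind the quirks
! discussed above. Policy-map/class names are the ASA defaults; the MSS
! value is an assumption.

! 1. TTL decrement. By default the ASA forwards packets without lowering
!    the IP TTL, so it never appears as a traceroute hop. Enabling it in
!    the default class of the global policy changes that for transit traffic.
policy-map global_policy
 class class-default
  set connection decrement-ttl

! 2. ICMP error handling. "inspect icmp" lets echo replies back through
!    statefully; "inspect icmp error" additionally rewrites the IP header
!    quoted inside ICMP errors (TTL-exceeded, unreachable) so that NATed
!    addresses match what the inside client originally sent. Both are
!    needed for mtr/traceroute to work through the box.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! 3. TCP MSS clamping. The ASA rewrites the MSS option in SYN segments
!    down to 1380 bytes by default. Raise the clamp to suit the path MTU
!    (value below is an assumption), or set it to 0 to disable rewriting.
sysopt connection tcpmss 1460

! 4. RST on denied connections. The default is to drop silently. These
!    commands make the ASA answer denied TCP connections with a RST on the
!    inside, outbound, and outside paths respectively; omit them to keep
!    the silent drop.
service resetinbound
service resetoutbound
service resetoutside
```

After applying the policy-map changes, `show service-policy` confirms that the new inspections and the `decrement-ttl` setting are active on the global policy; a traceroute from an inside host should then show the ASA as a hop and receive the intermediate TTL-exceeded replies.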

