[c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)

Tony Varriale tvarriale at comcast.net
Sun Apr 6 12:58:30 EDT 2008


I believe all of those items can be configured.

CSM is sucky.  ASDM is a lot better especially in 6.  Compared to CP (I hate 
to say this) I like the GUI better.  Also, you can send raw commands to the 
ASDM.  Is it a CLI?  No.  That's what SSH is for. :)

tv
----- Original Message ----- 
From: <nick.nauwelaerts at thomson.com>
To: <cisco-nsp at puck.nether.net>
Sent: Friday, April 04, 2008 2:38 AM
Subject: Re: [c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)


>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
>> Jarrod Friedland
>> Sent: Friday, April 04, 2008 03:18
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)
>>
>> Hi All
>>
>> I wonder if anyone can offer me some sound professional opinion in
>> terms of using a Check Point FW device v Cisco PIX (ASA 5500 Series)
>> devices.
>>
>> Currently we are using Checkpoint devices; however, I have an
>> opportunity to possibly include a PIX device in our mix. However, all
>> my reading thus far seems to be more based on personal opinion than
>> operational pros and cons.
>>
>> I'm looking for info in relation to can-dos and cannots -
>> administration comparisons etc.
>>
>> If you are able to offer some insight but would like to take this
>> offline, please let me know and I can send you my direct contact
>> details.
>
> Since we're using both checkpoint & asas, here's what I think about
> them. We only use them for ipsec (enduser & site to site) and packet
> filtering. All kinds of protocol inspection run on separate proxies,
> where they belong.
>
> Checkpoint has a great log viewer, but that's just about all I can say
> in their favor. They don't know how to apply rulesets to interfaces,
> just globally. Setting up vpns is a pain because they like to send out
> strange subnet configs. They're horribly expensive (we ran them on
> Nokias, whose network cards do not support autoneg btw). Their support
> is pretty terrible as well. They also need arcane changes to their
> backend firewall database whenever something doesn't go as expected.
>
> Cisco ASAs are pretty cheap and have reasonable performance, but have
> lots of strange quirks. They don't decrement TTL by default (and I still
> haven't found a way to decrement it over vpn connections), handling icmp
> errors is a black art (still haven't gotten mtr working through asa's),
> do strange things with your tcp MSS, don't send out RSTs to denied
> connections, and other such fun stuff. Most of these can be configured
> to work correctly, but they're far from the default. Cisco's central
> management tool (Cisco Security Manager) is pretty horrible, I guess the
> lag is about 1 year between when the ASA gets a new feature and when
> Security Manager learns how to use it. On the other hand, the free gui
> (asdm) is pretty decent, and unlike checkpoint it comes with a cli.
> Software updates & fixes don't get released as often as checkpoint,
> which I consider a downside for the ASAs.
>
> I still think ASAs are a step up from checkpoint gear, but neither is
> great. I'm seriously considering netscreens for my next rollouts.
>
> If I ever manage to convince the upper echelons here, I'd go with pf on
> either openbsd or freebsd.
>
> // nick
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/ 