
Re: [FW-1] comparison between Pix and FW-1



I recently did the same analysis and came to the conclusion to use Checkpoint. Pix is cheaper, but is much less full featured. The best is two expensive Nokias with failover. Second is two Solaris's with NG and Checkpoint HA. I am using the Checkpoint HA on NG and it has been excellent. The place where Checkpoint has fallen short for me has been Licensing, and Support.

Usually the WAN team all wants to use Pixes. Remember most WAN guys are studying for Cisco certifications, and the last thing they need is something else to study, that does not count toward their CCIEs. Plus Cisco now has a CCIE in security, another reason for the WAN team to push for Pixes. Also, a pix is a Cisco box, therefore it will always be managed by the WAN team. A Checkpoint firewall is up for grabs. Since it seems to be everyone's dream to manage a firewall, everyone will argue about who will take care of it. If you use Unix, the Unix guys want it. If you use NT, the NT guys want to manage it. I feel the WAN team should manage it, because that area of networking study has the best chance of actually understanding it.

One of the best reasons to use Checkpoint is the user interface. I can take a printout of the Checkpoint rulebase to the people in my management, and have a chance of explaining the security configuration to them. That is important because I feel that the management should have this explained to them, so that you as the firewall administrator can later disclaim total liability for any breaches that occur. This is difficult to do with a pix config. Cisco has a policy manager with a GUI, but I have not yet seen it. Even when I do see it, I doubt that it will be as good as the Checkpoint product.

If anything should happen at your installation, you want to be sure to be able to say that you did not personally make all the decisions regarding your security in a vacuum, but rather had management's buy-in when you opened ports. This also is good for the management, because it makes them feel more secure, because they have some understanding of what is going on. The last thing you need is your management telling the FBI, "Well he never told us that port was open". This can happen very easily, because people in most organizations have no idea what the hell is going on with their internet security. All they know is, "I bought a very expensive firewall, and my guys know what they are doing. Therefore, I am safe". This is a really stupid way to think because it is very easy to misconfigure a firewall, but management usually doesn't know this. Usually the pressure is on the firewall guy to open ports, not close them. I have never had anyone come up to me and question why a particular port is open. But if a port is not open, it's like, a major problem.

I probably could write an entire Doctoral Dissertation on this stuff, so I am stopping now.

Good luck,

Dave in Cleveland.



-----Original Message-----
From: Nick Ellenden [mailto:[email protected]]
Sent: Thursday, November 01, 2001 4:53 AM
To: [email protected]
Subject: Re: [FW-1] comparison between Pix and FW-1


Hi,

I would ask your FW1 reseller to send you an abridged copy of the Checkpoint
review of PIX, it's rather good. If speed is what you want, check out the
Checkpoint performance numbers on their web site, it shows the platform with
the mostest is the Nokia 740, it will now pip 2 Gbps. The 530 will do approx
520 mbps. The Nortel stuff certainly looks and reads good too, but it sounds
like you have a Cisco infrastructure, lots of Nokias in that environment.

Bestest,

nick

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Tom
Sevy
Sent: 31 October 2001 22:22
To: [email protected]
Subject: Re: [FW-1] comparison between Pix and FW-1


You [your boss] should look into the FW-1 that is going to be running on
Alteon [Nortel now] hardware....

http://www.checkpoint.com/opsec/platforms/nortel.html


-----Original Message-----
From: Hal Dorsman [mailto:[email protected]]
Sent: Wednesday, October 31, 2001 3:51 PM
To: [email protected]
Subject: Re: [FW-1] comparison between Pix and FW-1


PIX is the fastest, yes, but how fast is fast enough?
Do you need a car that will do 120 when the speed limit
is 75?  Do you need a firewall that can keep up with a
saturated 100mb interface when all you have is a T-1 to
the Internet?  Better, no.  Checkpoint is the industry
leader because of their well designed intuitive management
interface.  Manageability is everything.

Hal

> -----Original Message-----
> From: John Castillo [mailto:[email protected]]
> Sent: Wednesday, October 31, 2001 1:05 PM
> To: [email protected]
> Subject: [FW-1] comparison between Pix and FW-1
>
>
> can anyone highlight the differences, advantage/disadvantage
> of each FW
> solution?
>
> my boss is looking into replacing FW-1 with a Pix in a datacenter
> environment.  no one has done much research except for the common
> argument that "the pix is a hardware accelerated firewall,
> therefore it's
> better and faster".
>
> opinions?
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
>

   All contents © 2004 Network Presence, LLC. All rights reserved.