Dan Simoes <[EMAIL PROTECTED]> wrote:
> - - Can you open ipsec tunnels to Checkpoint boxes? Many of our clients
> use Checkpoint and management is worried about being incompatible for
> extranet purposes (hence they want me to buy Checkpoint)
This is one drawback to the PIX. You'll need to telnet or use a modem
attached to the console port for access. There is no encryption
option, though IPsec is promised in the next release.
You can always install the PIX VPN option, which requires a hardware
card on both sides of the link.
> - - Why did you personally choose Pix over Checkpoint if you looked at
> both?
I have recommended FW-1 many times since '95; however, PIX has recently
become the better choice (IMHO) for a number of reasons:
* logging
Checkpoint has been promising syslog support and plaintext logging
for 3 versions now but has not delivered. The Checkpoint log GUI is
cumbersome at best. Shops that read their syslogs will get a lot more
information from a PIX.
* licensing
This has always been a problem but seems to have become worse in the
last few years. Checkpoint keeps their license database on a
computer in Israel. When you buy the product your vendor needs to
notify their supplier regarding the purchase. The supplier then
notifies Checkpoint who then updates their database and website.
Only then can you go to Checkpoint's web page and get the perm
license keys. This process can take several weeks. I've seen it
take 2 months. The Checkpoint license computer is often down or your
vendor or VAR may lose your paperwork. If you change external IP
addresses or hostids you'll need to go through this process all over.
It can be a _big_ headache.
Figuring out which FW-1 license options you need can be another
exercise in frustration. Even pre-sales tech support often gets it
wrong. There are something like 2 dozen license options, none of
which are well defined. One example is the motif option. It's
supposed to be free, and it's supposedly required to run under X11,
but it's often not included in the base license keys. There's an
(unlinked/undocumented) web page, separate from the regular license
page to get the motif license key.
The PIX comes licensed out of the box for any IP addresses. You
need telnet to configure it.
* tech support
Cisco tech support is free for 90 days and relatively cheap
thereafter. Their support desk is staffed with excellent engineers.
I rarely need to escalate questions to 2nd line (senior) engineers.
FW-1 has no free tech support. You're supposed to rely on your
vendor for front-line tech support. Checkpoint's own front-line
support is not as well trained as they should be. You'll often need
to escalate. What tech support Checkpoint does offer is expensive.
* documentation
PIX ships with excellent documentation. Cisco's website also has
great documentation.
FW-1 has never been well documented and no longer ships with any
documentation whatsoever. Checkpoint's website is rarely useful.
One example: If you assign a FW-1 password with more than 8
characters it will fail every time. This is not documented and
front-line tech support won't know why it fails either. 2nd line
tech support may or may not recognize this bug. You can imagine
the headaches these sorts of bugs can create.
* pricing
FW-1 would appear to cost less up front, but once you add the cost
of support, a remote GUI client, and annual updates it's actually
considerably more expensive than a PIX over time.
* setup
If your admins aren't IOS literate they may be uncomfortable with the
PIX command line interface. The FW-1 GUI is far and away superior to
anything else on the market. Why other firewall vendors haven't
cloned the FW-1 interface I don't know.
That said, the problem with FW-1 is that you have to use the GUI to do
anything.
The FW-1 initial configuration is often problematic if you're not
using a (pre-installed but not pre-licensed) Nokia and not possible
from behind a remote NAT gateway.
If you use ssh to a remote FW-1 unix host it will be denied by
default even if you select "allow all" as the initial rule. This is
because ssh is not defined as a protocol. You have to first add ssh
to the list of protocols before it can be allowed.
Under NT FW-1 (V3 at least) NAT doesn't arp correctly. It fails to
read the $WINNTDIR\FW\STATE and you have to write a (startup) batch
file to load the arp table manually.
FW-1 fwui may not work under Solaris. You may need to use fwpolicy,
which is a separate package. The remote GUI client works fine under
Unix or NT once the initial setup is complete.
The PIX has an advantage in that rip and snmp are not allowed in
"pre-applied" rules.
For these reasons I've become a PIX fan and usually recommend it over FW-1.
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
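The "logging" point above is easier to appreciate with a concrete look at what a PIX syslog line carries. The following is an added example, not code from the original post or from Cisco: a small parser for lines in the `%PIX-<severity>-<message id>: <text>` convention, run over constructed sample lines. The exact message texts (302001 connection built, 106001 inbound connection denied, 111005 configuration end) are assumed from memory of PIX 4.x/5.x output and are illustrative only; the sample lines were written for this example, not captured from a device.

```python
"""Added example: parse PIX-style syslog lines and pull out what a shop
that reads its syslogs would want (severity mix, denied sources).

Message formats are assumed from memory of PIX 4.x/5.x and are
illustrative; the sample lines below are constructed, not captured.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample log (not from a real device). Mixes a built
# connection, three denied inbound connections from one source, a
# configuration event, and one non-PIX line to show it is skipped.
SAMPLE_LOG = """\
Jun 12 10:01:02 fw1 %PIX-6-302001: Built inbound TCP connection 42 for faddr 192.0.2.10/40213 gaddr 198.51.100.5/25 laddr 10.0.0.5/25
Jun 12 10:01:03 fw1 %PIX-2-106001: Inbound TCP connection denied from 192.0.2.77/5555 to 198.51.100.5/23 flags SYN
Jun 12 10:01:03 fw1 %PIX-2-106001: Inbound TCP connection denied from 192.0.2.77/5556 to 198.51.100.5/139 flags SYN
Jun 12 10:01:04 fw1 %PIX-5-111005: 10.0.0.9 end configuration: OK
Jun 12 10:01:05 fw1 %PIX-2-106001: Inbound TCP connection denied from 192.0.2.77/5557 to 198.51.100.6/23 flags SYN
this line is not a PIX message
"""

# Every PIX message starts with %PIX-<severity 0-7>-<six digit id>:
HEADER_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<body>.*)$")

# Assumed body format of message 106001 (inbound connection denied).
DENY_RE = re.compile(
    r"Inbound (?P<proto>TCP|UDP) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)


@dataclass
class PixEvent:
    severity: int
    msgid: str
    body: str
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None


def parse_line(line: str) -> Optional[PixEvent]:
    """Return a PixEvent for a PIX syslog line, or None for anything else."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    ev = PixEvent(int(m.group("sev")), m.group("msgid"), m.group("body"))
    d = DENY_RE.match(ev.body)
    if d:  # enrich denies with the address tuple
        ev.src = d.group("src")
        ev.dst = d.group("dst")
        ev.dport = int(d.group("dport"))
    return ev


def parse_log(text: str) -> list:
    """Parse a whole syslog excerpt, silently skipping non-PIX lines."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def severity_counts(events) -> Counter:
    """How many messages at each syslog severity (0 = emergency, 7 = debug)."""
    return Counter(ev.severity for ev in events)


def denied_sources(events, min_ports: int = 2) -> dict:
    """Sources denied on at least min_ports distinct destination ports.

    Returns {source_ip: set(dest_ports)}; a source hitting several ports
    in a short window is the classic port-scan signature in PIX logs.
    """
    ports = {}
    for ev in events:
        if ev.msgid == "106001" and ev.src is not None:
            ports.setdefault(ev.src, set()).add(ev.dport)
    return {src: p for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("parsed", len(evs), "PIX messages")
    print("severity mix:", dict(severity_counts(evs)))
    print("multi-port denies:", denied_sources(evs))
```

Feeding real `logging trap` output into something like this is the whole argument of the "logging" bullet: the PIX line already contains the severity, the message id and the full address tuple in plain text, so a few regexes get you a scan report without a vendor log GUI.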
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]