Pardon me
In release 5 of the PIX software, you got IPSec VPN compatibility and don't
need any hardware card at any end. Version 5 was released like a week ago
or something.

The IPSec compatibility is very good. PIX works as a branch office
connection to a lot of other (IPSec) VPN boxes. And the client can be used
to connect to other IPSec VPN boxes.

IMHO the PIX beats FW-1 in remote admin too. You can use the VPN client,
tunnel in to the box, telnet to the box and start doing your stuff. FW-1
needs a third party program like PCAnywhere (or something similar) to get
tunneled, encrypted communication.

BUT, if you are interested in high end solutions, take a look at RADGuard
( for VPN ) and Gauntlet ( for FW ).

Lars Kronf�lt

( remember, it's my opinion, not to be confused with that of my company )

On Tue, 12 Oct 1999, Roger Marquis wrote:

> Dan Simoes <[EMAIL PROTECTED]> wrote:
> > - - Can you open ipsec tunnels to Checkpoint boxes?  Many of our clients
> > use Checkpoint and management is worried about being incompatible for
> > extranet purposes (hence they want me to buy Checkpoint)
> 
> This is one drawback to the PIX: you'll need to telnet or use a modem
> attached to the console port for access.  There is no encryption
> option, though IPsec is promised in the next release.
> 
> You can always install the PIX VPN option, which requires a hardware
> card on both sides of the link.
> 
> > - - Why did you personally choose Pix over Checkpoint if you looked at
> > both?
> 
> I have recommended FW-1 many times since '95 however PIX has recently
> become the better choice (IMHO) for a number of reasons:
> 
> * logging
> 
>   Checkpoint has been promising syslog support and plaintext logging
>   for 3 versions now but has not delivered.  The Checkpoint log GUI is
>   cumbersome at best.  Shops that read their syslogs will get a lot more
>   information from a PIX.
> 
> * licensing
> 
>   This has always been a problem but seems to have become worse in the
>   last few years.  Checkpoint keeps their license database on a
>   computer in Israel.  When you buy the product your vendor needs to
>   notify their supplier regarding the purchase.  The supplier then
>   notifies Checkpoint who then updates their database and website.
>   Only then can you go to Checkpoint's web page and get the perm
>   license keys.  This process can take several weeks.  I've seen it
>   take 2 months.  The Checkpoint license computer is often down or your
>   vendor or VAR may lose your paperwork.  If you change external IP
>   addresses or hostids you'll need to go through this process all over.
>   It can be a _big_ headache.
> 
>   Figuring out which FW-1 license options you need can be another
>   exercise in frustration.  Even pre-sales tech support often gets it
>   wrong.  There are something like 2 dozen license options none of
>   which are well defined.  One example is the motif option.  It's
>   supposed to be free, and it's supposedly required to run under X11,
>   but it's often not included in the base license keys.  There's an
>   (unlinked/undocumented) web page, separate from the regular license
>   page to get the motif license key.
> 
>   The PIX comes licensed out of the box for any IP addresses.  You
>   need telnet to configure it.
> 
> * tech support
> 
>   Cisco tech support is free for 90 days and relatively cheap
>   thereafter.  Their support desk is staffed with excellent engineers.
>   I rarely need to escalate questions to 2nd line (senior) engineers.
> 
>   FW-1 has no free tech support.  You're supposed to rely on your
>   vendor for front-line tech support.  Checkpoint's own front-line
>   support is not as well trained as they should be.  You'll often need
>   to escalate.  What tech support Checkpoint does offer is expensive.
> 
> * documentation
> 
>   PIX ships with excellent documentation.  Cisco's website also has
>   great documentation.
> 
>   FW-1 has never been well documented and no longer ships with any
>   documentation whatsoever.  Checkpoint's website is rarely useful.
> 
>   One example:  If you assign a FW-1 password with more than 8
>   characters it will fail every time.  This is not documented and
>   front-line tech support won't know why it fails either.  2nd line
>   tech support may or may not recognize this bug.  You can imagine
>   the headaches these sorts of bugs can create.
> 
> * pricing
> 
>   FW-1 would appear to cost less up front, but once you add the cost
>   of support, a remote GUI client, and annual updates it's actually
>   considerably more expensive than a PIX over time.
> 
> * setup
> 
>   If your admins aren't IOS literate they may be uncomfortable with the
>   PIX command line interface.  The FW-1 GUI is far and away superior to
>   anything else on the market.  Why other firewall vendors haven't
>   cloned the FW-1 interface I don't know.
> 
>   That said the problem with FW-1 is that you have to use the GUI to do
>   anything.
> 
>   The FW-1 initial configuration is often problematic if you're not
>   using a (pre-installed but not pre-licensed) Nokia and not possible
>   from behind a remote NAT gateway.
> 
>   If you use ssh to a remote FW-1 unix host it will be denied by
>   default even if you select "allow all" as the initial rule.  This is
>   because ssh is not defined as a protocol.  You have to first add ssh
>   to the list of protocols before it can be allowed.
> 
>   Under NT FW-1 (V3 at least) NAT doesn't arp correctly.  It fails to
>   read the $WINNTDIR\FW\STATE and you have to write a (startup) batch
>   file to load the arp table manually.
> 
>   FW-1 fwui may not work under Solaris.  You may need to use fwpolicy,
>   which is a separate package.  The remote GUI client works fine under
>   Unix or NT once the initial setup is complete.
> 
>   The PIX has an advantage in that rip and snmp are not allowed in
>   "pre-applied" rules. 
> 
> For these reasons I've become a PIX fan and usually recommend it over FW-1.
> 
> --
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
