Hey,

PIX does have a "visual security policy editor", called CSPM (Cisco Secure
Policy Manager). Check
http://www.cisco.com/warp/public/cc/pd/sqsw/sqppmn/

I think it's actually better than Visual Policy Editor (VPE) in Checkpoint
FW-1 because you really define your objects (networks, hosts, interfaces,
...) with some kind of graphical language. Though some admins will apply NAT
rules faster in the PIX command line, CSPM is a must for networks with several
interfaces in DMZ, many subnets etc. From more than one year of using CSPM I
can say it saves a lot of time (e.g. you change one IP for a host which has
many rules attached. In CSPM you just have to change its IP, then save and
update plus deploy a config to a PIX. Manually this would require more work
and could lead to errors or misconfiguration).

As I understand it, FW-1's VPE is only a representation, not a tool to define a
policy (that has to be done in the usual policy editor). CSPM also allows you
"to make very granular changes", but the hardest part is defining your
network topology first - if you don't know how to do that, hire a Cisco
certified specialist - while administration later is a piece of cake.

Sergej Rinc
system engineer IT, SKB Banka d.d.
mailto:[EMAIL PROTECTED]
http://www.skb.si
> -----Original Message-----
> Date: Mon, 14 May 2001 12:34:05 -0500
> From: Martin Hoz <[EMAIL PROTECTED]>
> Subject: Re: Checkpoint to PIX conversion
>
> > why would you think the pix isn't powerful-to-deploy?
>
> I never said that.
>
> I mean the GUI, not the firewall. FW-1's GUI is the
> best one I've seen, easy-to-use (a few clicks and it's
> done), and powerful-to-deploy (allows me to make very
> granular changes in my security policy).