James Drake wrote:
> I'm curious to know if anyone can give me a good analysis/opinion on
> whether or not a migration from a PIX 515 firewall to Checkpoint
<snip>
We've been doing an extensive comparison of PIX and Checkpoint for a
large internal project. I'll open up our thought process to the list.
Critical comments from the list are welcome, as they may help us wisely
spend a million or so taxpayer dollars and may help J.D. also.
Here's what we figure:
Every company has different parameters guiding their decision, so they
may end up with different products.
We want simplicity. We have 70 sites to firewall and we're not getting any
extra staff to maintain these devices. That part of the budget got axed,
and headcounts are frozen. A large number of the devices will be
deployed at sites that are 4-6 hours from 'home'. Travel in winter is
sometimes a problem, with temps to -50F and snow measured in feet, not
inches.
We want 'stateful inspection' not 'proxy' type firewalls. Although the
proxy type may have some security advantages, we have a very open
environment with lots of unique apps, and are likely to have problems
proxying them all. Professors routinely invent new stuff & expect it to
work on our WAN. Proxies sound like a headache.
We have 70 sites. Most sites have 255-1400 computers with 1-3 T1s to
the Internet. Checkpoint requires an 'Enterprise' or 'Unlimited' license
for more than 255 IPs. That license will cost us $10KUS or so without
hardware. Nokia hardware adds $4K-$14K depending on the site. Most sites
could be adequately served by a 515R or 515UR that costs $5K-$12K list,
but we are on an extremely aggressive Cisco discount schedule, so our
actual costs will be much less. So at most of our sites PIX is about 1/2
the price of Checkpoint. At some sites PIX will be 1/3 of Checkpoint
cost. At our larger sites Checkpoint comes closer to PIX in price, as we
are looking at 525's instead of 515's.
We can't see where the nicer Checkpoint GUI adds enough value to the
firewall to make it worth 2x-3x the price of a PIX. The only pure
technical feature that Checkpoint has over PIX is the ability to write
your own rules based on bits & bytes within the packets. That feature
would be slick, as we could stop Code Red and a few other hacks in their
tracks, even if our campuses did not patch their servers. That problem
could also be solved by other methods, such as the 'NBAR' discussed
earlier on this list. Checkpoint also allows bandwidth management on the
same hardware. We need bandwidth management, but I'm not sure that I
want it on the same hardware as my firewall. Then we get into the
discussion of 'put everything in one box because it is simpler to
maintain' vs. 'put everything in separate, dedicated appliances because
they are simpler to maintain'.
The PIX has much cheaper maintenance contract costs. With PIX we only
have to purchase annual Smartnet that include hardware, software &
software upgrades. With a Nokia/Checkpoint combination we would have to
purchase annual Nokia maint., annual Checkpoint maint. and annual
Checkpoint software upgrade. For certain sized sites the combination of
the three annual fees is more than the cost of a new PIX. We could use
Compaq's new Linux/Checkpoint setup for less money than Nokia, but I'm
not sure that it is as well developed as the Nokia platform.
A PIX + failover bundle is about 125% the cost of a stand-alone
unrestricted PIX. Checkpoint failover is 200% of the cost of Checkpoint
w/o failover. We could deploy failover at many of our sites with PIX and
still be within budget.
With Checkpoint we have a firewall that depends on an ordinary operating
system and hard drive to boot and run. A PIX boots from flash. We are
not staffed to support remote computers 6 hours from home in -50deg
Minnesota weather. I'd rather have my critical devices boot from flash,
as I know that they will boot, and I know that I can modem into them &
get them fixed remotely most of the time. With PIX an upgrade is an
upgrade, with Checkpoint an upgrade is two upgrades (OS + Firewall
software).
We already support a few PIX's. They are simple, non-intimidating
devices. We've had four PIX's for more than two years, with absolutely
no problems. We have not even had to call Cisco one time.
We usually are more efficient with CLIs than GUIs.
I could take the money that I save by buying PIX's and spend it on other
tools that could help out our overall security situation quite a bit.
Obviously we are leaning toward PIX.
Critical comments appreciated.
--
-----------------------------------------
Michael Janke
Director, Network Services
Minnesota State Colleges and Universities
-----------------------------------------
_______________________________________________
Firewalls mailing list
http://lists.gnac.net/mailman/listinfo/firewalls