Thanks for this, Michael. One of my pet peeves is posts that present
opinions without enough thought-process.
> -----Original Message-----
> From: Michael Janke [mailto:[EMAIL PROTECTED]]
[...]
> We've been doing an extensive comparison of PIX and Checkpoint for a
> large internal project. [...]
> Here's what we figure:
>
[...]
>
> We want 'stateful inspection' not 'proxy' type firewalls. Although the
> proxy type may have some security advantages, we have a very open
> environment with lots of unique apps, and are likely to have problems
> proxying them all. Professors routinely invent new stuff & expect it to
> work on our WAN. Proxies sound like a headache.
You'd be right. Mind you, NAT may also be a headache, depending on how zany
your inventors are.
> We have 70 sites. Most sites have 255<>1400 computers with 1-3 T1's to
> the Internet. [FW-1 would cost much more money]
>
> We can't see where the nicer Checkpoint GUI adds enough value to the
> firewall to make it worth 2x-3x the price of a PIX. The only pure
> technical feature that Checkpoint has over PIX is the ability to write
> your own rules based on bits & bytes within the packets.
What about policy management for all 70 sites from a single console? Can the
PIX do that effectively yet? I've heard mumble about an Enterprise Manager
of some description for PIX / Router ACLs, but I honestly have no idea
whether or not it's vapour.
It would seem to me that the ability to make policy changes without manually
configuring 70 firewalls would be valuable - it's quicker and much more
accurate.
> [...]
> Checkpoint also allows bandwidth management on the same hardware. We
> need bandwidth management, but I'm not sure that I want it on the same
> hardware as my firewall. Then we get in to the discussion of 'put
> everything in one box because it is simpler to maintain' vs. 'put
> everything in separate, dedicated appliances because they are simpler
> to maintain'.
I would also be asking myself how _good_ the Checkpoint bandwidth management
is. Given a choice, I think I'd prefer to buy bandwidth management from
someone who lives or dies by the quality of their offering - and Checkpoint
ain't one of them.
> The PIX has much cheaper maintenance contract costs.[...]
> Compaq's new Linux/Checkpoint setup for less money than Nokia, but I'm
> not sure that it is as well developed as the Nokia platform.
I've heard Good Things about Nokia, and I'm concerned (although with no
evidence) about a) Linux for a firewall solution and b) Compaq / HP.
> A PIX + failover bundle is about 125% the cost of a stand-alone
> unrestricted PIX. Checkpoint failover is 200% of the cost of Checkpoint
> w/o failover. We could deploy failover at many of our sites with PIX and
> still be within budget.
>
> With Checkpoint we have a firewall that depends on an ordinary operating
> system and hard drive to boot and run. A PIX boots from flash. We are
> not staffed to support remote computers 6 hours from home in -50deg
> Minnesota weather. I'd rather have my critical devices boot from flash,
> as I know that they will boot, and I know that I can modem into them &
> get them fixed remotely most of the time. With PIX an upgrade is an
> upgrade, with Checkpoint an upgrade is two upgrades (OS + Firewall
> software).
All good points. Modems permanently attached to firewalls are Very Wrong, but
I know that you're talking about modem access via manual intervention from a
human.
> We already support a few PIX's. They are simple, non-intimidating
> devices. We've had four PIX's for more than two years, with absolutely
> no problems. Have not even had to call Cisco one time.
>
> We usually are more efficient with CLI's than GUI's.
>
> I could take the money that I save by buying PIX's and spend it on other
> tools that could help out our overall security situation quite a bit.
NIDS systems, monitored by human beings. About a million times more valuable
than firewalls, IMO.
> Obviously we are leaning toward PIX.
>
> Critical comments appreciated.
I just wonder about the cost of managing that many PIXen. Does anyone use
Enterprise Management software that can make changes to many PIXen at once,
based on central policy decisions? I see that as fairly important for a
network of that size.
I'd also note that having seventy points of entry from the 'net is a
dangerous architecture. I'm sure that it has been done for good reasons, but
I'd be more comfortable with a network that had fewer entry points.
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls