Ben makes good points about centralized management.

At some point you don't want to be uploading ACLs to 70+ boxes one at a
time. A script might do it but that brings up the issue of passwords.  Are
you managing in the clear or turning on and supporting SSH?  The CP
management station creates a semi-secure link to the remote boxes for you.
There is also a way to run the GUI over their VPN links but you have to dig
up the config. They also have something called Provider 1 targeted at really
large deployments with very different policies on different segments but you
probably don't need to spend the money on that.

I think that Check Point's relationship with Nokia is headed south since
Nokia came out with their own VPN product.  However, CP is jumping on the
partnership wagon with other vendors. http://www.intrusion.com makes less
expensive hardware for CP - $2-$3K per box if you don't need lots of
interfaces and under $1K for smaller sites. Just make sure you are not
looking at the SOHO versions.  Last time I checked they were still working
on HA for their larger boxes but I would look at CP's own HA solution and/or
multi-entry point features instead. Just try to use a dedicated or at least
a high speed internal interface for the update packet path.

You should not be spending $10K per license unless you are including VPN in
the cost and paying list. Make sure you are buying a central management
station and only the gateway licenses for the remote sites. If you can go
with cold spares they should discount the cold spare license or simply
configure the cold spare with the same IP address and license - Errr.....
that may NOT be OK - check the license agreement carefully. I've been
spoiled with hot spares or survived with none. Definitely do some price
negotiating - Pull out your PIX discount book, hit the CP rep with it and
get the same or better rate.  With a possible 140 licenses CP corporate may
help you beat up a distributor that won't negotiate.  True, CP has never
been cheap but there is some room for arm twisting.

Do a quick survey of postings asking for help on PIX vs. Check Point.  A few
years ago PIX seemed to have more problems needing patches and more people
having problems. On the other hand CP users had so many "how do I..."
problems early on that D. Welch created http://www.phoneboy.com, now THE
site to check for CP issues.  He even wrote a book about it.

Finally, get your support from CP directly rather than a reseller (unless it's
Mr. Welch!).  Their 1st level support is OK for simple stuff only but then,
I've rarely seen great support from anyone unless you have your own SE. Once
you escalate you can get decent support but having your own SE is best.

Anyway, I'm still a CP fan though I have to admit there are an awful lot of
good products out there, especially if you are only doing a few sites.  For
medium or large scale I have yet to see a really usable, simple and quick to
deploy management system other than CP's.  (I admit I still have lots of
management products to check out - Nortel's Shasta sounds comprehensive from
the literature.  And I reserve the right to change my mind tomorrow.)

Adam
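To make Adam's central-management point concrete: the following is an added example, not code from Adam, Ben or Michael and not a Check Point or Cisco tool. It renders PIX-style access-list lines for each site from one central rule list (the `$MAIL`/`$WEB` placeholders, site names and 192.0.2.x/198.51.100.x addresses are constructed for illustration) and compares the intended ACL against what a box reports, so a hand-edited or missing rule at one of 70 sites shows up as drift instead of going unnoticed. The transport is deliberately left out; the script assumes the rendered lines are pushed over SSH with key-based authentication rather than a clear-text session, which is exactly the password issue Adam raises.

```python
"""Central policy -> per-site PIX-style access lists, plus a drift check.

Added example for the discussion above; not code from the thread's
authors. Sites, addresses and rules below are constructed samples.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Site:
    name: str
    outside_if: str   # interface the ACL is bound to
    mail_host: str    # per-site SMTP relay (constructed address)
    web_host: str     # per-site web server (constructed address)


# One central policy for every site. $MAIL and $WEB are substituted per
# site; everything else is literal PIX access-list syntax.
CENTRAL_POLICY = [
    ("permit", "tcp", "any", "host $MAIL", "eq 25"),
    ("permit", "tcp", "any", "host $WEB", "eq 80"),
    ("permit", "tcp", "any", "host $WEB", "eq 443"),
    ("deny", "ip", "any", "any", ""),   # explicit catch-all deny
]

# Constructed site inventory (documentation address ranges).
SITES = [
    Site("duluth", "outside", "192.0.2.25", "192.0.2.80"),
    Site("rochester", "outside", "198.51.100.25", "198.51.100.80"),
]


def render_site(site: Site, acl_name: str = "outside_in") -> List[str]:
    """Expand the central policy for one site into access-list lines.

    The final line binds the ACL to the site's outside interface.
    """
    subst = {"$MAIL": site.mail_host, "$WEB": site.web_host}
    lines = []
    for action, proto, src, dst, port in CENTRAL_POLICY:
        for token, value in subst.items():
            dst = dst.replace(token, value)
        rule = f"access-list {acl_name} {action} {proto} {src} {dst}"
        if port:
            rule += f" {port}"
        lines.append(rule)
    lines.append(f"access-group {acl_name} in interface {site.outside_if}")
    return lines


def render_all(sites=SITES) -> Dict[str, List[str]]:
    """Render every site; this is what a central console would push."""
    return {s.name: render_site(s) for s in sites}


def policy_digest(lines: List[str]) -> str:
    """Stable fingerprint of a rendered ACL, so an audit can compare the
    intended policy with what a box reports (e.g. from 'show access-list')
    without shipping the whole rule set around."""
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def drift(expected: List[str], running: List[str]) -> Tuple[List[str], List[str]]:
    """Return (missing, unexpected) lines between intended and running
    config. Order is ignored here; a production check should also compare
    order, because ACL evaluation is first-match."""
    exp, run = set(expected), set(running)
    return sorted(exp - run), sorted(run - exp)


if __name__ == "__main__":
    for name, lines in render_all().items():
        print(f"! {name} policy digest {policy_digest(lines)[:12]}")
        print("\n".join(lines))
```

The generated lines are the artifact to push; with a central generator, a policy change is one edit and one push loop rather than 70 hand edits, and `drift()` run against each box's running ACL is the audit that catches the site someone "fixed" by hand.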


----- Original Message -----
From: "Ben Nagy" <[EMAIL PROTECTED]>
To: "'Michael Janke'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, September 16, 2001 9:09 PM
Subject: RE: More PIX vs. Firewall-1. Comments welcome.


> Thanks for this, Michael. One of my pet peeves is posts that present
> opinions without enough thought-process.
>
> > -----Original Message-----
> > From: Michael Janke [mailto:[EMAIL PROTECTED]]
> [...]
> > We've been doing an extensive comparison of PIX and Checkpoint for a
> > large internal project. [...]
> > Here's what we figure:
> >
> [...]
> >
> > We want 'stateful inspection' not 'proxy' type firewalls.
> > Although the
> > proxy type may have some security advantages, we have a very open
> > environment with lots of unique apps, and are likely to have problems
> > proxying them all. Professors routinely invent new stuff &
> > expect it to
> > work on our WAN. Proxy's sound like a headache.
>
> You'd be right. Mind you, NAT may also be a headache, depending on how zany
> your inventors are.
>
> > We have 70 sites. Most sites have 255<>1400 computers with
> > 1-3 T1's to
> > the Internet. [FW-1 would cost much more money]
> >
> > We can't see where the nicer Checkpoint GUI adds enough value to the
> > firewall to make it worth 2x-3x the price of a PIX. The only pure
> > technical feature that Checkpoint has over PIX is the ability
> > to write
> > your own rules based on bits & bytes within the packets.
>
> What about policy management for all 70 sites from a single console? Can the
> PIX do that effectively yet? I've heard mumble about an Enterprise Manager
> of some description for PIX / Router ACLs, but I honestly have no idea
> whether or not it's vapour.
>
> It would seem to me that the ability to make policy changes without manually
> configuring 70 firewalls would be valuable - it's quicker and much more
> accurate.
>
> > [...]
> > Checkpoint also allows bandwidth
> > management on the
> > same hardware. We need bandwidth management, but I'm not sure that I
> > want it on the same hardware as my firewall. Then we get in to the
> > discussion of 'put everything in one box because it is simpler to
> > maintain' vs. 'put everything in separate, dedicated
> > appliances because
> > they are simpler to maintain'.
>
> I would also be asking myself how _good_ the Checkpoint bandwidth management
> is. Given a choice, I think I'd prefer to buy bandwidth management from
> someone who lives or dies by the quality of their offering - and Checkpoint
> ain't one of them.
>
> > The PIX has much cheaper maintenance contract costs.[...]
> > Compaq's new Linux/Checkpoint setup for less money than
> > Nokia, but I'm
> > not sure that it is as well developed as the Nokia platform.
>
> I've heard Good Things about Nokia, and I'm concerned (although with no
> evidence) about a) Linux for a firewall solution and b) Compaq / HP.
>
> > A PIX + failover bundle is about 125% the cost of a stand-alone
> > unrestricted PIX. Checkpoint failover is 200% of the cost of
> > Checkpoint
> > w/o failover. We could deploy failover at many of our sites
> > with PIX and
> > still be within budget.
> >
> > With Checkpoint we have a firewall that depends on an
> > ordinary operating
> > system and hard drive to boot and run. A PIX boots from flash. We are
> > not staffed to support remote computers 6 hours from home in -50deg
> > Minnesota weather. I'd rather have my critical devices boot
> > from flash,
> > as I know that they will boot, and I know that I can modem
> > into them &
> > get them fixed remotely most of the time. With PIX an upgrade is an
> > upgrade, with Checkpoint an upgrade is two upgrades (OS + Firewall
> > software).
>
> All good points. Modems permanently attached to firewalls is Very Wrong, but
> I know that you're talking about modem access via manual intervention from a
> human.
>
> > We already support a few PIX's. They are simple, non-intimidating
> > devices. We've had four PIX's for more than two years, with
> > absolutely
> > no problems. Have not even had to call Cisco one time.
> >
> > We usually are more efficient with CLI's than GUI's.
> >
> > I could take the money that I save by buying PIX's and spend
> > it on other
> > tools that could help out our overall security situation quite a bit.
>
> NIDS systems, monitored by human beings. About a million times more valuable
> than firewalls, IMO.
>
> > Obviously we are leaning toward PIX.
> >
> > Critical comments appreciated.
>
> I just wonder about the cost of managing that many PIXen. Does anyone use
> Enterprise Management software that can make changes to many PIXen at once,
> based on central policy decisions? I see that as fairly important for a
> network of that size.
>
> I'd also note that having seventy points of entry from the 'net is a
> dangerous architecture. I'm sure that it has been done for good reasons, but
> I'd be more comfortable with a network that had less entry points.
>
> Cheers,
>
> --
> Ben Nagy
> Network Security Specialist
> Marconi Services Australia Pty Ltd
> Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>