BTW, the Cisco Secure Policy Manager will allow you to manage up to 500 PIX
firewalls from a single GUI management interface, as well as VPNs, IDS, and
more. Not sure why people keep harping on the one-at-a-time management
issue for the PIX, as we've had this covered for some time now.
-bill
At 06:03 PM 9/17/2001 -0400, safieradam wrote:
>Ben makes good points about centralized management.
>
>At some point you don't want to be uploading ACLs to 70+ boxes one at a
>time. A script might do it but that brings up the issue of passwords. Are
>you managing in the clear or turning on and supporting SSH? The CP
>management station creates a semi-secure link to the remote boxes for you.
>There is also a way to run the GUI over their VPN links but you have to dig
>up the config. They also have something called Provider 1 targeted at really
>large deployments with very different policies on different segments but you
>probably don't need to spend the money on that.
>
>I think that Check Point's relationship with Nokia is headed south since
>Nokia came out with their own VPN product. However, CP is jumping on the
>partnership wagon with other vendors. http://www.intrusion.com makes less
>expensive hardware for CP - $2-$3K per box if you don't need lots of
>interfaces and under $1K for smaller sites. Just make sure you are not
>looking at the SOHO versions. Last time I checked they were still working
>on HA for their larger boxes but I would look at CP's own HA solution and/or
>multi-entry point features instead. Just try to use a dedicated or at least
>a high speed internal interface for the update packet path.
>
>You should not be spending $10K per license unless you are including VPN in
>the cost and paying list. Make sure you are buying a central management
>station and only the gateway licenses for the remote sites. If you can go
>with cold spares they should discount the cold spare license or simply
>configure the cold spare with the same IP address and license - Errr.....
>that may NOT be OK - check the license agreement carefully. I've been
>spoiled with hot spares or survived with none. Definitely do some price
>negotiating - Pull out your PIX discount book, hit the CP rep with it and
>get the same or better rate. With a possible 140 licenses CP corporate may
>help you beat up a distributor that won't negotiate. True, CP has never
>been cheap but there is some room for arm twisting.
>
>Do a quick survey of postings asking for help on PIX vs. Check Point. A few
>years ago PIX seemed to have more problems needing patches and more people
>having problems. On the other hand CP users had so many "how do I..."
>problems early on that D. Welch created http://www.phoneboy.com, now THE
>site to check for CP issues. He even wrote a book about it.
>
>Finally, get your support from CP directly rather than a reseller (unless it's
>Mr. Welch!). Their 1st level support is OK for simple stuff only but then,
>I've rarely seen great support from anyone unless you have your own SE. Once
>you escalate you can get decent support but having your own SE is best.
>
>Anyway, I'm still a CP fan though I have to admit there are an awful lot of
>good products out there, especially if you are only doing a few sites. For
>medium or large scale I have yet to see a really usable, simple and quick to
>deploy management system other than CP's. (I admit I still have lots of
>management products to check out - Nortel's Shasta sounds comprehensive from
>the literature. And I reserve the right to change my mind tomorrow.)
>
>Adam
>
>
>----- Original Message -----
>From: "Ben Nagy" <[EMAIL PROTECTED]>
>To: "'Michael Janke'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
>Sent: Sunday, September 16, 2001 9:09 PM
>Subject: RE: More PIX vs. Firewall-1. Comments welcome.
>
>
> > Thanks for this, Michael. One of my pet peeves is posts that present
> > opinions without enough thought-process.
> >
> > > -----Original Message-----
> > > From: Michael Janke [mailto:[EMAIL PROTECTED]]
> > [...]
> > > We've been doing an extensive comparison of PIX and Checkpoint for a
> > > large internal project. [...]
> > > Here's what we figure:
> > >
> > [...]
> > >
> > > We want 'stateful inspection' not 'proxy' type firewalls.
> > > Although the
> > > proxy type may have some security advantages, we have a very open
> > > environment with lots of unique apps, and are likely to have problems
> > > proxying them all. Professors routinely invent new stuff &
> > > expect it to
> > > work on our WAN. Proxies sound like a headache.
> >
> > You'd be right. Mind you, NAT may also be a headache, depending on how
> > zany your inventors are.
> >
> > > We have 70 sites. Most sites have 255<>1400 computers with
> > > 1-3 T1s to
> > > the Internet. [FW-1 would cost much more money]
> > >
> > > We can't see where the nicer Checkpoint GUI adds enough value to the
> > > firewall to make it worth 2x-3x the price of a PIX. The only pure
> > > technical feature that Checkpoint has over PIX is the ability
> > > to write
> > > your own rules based on bits & bytes within the packets.
> >
> > What about policy management for all 70 sites from a single console? Can
> > the PIX do that effectively yet? I've heard mumble about an Enterprise Manager
> > of some description for PIX / Router ACLs, but I honestly have no idea
> > whether or not it's vapour.
> >
> > It would seem to me that the ability to make policy changes without
> > manually configuring 70 firewalls would be valuable - it's quicker and much more
> > accurate.
> >
> > > [...]
> > > Checkpoint also allows bandwidth
> > > management on the
> > > same hardware. We need bandwidth management, but I'm not sure that I
> > > want it on the same hardware as my firewall. Then we get in to the
> > > discussion of 'put everything in one box because it is simpler to
> > > maintain' vs. 'put everything in separate, dedicated
> > > appliances because
> > > they are simpler to maintain'.
> >
> > I would also be asking myself how _good_ the Checkpoint bandwidth
> > management is. Given a choice, I think I'd prefer to buy bandwidth management from
> > someone who lives or dies by the quality of their offering - and
> > Checkpoint ain't one of them.
> >
> > > The PIX has much cheaper maintenance contract costs.[...]
> > > Compaq's new Linux/Checkpoint setup for less money than
> > > Nokia, but I'm
> > > not sure that it is as well developed as the Nokia platform.
> >
> > I've heard Good Things about Nokia, and I'm concerned (although with no
> > evidence) about a) Linux for a firewall solution and b) Compaq / HP.
> >
> > > A PIX + failover bundle is about 125% the cost of a stand-alone
> > > unrestricted PIX. Checkpoint failover is 200% of the cost of
> > > Checkpoint
> > > w/o failover. We could deploy failover at many of our sites
> > > with PIX and
> > > still be within budget.
> > >
> > > With Checkpoint we have a firewall that depends on an
> > > ordinary operating
> > > system and hard drive to boot and run. A PIX boots from flash. We are
> > > not staffed to support remote computers 6 hours from home in -50deg
> > > Minnesota weather. I'd rather have my critical devices boot
> > > from flash,
> > > as I know that they will boot, and I know that I can modem
> > > into them &
> > > get them fixed remotely most of the time. With PIX an upgrade is an
> > > upgrade, with Checkpoint an upgrade is two upgrades (OS + Firewall
> > > software).
> >
> > All good points. Modems permanently attached to firewalls is Very Wrong,
> > but I know that you're talking about modem access via manual intervention from
> > a human.
> >
> > > We already support a few PIXes. They are simple, non-intimidating
> > > devices. We've had four PIXes for more than two years, with
> > > absolutely
> > > no problems. Have not even had to call Cisco one time.
> > >
> > > We usually are more efficient with CLIs than GUIs.
> > >
> > > I could take the money that I save by buying PIXes and spend
> > > it on other
> > > tools that could help out our overall security situation quite a bit.
> >
> > NIDS systems, monitored by human beings. About a million times more
> > valuable than firewalls, IMO.
> >
> > > Obviously we are leaning toward PIX.
> > >
> > > Critical comments appreciated.
> >
> > I just wonder about the cost of managing that many PIXen. Does anyone use
> > Enterprise Management software that can make changes to many PIXen at
> > once, based on central policy decisions? I see that as fairly important for a
> > network of that size.
> >
> > I'd also note that having seventy points of entry from the 'net is a
> > dangerous architecture. I'm sure that it has been done for good reasons,
> > but I'd be more comfortable with a network that had fewer entry points.
> >
> > Cheers,
> >
> > --
> > Ben Nagy
> > Network Security Specialist
> > Marconi Services Australia Pty Ltd
> > Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
> >
______________________________________________________________________________________
Bill McGee, CCNA [EMAIL PROTECTED]
VPN and Security BU, Channels Manager and Evangelist
Cisco Systems, Inc.
Phone: 408.859.7942
Pager: 800.365.4578 (or [EMAIL PROTECTED])
FAX: 408.527.5173
Make your Cisco network "SAFE": http://www.cisco.com/go/safe/
The power to end extreme poverty is now online... www.netaid.org
______________________________________________________________________________________