Nokia and CheckPoint or Cisco?

It's almost time to replace our hardware firewall at work.

Currently use a Nokia IP330 box with CheckPoint on. Run a DMZ and private network off it.

Considering whether to replace the IP330 with the new (its replacement) IP390 and keep CheckPoint, or whether to look at something like the Cisco PIX (which I have used in the past).

I like the GUI on CheckPoint for ease of management, but I know the Cisco PDM has a basic GUI for PIX (though not sure how this compares).

GUI aside, I guess my question is, which is the better product?

Reply to
K

We currently use PIX-520s on the edge. Its GUI (PDM 3.0) is flaky sometimes -- it seems to suck in the entire running-config into its workspace, and when you make changes and hit "apply" it (over)writes the entire config back out to the PIX (not just the new/changed lines.) I've already had one instance where it failed to write out the whole config, and boom! -- no Internet access! (fortunately, the second re-apply worked.) That's the last time I ever used PDM to make changes... :P Admittedly, the PIX-520 is an older platform, but I think we have the most current PDM for it.

Never have used Nokia/Checkpoint, so can't comment there.

firewall technology as compared to Checkpoint, Symantec, BlueCoat, etc. Of course you can find proponents and detractors of any vendor's platform(s), but that's the consensus I've been able to determine (we are looking to replace our aged PIXen as well...) I even have one (well respected) person telling me to replace our PIXen with MSFT's ISA 2004. We use ISA behind our PIX, and it does have a very attractive GUI, and I find it very easy to set up and use. We aren't using it as an edge firewall however, or terminating VPNs, etc. on it, so I'm not pushing it to any limits...

HTH, Will


Reply to
willard.dennis

Cisco's newer ASA line offers more features, some of which are also in newer versions of Cisco IOS with Enhanced Security (aka Firewall Feature Set).

Reply to
Walter Roberson

That is plausible.

There is solsoft.com's security policy manager, which is (according to the specs at least) designed to only output the minimal changes needed for any particular update.

Reply to
Walter Roberson
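The thread contrasts a GUI that rewrites the whole config on every "apply" (and can leave the box half-written if the push fails) with a policy manager that claims to emit only the minimal changes for an update. As an added example, not code from any poster, Cisco, Check Point or Solsoft, here is a Python sketch of the minimal-delta approach with a post-apply check and rollback. The line-based config format, the `Device` class and the sample configs are constructed for the demo and are not real PIX or Check Point syntax.

```python
"""Minimal-delta config push with verification and rollback (added example).

Models two ways of updating a line-based firewall policy:
  * write_full  - the whole-config overwrite the thread complains about; a
                  failure part-way leaves the device with a truncated policy
  * safe_push   - compute only the lines that differ, apply those, verify the
                  result against the desired config and roll back on mismatch
The config format is a constructed, generic policy, not real vendor syntax.
"""
import difflib

# Constructed sample configs (RFC 5737 documentation addresses).
RUNNING = """\
interface outside ip 203.0.113.2/24
interface inside ip 192.0.2.1/24
rule 10 permit tcp any 192.0.2.10 port 80
rule 20 permit tcp any 192.0.2.10 port 443
rule 30 deny ip any any
"""

# Same policy with one management rule added before the final deny.
DESIRED = """\
interface outside ip 203.0.113.2/24
interface inside ip 192.0.2.1/24
rule 10 permit tcp any 192.0.2.10 port 80
rule 20 permit tcp any 192.0.2.10 port 443
rule 25 permit tcp 198.51.100.0/24 192.0.2.10 port 22
rule 30 deny ip any any
"""


def config_lines(cfg):
    """Normalise a config blob into a list of non-empty, stripped lines."""
    return [line.strip() for line in cfg.splitlines() if line.strip()]


class Device:
    """Simulated firewall holding an ordered line-based config (hypothetical)."""

    def __init__(self, cfg):
        self.lines = config_lines(cfg)

    def snapshot(self):
        return list(self.lines)

    def restore(self, snap):
        self.lines = list(snap)

    def write_full(self, cfg, fail_after=None):
        """Whole-config overwrite: clear, then write line by line.
        fail_after=n simulates the connection dropping after n lines."""
        new = config_lines(cfg)
        self.lines = []
        for n, line in enumerate(new):
            if fail_after is not None and n >= fail_after:
                raise OSError("connection lost mid-write")
            self.lines.append(line)

    def apply_delta(self, delta, fail_after=None):
        """Apply ('remove', index) / ('add', index, line) ops in order."""
        for n, op in enumerate(delta):
            if fail_after is not None and n >= fail_after:
                raise OSError("connection lost mid-write")
            if op[0] == "remove":
                del self.lines[op[1]]
            else:
                self.lines.insert(op[1], op[2])


def compute_delta(running_lines, desired_lines):
    """Return the minimal op list turning running_lines into desired_lines.
    Removals are emitted first in descending index order (so indices stay
    valid), then insertions in ascending order of their position in desired."""
    sm = difflib.SequenceMatcher(a=running_lines, b=desired_lines, autojunk=False)
    removes, adds = [], []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag in ("delete", "replace"):
            removes.extend(("remove", i) for i in range(i1, i2))
        if tag in ("insert", "replace"):
            adds.extend(("add", j, desired_lines[j]) for j in range(j1, j2))
    removes.sort(key=lambda op: op[1], reverse=True)
    return removes + adds


def safe_push(device, desired, fail_after=None):
    """Push only the delta, verify the device matches, roll back otherwise.
    Returns (ok, delta) so callers can log exactly what was sent."""
    desired_lines = config_lines(desired)
    delta = compute_delta(device.lines, desired_lines)
    snap = device.snapshot()
    try:
        device.apply_delta(delta, fail_after)
    except OSError:
        pass  # fall through to verification, which will fail and roll back
    if device.lines != desired_lines:
        device.restore(snap)
        return False, delta
    return True, delta


if __name__ == "__main__":
    dev = Device(RUNNING)
    ok, delta = safe_push(dev, DESIRED)
    print("delta pushed:", delta, "ok:", ok)
    broken = Device(RUNNING)
    try:
        broken.write_full(DESIRED, fail_after=2)
    except OSError as e:
        print("full overwrite failed:", e, "-> device left with", broken.lines)
```

The delta push never clears the device, so a failure part-way leaves the existing policy plus whatever ops completed, and the verify step compares the live config to the intended one before declaring success; a mismatch restores the snapshot rather than leaving the box in an unknown state.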

Thanks for your response.

Reply to
K

Stick with Check Point. Cisco doesn't have near the features or protections of CP. If you have any doubt about that, set up a web server behind Pix and behind Check Point. Throw Metasploit at each one and it's bye-bye to the web server behind Cisco every time. Check Point stops every Metasploit attack cold even in its default configuration.

Check Point's only product is security; it's a sideline for Cisco.

JJ

Reply to
Me

Any firewall needs effective maintenance; a firewall is only as good as its security policy and those which understand its management. This is too often overlooked in a platform debate.

As you'd expect each platform has its advantages and disadvantages. The newer Cisco ASA devices running version 7.x code have an improved GUI, the ASDM, though I've yet to see anything which improves on the Check Point GUI (if you like GUIs). Cisco engineers will tend to prefer using the CLI. Version 7.x has improved application inspection, and you get QoS too (this was, and may still be, an additional purchase for the Check Point platform).

Personally, I think the PIX handles NAT better when connecting to multiple different networks and NATing inside addresses differently, but this can be achieved with Check Point with additional manual rules.

Check Point with Nokia clustering is a good high-availability, load-balancing solution (although unicast IP addresses mapping to multicast MAC addresses can be problematic). PIXs operate in an active/standby mode, except when PIX 7.x is configured using multiple 'contexts' (or virtual firewalls) where it's possible for one firewall to be active for some contexts and standby for others, giving some degree of active/active functionality, but asymmetric routing can cause problems.

It's easier to plug in OPSEC compliant services to Check Point, to hand-off A/V checking, for example, although arguably this is best achieved through a separate box.

Ultimately, the features required and the in-house skill sets to manage a firewall will usually influence the platform choice.

Cheers,

Matt

Reply to
Matthew Melbourne

I would agree with JJ. Check Point is a lot better than Cisco's PIX which is just acls with no smartness on studying traffic patterns and application types (Smart Defense feature in CheckPoint). If you have cost in mind, I would suggest using a Dell or any other x386 for hardware and install Secure Platform on it. It is much easier to keep up with Check Point's patches and you don't have to worry about maintaining the OS and maintaining CheckPoint. But the BIGGEST PLUS point is that Secure Platform on an x386 machine has almost $0 maintenance cost compared to Nokia's maintenance cost.

AH

Reply to
Adnan F. Hussain

That is incorrect. The PIX "fixup" command does examine traffic at the application level.

Also, the Cisco ASA firewall series has "anti-X" features that might be a bit easier to recognize.

Reply to
Walter Roberson

Matthew, if you're gonna come waltzing in here spouting totally unbiased & fair opinions without at least taking a better-than-you holier-than-thou condescending tone with the people asking these questions you're never going to fit in here. ;)

Reply to
gray.wizard

As of the latest releases for Enterprise, QoS is included in the licenses if you buy new. It still may be an extra feature in an upgrade.

True...NAT is much easier to use and implement in the PIX code than CP.

Also, Checkpoint SecurePlatform also provides good active-active (with multiple nodes, it is not limited to only two enforcement modules) and active-standby. It is easy to implement and, with the right license, converting from active/standby to active/active takes only pushing policy. (If the switches/routers are configured correctly.) Fall-over is almost unnoticeable. I do not recall if Nokia provides the same open-ended capability.

Also, SPLAT can be implemented on general purpose servers (such as a Dell 2850) for much less cost than the Nokia.

You do want to use the distributed module (separate management server) for HA.

Logging is much more useful in Checkpoint than PIX. The log viewer is native to CP and is very easy to use. You do not have to export the logs to a SYSLOG viewer.

Also, you need to consider your experience in using CP and the amount of time that would be required to transition to PIX. PIX is very different and, as indicated, most people administer it from CLI. I have not heard any good reports about the GUI and have not looked at it lately. The last time (late 6.3, I believe) I was not impressed.

Reply to
rick

Thanks

We are going to go with the Nokia IP390 box with CheckPoint. We already have CheckPoint, so are happy to stay with it.

Cost is not the issue so we are going with the Nokia box over a server as the Nokia OS is less penetrable than Windows etc.

Reply to
K

Actually it is feature more than cost. Secure Platform is a CP OS based on Linux. It is not Windows. Secure Platform seems to have one of the best price/performance ratios for a CP device.

I would look at SPLAT's capabilities.

Reply to
rick
