Security Basics mailing list archives

RE: Firewall recommendations?


From: "Fields, James" <James.Fields () bcbsfl com>
Date: Mon, 10 Mar 2003 07:26:12 -0500

I have run both Checkpoint and PIX in my environment.  I have seen some of
the "classified" documents you are referring to - look at the source.  I
believe they are marketing documents from Checkpoint or Nokia.

The PIX is a true stateful inspection firewall.  No "weird" ports have to be
open for E-Mail or anything else for that matter.  Both products have
weaknesses which have to be addressed, as in any commercial offering.  The
biggest problem with the PIX is its lack of a GUI.  We've tried CSPM which
stinks and is end-of-life, we've tried PDM which is built-in and nicer but
too new to be stable, and settled on the command line.  The PIX also has no
built-in logging other than syslogging, requiring a third-party product for
meaningful reports.  On the other hand, the level of logging I do get out of
the PIX far exceeds that from the Checkpoint.  Furthermore, support for
Checkpoint is spotty at best, and downright dismal in many cases.  It
depends upon your vendor, who will likely have to do your support.

In any case, I do not recommend running ISA as a firewall - it should be
used as an application proxy.

-----Original Message-----
From: David Ellis [mailto:dellis () unicam com] 
Sent: Friday, March 07, 2003 9:05 PM
To: 'Thorsten Dampf -- 7stein.net'; 'rdusek () myway com';
'security-basics () securityfocus com'
Subject: RE: Firewall recommendations?

Hi, at my current job we use Checkpoint, and I personally love that firewall
product. I am not a big fan of the PIX, and I have never played with the ISA
server because it is a Microsoft product and I would not trust it. We are a very
security-conscious company. I think Checkpoint has the best interface
around. But hey, that's my personal opinion. The Cisco PIX is not a true
stateful packet inspection firewall. I have a classified PDF that talks about
the PIX versus Checkpoint in a situation with multiple Exchange servers, and
the ports you had to leave open for the PIX to work in the environment that
was documented were totally unsafe.
At my next job, I would suggest going with Checkpoint. It's not that
expensive when you start thinking about ISA server, because you still need the
hardware, the Windows Server OS license and then the ISA license.

-----Original Message-----
From: Thorsten Dampf -- 7stein.net [mailto:thorsten.dampf () 7stein net] 
Sent: Friday, March 07, 2003 3:48 PM
To: rdusek () myway com; security-basics () securityfocus com
Subject: RE: Firewall recommendations?


Take a look at the watchguard products. www.watchguard.com

Regards, Thorsten


-----Original Message-----
From: rdusek () myway com [mailto:rdusek () myway com]
Sent: Thursday, 6 March 2003 21:05
To: security-basics () securityfocus com
Subject: Firewall recommendations?




I am in charge of researching a firewall to replace what we currently
have.  At my previous job I had used Microsoft ISA in a low-security
environment, and was happy with its features and its integration with
the Windows environment there.  However, at my current job, security is a
much greater concern, and I have to admit I am somewhat uneasy running a
Microsoft firewall product on top of a Microsoft OS.  We had also
investigated Checkpoint as well as Cisco PIX, and found that for our
needs, the PIX at least seemed to need many separate components for the
same functionality.  My question is: what are your experiences with using
ISA from a security standpoint?  Usability issues?  From the Mac end?  Or
would we be better off pursuing the Checkpoint or the PIX solution?  We
also plan on implementing VPN over whatever we choose, so if you
recommend something other than these, it should support at least PPTP and
perhaps eventually IPSec/L2TP.  We have also considered placing ISA
behind a Linux (or BSD) ipchains firewall on our perimeter network to
block some of the traffic from getting to ISA.  Any comments here?  Thanks
to everybody in advance!
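Worked example, added here and not part of any message in the thread: James Fields notes above that the PIX has no logging beyond syslog, so meaningful reports need a third-party tool. The script below is the smallest useful version of such a tool, written in Python for this archive page rather than taken from any product. It parses three common PIX 6.x syslog message IDs (106023 and 106001 for denied connections, 302013 for built TCP connections), counts denies per source address, and flags any source that was denied on three or more distinct destination ports. The lines in SAMPLE_LOG are constructed for illustration; the function names and the port threshold are this example's own choices.

```python
"""Tiny PIX syslog reporter (added example, not from the thread).

Parses three common PIX 6.x syslog message IDs and summarises denied
connections per source address. SAMPLE_LOG is constructed for this
example; the message layouts follow the PIX syslog message catalogue.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape a PIX sends to a syslog server.
SAMPLE_LOG = """\
Mar 10 2003 07:20:01 pix-fw : %PIX-6-302013: Built inbound TCP connection 4711 for outside:192.0.2.10/40211 (192.0.2.10/40211) to inside:10.1.1.5/25 (203.0.113.5/25)
Mar 10 2003 07:20:02 pix-fw : %PIX-4-106023: Deny tcp src outside:198.51.100.7/3312 dst inside:10.1.1.5/139 by access-group "outside_in"
Mar 10 2003 07:20:02 pix-fw : %PIX-4-106023: Deny tcp src outside:198.51.100.7/3313 dst inside:10.1.1.5/445 by access-group "outside_in"
Mar 10 2003 07:20:03 pix-fw : %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/3314 to 10.1.1.6/135 flags SYN on interface outside
Mar 10 2003 07:20:05 pix-fw : %PIX-4-106023: Deny udp src outside:203.0.113.99/53 dst inside:10.1.1.5/1434 by access-group "outside_in"
Mar 10 2003 07:20:09 pix-fw : %PIX-6-302013: Built outbound TCP connection 4712 for inside:10.1.1.20/1054 (203.0.113.5/1054) to outside:192.0.2.80/80 (192.0.2.80/80)
"""

# Every PIX message carries %PIX-<severity>-<message id>: <body>
HEADER = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)")

# 106023: packet dropped by an access list
DENY_ACL = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
# 106001: inbound TCP connection denied (no permitting rule or translation)
DENY_INBOUND = re.compile(
    r"Inbound (?P<proto>\w+) connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>[\w-]+)"
)
# 302013: TCP connection built (entry added to the state table)
BUILT_TCP = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def _event(msgid, action, m, proto):
    """Normalise a regex match into one flat event dict."""
    return {"msgid": msgid, "action": action, "proto": proto.lower(),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def parse_line(line):
    """Return an event dict, or None for lines this reporter does not handle."""
    h = HEADER.search(line)
    if not h:
        return None
    msgid, body = h["msgid"], h["body"]
    if msgid == "106023":
        m = DENY_ACL.match(body)
        return _event(msgid, "deny", m, m["proto"]) if m else None
    if msgid == "106001":
        m = DENY_INBOUND.match(body)
        return _event(msgid, "deny", m, m["proto"]) if m else None
    if msgid == "302013":
        m = BUILT_TCP.match(body)
        return _event(msgid, "built", m, "tcp") if m else None
    return None  # other message IDs are ignored by this minimal reporter


def parse_log(text):
    """Parse every line of a syslog capture, skipping unhandled ones."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def deny_report(events, port_threshold=3):
    """Count denies per source and flag sources denied on >= port_threshold
    distinct destination ports (a crude scan heuristic; threshold is arbitrary)."""
    counts = Counter()
    ports_hit = defaultdict(set)
    for e in events:
        if e["action"] != "deny":
            continue
        counts[e["src"]] += 1
        ports_hit[e["src"]].add(e["dport"])
    flagged = sorted(s for s, ports in ports_hit.items() if len(ports) >= port_threshold)
    return {"deny_counts": dict(counts), "flagged": flagged}


if __name__ == "__main__":
    report = deny_report(parse_log(SAMPLE_LOG))
    for src, n in sorted(report["deny_counts"].items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {n:4} denies")
    print("possible scanners:", ", ".join(report["flagged"]) or "none")
```

On the constructed sample this reports three denies from 198.51.100.7 across ports 139, 445 and 135 (so it is flagged) and one from 203.0.113.99; the two 302013 lines are parsed but do not count as denies. A real deployment would read from the syslog server's spool and add message IDs as they turn up, but the shape stays the same: one regex per message ID, one flat event dict, and the reporting logic kept separate from parsing.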
