nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1

From: "Christopher L. Morrow" <chris () UU NET>
Date: Thu, 5 Feb 2004 17:45:16 +0000 (GMT)

again, not that I care about the vendor in question.. BUT

On Thu, 5 Feb 2004, Alexei Roudnev wrote:



Checkpoint is a very strange brand. On the one hand, it is _well known
brand_, _many awards_, _editors choice_, etc etc. I know network consultant,
who installed few hundred of them, and it works.

On the other hand, every time, when I have a deal with this beasts (we do
not use them, but some our customers use), I have an impression, that it is
the worst firewall in the world:
- for HA, you need very expansive Solaris cluster (compare with PIX-es) /I
can be wrong, but it is overall opinion/.


wrong, get nokia's run checkpoint on them, they do VRRP natively, it
rocks... does stateful failover so you can't even tell when one dies.


- VPN have numerous bugs (it is not 100% compatible with Cisco's by default;
of couse, I can blame Cisco, but Checkpoint is _the only_ one of my peers
which have this problem);


this actually works well, provided you config it correctly, there is an
example for pix/CP vpn config at:
http://www.phoneboy.com/bin/view.pl/FAQs/VPNsBetweenFourOneAndCisco

not that phoneboy should be anyone's substitute for support on the cisco
or CP side, of course.



- Configuration is not packed in 1 single file, so making difficult change
control, etc etc...


right, this is actually a huge problem for MSSP's, having to do everything
via a gui is bad :(
Previous By Date Next
Previous By Thread Next

Current thread: