nanog mailing list archives
Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1
From: "Christopher L. Morrow" <chris () UU NET>
Date: Thu, 5 Feb 2004 17:45:16 +0000 (GMT)
again, not that I care about the vendor in question.. BUT

On Thu, 5 Feb 2004, Alexei Roudnev wrote:

> Checkpoint is a very strange brand. On the one hand, it is a _well known brand_, _many awards_, _editors choice_, etc etc. I know a network consultant, who installed a few hundred of them, and it works.
>
> On the other hand, every time, when I have a deal with these beasts (we do not use them, but some of our customers use), I have an impression, that it is the worst firewall in the world:
>
> - for HA, you need a very expensive Solaris cluster (compare with PIX-es) /I can be wrong, but it is overall opinion/.

wrong, get nokia's, run checkpoint on them, they do VRRP natively, it rocks... does stateful failover so you can't even tell when one dies.

> - VPN has numerous bugs (it is not 100% compatible with Cisco's by default; of course, I can blame Cisco, but Checkpoint is _the only_ one of my peers which has this problem);

this actually works well, provided you config it correctly, there is an example for pix/CP vpn config at:

http://www.phoneboy.com/bin/view.pl/FAQs/VPNsBetweenFourOneAndCisco

not that phoneboy should be anyone's substitute for support on the cisco or CP side, of course.

> - Configuration is not packed in 1 single file, so making change control difficult, etc etc...

right, this is actually a huge problem for MSSPs, having to do everything via a gui is bad :(