Educause Security Discussion mailing list archives

Re: CheckPoint vs ASA


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Mon, 14 Apr 2008 14:13:03 -0700

 This is from Will McCullen, our Firewall administrator:

<my 2 cents>
I have worked with both platforms.  The main difference is that the ASA
is very much a layer 4 firewall and will not give you the luxuries that
you get from the Checkpoint.  Checkpoint as you know will give you such
creature comforts as filtering what ftp commands you can pass/deny
(layer 7).  The ASA however will be pretty much the standard
source/dest./prot/port kind of firewall.  The IPS solution on the ASA
integrated with the MARS product.  I found MARS to be difficult,
unwieldy and slower than molasses in January.
Click...(wait)...(whistle)...(sigh)..."Ah finally!".

We just got a new checkpoint and put it on a couple of beefy boxes with
a third for management.  I must say, the rule categories are much easier
to administer and the filtering in reports is quite straightforward.
Reporting trumps ASA dramatically.

That said, I would assume that the ASA would pass packets faster as it
has less overhead.  Latency might be less...assuming of course that you
would need better performance than what the Gig interfaces on the
Checkpoints would dish out.

There are also some advantages to the ASA command line.  The ability to
copy and paste a config is like an old warm couch that you are
accustomed to for a Cisco jockey.

The ASA might be more affordable depending on your pricing but
considering that you also have checkpoint experience, I would bet you
would be happier with the Checkpoint.  Download the docs for the MARS
solution and make sure that you get a good preview before you buy.  The
filter sets are non-trivial and a pain.  Keep in mind that on the MARS
box I administered, it was really slow from screen to screen.

All told however, I have not logged enough hours on the Checkpoint to
feel really strong about my opinion.  Those are my initial thoughts.

</my 2 cents>

If you have any questions feel free to call or write.
Hope this helps.

Will McCullen
IT Network Services
Pima Community College
Phone: 520-206-4565



~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
 
 
 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Monday, April 14, 2008 1:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] CheckPoint vs ASA

Echo the management comment about ASDM.  I learned PIX 
management and configuration on command line and was 
reluctant to use the ASDM, but now I do most changes and 
maintenance through the GUI.  We migrated from PIX to ASA 
5500 this summer seamlessly.

The Cisco VPN client can be repackaged with preconfigured 
settings, so rolling out VPN to previous users was painless.  
I have the installer out on our portal and just sent an email 
with the instructions.  So far I have no complaints. 

I have had nothing but good experiences with Cisco support.
Documentation is always out there, updates are easy to find, 
tech support calls are resolved in a timely fashion.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenkins, Matthew
Sent: Monday, April 14, 2008 3:25 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] CheckPoint vs ASA

I have not used Checkpoint in the past.  I have used a 
variety of other vendors in the past.  We use Cisco ASAs 
here.  The ASDM GUI makes it very easy to learn, especially 
for folks new to the ASAs.  Because I have had previous PIX 
experience, I still use the console for some tasks, however 
most of the everyday maintenance is done through the ASDM 
now.  I think it is Cisco Security Manager that allows you to 
centrally manage the ASAs.  We don't use the product, but saw 
it advertised once.
That may be more similar to the management style the 
Checkpoint firewalls use.  Overall we have had great success 
with the ASAs.  Unless you are doing more advanced stuff like 
ospf route maps, the ASDM GUI will take care of most tasks.

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Visit us online at www.fairmontstate.edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Disterhaft, Brian
Sent: Monday, April 14, 2008 2:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] CheckPoint vs ASA

To all:

In the near future, I will be faced with the task of 
replacing our aging firewall (CheckPoint FW-1 running on 
IPSO).  CheckPoint has served us very well for a number of 
years and it's the only firewall platform (outside of 
Microsoft ISA Server) that I am familiar with.  However, I 
have grown increasingly frustrated with the hefty price tag 
for support/software subscriptions as well as the quality of 
support received from CheckPoint.

I have looked into alternatives, and at this point have 
decided that Cisco's ASA appliance would be a viable option 
at a much lower annual cost.  Support, Performance, VPN 
capabilities and integrated IPS were factors in the decision.

Realizing this is a lot like asking a GM vs. Ford question, 
I'd like to hear experiences from those on the list that have 
faced a similar situation or are currently using ASA.  My 
main concern revolves around the management of ASA as I've 
heard that it can be cumbersome especially for those whose 
experience lies with platforms like CheckPoint.

Thanks in advance for your help.

Brian M. Disterhaft
Systems and Network Manager
Ripon College
Phone: (920) 748-8381
EMail: disterhaftb () ripon edu         

