Educause Security Discussion mailing list archives
Re: CheckPoint vs ASA
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Mon, 14 Apr 2008 14:13:03 -0700
This is from Will McCullen, our Firewall administrator:

<my 2 cents>

I have worked with both platforms. The main difference is that the ASA is very much a layer 4 firewall and will not give you the luxuries that you get from the Checkpoint. Checkpoint as you know will give you such creature comforts as filtering what ftp commands you can pass/deny (layer 7). The ASA however will be pretty much the standard source/dest./prot/port kind of firewall.

The IPS solution on the ASA integrated with the MARS product. I found MARS to be difficult, unwieldy and slower than molasses in January. Click...(wait)...(whistle)...(sigh)..."Ah finally!".

We just got a new checkpoint and put it on a couple of beefy boxes with a third for management. I must say, the rule categories are much easier to administer and the filtering in reports is quite straightforward. Reporting trumps ASA dramatically.

That said, I would assume that the ASA would pass packets faster as it has less overhead. Latency might be less...assuming of course that you would need better performance than what the Gig interfaces on the Checkpoints would dish out. There are also some advantages to the ASA command line. The ability to copy and paste a config is like an old warm couch that you are accustomed to for a Cisco jockey.

The ASA might be more affordable depending on your pricing but considering that you also have checkpoint experience, I would bet you would be happier with the Checkpoint. Download the docs for the MARS solution and make sure that you get a good preview before you buy. The filter sets are non-trivial and a pain. Keep in mind that on the MARS box I administered, it was really slow from screen to screen.

All told however, I have not logged enough hours on the Checkpoint to feel really strong about my opinion. Those are my initial thoughts.

</my 2 cents>

If you have any questions feel free to call or write. Hope this helps.

Will McCullen
IT Network Services
Pima Community College
Phone: 520-206-4565

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Monday, April 14, 2008 1:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] CheckPoint vs ASA

Echo the management comment about ASDM. I learned PIX management and configuration on command line and was reluctant to use the ASDM, but now I do most changes and maintenance through the GUI.

We migrated from PIX to ASA 5500 this summer seamlessly. The Cisco VPN client can be repackaged with preconfigured settings, so rolling out VPN to previous users was painless. I have the installer out on our portal and just sent an email with the instructions. So far I have no complaints.

I have had nothing but good experiences with Cisco support. Documentation is always out there, updates are easy to find, tech support calls are resolved in a timely fashion.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenkins, Matthew
Sent: Monday, April 14, 2008 3:25 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] CheckPoint vs ASA

I have not used Checkpoint in the past. I have used a variety of other vendors in the past. We use Cisco ASAs here. The ASDM GUI makes it very easy to learn, especially for folks new to the ASAs. Because I have had previous PIX experience, I still use the console for some tasks, however most of the everyday maintenance is done through the ASDM now.

I think it is Cisco Security Manager that allows you to centrally manage the ASAs. We don't use the product, but saw it advertised once. That may be more similar to the management style the Checkpoint firewalls use.

Overall we have had great success with the ASAs. Unless you are doing more advanced stuff like ospf route maps, the ASDM GUI will take care of most tasks.

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Visit us online at www.fairmontstate.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Disterhaft, Brian
Sent: Monday, April 14, 2008 2:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] CheckPoint vs ASA

To all:

In the near future, I will be faced with the task of replacing our aging firewall (CheckPoint FW-1 running on IPSO). CheckPoint has served us very well for a number of years and it's the only firewall platform (outside of Microsoft ISA Server) that I am familiar with. However, I have grown increasingly frustrated with the hefty price tag for support/software subscriptions as well as the quality of support received from CheckPoint.

I have looked into alternatives, and at this point have decided that Cisco's ASA appliance would be a viable option at a much lower annual cost. Support, Performance, VPN capabilities and integrated IPS were factors in the decision.

Realizing this is a lot like asking a GM vs. Ford question, I'd like to hear experiences from those on the list that have faced a similar situation or are currently using ASA. My main concern revolves around the management of ASA as I've heard that it can be cumbersome especially for those whose experience lies with platforms like CheckPoint.

Thanks in advance for your help.

Brian M. Disterhaft
Systems and Network Manager
Ripon College
Phone: (920) 748-8381
EMail: disterhaftb () ripon edu