Educause Security Discussion mailing list archives

Re: CheckPoint vs ASA


From: Paul Keser <pkeser () STANFORD EDU>
Date: Mon, 14 Apr 2008 15:46:29 -0700


Brian-

Ripon, that's in WI isn't it?  I grew up in Galesburg, IL, I think Knox
is in your conference, I went to Augustana in Rock Island.

First my bias...I used to work for Nokia supporting their firewalls
running Check Point so I am biased in favor of Nokia and against Check
Point ;-)

If you are looking for bang for the buck the FWSM module in a 6500 is
hard to beat, *assuming* you are already using 6500 series hardware.  If
you have to buy the chassis and management card to put the blade in it
isn't quite such a good deal...

At Stanford we had a large installed base of Juniper Netscreens (one of
the reasons I came here from NASA) and decided that our in-house
experience and comfort with the Netscreen UI as well as the Netscreen
feature set and performance made that our choice.  I know Cisco has done
a lot of work on their UI in the last couple years but when we looked
Netscreen ate Cisco's lunch.

If you're strictly looking for performance/$ then you might want to use
a Linux box running IPTables.  There are a number of projects like
FireStarter to give IPTables a GUI front end or Bastille-Linux to harden
and configure it from the command line.  It is hard to beat free.  If
you outgrow your firewall box, make it a web (or LDAP, SSLVPN, etc.)
server and get a bigger faster box.  This should work for speeds up to
gigabit.  If you need 10G that is a whole different (and *much* more
expensive) game...give Moore's Law some time to catch up or be prepared
to spend some serious coin... :-)

Moving your Check Point licenses to a Linux box would let you increase
your firewall performance with the only additional expense of the
hardware (and of course continuing support on the CP licenses).  This
would also save the Nokia hardware support but you would still be using
Check Point...might make a good interim step if you want to move towards
an IPTables based solution.  If you have an HA pair of Nokias this
probably isn't an ideal solution since Linux doesn't have HA built in like
IPSO, but I think you only have 1 firewall currently according to your
email.

By the way when I migrated from Check Point to Juniper Netscreen in a
previous job I found a number of scripts to convert the CP firewall
config to Netscreen format.  I am sure there are similar scripts for
going to Cisco as well.

Good Luck

- -PaulK

PS  When I was at Nokia (98-00) we had a customer complaint that their
4+ year old Ipsilon (pre Nokia acquisition) Firewall was obsolete and all
they could do with it was re-purpose it as a web server...I tried to get
my boss to take it to marketing...Let's see you do that with a Cisco  :-)


Paul Keser
Assoc. Information Security Officer
Stanford University
650.724.9051
GPG Fingerprint:  DBA3 E20F CE91 28AA DA1C  4A77 3BD9 C82D 2699 24FB


Disterhaft, Brian wrote:
To all:

In the near future, I will be faced with the task of replacing our aging
firewall (CheckPoint FW-1 running on IPSO).  CheckPoint has served us
very well for a number of years and it's the only firewall platform
(outside of Microsoft ISA Server) that I am familiar with.  However, I
have grown increasingly frustrated with the hefty price tag for
support/software subscriptions as well as the quality of support
received from CheckPoint.

I have looked into alternatives, and at this point have decided that
Cisco's ASA appliance would be a viable option at a much lower annual
cost.  Support, Performance, VPN capabilities and integrated IPS were
factors in the decision.

Realizing this is a lot like asking a GM vs. Ford question, I'd like to
hear experiences from those on the list that have faced a similar
situation or are currently using ASA.  My main concern revolves around
the management of ASA as I've heard that it can be cumbersome especially
for those whose experience lies with platforms like CheckPoint.

Thanks in advance for your help.

Brian M. Disterhaft
Systems and Network Manager
Ripon College
Phone: (920) 748-8381
EMail: disterhaftb () ripon edu
