Educause Security Discussion mailing list archives
Re: CheckPoint vs ASA
From: Paul Keser <pkeser () STANFORD EDU>
Date: Mon, 14 Apr 2008 15:46:29 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian-

Ripon, that's in WI isn't it? I grew up in Galesburg, IL, I think Knox is in your conference, I went to Augustana in Rock Island.

First my bias...I used to work for Nokia supporting their firewalls running Check Point so I am biased in favor of Nokia and against Check Point ;-)

If you are looking for bang for the buck the FWSM module in a 6500 is hard to beat, *assuming* you are already using 6500 series hardware. If you have to buy the chassis and management card to put the blade in it isn't quite such a good deal...

At Stanford we had a large installed base of Juniper Netscreens (one of the reasons I came here from NASA) and decided that our in-house experience and comfort with the Netscreen UI as well as the Netscreen feature set and performance made that our choice. I know Cisco has done a lot of work on their UI in the last couple of years but when we looked Netscreen ate Cisco's lunch.

If you're strictly looking for performance/$ then you might want to use a Linux box running IPTables. There are a number of projects like FireStarter to give IPTables a GUI front end or Bastille-Linux to harden and configure it from the command line. It is hard to beat free. If you outgrow your firewall box, make it a web (or LDAP, SSLVPN, etc.) server and get a bigger, faster box. This should work for speeds up to gigabit. If you need 10G that is a whole different (and *much* more expensive) game...give Moore's Law some time to catch up or be prepared to spend some serious coin... :-)

Moving your Check Point licenses to a Linux box would let you increase your firewall performance with the only additional expense being the hardware (and of course continuing support on the CP licenses). This would also save the Nokia hardware support but you would still be using Check Point...might make a good interim step if you want to move towards an IPTables based solution.

If you have an HA pair of Nokias this probably isn't an ideal solution since Linux doesn't have HA built in like IPSO, but I think you only have 1 firewall currently according to your email.

By the way, when I migrated from Check Point to Juniper Netscreen in a previous job I found a number of scripts to convert the CP firewall config to Netscreen format. I am sure there are similar scripts for going to Cisco as well.

Good Luck

- -PaulK

PS When I was at Nokia (98-00) we had a customer complaint that their 4+ year old Ipsilon (pre Nokia acquisition) firewall was obsolete and all they could do with it was re-purpose it as a web server...I tried to get my boss to take it to marketing...Let's see you do that with a Cisco :-)

Paul Keser
Assoc. Information Security Officer
Stanford University
650.724.9051
GPG Fingerprint: DBA3 E20F CE91 28AA DA1C 4A77 3BD9 C82D 2699 24FB

Disterhaft, Brian wrote:
> To all:
>
> In the near future, I will be faced with the task of replacing our aging firewall (CheckPoint FW-1 running on IPSO). CheckPoint has served us very well for a number of years and it's the only firewall platform (outside of Microsoft ISA Server) that I am familiar with. However, I have grown increasingly frustrated with the hefty price tag for support/software subscriptions as well as the quality of support received from CheckPoint.
>
> I have looked into alternatives, and at this point have decided that Cisco's ASA appliance would be a viable option at a much lower annual cost. Support, performance, VPN capabilities and integrated IPS were factors in the decision.
>
> Realizing this is a lot like asking a GM vs. Ford question, I'd like to hear experiences from those on the list that have faced a similar situation or are currently using ASA. My main concern revolves around the management of ASA as I've heard that it can be cumbersome, especially for those whose experience lies with platforms like CheckPoint.
>
> Thanks in advance for your help.
>
> Brian M. Disterhaft
> Systems and Network Manager
> Ripon College
> Phone: (920) 748-8381
> EMail: disterhaftb () ripon edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIA97FO9nILSaZJPsRAkkSAJ9P6l2gdaezxfuPmJuPvT9ITuDPDgCgj9VW
cF926HEBGfUtSdFgeII0+g8=
=wB6F
-----END PGP SIGNATURE-----
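The reply above proposes a Linux box running IPTables as the low-cost replacement for a Check Point appliance. The script below is an added illustration (it is not from the thread, from FireStarter or from Bastille-Linux) of what the minimal stateful, default-deny ruleset for such a box looks like in iptables-restore format. It only generates the ruleset for review; nothing is applied to the running kernel. The management network (10.0.100.0/24) and the published TCP ports (80 and 443) are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not part of the original thread: emit a default-deny,
# connection-tracking iptables ruleset for a Linux perimeter firewall.
# Output is in iptables-restore(8) format so it can be diffed and reviewed,
# then loaded with:  iptables-restore < ruleset.txt   (not done here).

MGMT_NET="${MGMT_NET:-10.0.100.0/24}"   # constructed: admin subnet allowed to SSH in
PUBLIC_TCP="${PUBLIC_TCP:-80 443}"      # constructed: TCP services open to everyone

# gen_rules MGMT_CIDR "PORT PORT ..."  -> prints the ruleset on stdout
gen_rules() {
    mgmt="$1"; pub="$2"
    # Policies: drop inbound and forwarded traffic unless a rule accepts it,
    # allow outbound from the firewall itself. LOGDROP is a user chain that
    # rate-limits log entries before dropping, so a flood cannot fill syslog.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        ':LOGDROP - [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT' \
        "-A INPUT -p tcp --dport 22 -s $mgmt -m conntrack --ctstate NEW -j ACCEPT"
    # One NEW-state accept per published service; everything else falls through.
    for port in $pub; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -j LOGDROP' \
        '-A LOGDROP -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: " --log-level 4' \
        '-A LOGDROP -j DROP' \
        'COMMIT'
}

# count_accepts MGMT_CIDR "PORTS" -> number of ACCEPT rules, a quick sanity
# check that the published-service list did not silently grow.
count_accepts() {
    gen_rules "$1" "$2" | grep -c -- '-j ACCEPT'
}

gen_rules "$MGMT_NET" "$PUBLIC_TCP"
```

The order matters: the ESTABLISHED,RELATED accept sits before any service rule so return traffic is matched by one conntrack lookup, and SSH is restricted to the management subnet rather than opened to the world. Because the script only prints, the ruleset can be kept in version control and reviewed before `iptables-restore` loads it.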