Firewall Wizards mailing list archives
Re: Comparisons of Firewall-1 vs. PIX
From: "Chris Hughes" <chughes () rpm com>
Date: Wed, 30 Sep 1998 09:16:03 -0400
In my research the striking differences between PIX and FW1 were:

- Reporting features
- Third-party security tools to support
- Centralized policy management
- Bi-directional authentication
- Number of sessions supported concurrently
- Encryption key security
- Price
- Performance (using Unix for the FW1 platform instead of WinNT)

One point that I did not grasp was the following comparison:

(Check Point:) True high availability maintains connections in the event of firewall failure. State information is synchronized between multiple FireWall-1 modules to ensure that connections are not dropped when a single FireWall-1 module fails.

(Cisco:) No synchronization of state information. All connections are dropped in the event of firewall failure. If failover is configured, load balancing is not supported.

(could someone clarify?)

There are other differences, but these stood out. The problem (for Cisco) is that Firewall1 seems to be the winner in all these points except price. Any other reasons to purchase PIX??

-----Original Message-----
From: Jean-Christophe Touvet <jct () EdelWeb fr>
To: Mark Horn [ Net Ops ] <mhornNOSPAM () nospamfunb com>
Cc: Chris Hughes <chughes () rpm com>; firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Wednesday, September 30, 1998 4:21 AM
Subject: Re: Comparisons of Firewall-1 vs. PIX
> Date: Tue, 29 Sep 1998 15:14:28 -0400
> From: "Mark Horn [ Net Ops ]" <mhornNOSPAM () NOSPAMfunb com>
> To: Chris Hughes <chughes () rpm com>
> cc: firewall-wizards () nfr net
>
> Chris Hughes says:
> > I have been tasked (on short notice) to evaluate Checkpoint Firewall-1 vs
> > the Cisco PIX firewall. I am new to firewalling and would appreciate
> > commentary on the strengths and weaknesses of these two solutions.
>
> About the only commentary that I have about Cisco PIX is that there seems
> to be no way to specify source ports in the filter rules.

I think your reply raises an interesting question: should source port filtering be considered mandatory for a firewall?

I'd say generally no, because firewalls are mainly used to protect networks from untrusted hosts, and if you don't trust a host, you can't trust the source port of connections coming from it. In many cases, source port filtering even gives one a false sense of security: I've seen too many network administrators astonished when presented with results of TCP scans using source port 20 or UDP scans using source port 53, for example.

Source port filtering is useful when writing outgoing stateless filtering rules, for instance if one authorizes incoming packets for a given service port, only packets with this source port should be going out (with ACK bit set if it's TCP), but stateful filtering doesn't require specifying the second rule.

Theoretically, it should also be useful to control the source port of connections coming from trusted UNIX hosts, because one can (almost ;-) be sure that only a root-owned process opened a privileged socket, but that source port control is generally enforced on the target host.

This is why I'd understand very well that PIX may not allow source port filtering: basically, it's a diode, which trusts everything in the internal network and nothing outside.

To answer the original question (FW1 vs PIX), I think that it's also the most fundamental difference between these products: FW1 can be used to control bidirectional traffic between many network interfaces and is designed to allow complex rulesets, while PIX's design is simplistic.

Comments ?

-JCT-
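To make JCT's point about source-port rules concrete, the following is a constructed Python model added here (it is not code from anyone in the thread, nor from Check Point or Cisco): a stateless rule that trusts inbound packets by source port 20 or 53 is compared with a minimal stateful tracker that only admits replies to sessions the inside opened. All addresses, ports and the packet samples are made up for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


INTERNAL_NET = "10.0.0."  # constructed internal prefix


def stateless_allows_inbound(pkt: Packet) -> bool:
    """Stateless rule of the kind the thread warns about: admit inbound
    packets purely because their source port is 20 (ftp-data) or 53 (DNS)."""
    return pkt.dst.startswith(INTERNAL_NET) and pkt.sport in (20, 53)


class StatefulFirewall:
    """Toy stateful tracker: an inbound packet passes only if it is the
    reverse of a session an inside host was permitted to open. A real engine
    would also check TCP flags and sequence numbers; this model does not."""

    def __init__(self, outbound_services):
        self.outbound_services = set(outbound_services)
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt: Packet) -> bool:
        ok = pkt.src.startswith(INTERNAL_NET) and pkt.dport in self.outbound_services
        if ok:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return ok

    def inbound(self, pkt: Packet) -> bool:
        # The full reverse 4-tuple must match; a bare source port proves nothing.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def compare_policies() -> dict:
    fw = StatefulFirewall(outbound_services={53, 80})
    # Legitimate exchange: inside host queries an outside DNS server.
    fw.outbound(Packet("10.0.0.5", 40000, "198.51.100.1", 53))
    reply = Packet("198.51.100.1", 53, "10.0.0.5", 40000)
    # Unsolicited probes that merely carry source port 20 (constructed sample).
    probes = [Packet("203.0.113.9", 20, "10.0.0.5", p) for p in (22, 80, 139)]
    return {
        "reply_stateless": stateless_allows_inbound(reply),
        "reply_stateful": fw.inbound(reply),
        "probes_stateless": [p.dport for p in probes if stateless_allows_inbound(p)],
        "probes_stateful": [p.dport for p in probes if fw.inbound(p)],
    }
```

Both policies pass the genuine DNS reply, but only the stateless rule also lets the three source-port-20 probes through, which is the "false sense of security" JCT describes.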
Current thread:
- Re: Comparisons of Firewall-1 vs. PIX Chris Hughes (Oct 01)
- <Possible follow-ups>
- Re: Comparisons of Firewall-1 vs. PIX Paul D. Robertson (Oct 01)
- Re: Comparisons of Firewall-1 vs. PIX Jean-Christophe Touvet (Oct 01)
- Re: Comparisons of Firewall-1 vs. PIX Kevin Steves (Oct 07)
- Re: Comparisons of Firewall-1 vs. PIX Jean-Christophe Touvet (Oct 01)
- Re: Comparisons of Firewall-1 vs. PIX Mark Horn [ Net Ops ] (Oct 01)
- Re: Comparisons of Firewall-1 vs. PIX Jan . Bervar (Oct 01)
- Re: Comparisons of Firewall-1 vs. PIX Woody Weaver (Oct 14)