Firewall Wizards mailing list archives

Re: Comparisons of Firewall-1 vs. PIX


From: "Chris Hughes" <chughes () rpm com>
Date: Wed, 30 Sep 1998 09:16:03 -0400

In my research the striking differences between PIX and FW1 were:

- Reporting features
- Third-party security tools to support
- Centralized policy management
- Bi-directional authentication
- Number of sessions supported concurrently
- Encryption key security
- Price
- Performance (using Unix for the FW1 platform instead of WinNT)

One point that I did not grasp was the following comparison:

(Check Point:)  True high availability maintains connections in the event of
firewall failure. State information is synchronized between multiple
FireWall-1 modules to ensure that connections are not dropped when a single
FireWall-1 module fails.

(Cisco:) No synchronization of state information. All connections are
dropped in the event of firewall failure. If failover is configured, load
balancing is not supported.
(could someone clarify?)

There are other differences, but these stood out.  The problem (for Cisco)
is that Firewall1 seems to be the winner in all these points except price.
Any other reasons to purchase PIX?

-----Original Message-----
From: Jean-Christophe Touvet <jct () EdelWeb fr>
To: Mark Horn [ Net Ops ] <mhornNOSPAM () nospamfunb com>
Cc: Chris Hughes <chughes () rpm com>; firewall-wizards () nfr net
<firewall-wizards () nfr net>
Date: Wednesday, September 30, 1998 4:21 AM
Subject: Re: Comparisons of Firewall-1 vs. PIX



Date: Tue, 29 Sep 1998 15:14:28 -0400
From:  "Mark Horn [ Net Ops ]" <mhornNOSPAM () NOSPAMfunb com>
To:  Chris Hughes <chughes () rpm com>
cc:  firewall-wizards () nfr net

Chris Hughes says:
I have been tasked (on short notice) to evaluate Checkpoint Firewall-1 vs
the Cisco PIX firewall.  I am new to firewalling and would appreciate
commentary on the strengths and weaknesses of these two solutions.

About the only commentary that I have about Cisco PIX is that there seems
to be no way to specify source ports in the filter rules.

I think your reply raises an interesting question: should source port
filtering be considered mandatory for a firewall?

I'd say generally no, because firewalls are mainly used to protect networks
from untrusted hosts, and if you don't trust a host, you can't trust the source
port of connections coming from it. In many cases, source port filtering even
gives one a false sense of security: I've seen too many network administrators
astonished when presented with the results of TCP scans using source port 20 or
UDP scans using source port 53, for example.

Source port filtering is useful when writing outgoing stateless filtering
rules, for instance if one authorizes incoming packets for a given service
port, only packets with this source port should be going out (with the ACK bit
set if it's TCP), but stateful filtering doesn't require specifying the second
rule. Theoretically, it should also be useful to control the source port of
connections coming from trusted UNIX hosts, because one can (almost ;-) be
sure that only a root-owned process opened a privileged socket, but that
source port control is generally enforced on the target host.

This is why I'd understand very well that PIX may not allow source port
filtering: basically, it's a diode, which trusts everything in the internal
network and nothing outside. To answer the original question (FW1 vs PIX), I
think that it's also the most fundamental difference between these products:
FW1 can be used to control bidirectional traffic between many network
interfaces and is designed to allow complex rulesets, while PIX's design is
simplistic.

Comments?

   -JCT-
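JCT's two claims above, that an inbound rule keyed on a "trusted" source port (20 for FTP data, 53 for DNS) admits any unsolicited packet that merely uses that port, and that a stateful filter needs no return-traffic rule at all, can be shown with a small model. This is an added illustration, not code from the list or from either vendor's product: the two filters, the 10.0.0.0/24 "inside" prefix, and the six packets are all constructed here, and the stateful filter is a deliberately minimal flow table (it does not model FTP command inspection or timeouts).

```python
"""Stateless source-port rules vs. a stateful flow table, as a toy model.

Constructed example: packets are plain Python objects, no sockets are used.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

INTERNAL_PREFIX = "10.0.0."   # constructed: the "trusted" inside network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    ack: bool = False          # TCP ACK flag; meaningless for UDP


def is_inbound(pkt: Packet) -> bool:
    return not pkt.src.startswith(INTERNAL_PREFIX)


def stateless_allows(pkt: Packet) -> bool:
    """Stateless ruleset of the kind the thread describes.

    Outbound traffic from the inside is trusted. Inbound traffic is admitted
    only if it *looks like* a reply, judged by source port (and ACK bit for
    web replies). The filter has no memory of what the inside actually sent.
    """
    if not is_inbound(pkt):
        return True                                   # trust the inside
    if pkt.proto == "tcp" and pkt.ack and pkt.sport == 80:
        return True                                   # "reply" from a web server
    if pkt.proto == "tcp" and pkt.sport == 20:
        return True                                   # active-FTP data connection
    if pkt.proto == "udp" and pkt.sport == 53:
        return True                                   # DNS answer
    return False


class StatefulFilter:
    """Remembers flows the inside opened; admits an inbound packet only if it
    reverses one of those flows. No source-port rule is needed at all."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, int, str, int, str]] = set()

    def allows(self, pkt: Packet) -> bool:
        if not is_inbound(pkt):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return reverse in self.flows


# Constructed traffic: two legitimate exchanges, then two unsolicited inbound
# packets whose only claim to legitimacy is a "trusted" source port.
TRAFFIC: List[Tuple[str, Packet]] = [
    ("http request",  Packet("10.0.0.5", 40000, "203.0.113.9", 80)),
    ("http reply",    Packet("203.0.113.9", 80, "10.0.0.5", 40000, ack=True)),
    ("dns query",     Packet("10.0.0.5", 5555, "203.0.113.53", 53, proto="udp")),
    ("dns answer",    Packet("203.0.113.53", 53, "10.0.0.5", 5555, proto="udp")),
    ("sport20 probe", Packet("198.51.100.7", 20, "10.0.0.5", 22)),
    ("sport53 probe", Packet("198.51.100.7", 53, "10.0.0.5", 111, proto="udp")),
]


def run(filter_fn: Callable[[Packet], bool]) -> Dict[str, bool]:
    """Feed the constructed traffic through a filter, in order, and record verdicts."""
    return {label: filter_fn(pkt) for label, pkt in TRAFFIC}


def run_stateless() -> Dict[str, bool]:
    return run(stateless_allows)


def run_stateful() -> Dict[str, bool]:
    return run(StatefulFilter().allows)


if __name__ == "__main__":
    for name, verdicts in (("stateless", run_stateless()), ("stateful", run_stateful())):
        print(name)
        for label, ok in verdicts.items():
            print(f"  {label:14s} {'allow' if ok else 'drop'}")
```

The stateless filter admits all six packets, including the two probes, because it can only judge an inbound packet by what the sender chose to put in the source-port field. The stateful filter admits the four packets belonging to exchanges the inside opened and drops both probes, and it does so without any rule mentioning port 20, 53 or 80 on the inbound side, which is exactly why the second rule JCT mentions is unnecessary with stateful filtering.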

