RE: PIX vs Checkpoint vs Sonicwall vs Netscreen - comments?

["Clint Harris" <clinton.harris () peace com>]

Totally agree.
They are quick! , easy to use, IPSec interoperabilty is a dream.
Netscreen's licensing isn't confusing and expensive. It is buy the box and
protect as many nodes as you can. You do have to buy remote user licenses, but
that is not rediculously over priced and is pretty relaxed. Sort of an honesty
scheme.
Another plus is they are apparently planning to use a CVP for Trend Micro
Interscan VirusWall (netscreen 50 and above I beleive).

I did some evaluation between Watchguard, Checkpoint, Netscreen 204and Cisco PIX
515 and in my opinion 9 times out of 10 I found that Netscreen came out on top.
I think the closest was Cisco, but their price blew them out of the water.
I didn't like checkpoint by the fact that it is software and you have to run it
on a PC ???? They try and sell you a "hardened appliance" to run it on, but that
is just a RH linux box so you'll have to keep on top of it, and their licensing
sucked.
Watchguard was just plain slow, they are what I used to used and I hated
everyday.

The ASIC's chip idea to run a firewall on is a good one (just compare a switch
with a bridge)

Screen OS is nice, they do say "security by obscurity" but I don't beleive that.

Netscreen is the way to go!! :-)

Cheers
Clint

-----Original Message-----
From: Dave Mitchell [mailto:dave () jnsnet com]
Sent: Sunday, 28 July 2002 4:31 a.m.
To: John Adams
Cc: Erik M. Bataller; security-basics () securityfocus com;
firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] PIX vs Checkpoint vs Sonicwall vs Netscreen -
comments?


I personally prefer Netscreen's to either PIX or Checkpoint.
My main factors for liking Netscreen are:

1) ASIC based appliance. More flows, more tunnels & faster crypto.
2) Many different models to fit the need of a particular site.
3) Much better price point.
4) Easier to manage. Great CLI and GUI.
5) Great IPSec interoperability.
6) Ability to cheaply provide RAS IPSec services. Windows or
   Linux. (freeswan)
7) Multiple authentication schemes. Local, RADIUS, NT, SecureID...
8) DS codepoint marking for traffic shaping.
9) Mechanisms for detecting and throttling widely used attacks.
10) Ability to use a websense server.
11) HA, Hub/spoke IPSec routing, OSPF support coming...

Just my $.02.

-dave



On Sat, Jul 27, 2002 at 02:35:04AM -0400, John Adams wrote:
> On Fri, 26 Jul 2002, Erik M. Bataller wrote:
>
> > There will be several hundred at least and I figure
> > that some folks out there may have some interesting
> > thoughts or comments on the different platforms that
> > may have escaped us.  We are looking for the good, the
> > bad and the ugly.  The critical issues are:
> >
> >   security issues of the individual platform
> >   management issues (sw, firmware, policy)
> >   mechanisms for managing virus sw revisions
> >   dual vs triple interfaces
> >     we'd like to separate "home" from "work"
>
> Have you considered the Nokia IP120's running Checkpoint? They work
> extremely well for branch offices, and you can admin all of the policies
> from one place using the checkpoint management server.
>
> I was a big fan of PIX for many years, but after adminstering a 80+
> firewall site at a large search engine provider, all of the issues I could
> discover with checkpoint were outweighed by the fact that you had true,
> functional, central administration.
>
> -john
>
> --
> J. Adams                                      http://www.retina.net/~jna
>
> Fiber line / Shine, Enlight the Globe / In Light, communicate / Connect.
>       ~~ Lassigue Bendthaus - Fiber
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

--

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards