Full Disclosure mailing list archives
RE: PIX vs CheckPoint
From: "Charlie Winckless" <charliew () netarch com>
Date: Wed, 30 Jun 2004 17:07:28 -0600
PIXes aren't really routers either, like many firewalls. This is evident by the fact that PIXes can't route traffic back out the same interface it received the traffic on. You have to be conscious about these limitations when doing network design in the presence of PIXes.
When I teach the PIX class, I refer to them as 'translators'. It and the below are probably the most key points in designing around and with a PIX. (Along with the 'security level' for an interface.) I have heard rumour from Cisco, however, that the lack of the ability to 'switch' traffic in and out on the same interface will go away soon, thus changing the situation below.

<Details of VPN router design snipped>

I favour the PIX. I've not had enough experience with the Checkpoint to make a fair comparison (most of the other firewalls I've worked with have been application level boxen or Linux/BSD platforms). The strong points I see for the PIX are:

* Small image (the GUI is 3Mb, the image as of 6.3 is still under 2Mb)
* Lack of underlying OS beyond Finesse
* Few moving parts to fail
* CLI that's similar to IOS (NB: as a router jock this is a plus and a minus; it's close enough that some other things will fool you. But I've always found a CLI faster for most configs and for remote troubleshooting than a GUI)

The largest issue I have is an arcane and awkward logging system. While I can log on the box I'm not a fan of that -- since if the box crashes for whatever reason I've lost the log -- and even when I do, the complaints raised at actually finding anything are very valid. Some form of external log analysis is needed.

And up until the most recent releases the lack of object groups was a bummer. Even now, a protocol group can be EITHER TCP or UDP, which I suspect is a function of the ACLs. But it's a huge improvement if networks aren't designed on binary boundaries totally. (Yeah, right..)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html