Full Disclosure mailing list archives

RE: PIX vs CheckPoint


From: "Charlie Winckless" <charliew () netarch com>
Date: Wed, 30 Jun 2004 17:07:28 -0600


PIXes aren't really routers either, like many firewalls. This is evident
by the fact that PIXes can't route traffic back out the same interface
it received the traffic on. You have to be conscious about these
limitations when doing network design in the presence of PIXes.


When I teach the PIX class, I refer to them as 'translators'. It
and the below are probably the most key points in designing around
and with a PIX.

(Along with the 'security level' for an interface.)

I have heard rumour from Cisco, however, that the lack of the ability
to 'switch' traffic in and out on the same interface will go away
soon, thus changing the situation below.

<Details of VPN router design snipped>

I favour the PIX. I've not had enough experience with the Checkpoint
to make a fair comparison (most of the other firewalls I've worked
with have been application level boxen or Linux/BSD platforms). The
strong points I see for the PIX are:

* Small image (the GUI is 3Mb, the image as of 6.3 is still under 2Mb)
* Lack of underlying OS beyond Finesse
* Few moving parts to fail
* CLI that's similar to IOS
  (NB: as a router jock this is a plus and a minus; it's close enough
  that some other things will fool you. But I've always found a CLI
  faster for most configs and for remote troubleshooting than a GUI)

The largest issue I have is an arcane and awkward logging system. While
I can log on the box I'm not a fan of that -- since if the box crashes
for whatever reason I've lost the log -- and even when I do, the
complaints raised at actually finding anything are very valid.

Some form of external log analysis is needed.

And up until the most recent releases the lack of object groups was a 
bummer. Even now, a protocol group can be EITHER TCP or UDP, which I
suspect is a function of the ACLs. But it's a huge improvement if 
networks aren't designed on binary boundaries totally. (Yeah, right..)
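As an added illustration of the "external log analysis" the post above calls for (this is not code from the post or from Cisco), the following script parses PIX-style syslog lines shipped to an external collector, tallies ACL denies per access-group, and flags any source that was denied on several distinct destination ports. The log lines are constructed samples; the message IDs (106023 for an ACL deny, 302013/302014 for TCP connection build/teardown) and the field layout follow the PIX/ASA syslog message catalogue as I recall it, so treat the regexes as an assumption to check against your own firewall's output.

```python
import re
from collections import Counter

# Constructed sample PIX syslog lines (not taken from the original post).
SAMPLE_LOG = """\
Jun 30 17:01:02 fw01 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40211 dst inside:10.1.1.5/22 by access-group "outside_in"
Jun 30 17:01:03 fw01 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40212 dst inside:10.1.1.5/23 by access-group "outside_in"
Jun 30 17:01:04 fw01 %PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.9/80 (203.0.113.9/80) to inside:10.1.1.20/3456 (10.1.1.20/3456)
Jun 30 17:01:05 fw01 %PIX-4-106023: Deny udp src outside:198.51.100.8/5000 dst inside:10.1.1.5/161 by access-group "outside_in"
Jun 30 17:01:06 fw01 %PIX-6-302014: Teardown TCP connection 1001 for outside:203.0.113.9/80 to inside:10.1.1.20/3456 duration 0:00:02 bytes 1500 TCP FINs
Jun 30 17:01:07 fw01 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40213 dst inside:10.1.1.5/3389 by access-group "outside_in"
"""

# Generic PIX message header: %PIX-<severity>-<six-digit message id>: <body>
HEADER_RE = re.compile(r'%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$')

# Body of a 106023 ACL deny (assumed layout; verify against your firewall).
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_line(line):
    """Return a dict for a recognised PIX line, or None for anything else."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"severity": int(m.group("sev")),
           "msgid": m.group("msgid"),
           "body": m.group("body")}
    if rec["msgid"] == "106023":
        d = DENY_RE.match(rec["body"])
        if d:
            rec.update(d.groupdict())
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
    return rec


def summarize_denies(text, min_ports=3):
    """Tally ACL denies and flag sources denied on >= min_ports distinct ports.

    Nothing here is PIX-specific beyond the parsing: the same grouping works
    for any firewall once the deny records are normalised to src/dst/port/acl.
    """
    denies = [r for r in map(parse_line, text.splitlines())
              if r and r["msgid"] == "106023" and "src" in r]
    ports_by_src = {}
    for r in denies:
        ports_by_src.setdefault(r["src"], set()).add(r["dport"])
    by_acl = Counter(r["acl"] for r in denies)
    flagged = sorted(src for src, ports in ports_by_src.items()
                     if len(ports) >= min_ports)
    return {
        "total_denies": len(denies),
        "denies_per_acl": dict(by_acl),
        "ports_by_src": {s: sorted(p) for s, p in ports_by_src.items()},
        "flagged_sources": flagged,
    }


if __name__ == "__main__":
    summary = summarize_denies(SAMPLE_LOG)
    print(f"ACL denies: {summary['total_denies']} "
          f"(per access-group: {summary['denies_per_acl']})")
    for src in summary["flagged_sources"]:
        print(f"{src} denied on ports {summary['ports_by_src'][src]}")
```

On the sample input the script reports four denies on access-group `outside_in` and flags 198.51.100.7, which was refused on ports 22, 23 and 3389. Pointing the parser at a real syslog file instead of `SAMPLE_LOG` is a one-line change, and keeping the data off-box means a PIX crash no longer takes the evidence with it.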




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

