Re: PIX vs CheckPoint

["Eric Paynter" <eric () arcticbears com>]

On Tue, June 29, 2004 2:34 pm, John Kinsella said:
> On Tue, Jun 29, 2004 at 01:46:30PM -0700, Eric Paynter wrote:
> > On Tue, June 29, 2004 11:59 am, James Patterson Wicks said:
> > > CheckPoint's interface is very intuitive and easy to use.
> > Easy to use in a "Microsoft" kind of way. Last I heard, it does nice
> > things for you like always allow DNS traffic through, even if you have
> > no port 53 rule and a deny all policy. How helpful!
>
> Sounds like somebody needs to learn how to run FW-1.  There's several
> "implied" rules which are set from Global Properties, and are only
> displayed/logged if you specity to display/log implied rules.

Lots of people need to learn it. That's the point. Like Windows, FW-1 has
a nice pretty GUI that makes a novice administrator feel like a pro, while
leaving gaping holes in security. These pretty GUIs and the sense of power
they instill on novices is why we have millions of compromised systems
connected to the Internet today.

PIX may be a pain to learn, but, like Unix, you tend to see a more
professional approach to its maintenance. It is a "once learned, easy to
use" type interface. At one company I worked for, they started with FW-1.
After a couple of years they switched to PIX. At first everyone was
nervous - PIX had a CLI!! Scary!! What if mistakes are made?? Once the
administrators had finished their Cisco training, they said they would
never go back to FW-1 because the PIX interface was so much easier to use.

-Eric

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html