nanog mailing list archives
Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1
From: Martin Hepworth <martinh () solid-state-logic com>
Date: Thu, 05 Feb 2004 17:41:25 +0000
Alexei Roudnev wrote:
> Checkpoint is a very strange brand. On the one hand, it is a _well known brand_, _many awards_, _editors choice_, etc etc. I know a network consultant who installed a few hundred of them, and it works. On the other hand, every time I have to deal with these beasts (we do not use them, but some of our customers do), I have the impression that it is the worst firewall in the world:
>
> - for HA, you need a very expensive Solaris cluster (compare with PIX-es) /I can be wrong, but it is the overall opinion/.
> - to change VPN, you must reapply all policy, causing service disruption (I saw a 1 day outage due to an unsuccessful Checkpoint reconfiguration);
> - VPN has numerous bugs (it is not 100% compatible with Cisco's by default; of course, I can blame Cisco, but Checkpoint is _the only_ one of my peers which has this problem);
> - Configuration is not packed in 1 single file, making change control difficult, etc etc...
>
> All this is _very_ subjective, of course; but those customers who use Checkpoints are the only ones who had problems with firewalls. If I compare it with the plain, reliable and _very simple_ PIX (PIX is not state of the art, of course) and some others... I begin to think about Checkpoint as one more _brand bubble_. At least, I always advise _against_ it.
>
> PS. Security for dummies... interesting idea. Unfortunately, this book should start with _100% secure computer = dead computer_ -:) Why not? People really need such a book!
Of course 'back in days' when Firewall-1 started and firewalls () greatcircle com was *the* network security ML, PIX was an utter pile of poo and F-1 was very nice, thank you.
Now PIX is quite good, and Firewall-1 has become the Microsoft of firewalls - i.e. everywhere and not particularly well administered.
Interesting how things change, isn't it?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300