Author Cisco Pix Vs Checkpoint
mkhan

2001-09-09, 2:54 am

Guys, comments please: in the current IT market, where should we move in the Security track, CISCO or CHECKPOINT? Which one is more in demand?

Thanks
depamo

2001-09-09, 12:12 pm

When a company is ready for making a decision on VPN capability, they are faced with all these choices but the front runners are Checkpoint and Cisco right now. Lucent endorses a few good products also but they don't have the visibility of these two in the market right now.

Currently VPN for Cisco will usually be a choice if there is a strong Cisco presence in the company, and the equipment might also be there already, just not enabled. If a choice is made beyond these constraints of this type of equipment, it usually tends to fall towards Checkpoint. Checkpoint is much easier to implement, the software is more intuitive and the client software is free on the web.

So if you think about the proposal that would come to the company when they ask for a VPN solution, what each has to offer will be the determining factor. If you already have the PIX installed for DMZ, you might as well stay with Cisco. If not, or you are using a system that you were looking to upgrade anyhow, Checkpoint has some pretty competitive features and is usually cheaper than Cisco.
tltee

2001-09-10, 7:26 am

Actually, when you come to think of it, both products can really complement each other... in a way.

PIX is a hardware-based FW, so with the ASIC it really speeds up the packet processing, thus enabling you to have better throughput. The other benefit of PIX being HW based is the underlying security. Since it's not running on top of any common OS (Checkpoint would normally be implemented on NT), there is little risk of being hacked in from the OS level. Of course it will not get corrupted if it is not properly shut down.

On the other hand, Checkpoint, being a software-based FW, needs to run on top of a server, be it NT or AIX. This means the implementation will not be that straightforward; you should seriously consider hardening the underlying OS before implementing the FW. If a bug was found on NT 4.0 you would need to patch it to make sure the loopholes are covered. On the other hand, you will have to retest the FW to make sure this patch works with it. This means extra administration work for you!! Also, throughput is normally lower because the FW is FAT: packets need to pass through the device driver, to the OS and up to the application to get processed.

But the strength of a SW-based FW is the rich features that HW based can never deliver. With a SW-based firewall, policies and rules can be set easily, users can be grouped together and the FW can be configured to react differently at different times using a schedule.

I have read from a study that nowadays most of the hacking is detected from the internal. In today's world, we not only need a firewall to protect the network from external hacking; an internal firewall is also required to ensure that users are not allowed to access information that they are not supposed to see.

2 tier firewall is a more secure solution today :

Internet Router
|
|
1st tier FW (HW) --- DMZ
|
|
2nd tier FW (SW) --- Internal User
|
|
Secure Server Farm

Understand that there is now Checkpoint running on a Nokia box. Have not seen them yet; anyone have any idea what the capabilities of the box are?
iso

2001-09-10, 10:00 am

My last position used the PIX(515). The place I am working now uses Checkpoint.

I prefer the current platform. We run it on the Nokia series (FreeBSD). Checkpoint tailors the SW to the Nokia HW. Great system.

The Nokia is starting to be seen more and more in the field.

Easy to admin, easy to set up. The GUI w/ Checkpoint and the "central" administration really make it the runaway fav. for enterprise-wide solutions.

I think they run about the same money wise.

Being a Big fan of Cisco I hope they take a few pointers from Nokia on this one. I would much rather see a Cisco box supporting my environment.
depamo

2001-09-10, 10:56 am

I agree, Cisco is just a pain in the booty to configure and maintain in comparison to the GUI of Checkpoint. Most companies are moving this way just because it is easier to centrally manage for a lot of different distributed sites.

Hope that Cisco also takes a lesson on this one; even with their GUI interface setup programs, it is still a pain in the rear to set up reasonably large networks the way you would want to.
Always Learning

2001-09-16, 5:04 am

I work for a very large service provider. We use only checkpoint/nokia boxes. Very nice product.
Copyright 2003 - 2009 examnotes.net