Re: [Full-Disclosure] PIX vs CheckPoint

From: David T Hollis (dhollis_at_davehollis.com)
Date: 06/29/04

    To: Darkslaker <rienzi@nimrod.com.mx>
    Date: Tue, 29 Jun 2004 16:16:16 -0400
    
    

    On Tue, 2004-06-29 at 13:24 -0500, Darkslaker wrote:
    > I am studying for the CCSA and my friend for CSPFA. In the interchange of
    > ideas we did not find significant differences; maybe two: PIX runs in an OS
    > for Cisco and CheckPoint on many platforms; and CheckPoint has more
    > products.
    >
    > My question is PIX or Checkpoint what is better and why.

    "Better" would really be relative here. I've used both quite a bit and
    my personal preference is for PIX. The reasons being: 1) Cost, 2)
    Simplicity, 3) reliability. Checkpoint throws more stuff in the box,
    but you may never use a large portion of that stuff. I've also found
    that each version of Checkpoint (and we aren't talking major version
    like 1.0 vs 2.0, but 4.1 FP3 vs 4.1 FP4) seems to introduce all kinds of
    new quirks and quibbles that make things quite a pain to deal with.
    I've never used the PIX GUI for anything, I understand recent versions
    are better, but I prefer command line myself. The Checkpoint GUI is ok,
    nothing to write home about, but it is quite functional. VPN setup with
    Checkpoint is quite easy (especially if you tried to do IPSEC in other
    arenas). Failover with PIX is tremendously simpler and Just Works (tm)
    compared with Checkpoint. I much prefer the straight text config which
    I can keep in a CVS repo and do diffs on the configs over periods of
    time to see what has changed. Has proven useful in employee termination
    scenarios as well.

    In the end, both are viable solutions for a firewall. If you already
    have an investment in Checkpoint stuff, it is the obvious choice. If
    you are a big Cisco shop, PIX will fit in quite easily (its OS isn't
    IOS, but it's not really that far off).

    If you do go with Checkpoint, do the world a favor and don't run it on a
    Windows box. Run it on Linux or Solaris or buy a Nokia IPxxx to run it
    on.

    -- 
    David T Hollis <dhollis@davehollis.com>
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
