Re: [Full-Disclosure] PIX vs CheckPoint

From: Laurent LEVIER (llevier_at_argosnet.com)
Date: 06/29/04

    To: "Darkslaker" <rienzi@nimrod.com.mx>, full-disclosure@lists.netsys.com
    Date: Tue, 29 Jun 2004 23:01:27 +0200

    Hi DarkSlaker

    At 20:24 29/06/2004, Darkslaker wrote:
    >My question is PIX or Checkpoint what is better and why.
    I don't think I am skilled enough to provide you with an answer about this.
    However, I have both solutions under my authority and I can give feedback
    on a few things:

    First, CheckPoint (NG4) does not provide ACLs per interface as the Pix does,
    which means it is better to have a Pix when you have multiple interfaces
    with a "from any" source to define.

    But you can manage FW-1 securely (IPsec or SSH v2), whereas a Pix only
    supports SSHv1, which its author has confirmed to be insecure.

    On FW-1, you must define rules to protect against illegal access, while a
    Pix can avoid this because there is a parallel ACL for session access to
    the box (which does not prevent you from protecting the box on its other
    possibly open ports).

    FW-1 logs locally, while a Pix requires you to build a syslog server to
    which the logs are sent. Since Pix log selection is based on the "all but"
    principle, selecting the specific log messages you want is a real pain. On
    the other hand, the Pix logs with much more detail than FW-1. The Pix logs
    so much that, when you have a lot of traffic, you also need to receive
    these logs on the same LAN.
    Just to give you an idea, my company had 20 GB of traffic/day (whole
    traffic). The Pix was sending (full logs) 20 MB of logs per minute.

    Because of this logging method, a Pix can log EVERYTHING, while FW-1 must
    stop logging some traffic to avoid a DoS because the HD is too slow. This
    is what we were forced to do when there was a worm crisis, and not logging
    worm traffic really costs you when you have to find infected machines on
    your (big) network.

    FW-1 provides multiple "proxy" services, while the Pix only provides the
    basics (HTTP, FTP, SMTP, ...).

    But at the logging level again, a Pix logs full HTTP URLs & FTP URLs
    easily, while FW-1 requires you to activate the HTTP/FTP proxy, which costs
    a lot of CPU and can't be done if your traffic is too heavy.

    At the configuration level, FW-1 is definitely easier to manage than the
    Pix, which is still an online device (you must telnet/ssh into it to make
    changes), even if the Pix IOS provides grouping features as FW-1 does. The
    GUI is the important asset here.

    At the NAT level, you have to know that the Pix is a NATing box and
    everything it does is based on NAT.
    If you require NAT, the Pix is much more powerful than FW-1.

    The Pix also accepts NATing IP addresses not present on its NIC (which
    FW-1 refuses), and its failover system makes it easier to manage NAT 1:1
    than FW-1, which requires a proxy-arp setup.
    The interest of NAT 1:1 for an IP that is NOT on the NIC is when, like us,
    you have routing with failover links. When the routing is modified, the
    NAT being present on ALL firewalls, traffic keeps working. Not possible on
    FW-1 without manual action.

    I guess this summarizes my little experience of the differences between
    the 2 devices.

    Hope this will help.

    Brgrds

    Laurent LEVIER
    Systems & Networks Security Expert, CISSP CISM

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
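The post contrasts the Pix's device-side "all but" log selection (log everything at a trap level, minus a few message IDs) with what an operator actually wants on the syslog server, and mentions using deny logs to find infected machines during a worm outbreak. The following Python script is an added example and is not part of the original post or of either vendor's software. It models both selection styles over PIX syslog lines and aggregates access-group denies per source host. The sample lines are constructed (RFC 5737 addresses, hypothetical hostname `pix-gw` and access-group name `inside_in`); message IDs 106023, 302013 and 302014 are real PIX syslog IDs.

```python
import re
from collections import Counter

# A PIX line sent to syslog carries "%PIX-<severity>-<message id>: <text>".
PIX_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# Source of a 106023 "Deny <proto> src <iface>:<ip>/<port> ..." message.
DENY_SRC_RE = re.compile(
    r"\bsrc\s+(?P<iface>\w+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/\d+"
)

# Constructed sample input: hostname, ACL name and addresses are made up.
SAMPLE_LINES = [
    'Jun 29 23:01:27 pix-gw %PIX-6-302013: Built outbound TCP connection 41021 '
    'for outside:203.0.113.5/80 (203.0.113.5/80) to inside:10.0.0.7/2345 (192.0.2.10/2345)',
    'Jun 29 23:01:27 pix-gw %PIX-4-106023: Deny tcp src inside:10.0.0.7/1034 '
    'dst outside:198.51.100.20/445 by access-group "inside_in"',
    'Jun 29 23:01:28 pix-gw %PIX-4-106023: Deny tcp src inside:10.0.0.7/1035 '
    'dst outside:198.51.100.21/445 by access-group "inside_in"',
    'Jun 29 23:01:28 pix-gw %PIX-4-106023: Deny tcp src inside:10.0.0.7/1036 '
    'dst outside:198.51.100.22/445 by access-group "inside_in"',
    'Jun 29 23:01:29 pix-gw %PIX-4-106023: Deny tcp src inside:10.0.0.9/1100 '
    'dst outside:198.51.100.30/25 by access-group "inside_in"',
    'Jun 29 23:01:29 pix-gw %PIX-6-302014: Teardown TCP connection 41021 '
    'for outside:203.0.113.5/80 to inside:10.0.0.7/2345 duration 0:00:02 bytes 1530 TCP FINs',
    'Jun 29 23:01:30 pix-gw not a PIX-formatted message at all',
]


def parse_pix_line(line):
    """Return {'sev', 'msgid', 'text'} for a PIX syslog line, or None otherwise."""
    m = PIX_RE.search(line)
    if not m:
        return None
    return {"sev": int(m.group("sev")), "msgid": m.group("msgid"), "text": m.group("text")}


def all_but(lines, level, dropped_ids):
    """Device-side model: every message at or below `level`, except the listed IDs.

    This is the only selection the post describes the Pix as offering, so the
    exclusion list grows with every noisy message you discover.
    """
    out = []
    for line in lines:
        msg = parse_pix_line(line)
        if msg and msg["sev"] <= level and msg["msgid"] not in dropped_ids:
            out.append(msg)
    return out


def keep_only(lines, keep_ids):
    """Receiver-side model: discard everything except the listed IDs."""
    out = []
    for line in lines:
        msg = parse_pix_line(line)
        if msg and msg["msgid"] in keep_ids:
            out.append(msg)
    return out


def top_denied_sources(lines, min_count=1):
    """Count 106023 denies per source IP; return hosts at or above min_count.

    A host hammering many destinations on one port (445 here) is the kind of
    pattern that lets you locate infected machines from the deny log.
    """
    counts = Counter()
    for msg in keep_only(lines, {"106023"}):
        m = DENY_SRC_RE.search(msg["text"])
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    print("device-side, level 6 minus 302013/302014:",
          [m["msgid"] for m in all_but(SAMPLE_LINES, 6, {"302013", "302014"})])
    print("receiver-side, keep 106023 only:",
          [m["msgid"] for m in keep_only(SAMPLE_LINES, {"106023"})])
    print("sources with >= 3 denies:", top_denied_sources(SAMPLE_LINES, min_count=3))
```

In practice the receiver would read the lines from the syslog server's spool rather than the constructed list; the two filter functions make the point that with "all but" you must enumerate what to suppress, whereas once the logs are off the box you can enumerate what to keep.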

