Firewall-1

Re: [FW-1] Checkpoint vs. Cisco ASA

Subject: Re: [FW-1] Checkpoint vs. Cisco ASA
From: cisco4ng <cisco4ng AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 22 Nov 2006 10:39:29 -0800
hi,
I've gone through several painful Checkpoint to Pix migrations
(I consider Pix and ASA the same unless you want to talk about
the IPS module and WebVPN crap that Cisco claims is a good
add-on feature) so I think I can share all the nightmares that
I have had with you.
  1) If you have a fairly simple policy and do not change the 
policy very often, then going to ASA is probably a good
idea.  The pix/asa provides higher performance because the OS
itself is on the flash and that makes it very fast, suitable
for E-commerce applications.
  2) Pix/ASA is NOT a router so there are things that you can
do in Checkpoint that you cannot do with Pix/ASA.  For example,
if you have two networks 192.168.1.0/24 and 192.168.2.0/24
and they are both behind the pix firewall.  The problem is that
hosts in network 192.168.1.0/24 cannot communicate with hosts
in network 192.168.2.0/24 due to hairpinning.  In other words,
traffic cannot go in and out of the same interface due
to the security level on the pix/ASA.  Remember, pix is NOT a router.
  3) You cannot assign secondary ip addresses on the ASA/Pix
devices.  You will have to use 802.1q for that.
  4) Managing the policy on the ASA/Pix is a nightmare especially
if you have 10 or more physical/logical interfaces.  There
is NO revision control so that you can roll back the policy
if needed.  Cisco Security Manager (CSM) is a piece of junk.
Cisco tries to imitate Provider-1 but it just sucks.  Do not
buy it.
  5) Cisco ASDM is a major improvement over the old Cisco PDM but
it is still buggy.  I've found several bugs with the latest version
that Cisco has.
  6) There is no tool like the web visualization tool or fw1rules.pl for
you to generate a security policy report in ASA like you currently have
in Checkpoint.
  7) Just keep in mind that Pix is NOT a routing device while
Nokia IP appliances and SPLAT are.  There are things that
you can do with a routing device that you cannot do with
Cisco Pix/ASA.

  In summary, unless you have a very good reason to go from
Checkpoint to Pix/ASA, do NOT do it.  There is no upside to this.
Well, maybe one.  Cisco TAC is about 20 times superior
to Checkpoint TAC.


Sean Donaghey/HDGH <Sean.Donaghey AT HDGH DOT ORG> wrote:
Hi,

Our company is considering replacing our Checkpoint firewall with a Cisco
ASA-5520 appliance. Does anyone on this list have any experience with the ASA
box, and if so, what is your opinion of them? We are currently running
R55 on our Corrent SR200 appliance, and are looking at migrating to a Dell
PowerEdge 1950 server with R61/R62 (not sure which is best to go to).

I need some ammunition on pros/cons of Cisco compared to Checkpoint.

Any information would greatly be appreciated.

Thanks,

Sean



The information contained in this e-mail message is confidential and 
protected by law. The information is intended only for the person or 
organization addressed in this e-mail. If you share or copy the 
information you may be breaking the law. If you have received this e-mail 
by mistake, please notify the sender of the e-mail by the telephone number 
listed on this e-mail. Please destroy the original; do not e-mail back 
the information or keep the original.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================


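The two ASA behaviours the reply leans on, the security-level/hairpin default in point 2 and the missing policy history in point 4, modelled in Python. This is an added example, not code from the post, from Cisco or from Check Point; the running-config text is a constructed sample, the interface names, security levels and access-list entries are assumptions, and the policy model reproduces only the default inter-/intra-interface rule (it does not evaluate access-lists applied to interfaces).

```python
"""Added example (not from the original post): model the PIX/ASA
default interface policy that causes the hairpin problem in point 2,
and diff two saved running-configs to get the change history that
point 4 says the box itself lacks.  Both configs below are constructed
samples, not captures from a real device."""
import re
from typing import Dict, List, Tuple

# Constructed sample running-config: three interfaces, one inbound ACL.
CONFIG_V1 = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
access-list outside_in extended permit tcp any host 192.168.2.10 eq 443
access-group outside_in in interface outside
"""

# Same config after an operator allows hairpinning and opens port 80.
CONFIG_V2 = CONFIG_V1 + """\
same-security-traffic permit intra-interface
access-list outside_in extended permit tcp any host 192.168.2.10 eq 80
"""

INTRA = "same-security-traffic permit intra-interface"
INTER = "same-security-traffic permit inter-interface"


def parse_interfaces(config: str) -> Dict[str, int]:
    """Map each nameif to its security-level, one entry per interface block."""
    levels: Dict[str, int] = {}
    blocks: List[Dict[str, str]] = []
    for line in config.splitlines():
        if line.startswith("interface "):
            blocks.append({})
        elif blocks and line.startswith(" "):
            m = re.match(r"\s+(nameif|security-level)\s+(\S+)", line)
            if m:
                blocks[-1][m.group(1)] = m.group(2)
    for b in blocks:
        if "nameif" in b and "security-level" in b:
            levels[b["nameif"]] = int(b["security-level"])
    return levels


def global_lines(config: str) -> List[str]:
    """Top-level (unindented) config lines, stripped."""
    return [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]


def default_verdict(config: str, ingress: str, egress: str) -> str:
    """Default PIX/ASA decision for a flow entering on `ingress` and leaving
    on `egress`, before any access-list is consulted:
      - same interface: dropped unless INTRA is configured (the hairpin case)
      - equal levels on two interfaces: dropped unless INTER is configured
      - higher -> lower level: permitted
      - lower -> higher level: dropped unless an ACL on `ingress` permits it
    Returns "permit" or a "deny: <reason>" string."""
    levels = parse_interfaces(config)
    cfg = set(global_lines(config))
    if ingress == egress:
        return "permit" if INTRA in cfg else f"deny: hairpin on {ingress}, needs '{INTRA}'"
    src, dst = levels[ingress], levels[egress]
    if src == dst:
        return "permit" if INTER in cfg else f"deny: equal security-level {src}, needs '{INTER}'"
    if src > dst:
        return "permit"
    return f"deny: {ingress}({src}) -> {egress}({dst}) needs an access-list applied to {ingress}"


def diff_acls(old: str, new: str) -> Tuple[List[str], List[str]]:
    """(added, removed) access-list entries between two snapshots: the view a
    policy revision history would give, and the input for a manual rollback."""
    old_acl = [l for l in global_lines(old) if l.startswith("access-list ")]
    new_acl = [l for l in global_lines(new) if l.startswith("access-list ")]
    return ([l for l in new_acl if l not in old_acl],
            [l for l in old_acl if l not in new_acl])


if __name__ == "__main__":
    for cfg_name, cfg in (("v1", CONFIG_V1), ("v2", CONFIG_V2)):
        for flow in (("inside", "inside"), ("inside", "outside"), ("outside", "dmz")):
            print(cfg_name, flow, "->", default_verdict(cfg, *flow))
    added, removed = diff_acls(CONFIG_V1, CONFIG_V2)
    print("added:", added)
    print("removed:", removed)
```

Snapshotting `show running-config` on a schedule and feeding consecutive captures to `diff_acls` is the cheap substitute for the revision history the reply misses; the verdict function is only the default model, so a deny it reports for a low-to-high flow can still be overridden by an access-group on the ingress interface.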
