Sean,

It looks to me that your Checkpoint is NOT an issue. The issue is that you're trying to do too much with the Checkpoint firewall (internet access and site-2-site VPN) on the same device. What makes you think that you will not run into issues with the ASA?

Here is what I would do if I were you:

1) Separate Internet traffic and site-2-site VPN traffic. In other words, you use a separate device (I like a Cisco IOS router like the 3745 with an encryption module) so that you can terminate remote access and site-2-site VPN on the Cisco device. Once the traffic is decrypted, you can let the Checkpoint firewall inspect it.

2) Have the Checkpoint do stateful inspection and the router handle VPN traffic. I am willing to bet if you follow this approach, you will NOT run into firewall performance issues.

A lot of Cisco SEs are idiots. They can only talk, but when you ask them specific questions, they don't know sh_t (pardon my language). One of the things that I like about my job is that whenever I have to make technical recommendations to our customers, I almost always have to talk to some SEs from Cisco, and nine of ten times I can shut them up quickly because I know what Cisco PIX/ASA can and cannot do. Somewhere in the conversation, I also throw in the fact that as a certified CCIE Security, I know first hand how difficult it is to manage a Cisco PIX/ASA device. Cisco makes good networking products, but their security products are lousy.

I think if you prepare yourself with the pros/cons of going from Checkpoint to PIX, your manager will listen to you. The Cisco person at your company, unless he is also knowledgeable with Checkpoint, is in no position to make recommendations, IMHO.

Last but not least, I am also using the NetScreen NSM product from Juniper, and I can say that the product is still buggy. NSM is nothing but a Checkpoint Provider-1 knock-off.
chkp tech <chkptech AT GMAIL DOT COM> wrote:
Sean,

It looks like Cisco4NG has given you quite a bit of ammunition for the
fight. I have to agree with him that Check Point has some features that
just can't be done with the ASA box without some serious architecture
changes. In the past, when I've helped customers make the migration from
Check Point, a couple of things always crop up. The first is that policy
migration doesn't happen without quite a bit of leg work. The second is
that the amount of time to resolve issues doubles after the migration
happens. Excluding small IT departments, usually people have been hired for
their current knowledge base and they usually know what's currently in
place. Now you've got to deal with new headaches, and those just take
longer to work out by everyone involved.
Just to throw some more information your way, take a look at the Juniper
boxes. They are appliances, and have a GUI editor for policies (NSM). The
pricing includes support, and on top of that, Juniper support seems to be
some of the best in the industry.
Jason
>snip
> Our company is considering replacing our Checkpoint firewall for a Cisco
> ASA-5520 appliance. Does anyone on this list have any experience with ASA
> box, and if so what is your opinion on them. We are currently running
> R55 on our Corrent SR200 appliance, and are looking at migrating to a Dell
> Poweredge 1950 server with R61/R62 (not sure which is best to go to).
>
> I need some ammunition on pros/cons of Cisco compared to Checkpoint.
>
> Any information would greatly be appreciated.
>
> Thanks,
>
> Sean
>snip
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================