Hi,
I am not saying that we won't have a problem after going to ASA. I am not
the one suggesting we go to it. By bringing all the Checkpoint traffic
onto the ASA box, along with all the other traffic, I know we will have
some kind of traffic issue.
Our Cisco guy is not the person recommending ASA to my director (AFAIK),
but I think the vendor is. The vendor is pretty Cisco certified, and I am
sure that he has his CCIE also, but I am not sure of his experience with
PIX/ASA. Our Cisco guy has taken the CCNA course (and so have I over a
year ago), and that is all the experience he has. He has played with our
current PIX over the last little bit, but nothing much. He was my
Checkpoint backup at one point, but I pushed him out, as he was really bad
at it, and I couldn't trust him with anything. I also think he is the one
giving false information to my director, so he can get back at me.
I really do not want to look at implementing a Cisco router for the VPN
stuff right now. That would just fuel the migration to ASA even more. I
am looking at getting a more powerful server to run Splat on though, so
firewall performance should improve quite a bit. I have to change the
hardware, as the current box (Corrent SR200) does not have any support on
it, as the vendor went out of business this year.
I greatly appreciate your honesty on this, as I need to come up with
something for my director, and hopefully change his mind on this once and
for all.
Thanks,
_______________________________________
Sean P. Donaghey
Information Services - Sr. Technical Analyst
Hôtel-Dieu Grace Hospital
1030 Ouellette Avenue
Windsor, Ontario N9A 1E1
Canada
Tel:(519) 973-4411 Ext. 3717
Fax:(519) 255-2206
Email: Sean.Donaghey AT hdgh DOT org
From: cisco4ng <cisco4ng AT YAHOO DOT COM>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
Date: 11/22/2006 03:35 PM
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
cc:
Subject: Re: [FW-1] Checkpoint vs. Cisco ASA
Sean,
It looks to me that your Checkpoint is NOT an issue. The issue is that you're trying to do too much with the Checkpoint firewall (internet access and site-2-site VPN) on the same device. What makes you think that you will not run into issues with the ASA?

Here is what I would do if I were you:

1) Separate Internet traffic and site-2-site VPN traffic. In other words, you use a separate device (I like a Cisco IOS router like the 3745 with an encryption module) so that you can terminate remote access and site-2-site VPN on the Cisco device. Once the traffic is decrypted, you can let the Checkpoint firewall inspect it.

2) Have the Checkpoint do stateful inspection and the router handle VPN traffic. I am willing to bet that if you follow this approach, you will NOT run into firewall performance issues.

A lot of Cisco SEs are idiots. They can only talk, but when you ask them specific questions, they don't know sh_t (pardon my language). One of the things I like about my job is that whenever I have to make technical recommendations to our customers, I almost always have to talk to some SEs from Cisco, and nine out of ten times I can shut them up quickly because I know what Cisco Pix/ASA can and cannot do. Somewhere in the conversation, I also throw in the fact that as a certified CCIE Security, I know firsthand how difficult it is to manage a Cisco Pix/ASA device. Cisco makes good networking products, but their security products are lousy.

I think if you prepare yourself with the pros/cons of going from Checkpoint to Pix, your manager will listen to you. The Cisco person at your company, unless he is also knowledgeable with Checkpoint, is in no position to make recommendations, IMHO.

Last but not least, I am also using the NetScreen NSM product from Juniper, and I can say that the product is still buggy. NSM is nothing but a Checkpoint Provider-1 knock-off.
chkp tech <chkptech AT GMAIL DOT COM> wrote:
Sean,

It looks like Cisco4NG has given you quite a bit of ammunition for the fight. I have to agree with him that Check Point has some features that just can't be done with the ASA box without some serious architecture changes. In the past, when I've helped customers make the migration from Check Point, a couple of things always crop up. The first is that policy migration doesn't happen without quite a bit of leg work. The second is that the amount of time to resolve issues doubles after the migration happens. Excluding small IT departments, usually people have been hired for their current knowledgebase, and they usually know what's currently in place. Now you've got to deal with new headaches, and those just take longer to work out by everyone involved.

Just to throw some more information your way, take a look at the Juniper boxes. They are appliances, and have a GUI editor for policies (NSM). The pricing includes support, and on top of that, Juniper support seems to be some of the best in the industry.
Jason
>snip
> Our company is considering replacing our Checkpoint firewall for a Cisco
> ASA-5520 appliance. Does anyone on this list have any experience with the ASA
> box, and if so what is your opinion on them? We are currently running
> R55 on our Corrent SR200 appliance, and are looking at migrating to a Dell
> Poweredge 1950 server with R61/R62 (not sure which is best to go to).
>
> I need some ammunition on pros/cons of Cisco compared to Checkpoint.
>
> Any information would greatly be appreciated.
>
> Thanks,
>
> Sean
>snip
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================