
Re: [Full-Disclosure] PIX vs CheckPoint



I use both PIX and Checkpoint, and have used Checkpoint since 3.0b. IMHO, Checkpoint is far more intuitive and easy to use. Adding host and network objects, placing them into groups, and employing them in rules is straightforward. PIX also has this feature (object groups), but it's not as quick or easy since it's CLI. I can get a basic FW1 config up and running a lot faster than a PIX, esp. if using a Nokia appliance or something like Secure Platform where most of the OS configuration/armoring chores are done for you already. I'm sure you could also search/replace and copy/paste out a basic PIX configuration too, but I find that I need to double and triple check my PIX configs, whereas the CP GUI presents the config in a very concise/intuitive manner. There's no checking through pages of ACL lines like on a PIX.

The NAT implementation in Checkpoint is also far more intuitive IMHO. Just match an original source IP/dest IP/dest port set in one table on the left side of the page, and if the original packet matches, perform this or that NATing operation in the table on the right side, all on a single line per matching rule in the GUI. Match this, do this. Simple. This is in contrast to the PIX with its non-intuitive special case NAT 0 "no NAT" rule, and somewhat confusing NAT configuration syntax, etc, etc (and even worse the IOS method of NATing. Ick.). One nice thing about PIX in this regard is you don't have to worry about static public ARP entries. It's taken care of for you.

CP of course has its own pains and lots of little idiosyncrasies, undocumented features and pitfalls you need to learn about (yea for phoneboy.com). For instance, never define a Firewall object as the internal IP if you want VPNs to work right, etc.

VPNs are also very easy to implement, especially in CPNG, and especially if you have multiple sites (full meshes on Cisco are a PITA). But only as long as it's a CP <-> CP VPN. I've had lots of trouble getting CP <-> other vendor VPNs going and stable, although this can probably be said of most vendors.

CP rules for multiple firewall management. From the beginning they've had the concept of a centralized management station which could control multiple firewall enforcement points/vpn devices. CP also has both failover and clustering options, where PIX, AFAIK only has failover.

Having said all that, PIXes also work well for most FW tasks. They're just a bit more awkward to configure/administrate IMHO, and lack some of the above mentioned features/functionality of CP.

I'm also a fan of iptables/netfilter, which I also like once you get the concept of the tables and chains down. It's also nice because you have the power of Unix behind it, so you can easily use a real editor to edit your config, display it in a real pager (less), and use scripting to modify your configs easily. There are even GUI tools like fwbuilder to do things GUI style. I've had some performance issues on iptables though when the data starts moving fast, but those are likely due to the slow machine I use it on (P133) and/or the old kernel and iptables implementation I'm using (needs upgrade really bad).

- Jim

Ray P wrote:

You sure got a whole bunch of good opinions with such a short question. :-)

As always, the answer is that it depends on what you need to do. If you need a basic firewall and you have no bucks, go PIX. If you need secure remote access as well (built-in personal firewall, ability to deny access based on the computer configuration, AD interoperability, etc.) go Check Point (or buy additional Cisco products to gain the same capability). If you are managing only one or two firewalls, go PIX. If you're handling dozens or hundreds, go Check Point. If you don't care about application-layer attacks against your infrastructure, go PIX. If you think attacks against the applications are the coming thing, go Check Point.

There is no right or wrong answer. They both call themselves "firewalls" but that's where the similarity ends. I suspect most people would find a mix of both products would provide their operation with optimal protection.

And like all products, implementation and configuration errors can turn either one into Swiss Cheese.

Ray

From: "Darkslaker" <rienzi@xxxxxxxxxxxxx>
To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] PIX vs CheckPoint
Date: Tue, 29 Jun 2004 13:24:05 -0500 (CDT)

I am studying for the CCSA and my friend for the CSPFA. In our exchange of
ideas we did not find significant differences; maybe two: PIX runs on an OS
from CISCO and CheckPoint on many platforms; and CheckPoint has more
products.

My question is: PIX or Checkpoint, which is better and why?


--
+---------------------------------------------------------------------------+
| Jim Burwell - Sr. Systems/Network/Security Engineer, JSBC                  |
+---------------------------------------------------------------------------+
| "I never let my schooling get in the way of my education." - Mark Twain   |
| "UNIX was never designed to keep people from doing stupid things, because |
|  that policy would also keep them from doing clever things." - Doug Gwyn  |
| "Cool is only three letters away from Fool" - Mike Muir, Suicyco          |
| "..Government in its best state is but a necessary evil; in its worst     |
|  state an intolerable one.." - Thomas Paine, "Common Sense" (1776)        |
+---------------------------------------------------------------------------+
| Email: jimb@xxxxxxx                                   ICQ UIN: 1695089    |
+---------------------------------------------------------------------------+
| Reply problems ? Turn off the "sign" function in email prog. Blame MS.    |
+---------------------------------------------------------------------------+


_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html