Network Security Firewalls

RE: Checkpoint vs. Juniper Netscreen

Subject: RE: Checkpoint vs. Juniper Netscreen
Date: Thu, 26 May 2005 18:25:59 -0400
A note regarding EAL4.  The certification only applies to the version tested.  
Once the product is modified, the certification is invalid. This means that 
Check Point's resolution of bugtraq issues nullifies the certification.  If 
EAL4 is of importance to you, make sure that the vendor is also providing 
maintenance assurance.  This warrants that the product will always be EAL4 
certified.

-----Original Message-----
From: Ha, Jason [mailto:JHa@verisign.com.au]
Sent: Thursday, May 26, 2005 1:30 AM
To: Rossen S. Naydenov; firewalls
Subject: RE: Checkpoint vs. Juniper Netscreen


Hi Rossen,

I can just see the thread of emails now...

Alright, let me try and break it down with some structure. We'll focus
specifically on the following areas:

Security
Performance
Management
VPN (site to site)
VPN (remote access)
High Availability
IDP
Support
Nice Bonus Fluffy Stuff

Let's start with Check Point
****************************

Security:

Check Point is EAL4 certified and is regarded as a relatively secure
firewall. It does have more bugtraqs than most other firewalls, but they
are generally addressed quite quickly by the Check Point crew. The
firewall stands up against most of the standard fragmentation and
spoofing style attacks, and most large corporates trust it to secure
critical servers on the DMZ. Check Point comes with SmartDefense
(detailed later) to further limit vulnerabilities which can be exploited
on hosts.

Check Point's Internal Certificate Authority (ICA) enables all of the
Check Point components to communicate securely with each other. This
includes the SmartConsole management tools.

One thing to be mindful of regarding Check Point security is the fact
that a large number of the vulnerabilities occur at the OS level, not
necessarily at the firewall software level. It is important to choose
the correct OS for Check Point when planning your deployment.

One of Check Point's main security strengths is in the VoIP area. It can
be argued that Check Point is one of the better firewalls at handling
the vast majority of VoIP protocols securely and with minimal disruption
to the VoIP infrastructure.

Performance:

As Check Point is software loaded on a server with an OS, the performance
of the firewall is really dependent on these other factors as well as
how Check Point fundamentally processes packets. In order to achieve
maximum performance, Check Point still recommends the use of Nokia's big
beefy IP2250 (costly). However, there are some SecurePlatform (Check
Point's own hardened Linux OS) Check Point recommended builds to achieve
a good level of performance.

There are also a number of features available to enhance the performance
of Check Point including a performance pack, VPN accelerators etc, but
these all come at an additional cost.

From personal experience, Check Point firewalls don't always deliver to
the "marketed" performance stats.

Management:

Without a doubt, unsurpassed management is Check Point's key strength
and the reason why most organisations elect to use it. The SmartCenter
management framework allows you to easily and securely manage one or
multiple firewalls. Security policy development and deployment is
simple. All the additional management components such as logging,
licensing, software updating and monitoring are miles ahead of most
other firewalling products.

One of the niftiest things is the ability to manage your perimeter
Check Point firewalls and SecureClient Desktop policies from a single
management console.

But, once again, as Check Point firewalls are installed on an OS, the OS
must also be maintained separately. This is not so much of an issue for
SecurePlatform installations (and Nokia installations to a lesser
extent). However, installation on any other OS requires fairly
comprehensive management of the underlying OS, something which may end
up being costly from a management and a maintenance perspective.

However, I should mention that one of the benefits of an OS type
platform is that it's more scalable. It's easy to add more interfaces,
memory etc as you require it. But you will need to weigh this with the
additional management burden (not to mention the increased risk of
hardware faults due to more moving parts).

VPN (Site to Site):

Configuring VPN connectivity between Check Point firewalls or with any
other external firewall is generally a simple task. Check Point's
flexible NATing features add a lot of flexibility to VPN configuration.

Check Point firewalls do lack some of the advanced site-to-site VPN
features now seen on other firewalls (dynamic routing support and the
like).

VPN (remote access):

Another major strength of Check Point firewalls. SecureClient is by far
the most functional and robust VPN client available. The desktop
firewall policy can be centrally configured and managed through
SmartCenter. Additional policy checks to ensure users don't disable
their firewalls as well as simple OS checks can also be performed to
ensure maximum security. With the acquisition of Zone Labs some time
ago, further functionality is being integrated into SecureClient to
further enhance its security (more advanced firewalling and desktop IDP
type functionality).

Other nice features of SecureClient include their Secure Domain Login
features (the ability for the VPN to be established before you logon to
the domain, eliminating a number of user right issues traditionally
plaguing VPN users).

Some organisations need to manage a large number (100s to 1000s) of VPN
client users, and as such, having a fat client on laptops often causes
more administrative burden than it's worth. As such, SSL VPNs are
gaining more popularity, and the benefit of Check Point firewalls is you
can utilise both... at the same time. Most firewalls only support IPSec
based VPNs and require a separate appliance for SSL VPNs.

High Availability:

There are two great features when it comes to HA/LB with Check Point
firewalls. ClusterXL (Check Point's in-house HA/LB module) provides
simple to configure active/passive high availability as well as true
clustered active/active load balancing. Despite some of its quirks, it's
probably one of the better intrinsic firewall HA/LB solutions available.

Secondly, Check Point's ISP Load Balancing features enable you to easily
manage ISP redundancy at your perimeter without additional hardware.

IDP:

SmartDefense and WebDefense are the inbuilt IDP features available for
Check Point firewalls. Though not as feature rich as other firewalls,
they provide sufficient attack mitigation of most types and for a good
amount of protocols.

Check Point also provides a separate appliance - InterSpect - for IDP-esque
functionality.

Check Point firewalls, due to their OPSEC partnerships, are also
compatible with a few Intrusion Detection/Prevention vendors.

Support:

I believe this is one of the most critical points when selecting a
vendor. How well is your vendor going to be able to support you when you
have a business critical issue? Check Point support is generally quite
good, but it helps to be close to your local representatives (as their
support is based out of Israel). Most issues can generally be resolved
quite promptly. If electing to go with Nokia as the hardware platform,
they also have excellent support for Check Point as well as their own
product (saves you having to call Nokia and Check Point when trying to
work out whose problem it is).

Nice Fluffy Stuff:

The latest version of Check Point (NGX) further refines the Check Point
management architecture. It also includes enhancements to many VPN
features as well as tweaks to SecurePlatform. I think going forward,
with further integration of the Integrity suite (the previous Zone Labs
stuff) we're going to see some enhanced desktop firewall and IDP client
functionality.

Another nice touch that most people aren't aware of is the StormCenter
feature. This allows Check Point firewalls to obtain a dynamic list of
blacklisted IP addresses from the SANS StormCenter which it can then
apply to the security policy to ensure that these addresses are blocked
off from your network.


Now for NetScreen:
******************

Security:

NetScreen is EAL4+ certified (do note, this is based on the older v4
firmware) and is a robust and secure firewall with very few
vulnerabilities. As it is a self-contained ASIC based appliance, there
is no security concern with managing the firewall and its underlying
Operating System. NetScreen uses a proprietary firmware which is
hardened.

NetScreen firewalls also provide some interesting ways to enhance
security at a routing level (through the use of their Virtual Router
features) and also allows you to configure the firewall in layer 2 mode.

Performance:

NetScreen marketshare has exploded in the recent years purely based on
price/feature/performance. Bang-for-buck, no enterprise firewall
generally comes close to the performance delivered by a NetScreen.

I've seen the enterprise model NetScreens clock up an exorbitant amount
of connections without much of a scratch on the processor or memory.

I know of many large organisations who benchmarked a range of firewall
products (including Check Point) and found that the NetScreen offered
the best performance regarding the number of connections it could
handle.

Management:

NetScreen management is simple, if not a bit rudimentary. There is the
basic command line (console, telnet or SSH), or Web based management
(HTTP or HTTPS). The only way to manage multiple NetScreens is to have
several laptops in parallel (kidding) or use NetScreen Security Manager
(NSM) - NetScreen's centralised management platform.

NSM is feature rich, provides a lot of functionality (remote upgrades,
global policies, software updating, advanced reporting) but it does come
at a significant cost.

NetScreens come in a variety of models such as the lower-end fixed
hardware appliances, and the high-end modular systems. The key benefit of an
appliance is reliability (especially from a hardware perspective).
However, you will need to be careful when selecting your platform to
ensure that it can scale with your business requirements.

VPN (Site to Site):

NetScreens are one of the most universally IPSec VPNable (is that even a
word?) devices. Almost any other firewall can talk with a NetScreen (and
this is important if you need to setup multiple VPNs with different
partners/suppliers). NetScreen also offer very advanced VPN features
(dynamic routing, hub-spoke, full-meshing) as well as intrinsic VPN
redundancy features.

VPN (remote access):

This is unfortunately one of the weaker areas of the NetScreen. The VPN
client is your run-of-the-mill SafeVPN client (used by numerous other
vendors) and doesn't provide much functionality (though it does do the
trick). The Sygate Personal Firewall OEMed with the more expensive
version of NetScreen's VPN Client is a nice feature, but generally not
usable for your non-IT users who may not understand much about handling
desktop firewalls. The version of Sygate Personal Firewall cannot be
centrally managed either (a real pain if you ask me).

High Availability:

While NetScreens provide excellent active/passive HA functionality, they
fall way short in the active/active area. Configuration of active/active
requires some significant network restructuring and as such, is
generally not recommended. >:) However, like previously mentioned, the
active/passive stuff works a treat.

IDP:

NetScreen was one of the first appliance firewalls to introduce an IDP
(called Deep Packet Inspection on NetScreens) module. Through the use of
a subscription, signatures are regularly updated. By default, the IDP
comes with a whole raft of signatures and protocol anomaly checks. One
of the benefits of DPI is the ability for you to easily craft your own
signatures.

You are correct in saying that NetScreen have a separate IDP appliance,
but it is not cross functional with the NetScreen firewall. Though there
is a new IDP coming out soon which is very similar to the firewall line
(ASIC based etc) and it would be good to see some integration between
the two.

Support:

I've had plenty of experience with NetScreen and Juniper support, and am
thankful to say that it's gotten a lot better since NetScreen was
acquired by Juniper. Their support staff are generally very
knowledgeable and prompt.

Nice Fluffy Stuff:

One of the main selling points of a NetScreen is price, especially
considering it includes HA/LB features, bandwidth management and IDP
features for free.


******

In summary, we (we as in VeriSign) provide Managed Services for both
products and have experienced the benefits and challenges of both. For
organisations where money is of less concern but desire a management
rich and integrated security solution, then I would definitely recommend
the Check Point option. However, if price/security/performance is more
along the lines of your purchasing decision, then the NetScreen solution
rarely disappoints.

Hope this helps. Please don't hesitate to contact me if you require any
further assistance.

Regards,

Jason Ha [CISSP, CCSE, JNCIS-FWV]
Senior Security Engineer,
Security Operations Centre

VeriSign Asia Pacific
E: jha@verisign.com.au
W: www.verisign.com.au


-----Original Message-----
From: Rossen S. Naydenov [mailto:rnaydenov@postbank.bg] 
Sent: Wednesday, May 25, 2005 9:41 PM
To: firewalls
Subject: Checkpoint vs. Juniper Netscreen

Hi,

I have gone down to two choices:
Checkpoint or Juniper Netscreen Firewalls.
Both solutions meet our technical requirements.

I would like to hear from people who are using these devices. How are
they integrated in an IDP network scheme? I know that Juniper offers their
own IDP module. 
In terms of manageability which one is better? How about scalability?

Thanks in advance ;)
--
Rossen S. Naydenov
rnaydenov@postbank.bg

