I use both PIX and Checkpoint, and have used Checkpoint since 3.0b.
IMHO, Checkpoint is far more intuitive and easy to use. Adding host and
network objects, placing them into groups, and employing them in rules
is straight forward. PIX also has this feature (object groups), but
it's not as quick or easy since it's CLI. I can get a basic FW1 config
up and running a lot faster than a PIX, esp if using a Nokia appliance
or something like Secure Platform where most of the OS
configuration/armoring chores are done for you already. I'm sure you
could also search/replace and copy/paste out a basic PIX configuration
too, but I find that I need to double and triple check my PIX configs
where the CP GUI presents the config in very concise/intuitive matter.
There's no checking through pages of ACL lines like on a PIX.
The NAT implementation in Checkpoint is also far more intuitive IMHO.
Just match an original source IP/dest IP/dest port set in one table on
the left side of the page, and if the original packet matches, perform
this or that NATing operation in table on the right side, all on a
single line per matching rule in the GUI. Match this, do this.
Simple. This is in contrast to the PIX with it's non-intuitive special
case NAT 0 "no NAT" rule, and somewhat confusing NAT cofiguration
syntax, etc, etc (and even worse the IOS method of NATing. Ick.). One
nice thing about PIX in this regard is you don't have to worry about
static public ARP entires. It's taken care of for you.
CP of course has it's own pains and lots of little idiosyncrasies,
undocumented features and pitfalls you need to learn about (yea for
phoneboy.com). For instance, never define a Firewall object as the
internal IP if you want VPNs to work right, etc.
VPNs are also very easy to implement, espcially in CPNG, and especially
if you have multiple sites (full meshes on Cisco are a PITA). But only
as long as it's a CP <-> CP VPN. I've had lots of trouble getting CP
<-> other vendor VPNs going and stable, although this can probably be
said of most vendors.
CP rules for multiple firewall management. From the beginning they've
had the concept of a centralized management station which could control
multiple firewall enforcement points/vpn devices. CP also has both
failover and clustering options, where PIX, AFAIK only has failover.
Having said all that, PIXes also work well for most FW tasks. They're
just a bit more awkward to configure/administrate IMHO, and lack some of
the above mentioned features/functionality of CP.
I'm also a fan of iptables/netfilter, which I also think once you get
the concept of the tables and chains down. It's also nice because you
have the power of Unix behind it, so you can easily use a real editor,
to edit your config, display them in a real pager (less), and use
scripting to modify your configs easily. There's even GUI tools like
fwbuilder to do things GUI style. I've had some performance issues on
iptables though when the data starts moving fast, but those are likely
due to the slow machine I use it on (P133) and/or the old kernel and
iptables implementation I'm using (needs upgrade really bad).
- Jim
Ray P wrote:
You sure got a whole bunch of good opinions with such a short
question. :-)
As always, the answer is that it depends on what you need to do. If
you need a basic firewall and you have no bucks, go PIX. If you need
secure remote access as well (built-in personal firewall, ability to
deny access based on the computer configuration, AD interoperability,
etc.) go Check Point (or buy additional Cisco products to gain the
same capability). If you are managing only one or two firewalls, go
PIX. If you're handling dozens or hundreds, go Check Point. If you
don't care about application-layer attacks against your
infrastructure, go PIX. If you think attacks against the applications
are the coming thing, go Check Point.
There is no right or wrong answer. They both call themselves
"firewalls" but that's where the similarity ends. I suspect most
people would find a mix of both products would provide their operation
with optimal protection.
And like all products, implementation and configuration errors can
turn either one into Swiss Cheese.
Ray
From: "Darkslaker" <rienzi@nimrod.com.mx>
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] PIX vs CheckPoint
Date: Tue, 29 Jun 2004 13:24:05 -0500 (CDT)
i am studying for the CCSA and my Friend for CSPFA in the interchange of
ideas we did not find differences significant; maybe two ; PIX run in OS
for CISCO and CheckPoint in many platforms; and checkPoit have more
products.
My question is PIX or Checkpoint what is better and why.
--
+---------------------------------------------------------------------------+
| Jim Burwell - Sr. Systems/Network/Security Engineer, JSBC |
+---------------------------------------------------------------------------+
| "I never let my schooling get in the way of my education." - Mark Twain |
| "UNIX was never designed to keep people from doing stupid things, because |
| that policy would also keep them from doing clever things." - Doug Gwyn |
| "Cool is only three letters away from Fool" - Mike Muir, Suicyco |
| "..Government in its best state is but a necessary evil; in its worst |
| state an intolerable one.." - Thomas Paine, "Common Sense" (1776) |
+---------------------------------------------------------------------------+
| Email: jimb@jsbc.cc ICQ UIN: 1695089 |
+---------------------------------------------------------------------------+
| Reply problems ? Turn off the "sign" function in email prog. Blame MS. |
+---------------------------------------------------------------------------+
