
RE: [Full-Disclosure] PIX vs CheckPoint

Subject: RE: [Full-Disclosure] PIX vs CheckPoint
Date: Wed, 30 Jun 2004 17:07:28 -0600
PIXes aren't really routers either, like many firewalls. This is evident
by the fact that PIXes can't route traffic back out the same interface
it received the traffic on. You have to be conscious about these
limitations when doing network design in the presence of PIXes.


When I teach the PIX class, I refer to them as 'translators'. It
and the below are probably the most key points in designing around
and with a PIX.

(Along with the 'security level' for an interface.)

I have heard rumour from Cisco, however, that the lack of the ability
to 'switch' traffic in and out on the same interface will go away
soon, thus changing the situation below.

<Details of VPN router design snipped>

I favour the PIX. I've not had enough experience with the Checkpoint
to make a fair comparison (most of the other firewalls I've worked
with have been application level boxen or Linux/BSD platforms). The
strong points I see for the PIX are:

* Small image (the GUI is 3Mb, the image as of 6.3 is still under 2Mb)
* Lack of underlying OS beyond Finesse
* Few moving parts to fail
* CLI that's similar to IOS
  (NB: as a router jock this is a plus and a minus; it's close enough
  that some other things will fool you. But I've always found a CLI
  faster for most configs and for remote troubleshooting than a GUI)

The largest issue I have is an arcane and awkward logging system. While
I can log on the box I'm not a fan of that -- since if the box crashes
for whatever reason I've lost the log -- and even when I do the
complaints raised at actually finding anything are very valid.

Some form of external log analysis is needed.

And up until the most recent releases the lack of object groups was a 
bummer. Even now, a protocol group can be EITHER TCP or UDP, which I
suspect is a function of the ACLs. But it's a huge improvement if 
networks aren't designed on binary boundaries totally. (Yeah, right..)
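The poster's complaint above is that PIX logs are hard to search on the box and need external analysis. The script below is an added example of what that external step can look like; it is not code from the original post or from Cisco. It parses syslog lines in the general `%PIX-<severity>-<message id>:` shape, pulls source, destination and port out of access-list deny messages, and counts which sources and ports are being denied most. The sample lines are constructed for the example (the 106023, 302013 and 302014 message shapes are modelled on the common PIX syslog formats, but field layout varies by software version, so the regexes are assumptions to be checked against your own device's output).

```python
import re
from collections import Counter

# Constructed sample log; not captured from a real device. Last line is deliberately
# not a PIX message, to show that unrelated syslog noise is skipped.
SAMPLE_LOG = """\
Jun 30 17:05:01 fw01 %PIX-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.7/80 (203.0.113.7/80) to inside:192.168.1.20/51234 (198.51.100.4/51234)
Jun 30 17:05:02 fw01 %PIX-4-106023: Deny tcp src outside:10.0.0.5/43210 dst inside:192.168.1.10/22 by access-group "outside_in"
Jun 30 17:05:02 fw01 %PIX-4-106023: Deny tcp src outside:10.0.0.5/43211 dst inside:192.168.1.10/23 by access-group "outside_in"
Jun 30 17:05:03 fw01 %PIX-4-106023: Deny udp src outside:10.0.0.9/5000 dst inside:192.168.1.10/161 by access-group "outside_in"
Jun 30 17:05:04 fw01 %PIX-6-302014: Teardown TCP connection 4711 for outside:203.0.113.7/80 to inside:192.168.1.20/51234 duration 0:00:03 bytes 1532 TCP FINs
this line is not a PIX message and should be skipped
"""

# Every PIX syslog message carries a severity (0-7) and a six-digit message id.
HEADER_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# Assumed layout of the access-list deny message (106023): interface:address/port pairs.
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for one PIX syslog line, or None if the line is not a PIX message."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"severity": int(m.group("sev")), "msg_id": m.group("msgid"), "text": m.group("text")}
    d = DENY_RE.search(rec["text"])
    if d:
        # Only deny messages get the 5-tuple fields; other messages keep just the header.
        rec.update(d.groupdict())
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
    return rec


def summarize(log_text):
    """Count messages per id and rank denied sources and destination ports."""
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    denies = [r for r in records if "src" in r]
    return {
        "parsed": len(records),
        "by_id": Counter(r["msg_id"] for r in records),
        "deny_sources": Counter(r["src"] for r in denies),
        "deny_ports": Counter((r["proto"], r["dport"]) for r in denies),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("parsed messages:", s["parsed"])
    print("messages by id:", dict(s["by_id"]))
    print("top denied sources:", s["deny_sources"].most_common(3))
    print("top denied ports:", s["deny_ports"].most_common(3))
```

Pointing `summarize` at a file received from the PIX over syslog (rather than reading the on-box buffer) keeps the log when the box restarts, which addresses the other half of the poster's concern; the `by_id` counter is the quickest way to find which message ids dominate before writing more specific extractors.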




