Full Disclosure mailing list archives
Re: PIX vs CheckPoint
From: Laurent LEVIER <llevier () argosnet com>
Date: Tue, 29 Jun 2004 23:01:27 +0200
Hi DarkSlaker,

At 20:24 29/06/2004, Darkslaker wrote:

> My question is PIX or Checkpoint, what is better and why.
I don't think I am skilled enough to provide you an answer about this. However, I have both solutions under my authority and I can give feedback on a few things:
First, CheckPoint (NG4) does not provide ACLs per interface as PIX does, which means it is better to have a PIX when you have multiple interfaces with a "from any" source to define.

But you can manage FW-1 securely (IPsec or SSH v2), whereas a PIX only supports SSHv1, which is confirmed insecure by its author.

On FW-1, you must define rules to protect against illegal access, while PIX can get rid of this because there is a parallel ACL for session access to the box (which does not prevent you from protecting the box on its other possibly opened ports).
FW-1 will log locally, while PIX requires you to build a syslog server to which the logs are sent. Since PIX log selection is based on the "all but" principle, selecting the specific log messages you want is a real pain. On the other hand, PIX logs with much more detail than FW-1. PIX logs so much that, when you have a lot of traffic, it is also required to receive these logs on the same LAN. Just to give you an idea, my company had 20 GB traffic/day (whole traffic). PIX was sending (full logs) 20 MB of logs per minute.

Because of this logging method, a PIX can log EVERYTHING, whereas FW-1 must stop logging some traffic to avoid a DoS because the HD is too slow. This is what we were forced to do when there was a worm crisis, and not logging worm traffic really costs you when you have to find infected machines on your (big) network.
FW-1 provides multiple "proxy" services, while PIX only provides the basics (HTTP, FTP, SMTP, ...).

But at the logging level again, a PIX logs full HTTP URLs & FTP URLs easily, whereas FW-1 requires you to activate the HTTP/FTP proxy, which costs a lot of CPU and can't be done if your traffic is too heavy.

At the configuration level, FW-1 is definitely easier to manage than PIX, which is still an online device (you must telnet/ssh into it to make changes), even if PIX IOS provides grouping features as FW-1 does. The GUI is the important asset here.
At the NAT level, you have to know that PIX is a NATing box and everything it does is based on NAT.

If you require NAT, PIX is much more powerful than FW-1. PIX also accepts NATing IP addresses not present on its NIC (which FW-1 refuses), and its failover system makes it easier to manage 1:1 NAT than FW-1, which requires a proxy-ARP setup. The interest of 1:1 NATing an IP that is NOT on the NIC is when, like us, you have failovered routing links. When routing is modified, the NAT being present on ALL firewalls, traffic keeps working. Not possible on FW-1 without manual action.
Guess this summarizes my little experience of the difference between the 2 devices. Hope this will help.

Brgrds

Laurent LEVIER
Systems & Networks Security Expert, CISSP CISM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
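A receiver-side filter is one way of living with the "all but" selection problem and the log volume described in the post above. The following is an added example, not code from the post or from either vendor: it parses the %PIX-<severity>-<message-id> syslog prefix, keeps only an allow-list of message IDs, and tallies bytes per ID so you can see which messages drive the volume. The sample log lines, hostnames and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of PIX-style syslog lines (format: %PIX-<severity>-<message-id>: text).
# Hostnames and addresses are illustrative, not captured from a real device.
SAMPLE_LOGS = """\
Jun 29 22:55:01 fw01 %PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.0.2.25/51234 (198.51.100.1/1025)
Jun 29 22:55:01 fw01 %PIX-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/80 to inside:192.0.2.25/51234 duration 0:00:00 bytes 1432 TCP FINs
Jun 29 22:55:02 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.77/4455 dst inside:192.0.2.25/445 by access-group "outside_in"
Jun 29 22:55:02 fw01 %PIX-6-305011: Built dynamic TCP translation from inside:192.0.2.25/51235 to outside:198.51.100.1/1026
Jun 29 22:55:03 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.77/4456 dst inside:192.0.2.26/445 by access-group "outside_in"
Jun 29 22:55:03 fw01 %PIX-3-305006: portmap translation creation failed for udp src inside:192.0.2.30/137 dst outside:203.0.113.9/137
"""

PIX_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")

def parse_pix_line(line):
    """Return (severity, message_id, text), or None for lines without a PIX prefix."""
    m = PIX_RE.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")

def select_messages(lines, keep_ids):
    """Receiver-side allow-list: keep only lines whose message ID is in keep_ids.
    This inverts the on-device 'all but' model, where every unwanted ID would
    have to be disabled one by one on the firewall itself."""
    kept = []
    for line in lines:
        parsed = parse_pix_line(line)
        if parsed and parsed[1] in keep_ids:
            kept.append(line)
    return kept

def volume_summary(lines):
    """Bytes and line counts per message ID, to see which IDs dominate log volume."""
    bytes_by_id, count_by_id = Counter(), Counter()
    for line in lines:
        parsed = parse_pix_line(line)
        if parsed:
            bytes_by_id[parsed[1]] += len(line.encode())
            count_by_id[parsed[1]] += 1
    return bytes_by_id, count_by_id

if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    denied = select_messages(lines, {"106023"})
    print(f"{len(denied)} ACL deny events out of {len(lines)} lines")
    b, c = volume_summary(lines)
    for msgid, n in c.most_common():
        print(f"{msgid}: {n} lines, {b[msgid]} bytes")
```

On a real feed you would keep the connection build/teardown IDs (302013/302014) in a separate low-priority store, since they are the bulk of the volume but still the records you need when hunting infected hosts.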