Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: [Full-Disclosure] PIX vs CheckPoint
From: David T Hollis (dhollisdavehollis.com)
Date: Tue Jun 29 2004 - 15:16:16 CDT
On Tue, 2004-06-29 at 13:24 -0500, Darkslaker wrote:
> i am studying for the CCSA and my Friend for CSPFA in the interchange of
> ideas we did not find differences significant; maybe two ; PIX run in OS
> for CISCO and CheckPoint in many platforms; and checkPoit have more
> My question is PIX or Checkpoint what is better and why.
"Better" would really be relative here. I've used both quite a bit and
my personal preference is for PIX. The reasons being: 1) Cost, 2)
Simplicity, 3) reliability. Checkpoint throws more stuff in the box,
but you may never use a large portion of that stuff. I've also found
that each version of Checkpoint (and we aren't talking major version
like 1.0 vs 2.0, but 4.1 FP3 vs 4.1 FP4) seems to introduce all kinds of
new quirks and quibbles that make things quite a pain to deal with.
I've never used the PIX gui for anything, I understand recent versions
are better, but I prefer command line myself. The Checkpoint GUI is ok,
nothing to write home about, but it is quite functional. VPN setup with
Checkpoint is quite easy (especially if you tried to do IPSEC in other
arenas). Failover with PIX is tremendously simpler and Just Works (tm)
compared with Checkpoint. I much prefer the straight text config which
I can keep in a CVS repo and do diffs on the configs over periods of
time to see what has changed. Has proven useful in employee termination
scenarios as well.
In the end, both are viable solutions for a firewall. If you already
have an investment in Checkpoint stuff, it is the obvious choice. If
you are a big Cisco shop, PIX will fit in quite easily (it's OS isn't
IOS, but it's not really that far off).
If you do go with Checkpoint, do the world a favor and don't run it on a
Windows box. Run it on Linux or Solaris or buy a Nokia IPxxx to run it
David T Hollis <dhollisdavehollis.com>
Full-Disclosure - We believe in it.