CheckPoint vs ASA?

itdaddy

hey guys

do you see many companies going to checkpoint firewalls and is checkpoint cisco (my gut says it is not) but why are many companies not
going with Cisco ASA type is it because Cisco is less user friendly for non
Network Engineers?

thanks

jovan88

checkpoints are very popular firewalls, we use the UTM-1 a lot. They're easy to configure but their support isn't that great

DevilWAH

I know a lot of compinies go for Checkpoint, but you do also see a LOT of PIX firewalls around on job specs, which are of course cisco.

The reson you see PIX rather than ASA is just becuse many compinies are not going to upgrade untill there PIX gets towards end of life.

I think one reson is cost, Cisco are expensive, so many smaller compinies can't justifie the cost, and as yousiad you need expertise to install a ASA firewall. They seemed to be aimed more at thecompanies with a dedicated network department, rather than the more generic compinies where the network not the driving force behine the business, which look for the plug and play options.

shednik

One key thing has kept my company from moving from checkpoint to ASAs. Crappy management tools, ASDM is nice but not for managing MANY clusters of firewalls. Provider-1 with check point is much easier to use for troubleshooting, rule management, and other stuff of that nature. We're beta testing the new Cisco Security Manager though so we will see if it matches up.

chrisone

I would say your assumption of checkpoint being easier / user friendly for non network engineers is dead on the spot. I have never worked with checkpoint but if its a GUI based firewall then yeah i can see why non-networking engineers would have a blast with click and point setup.

I prefer Cisco ASA because when **** hits the fan I can get granular in my troubleshooting. Anything software based your stuck calling in tech support trying to figure out probably the simplest of problems. I also prefer the ASA because i spent countless hours studying and working with the device.

I was looking at their certifications and wow their official book materials and labs are pretty steep. $600 bucks!
https://www.checkpoint.com/CourseWare/OrderHomePage.jsp

I figured its probably not bad to look into one or two certs from these guys since they are infact one of the top firewall companies out their. But wow im not going to invest 600 on reading material.

Edit: nevermind i guess its a full course class.

itdaddy

wow thanks guys for your insight....yeah hope cisco gets on the ball with their ASDM..you would think they would

Sett

I have worked with both, and must say that I like Checkpoint better. Not because it is "easy", it just let you achieve the same results much faster. You can also keep track of your configurations and rules much more effective and it is less error-prone.
I can not see ASDM to become so well designed any time soon.

However, the main advantage of a FW is not how nice interface it has, it is all about productivity and reliability. The experts should tell which one is better by this criteria.

laidbackfreak

Sett wrote: »

I have worked with both, and must say that I like Checkpoint better. Not because it is "easy", it just let you achieve the same results much faster. You can also keep track of your configurations and rules much more effective and it is less error-prone.
I can not see ASDM to become so well designed any time soon.

However, the main advantage of a FW is not how nice interface it has, it is all about productivity and reliability. The experts should tell which one is better by this criteria.

+1 for this, I have also worked with both and while everyone has mentioned the gui keep in my that checkpoint does also have a cli too. So while most work is done through the gui every now and then you need\can go to the cli and trouble shoot\change etc there too.

Chris:/*

I see either Checkpoint or Sidewinder (McAfee Enterprise) firewalls being used mostly.

Watch security trends and see which has more vulnerabilities released against them.

Review Monster.com, Indeed.com, Dice.com and Clearancejobs.com, to see what related certifications for those firewalls are most desired. The results will point you to where you need your training in.

Food for thought though in multi-tier networks do not choose the same firewall for each tier. Different vendor hardware/software improves security because the same exploit does not work in all tiers.

Ahriakin

Chris:/* wrote: »

Food for thought though in multi-tier networks do not choose the same firewall for each tier. Different vendor hardware/software improves security because the same exploit does not work in all tiers.

That's subjective. If you can provide the same level of expertise for each vendor's appliances then it's true, but that is rare. What you gain in multi-tier exposure reduction from diversity you can quite easily lose in the levels to which each is configured correctly, also added complexity when attempting troubleshooting and forensics later.

Chris:/*

Ahriakin wrote: »

That's subjective. If you can provide the same level of expertise for each vendor's appliances then it's true, but that is rare. What you gain in multi-tier exposure reduction from diversity you can quite easily lose in the levels to which each is configured correctly, also added complexity when attempting troubleshooting and forensics later.

Very good points, but when moving to multi-tier networks and security the architecture and training should have been thought out long before implementation. This is almost never the case as you stated. I do agree with you unfortunately the average System Admin (SA) or Network Admin (NA) shop does not have the experience or skills needed for deploying or maintaining such a setup.