CheckPoint vs ASA?

itdaddy Senior Member Posts: 2,089
Hey guys,

Do you see many companies going to Checkpoint firewalls, and is Checkpoint Cisco (my gut says it is not)? But why are many companies not going with the Cisco ASA type? Is it because Cisco is less user-friendly for non-network engineers?

Thanks

Comments

  • jovan88 Member Posts: 393
    Checkpoints are very popular firewalls; we use the UTM-1 a lot. They're easy to configure, but their support isn't that great.
  • DevilWAH Member Posts: 2,997
    I know a lot of companies go for Checkpoint, but you do also see a LOT of PIX firewalls around on job specs, which are of course Cisco.

    The reason you see PIX rather than ASA is just because many companies are not going to upgrade until their PIX gets towards end of life.

    I think one reason is cost. Cisco are expensive, so many smaller companies can't justify the cost, and as you said, you need expertise to install an ASA firewall. They seem to be aimed more at the companies with a dedicated network department, rather than the more generic companies where the network is not the driving force behind the business, which look for the plug-and-play options.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • shednik Member Posts: 2,005
    One key thing has kept my company from moving from Checkpoint to ASAs: crappy management tools. ASDM is nice, but not for managing MANY clusters of firewalls. Provider-1 with Checkpoint is much easier to use for troubleshooting, rule management, and other stuff of that nature. We're beta testing the new Cisco Security Manager though, so we will see if it matches up.
  • chrisone Senior Member Posts: 2,251
    I would say your assumption of Checkpoint being easier / user friendly for non-network engineers is dead on the spot. I have never worked with Checkpoint, but if it's a GUI-based firewall then yeah, I can see why non-networking engineers would have a blast with click-and-point setup.

    I prefer Cisco ASA because when **** hits the fan I can get granular in my troubleshooting. Anything software-based, you're stuck calling in tech support trying to figure out probably the simplest of problems. I also prefer the ASA because I spent countless hours studying and working with the device.

    I was looking at their certifications and wow, their official book materials and labs are pretty steep. $600 bucks!
    https://www.checkpoint.com/CourseWare/OrderHomePage.jsp

    I figured it's probably not bad to look into one or two certs from these guys since they are in fact one of the top firewall companies out there. But wow, I'm not going to invest 600 on reading material.

    Edit: never mind, I guess it's a full course class.
    Certs: CISSP, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2022 Goals:
    Certs: EnCE (Phase 1 - Passed, Phase 2 - awaiting results), eCPTXv2 (in progress), SC-300 (in progress), AZ-500, SC-100
    Course: BC Security - Empire Operations 1 (completed), Zero Point Security - CRTO (course completed)
  • itdaddy Senior Member Posts: 2,089
    Wow, thanks guys for your insight... yeah, hope Cisco gets on the ball with their ASDM. You would think they would.
  • Sett Member Posts: 187
    I have worked with both, and must say that I like Checkpoint better. Not because it is "easy"; it just lets you achieve the same results much faster. You can also keep track of your configurations and rules much more effectively, and it is less error-prone.
    I cannot see ASDM becoming so well designed any time soon.

    However, the main advantage of a FW is not how nice an interface it has; it is all about productivity and reliability. The experts should tell which one is better by these criteria.
    Non-native English speaker
  • laidbackfreak Member Posts: 991
    Sett wrote: »
    I have worked with both, and must say that I like Checkpoint better. Not because it is "easy"; it just lets you achieve the same results much faster. You can also keep track of your configurations and rules much more effectively, and it is less error-prone.
    I cannot see ASDM becoming so well designed any time soon.

    However, the main advantage of a FW is not how nice an interface it has; it is all about productivity and reliability. The experts should tell which one is better by these criteria.

    +1 for this. I have also worked with both, and while everyone has mentioned the GUI, keep in mind that Checkpoint does also have a CLI too. So while most work is done through the GUI, every now and then you need/can go to the CLI and troubleshoot/change etc. there too.
    if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
  • Chris:/* Member Posts: 658
    I see either Checkpoint or Sidewinder (McAfee Enterprise) firewalls being used mostly.

    Watch security trends and see which has more vulnerabilities released against them.

    Review Monster.com, Indeed.com, Dice.com and Clearancejobs.com to see which related certifications for those firewalls are most desired. The results will point you to where you need your training.

    Food for thought, though: in multi-tier networks, do not choose the same firewall for each tier. Different vendor hardware/software improves security because the same exploit does not work in all tiers.
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,799
    Chris:/* wrote: »
    Food for thought, though: in multi-tier networks, do not choose the same firewall for each tier. Different vendor hardware/software improves security because the same exploit does not work in all tiers.

    That's subjective. If you can provide the same level of expertise for each vendor's appliances then it's true, but that is rare. What you gain in multi-tier exposure reduction from diversity you can quite easily lose in the levels to which each is configured correctly, also added complexity when attempting troubleshooting and forensics later.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Chris:/* Member Posts: 658
    Ahriakin wrote: »
    That's subjective. If you can provide the same level of expertise for each vendor's appliances then it's true, but that is rare. What you gain in multi-tier exposure reduction from diversity you can quite easily lose in the levels to which each is configured correctly, also added complexity when attempting troubleshooting and forensics later.

    Very good points, but when moving to multi-tier networks and security, the architecture and training should have been thought out long before implementation. This is almost never the case, as you stated. I do agree with you; unfortunately, the average System Admin (SA) or Network Admin (NA) shop does not have the experience or skills needed for deploying or maintaining such a setup.
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology