Message-ID: <1088540176.4443.7.camel@dhollis-lnx.kpmg.com>
From: dhollis at davehollis.com (David T Hollis)
Subject: PIX vs CheckPoint

On Tue, 2004-06-29 at 13:24 -0500, Darkslaker wrote:
> I am studying for the CCSA and my friend for CSPFA in the interchange of
> ideas we did not find differences significant; maybe two; PIX run in OS
> for CISCO and CheckPoint in many platforms; and CheckPoint have more
> products.
> 
> My question is PIX or Checkpoint what is better and why.

"Better" would really be relative here.  I've used both quite a bit and
my personal preference is for PIX.  The reasons being: 1) Cost, 2)
Simplicity, 3) reliability.  Checkpoint throws more stuff in the box,
but you may never use a large portion of that stuff.  I've also found
that each version of Checkpoint (and we aren't talking major version
like 1.0 vs 2.0, but 4.1 FP3 vs 4.1 FP4) seems to introduce all kinds of
new quirks and quibbles that make things quite a pain to deal with.
I've never used the PIX GUI for anything, I understand recent versions
are better, but I prefer command line myself.  The Checkpoint GUI is ok,
nothing to write home about, but it is quite functional.  VPN setup with
Checkpoint is quite easy (especially if you tried to do IPSEC in other
arenas).  Failover with PIX is tremendously simpler and Just Works (tm)
compared with Checkpoint.  I much prefer the straight text config which
I can keep in a CVS repo and do diffs on the configs over periods of
time to see what has changed.  Has proven useful in employee termination
scenarios as well.

In the end, both are viable solutions for a firewall.  If you already
have an investment in Checkpoint stuff, it is the obvious choice.  If
you are a big Cisco shop, PIX will fit in quite easily (its OS isn't
IOS, but it's not really that far off).

If you do go with Checkpoint, do the world a favor and don't run it on a
Windows box.  Run it on Linux or Solaris or buy a Nokia IPxxx to run it
on.  

-- 
David T Hollis <dhollis@...ehollis.com>

