lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <6.1.1.1.2.20040629224848.01d39b40@213.30.158.180>
From: llevier at argosnet.com (Laurent LEVIER)
Subject: PIX vs CheckPoint

Hi DarkSlaker

At 20:24 29/06/2004, Darkslaker wrote:
>My question is PIX or Checkpoint what is better and why.
I dont think I am not skilled enough to provide you an answer about this.
However, I have both solutions under my authority and I can feedback about 
a few things:

First CheckPoint (NG4) does not provide ACL per interface as Pix, which 
means it is better to have a Pix when you have multiple interfaces with a 
"from any" source to define.

But you can manage FW-1 securely (IPsec or SSH v2) when a Pix only supports 
SSHv1 that is confirmed unsecure by its author

On FW-1, you must define rules to protect against illegal access while Pix 
can get rid of this because there is a parallel ACL for session access to 
the box (which does not prevent from protecting the box on its possibly 
other opened ports)

FW-1 will log locally while Pix requires to build a syslog server where 
logs will be sent. Since Pix log selection is based on the "all but" 
principle, selecting the specific log messages you want is a real pain. On 
the opposite, Pix logs with much more details than FW-1.  Pix is logging so 
much that is also required when you have many traffic to received these 
logs on the same LAN.
Just to make your own idea, my company had 20 GB traffic/day (whole 
traffic). Pix was sending (full logs) 20 MB logs per minute.

Because of this logging method, a Pix can log EVERYTHING when FW-1 must 
stop logging some traffic to avoid DoS because HD is too slow. This is what 
we have been forced to do when there was some worm crisis and not logging 
worm traffic really costs you when you have to find infected machines on 
your (big) network.

FW-1 provides multiple "proxy" services when Pix only provides only the 
basics (HTTP, FTP, SMTP,  ...)

But at the logging level again, a Pix logs full HTTP URL & FTP URL  easely 
when FW-1 requires to activate the HTTP/FTP proxy that costs much CPU and 
cant be done if your traffic is too heavy.

At the configuration level, FW-1 is definitely easier to manage than Pix 
that is still online device (you must telnet/ssh into to make changes), 
even if Pix IOS provides grouping features as with FW-1. The GUI is the 
important asset here.

At the NAT level, you have to know Pix is a NATing box and everything it 
does is based on NAT.
If you require to NAT, Pix is much more powerfull than FW-1.

Pix also accepts to NAT IP addresses not present on its NIC (what FW-1 
refuses) and its failover system makes it easier to manage NAT 1:1 then 
FW-1 that requires proxy-arp setup.
The interest of NAT 1:1 an IP that is NOT on the NIC is when like us you 
have routing failovered links. When routing will be modified, the NAT being 
present on ALL Firewalls, traffic keeps working. Not posible on FW-1 
without manual action.

Guess this summarizes my little experience of the diff between the 2 devices

Hope this will help

Brgrds

Laurent LEVIER
Systems & Networks Security Expert, CISSP CISM

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ