Message-ID: <C8936A4FF306F34898B8F384BF62C1AB43C095@cybermail.netarch.com>
From: charliew at netarch.com (Charlie Winckless)
Subject: PIX vs CheckPoint

> PIXes aren't really routers either, like many firewalls. This is evident
> by the fact that PIXes can't route traffic back out the same interface
> it received the traffic on. You have to be conscious about these
> limitations when doing network design in the presence of PIXes.
>

When I teach the PIX class, I refer to them as 'translators'. It
and the below are probably the most key points in designing around
and with a PIX.

(Along with the 'security level' for an interface.)

I have heard rumour from Cisco, however, that the lack of the ability
to 'switch' traffic in and out on the same interface will go away
soon, thus changing the situation below.

<Details of VPN router design snipped>

I favour the PIX. I've not had enough experience with the Checkpoint
to make a fair comparison (most of the other firewalls I've worked
with have been application level boxen or Linux/BSD platforms). The
strong points I see for the PIX are:

* Small image (the GUI is 3Mb, the image as of 6.3 is still under 2Mb)
* Lack of underlying OS beyond Finesse
* Few moving parts to fail
* CLI that's similar to IOS
  (NB: as a router jock this is a plus and a minus; it's close enough
  that some other things will fool you. But I've always found a CLI
  faster for most configs and for remote troubleshooting than a GUI)

The largest issue I have is an arcane and awkward logging system. While
I can log on the box I'm not a fan of that -- since if the box crashes
for whatever reason I've lost the log -- and even when I do, the
complaints raised at actually finding anything are very valid.

Some form of external log analysis is needed.

And up until the most recent releases the lack of object groups was a 
bummer. Even now, a protocol group can be EITHER TCP or UDP, which I
suspect is a function of the ACLs. But it's a huge improvement if 
networks aren't designed on binary boundaries totally. (Yeah, right..)
