PIX vs Nokia/CheckPoint

 
 
Ali A
Guest
Posts: n/a
 
      02-21-2005
Hi,

I am working on a security proposal for an SMB size company (about 200
nodes with a remote data center). I am trying to cover the following
areas:

Perimeter firewalling, VPN, IPS/IDS, Anti Virus at Gateway level, Web
Content Filtering (including URL Filtering) and finally Wireless
security.

From my previous experiences, a combination of PIX and a security
appliance (such as Symantec Gateway Security Appliance) can cover all
of the above; however, I have been asked to consider a Nokia/Checkpoint
solution as well because it can also cover all the above requirements
in one appliance.

I know PIX but have no experience with Nokia and have not been able to
find any comparison or evaluation for both PIX and Nokia. My questions:


1. Can someone who has worked with both PIX and Nokia solutions let me
know the pros and cons for each (I myself obviously prefer PIX but need
a technical rationale behind my proposal).

2. Am I right that PIX cannot support all the above features? I know
that with WebSense I can almost get the Web Content Filtering portion
from PIX but what about Gateway AntiVirus? Also, PIX's IDS capabilities are
very limited. Is there any other Add-On feature set or third party
software available for PIX for these features?

3. What is the major highlight feature/capability of PIX that can be
used to beat other solutions in the market? As far as I know, ASIC
level OS and speed/performance ... Anything else? (this cannot be a
winner feature for an SMB site with limited size and budget)

Any input is highly appreciated.

Regards,
Ali

 
SysAdm
Guest
Posts: n/a
 
      02-21-2005

"Ali A" <raha-> wrote in message
news: oups.com...
> Hi,
>
> I am working on a security proposal for an SMB size company (about 200
> nodes with a remote data center). I am trying to cover the following
> areas:
>
> Perimeter firewalling, VPN, IPS/IDS, Anti Virus at Gateway level, Web
> Content Filtering (including URL Filtering) and finally Wireless
> security.
>
> From my previous experiences, a combination of PIX and a security
> appliance (such as Symantec Gateway Security Appliance) can cover all
> of the above, however, I have been asked to consider a Nokia/Checkpoint
> solution as well because it can also cover all the above requirements
> in one appliance.

<snip>

I've used both frequently, and imho the Nokia solution wins hands down in
terms of an overall proposition.
The Pix's Achilles' heel has always been its management. Sure they bought
out PDM, but frankly PDM sucks in comparison to Checkpoint's management
tools. So does CSPM in comparison to Provider-1.

As for the devices, well Nokia has moved on significantly since the old 440
days, and now you have, with the 2250, a device that is ratified at 7.5gbps
throughput (at standard Ethernet frame testing). Even the 1U ip380 has been
tested at almost 1.5gbps throughput. Not only that but the newer models are
now diskless, using flash based logic instead of disks. As well as that,
they have started using network processors on their feed linecards, each
being totally independent of the system cpu (which is pretty much where the
old bottleneck used to be).

The Pix has 3 fixed unit models and 1 linecard (FWSM); the FWSM is rated at
5gbps. The 535 is rated at 2gbps. So in terms of raw horsepower, again the
Cisco solution is left flagging.

VPN -- Nokia/CP solution wins this hands down for me. The Pix is just plain
not meant to be the tool to deploy VPNs on. Cisco will tell you to use vpn
concentrators for a VPN deployment. The Nokia/CP solution comfortably
manages VPN configuration from within the same gui as you administrate the
firewall policy.

HA -- Nokia again. What does the Pix offer? The same old stuff it offered
7yrs ago... effectively hot standby. Nokia offers Clustering as well as
VRRP and VRRP load sharing.

Logging -- don't get me started.

Max number of VLANs supported - in 6.3 code I remember that the 535
supported 22 (the 515 supported 8!!!). The Nokia supported over 1000.
Depending on your design, that alone could be a big one.

But hey, the Cisco Pix is ok for what it is, heck I have a 515 in my rack at
home thanks to eBay prices. I would possibly use it for a small office
deployment as it quite probably works out cheaper than an SME Nokia/CP
offering. But cost aside, I'd take the Nokia solution every time.

YMMV
SysAdm



 
Ali A
Guest
Posts: n/a
 
      02-21-2005
Thanks a lot for your response.

With the Nokia/CheckPoint solution, would I need to purchase add-on
modules or third party products for any of the following requirements?
In other words what comes with the original box?

- VPN (this one probably is answered already in your response but I
wanted to double check)
- IPS/IDS
- Email Gateway (Email Anti Virus like what comes with Symantec Gateway
Security Appliances)
- Web Content Filtering (e.g. URL Blocking)

Regards,
Ali

 
BradReeseCom
Guest
Posts: n/a
 
      02-22-2005
Hi Ali,

You may want to investigate the New Features and Benefits of Cisco PIX
7.0

http://www.cisco.com/en/US/products/...d80225ae1.html

Sincerely,

Brad Reese
BradReese.Com Cisco Repair Worldwide
United Kingdom: 44-20-70784294
U.S. Toll Free: 877-549-2680
International: 828-277-7272
Fax: 775-254-3558
Website: http://www.bradreese.com/cisco-big-iron-repair.htm

 
Tom
Guest
Posts: n/a
 
      02-22-2005

> But hey, the cisco pix is ok for what it is, heck I have a 515 in my rack
> at
> home thanks to ebay prices. I would possibly use it for a small office
> deployment as it quite probably works out cheaper than an SME nokia/CP
> offering. But cost aside, I'd take the nokia solution every time.
>
> YMMV
> SysAdm
>


I agree with all your points. The only downside for an SME is the price of a
Checkpoint solution. I've seen a number of almost-Checkpoint orders where
the customer has balked at the price and ended up going elsewhere and getting
a Pix or Sonicwall from someone else. Checkpoint's solution, the Edge box!
We have a number of Edge boxes and quite frankly, I would only choose to use
one as a door stop!


 
Ian M
Guest
Posts: n/a
 
      02-22-2005
Ali A wrote:
> Thanks a lot for your response.
>
> With the Nokia/CheckPoint solution, would I need to purchase add-on
> modules or third party products for any of the following requirements?
> In other words what comes with the original box?
>



Ali,

I'll admit first that I know little about PIXes or what may be appropriate for
a smallish install & budget. However, some things to bear in mind:

- You're looking at PIX vs Checkpoint, *not* PIX vs Nokia.
Nokia is only one platform that Checkpoint runs on, and an expensive
low-throughput unreliable one at that (my bias is from experience).
Have a look at Checkpoint's comparisons
http://www.checkpoint.com/products/c...ms_matrix.html

Nokia's big success, IMHO, comes from supplying a platform running VRRP
(like HSRP), so people with little high-availability network experience
think they've bought an easy 100% uptime. This is not the case. If HA
is a requirement for you, remember end-to-end connectivity, and include
layer-3 in the design.

- You look to be trying to do everything in one box. Don't. Let the
box at the edge do the minimum, and offload other services to dedicated
units. VPN stuff is usually fine, but email virus-scanning / web
content-filtering / etc is better off on separate hosts. This can be
done easily, cheaply & much more flexibly. You'll also look a lot less
silly when you don't have to shut down all VPNs, web-access & public
web-sites because of a bug in a virus-scanner.

- Checkpoint's big plus is management. If your deployment is small this
may be irrelevant, but their licencing is a complex beast.

In answer to your specific questions:

> - VPN (this one probably is answered already in your response but I
> wanted to double check)

CP does it very well out of the box.

> - IPS/IDS

Not really.

> - Email Gateway (Email Anti Virus like what comes with Symantec Gateway
> Security Appliances)
> - Web Content Filtering (e.g. URL Blocking)

Does both on built-in servers that you connect (via 'OPSEC') to
3rd-party products. As stated above, the 3rd-party products on their
own do a better job with less hassle.

HTH,
Ian
--
ian dot mulvihill at computer dot org
 
SysAdm
Guest
Posts: n/a
 
      02-23-2005

"Ian M" <> wrote in message
news:421ba145$0$23533$...

>
> Ali,
>
> I'll admit 1st I know little about PIXes or what may be appropriate for
> a smallish install & budget. However some things to bear in mind:
>
> - You're looking at PIX vs Checkpoint, *not* PIX vs Nokia.
> Nokia is only one platform that Checkpoint runs on, and an expensive
> low-throughput unreliable one at that (my bias is from experience).
> Have a look at Checkpoint's comparisons
> http://www.checkpoint.com/products/c...ms_matrix.html
>
> Nokia's big success, IMHO, comes from supplying a platform running VRRP
> (like HSRP), so people with little high-availability network experience
> think they've bought an easy 100% uptime. This is not the case. If HA
> is a requirement for you, remember end-to-end connectivity, and include
> layer-3 in the design.


Huh? From the OP's original post.... "I have been asked to consider a
Nokia/Checkpoint"....
Now tell me how that means Checkpoint and not Nokia/Checkpoint?

Low-throughput... well like I said, back in the *old* days of the old Nokia
appliances you were very much limited to the underlying PCI architecture
that the appliance was based on. The new Nokia appliances boast a
completely different architecture. In fact, since IPSO 3.8 Nokia has
integrated the CP Performance Pack into IPSO, so anyone with an existing
Nokia could achieve potentially between a 2-6x improvement in VPN
performance and concurrent connections achieved. (FWIW, the Pix chassis
still utilises an old PCI architecture.)

Unreliable... The lion's share of Nokia's success in the corporate world is
precisely because of its reliability. IPSO has had about 2 security flaws
in the past 5yrs, and they were SSHD based. How many bugs have you seen on
other OSes in that time?

HA... VRRP adds a whole lot more to the table than what the Pix HA solution
does. Additionally, Nokia Clustering provides Active/Active clustering
without any requirement to purchase any additional Checkpoint license.
If you're going to buy architecture like this and then get, as you say,
"...people with little high-availability network experience" to install and
configure it, *don't* blame the equipment.

Checkpoint's SPLAT is in a different class to IPSO (hell, the routing daemon
is a bolt-on and it's got half the stuff available that IPSO has as
standard). Checkpoint brought SPLAT out because they couldn't carry on with
their complete reliance on Nokia to help them sell their product (after all,
not too many corporates wanted to put Checkpoint on windoze).
IPSO provides a carrier-grade kernel that is time-served. Corporates like
things they can trust to work. After all, as the saying goes, no IT manager
ever lost their job buying IBM...

Whether Nokia wish to remain tied to Checkpoint for much longer is more the
pertinent question... (and that's not because they want to bring their own
complete firewall solution out either)

SysAdm




 
Ian M
Guest
Posts: n/a
 
      03-01-2005
Now well off topic, so posted to comp.security.firewalls
Sorry for delay in response; in-line...

SysAdm wrote:

>>Have a look at Checkpoint's comparisons
>>http://www.checkpoint.com/products/c...ms_matrix.html
>>

> huh ? from the OP's original post.... "I have been asked to consider a
> Nokia/Checkpoint"....
> now tell me how that means Checkpoint and not Nokia/Checkpoint ?


The customer is always right, but sometimes the customer's rightness can
benefit from a few additional facts. If they knew all about everything
they wouldn't be employing technical professionals to do their work.

> low-throughput... well like I said, back in the *old* days of the old nokia
> appliances you were very much limited to the under riding PCI architecture
> that the appliance was based on. The new Nokia appliances boast a


Based on Checkpoint's own comparisons in the above link (I don't know
how up to date it is): in the '>3Gbps' column the Nokias' $/Gbps come in
from 8.1 to 8.9 times that of the Sun iForce appliance, i.e. 8+ times
more expensive.

> Unreliable... The lions share of Nokia's success in the Corporate world is
> precisely because of its reliability. IPSO has had about 2 security flaws
> in the past 5yrs, and they were SSHD based. How many bugs have you seen on
> other OS's in that time.


In the last 5yrs I've seen a shocking number of failed disks &
interfaces. Smoking PSUs (multiple) from new top-of-range units is not
a comfortable situation in a bank's datacentres.

> HA... VRRP adds a whole lot more to the table than what the PIX HA solution
> does. Additionaly, Nokia Clustering provides Active/Active clustering
> without any requirement to purchase any additional Checkpoint license.


VRRP & HSRP have their uses; all I said was remember the application
relies on end-to-end connection. Have you seen a firewall able to send
VRRP advertisements, but not do anything else, such as forward traffic or
allow login? If not, believe me, it looks as alive to its backup
partners as it looks dead to all else.

> If you're going to buy architecture like this and then get as you say
> "...people with little high-availability network experience" to install and
> configure it *dont* blame the equipment.


Agreed, but include 'design' with 'install and configure'.


Good luck,
Ian
--
ian dot mulvihill at computer dot org
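The failure mode Ian describes in both of his posts (a firewall that still sends VRRP advertisements while it has stopped forwarding traffic or accepting logins, so its VRRP peers consider it alive while everyone else sees it as dead) can be caught by a monitor that combines VRRP liveness with end-to-end probes. The script below is an added example written for this thread; it is not Nokia, Checkpoint or Cisco code. The log format is constructed for the example: a monitoring host behind the firewall pair writes one line per VRRP advertisement it overhears and one line per probe it runs through each physical firewall (a TCP connect to a host on the far side plus a management login attempt). The three-second advertisement window mirrors VRRP's master-down detection of roughly three missed one-second advertisement intervals; the two-failure threshold is an assumption chosen so that one lost probe does not trigger a failover.

```python
"""Liveness check that separates "sends VRRP advertisements" from "actually
forwards traffic and accepts logins".

Added example for this thread, not vendor code. The log format below is
constructed for the example and is not any product's real output.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) (?P<node>\S+) (?P<kind>vrrp_advert|probe)(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed: fw-a is VRRP master and keeps advertising every second, but from
# 10:00:01 it stops forwarding and stops accepting logins. fw-b is a healthy
# backup (backups do not advertise, they only listen).
ZOMBIE_MASTER_LOG = """\
10:00:00 fw-a vrrp_advert vrid=10 prio=110
10:00:00 fw-a probe forward=ok login=ok
10:00:00 fw-b probe forward=ok login=ok
10:00:01 fw-a vrrp_advert vrid=10 prio=110
10:00:01 fw-a probe forward=fail login=fail
10:00:02 fw-a vrrp_advert vrid=10 prio=110
10:00:02 fw-a probe forward=fail login=fail
10:00:02 fw-b probe forward=ok login=ok
"""

# Constructed: fw-a dies outright (no more advertisements, probes fail); after
# three missed advertisement intervals fw-b takes over and starts advertising.
CLEAN_FAILOVER_LOG = """\
10:00:00 fw-a vrrp_advert vrid=10 prio=110
10:00:00 fw-a probe forward=ok login=ok
10:00:00 fw-b probe forward=ok login=ok
10:00:01 fw-a probe forward=fail login=fail
10:00:02 fw-a probe forward=fail login=fail
10:00:04 fw-b vrrp_advert vrid=10 prio=100
10:00:04 fw-b probe forward=ok login=ok
10:00:05 fw-b vrrp_advert vrid=10 prio=100
10:00:05 fw-a probe forward=fail login=fail
"""


def to_sec(ts):
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s


def parse_line(line):
    """Parse one monitoring line into a dict, or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "node": m.group("node"), "kind": m.group("kind")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def naive_vrrp_check(log_text, advert_window=3):
    """What a VRRP-only view reports: a node is 'up' if it advertised within
    advert_window seconds of the end of the log (about three missed intervals)."""
    last_advert, end = {}, None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        end = to_sec(rec["ts"])
        if rec["kind"] == "vrrp_advert":
            last_advert[rec["node"]] = end
    return {n: "up" for n, t in last_advert.items() if end - t <= advert_window}


def assess(log_text, advert_window=3, fail_threshold=2):
    """Per-node verdict combining VRRP advertisements with end-to-end probes.
    fail_threshold consecutive failed probes are needed before a node is
    declared unhealthy, so a single lost probe does not cause a failover."""
    state = defaultdict(lambda: {"last_advert": None, "fails": 0, "probes": 0})
    end = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s, end = state[rec["node"]], to_sec(rec["ts"])
        if rec["kind"] == "vrrp_advert":
            s["last_advert"] = end
        else:
            s["probes"] += 1
            ok = rec.get("forward") == "ok" and rec.get("login") == "ok"
            s["fails"] = 0 if ok else s["fails"] + 1
    verdicts = {}
    for node, s in state.items():
        advertising = s["last_advert"] is not None and end - s["last_advert"] <= advert_window
        failing = s["fails"] >= fail_threshold
        if advertising:
            # The case a VRRP-only check misses: still master, no longer serving.
            verdicts[node] = "zombie_master" if failing else "master_healthy"
        elif s["probes"] == 0:
            verdicts[node] = "unknown"
        else:
            verdicts[node] = "down" if failing else "standby_healthy"
    return verdicts


if __name__ == "__main__":
    for name, log in (("zombie master", ZOMBIE_MASTER_LOG), ("clean failover", CLEAN_FAILOVER_LOG)):
        print(name, "| vrrp-only:", naive_vrrp_check(log), "| end-to-end:", assess(log))
```

On the first log the VRRP-only view reports fw-a as up while the combined check classifies it as a zombie master; that verdict is the trigger for an alert or for forcing a failover (for example by lowering the node's VRRP priority), which the VRRP state machine alone would never raise. On the second log both views agree, which is the case VRRP handles well on its own.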
 