do you prefer Pix as your firewall or ?

Discussion in 'Cisco' started by Kerry, Jan 20, 2004.

  1. Kerry

    Kerry Guest

    I am curious as to what your firewall of choice is...say Pix (include model)
    or what (software or hardware), and why?

    Or, what your customers prefer?

    thanks, Kerry
     
    Kerry, Jan 20, 2004
    #1

  2. Jason Kau

    Jason Kau Guest

    I use CheckPoint, NetScreen, and Cisco for my customers, depending on
    their needs, wants, and beliefs--and my own beliefs.

    I generally use a PIX when:

    1) The customer is already a Cisco-heavy shop and the customer is
    comfortable managing network appliances via the command-line (if they
    intend to eventually manage the firewall themselves). Or the customer has
    Cisco Catalyst 6500's as their switching/routing core--the PIX-based
    Firewall Services Module is very convenient.

    2) The customer doesn't need any of the fancy features found in CheckPoint
    or Netscreen (i.e. transparent mode, good deep packet inspection, virtual
    firewalls, etc.).

    3) If I'm going to manage it remotely (because you can do everything via
    the CLI over a very slow SSH/dial-up connection).

    4) Doesn't intend to use the firewall as a feature-rich VPN gateway
    (because they already have a VPN server/gateway/appliance or they don't
    like to do both VPN and firewalling on the same box).

    5) The customer isn't going to have dozens and dozens of firewalls to
    manage. Cisco VMS/Management Console for Firewalls will get the job done
    but in a barely adequate fashion.

    I generally use a NetScreen when:

    1) The customer prefers to use a web-based GUI (NetScreen's WebGUI is far
    superior to PDM).

    2) The customer needs transparent/bridging mode. CheckPoint appliances
    support this too but I suspect NetScreen does this better.

    3) The customer needs virtual firewalls/routers in one appliance.

    4) The customer is going to use Neoteris SSL VPN appliances. Neoteris was
    acquired by NetScreen, so this allows them to get everything from the same
    vendor.

    5) The customer does have a dozen or so firewalls and is relatively
    satisfied with GlobalPRO (NetScreen's centralized management). In my
    opinion, Netscreen GlobalPRO is better than Cisco VMS/Manage Center for
    Firewalls--but CheckPoint SmartCenter/SmartConsole is better than both.

    I generally use CheckPoint when:

    1) The customer has MANY firewalls and needs the most powerful centralized
    management.

    2) The customer wants a specific platform. For example, they already
    have a Crossbeam X40 for IDS and they can just buy additional blades to
    add a CheckPoint firewall. If the customer is a Nortel shop, they're
    often more comfortable with the idea of using a Nortel Alteon CheckPoint
    appliance or running CheckPoint on their Nortel Contivity VPN appliances
    (yes, you can run CheckPoint on a Nortel Contivity) than investing in a
    completely new vendor.

    3) The customer likes the idea that a CheckPoint license is not tied to a
    specific platform. This allows the customer to abandon a platform, e.g.
    Nokia IPSO, and move the license to another platform, e.g. Crossbeam C30,
    as their needs change.

    4) The customer wants a single box that does everything very well, VPN,
    firewall, IDS/deep packet inspection, etc. and wants a very powerful VPN
    thick-client. IMO, CheckPoint SecureClient is better than Cisco VPN
    client and NetScreen VPN client--but of course you pay more for it too.

    5) Cost is not as much of a concern. A certified CheckPoint appliance
    with the CheckPoint licenses that performs as well as a NetScreen at
    stateful packet filtering is going to cost you a lot more than the
    NetScreen. Although, CheckPoint fanatics might argue this is not true
    because you can go with SecurePlatform (CheckPoint's customized Linux OS
    for running CheckPoint) or Linux and use cheap but high-quality COTS PC
    hardware.

    All three of these vendors make adequate products (although Cisco PIX is
    very close to being inadequate IMO).

    In general, I find myself recommending Cisco PIX less and less and
    NetScreen more and more.
     
    Jason Kau, Jan 21, 2004
    #2

  3. Kerry

    Kerry Guest

    I appreciate the detailed reply...

    thanks, Kerry
     
    Kerry, Jan 21, 2004
    #3
  4. Richard Sanderson

    Richard Sanderson Guest

    Hi,

    I agree, Netscreen are in a very strong position - I believe the
    original designers were PIX (Cisco) and Intel employees?

    The netscreen has a lot of Cisco like features - but with all the nice
    virtualization / SPI and bridging features - the PIX is still trying
    to catch up.

    Not too keen on Checkpoint as I have had bad experiences with the
    midrange Nokia boxes.

    But saying all that I still have around 16 PIX installed (525s /
    506s / 515s) :) and am just about to buy the inline 6000 modules.

    Rich
     
    Richard Sanderson, Jan 21, 2004
    #4
  5. Seb Maz

    Seb Maz Guest

    Hi,

    My current company uses Netscreen, and I help my brother's small hosting
    company which uses Cisco.

    First of all, note that my company's firewall's loads are far heavier than
    my brother's firewalls' ones, so my judgement may be biased.

    IMO

    Netscreen strong points:
    - a novice can actually make a working config with their easy WebUI.
    - Fancy features
    - In an NS box, you can have routing functions (I thought to put this in the
    fancy features, but well, let's give them credit for their efforts...)
    - Performance very good for their price
    - VPN settings on WebUI take less than 1 min. to complete

    Netscreen weak points:
    - No support (maybe there is in the US?)
    - No documentation. When there is, it's plain wrong or incomplete; you
    wonder if they actually tried what they write
    - Very little support available on the web, not many developed communities
    - You'd better purchase 2 boxes at once, because if one box dies you wait ages
    before a replacement (maybe it's different in the US?)
    - WebUI is incomplete; many critical commands are available only in the CLI
    - New versions of the NetOS are published too often; you feel like you
    upgrade all the time.
    - Their router features implementation is messy (totally proprietary imo)
    - Remote access (via VPN) config is a nightmare, and is very limited
    - No port forwarding (or maybe in the latest version?)

    -> I didn't choose to use NS in my job. That's OK now, but I felt so much
    pain at the beginning of their implementation that if I have one day to
    decide on a firewall for my company, it won't be Netscreen. Moreover, I am
    always afraid that some issue appears and that I won't be able to fix it
    quickly because there is no (or little) support available.


    Cisco strong points:
    - So much documentation available out there! Including this NG...
    - Courses and/or books can teach you how to correctly set up Cisco boxes
    - Cisco support (including hardware support that can be guaranteed in x
    hours)
    - I prefer PDM to the NS WebUI; it requires more in-depth knowledge from the
    admin, but at least you understand what will happen when you select this
    option A or this option B. You feel much more confident (hey, that's just a
    feeling! it does not guarantee you won't crash the box). To compare with NS:
    NS hides the networking concepts, Cisco requires you to know your stuff.
    - PIX command line *looks* the same as the IOS. Key commands are totally
    different, but once again you feel confident with a PIX prompt (contrary
    to a NS CLI prompt)
    - Remote access (via VPN) config is sooo much easier than NS's
    - Port forwarding feature available

    Cisco weak points:
    - VPN settings under the command line are a nightmare
    - I'd think attacks against PIX are more documented on the net than against
    NS's
    - You will always need a Cisco pro in your team to maintain a PIX (or an
    expensive maintenance contract with some service provider); maintenance cost
    is higher for PIX than for NS.

    I feel more comfortable with Cisco than NS...personal taste maybe. Netscreen
    is for sure increasing its quality, support, perf. and starts to be a
    pioneer in firewalling, but still, if I were (remember, I'm not!) a big
    company, just wanting to be sure that my network admin (or anyone else) can
    fix the box in case of any problem, I'd take Cisco.

    If I want a box easily set up, easily maintained, and with good
    perf., I'd take Netscreen.

    Sebastien
     
    Seb Maz, Jan 22, 2004
    #5
  6. Bikespace

    Bikespace Guest

    If you're considering Netscreen, then you have to look at Fortinet
    www.fortinet.com

    It's like Netscreen with a development program. Company set up by the previous CEO
    of Netscreen
     
    Bikespace, Jan 24, 2004
    #6