Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Can U recommend a good UK Check Point Support Company? 2

Status
Not open for further replies.

StoneColdDave

Technical User
Oct 3, 2002
16
GB
I am looking for a new company to support Check Point Firewall-1 4.1 & NG, yeah I know 4.1 is no longer supported by Check Point.

But I would be grateful if anyone can recommend any good UK support companies. As our current support company seems to know less about Check Point than I do!!!

Thanks
 
Who is your current support company?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Thanks for the recommendations

I don't want to state our current support company on a public board, well not until we have officially ditched them.

The problem I have with them, is that they don't seem to have greater dept of Check Point knowledge than myself, which kind of defeats the object of having them. I would like support from a company who really know their stuff, instead of a company that replies to every problem with "I will call you back" or "upgrade to the latest patch" and advising to try the obivous.
 
Integralis

we use them for our Boston, San Fran (US) and London offices.

JBead
 
I can recommend GFI-Informatics in the UK. They have been excellent in setting up our Firewall and have a great depth of knowledge.
 
Hi Dave,

Support for checkpoint is a nightmare. I have a similar problem with the company we use. I feel like i am often one step ahead in the book than them and if i have a problem its not that they know the answer its that they have the nokia or checkpoint database to search.

By far the most knowledgable company i have come across is


which is not a very big company but the chap who runs it - Nick Roffey - has the skills to troubleshoot a problem he doesnt have the answer to - very important in checkpoint.

If like us you couldnt support your infrastructure from a small company i would get nick to upgrade your infrastructure to NG and then buy an enterprise support agreement direct from checkpoint.

I think unipalm or allasso would also be good because they are one step from checkpoint. Eg. if i buy checkpoint support from the people who support us the support contract is from uniplam.

Thanks
 
Thanks for info, I'm sure someone will find this post useful.

BTW I've since ripped out the Check Point boxes and replaced them with Cisco PIXs ;)
 
Personally I don't like Firewalls to be on Linux or Windows platforms, nor on that Nokia crap (glorified 486s).

Cisco PIX use their own secured OS called Finese, plus it links into our Router & Switch structure (all Cisco) well, easy to control and manage

 
That's a pretty personal view. You should maybe take a slightly less biased look at what Linux, Solaris, Windows and Nokia can actually offer you before writing them off in such an out-of-hand manner though.

Remember Check Point don't occupy the market leading position for no good reason.

...and it's been a long time since I came across a client throwing out Check Point in favour of PIX... it's usually the other way around :)



========================================
Find out about what I do for a living at
========================================
 
Remember Check Point don't occupy the market leading position for no good reason."

Just wondering, other than sales, why you think a Check Point Firewall is better than a Cisco PIX, I've never been one to follow sheep ;)

In my experience
For one the Licencing on the PIX is striaght forward and simple, it's ready to go out of the box. You don't have to re-license to change the external IP address, no filling out of company details and typing in activation codes. There's different type of PIX for different size of solutions, all with unlimited clients.

FW-1, except perhaps for the Nokia version, is "software based" and dependent on the underlying operating system (Unix or Windows). I personal don't like this, OS can be a security hole. OS problems lead to problems with the Firewall. Certainly PIXs can boot much quicker than a Check Point on an OS platform

PIX upgrades are FREE!!! You don't have to pay like Check Point upgrades.

I know you can do this in Check Point, but I can centrally manage all my PIXs, but I can manage the Routers as the same time, which is really handy for auditing, documentnig and troubleshooting.

I can setup a PIX in just a few minutes, or replace an existing PIX in less than 5 minutes should I have a perform a hardware swap. It's much easier to backup or load a Cisco Config than a Check Point one.

I have also been using Stateful Failover on larger installations. I've tested it, if you switch off Pix A, the backup PIX kicks in after a few seconds delay, user activites currently going on such as downloads and browsing aren't effected and carry on unaware. I know Check Point offer this, but I'd though I mention it.

Finally I think PIXs are cheaper, especially if you want to do VPNs on the cheap.

I can see why people might not go for a PIX, if they are not IOS literate, but you there is a Mangement GUI you could use these days and there is always the HMTL access on the PIX. You don't need a special client to access a PIX eithe.

So, that pretty much my reasons.
 
1. Check Point can be implemented on SecurePlatform a pre-hardening OS, which from research has less published vulnerabilities at present than IOS.

2. You can manage routers with OPSEC modules, and define OSE devices to push out ACLs.

3. Upgrade Export/Import is quick and it takes less than 5 mins to install SPLAT.

4. Check Point can use ClusterXL, Nokia VRRP, StoneBeat, RainWall, REsilience, and a host of other more advanced clustering and load balancing sultions.

5. SDM & PDM do not give you the flexiablitity you require.

THE MOST IMPORTANT FACTOR IS CHECK POINT INVENTED AND SUPPORTS THE ONLY TRUE STATFUL INSPECTION, THEY OFFER SMARTDEFENSE AND ENDPOINT SECURITY SOLUTIONS NOT RIAVELED IN THE MARKET, AND IF YOU REVIEW THE LATEST RESEARCH JUNIPER NETSCREEN AND PIX HAVE BEEN VUNERABILE TO ATTACKS THAT CHECKPOINT SOLUTION PROACTIVE PROTECTS AGAINST AND WAS NOT VULNERABILITY.
 
I can think a few things right of my head about some of the
disadvantages of using Cisco Pix:

1) Cisco Pix does not support FW load balancing
(i.e. Active/Active). If you want to push more than
1GB of traffics, you have to use the FWSM (FireWall
Switch Module). That would require a purchase of
a Catalyst 6500's chassis. Guess what, the MFC-720
Supervisor module alone costs about 30k, just for a
single sup. We are not even talking about the chasis,
power supply, linecard and the FWSM module yet.
Bottom line, no support for Active/Active in Cisco Pix.
There are talks that they will be supported in version
7.0. I'll believe when I see it. Checkpoint with
ClusterXL on SPLAT Nokia IPSO Clustering can do
Active/Active/Active and can pust 3GB of throughput.

2) There is NO centralized management for Cisco Pix.
Please do NOT tell me about the Cisco Vpn Management
Solution (VMS) crap. It is completely junk. Try to
run this crap on either Windows or Solaris. It is
not that cheap either. It can NOT do the thing that
Checkpoint Provider-1 can.

3) Cisco Pix PDM is nothing junk. Whoever at Cisco
wrote the piece should be fired for that. Nokia
Voyager will blow away the PDM.

4) Logging in the Pix is a completely disaster.
Everything is done via syslog server. A complete
disaster. Logging on Checkpoint is second to none

5) Remote management of Cisco Pix is a complete
disaster. Pix does not support SSH version 2.
It only supports version 1. I don't trust version
1 because of security holes. How the hell am I
supposed to manage the pix across the Internet?
Nokia/SPLAT supports SSH version with AES.

6) Cisco Pix only supports snmp version 1. Isn't
that a security vunerability? On the contrary,
Nokia/SPLAT supports snmp version 3 which allow
the firewalls to be managed across the Internet
safely?

7) Have you ever tried to configure dual NAT
inside an VPN tunnel with Cisco Pix? It takes at
least an hour to accomplish this assuming that
you don't screw it up and take down your connection.
I can do this with Checkpoint in less than 5 minutes.

8) Have you ever tried to configure a Pix firewall
with 6 interfaces? Try to keep track of all the
security level on all interfaces can be a nightmare.
I would go with Cisco IOS that include Firewall
feature set.

9) Have you ever tried to configure, in Cisco
word, "hairpinning" with remote access? It can
NOT be done. You can do that with Cisco IOS or with
Checkpoint Office mode.

10) How do you backup the Cisco Pix? via tftp?
What a joke. Traffics over the wire in clear
text. In Checkpoint, everything can be done via
Secure Copy. Scp runs over SSH version 2 which
is very secure. At least, it is NOT tftp.

11) Cisco Pix version 6.3.4 is still in Early
Deployment (ED). Do you really want to put the
beta code on your production site? Downgrade?
Guess what, 6.3.3 is also ED too. Downgrade
again? Guess what version 6.2.2 doesn't support
PPTP.

12) If I have to choose between Cisco Pix firewalls
and Cisco IOS + Firewall set, the answer is simple,
I go with Cisco IOS.

13) Have you ever tried to run debug on Cisco Pix?
Debug command is a F! joke. "capture" command is
another joke. The only commands that I find useful
on Cisco pix are "debug crypto isakmp" and "debug
crypto ipsec". Nothing beat "tcpdump" and fwmonitor
in Checkpoint.

14) Can Cisco Pix prevent "sql injection" via http or
stop user from using instant messenger from
transferring files while allowing them to communicate
via IM like Yahoo or AOL? Checkpoint can do that
with Web Intelligence and Smartdefense in NG AI R55W.

15) Be careful when you say people don't like Pix
because they are not IOS literate. That is very
offensive. Are you CCIE security certified? Have
you ever been sitting in the CCIE security lab exam?
I've been working with Cisco products since 1998.
In my opinions, Cisco IOS is much easier to use
than Unix. I learn Cisco IOS commands in 5 days.
By the way, Cisco IOS is NOT the same as PIX OS.
Again, Cisco Pix PDM is a piece of crap. If you put
a lot of NAT (interface-name) 0 on the pix and vpn
such as crypto map, the PDM will NOT parse
these lines in the configuration and you can only
access the pix in "monitor" mode. You are F!

I am not saying that checkpoint is the end-all be-all
solution. However, it is an excellent firewall
compare with Cisco Pix. Cisco IDS is also another
lousy product but that besides the point. The other
firewall that can compete with Checkpoint is
Netscreen. Netscreen firewall is quite good and
Netscreen Security Manager(NSM) can be used to
managed multiple Enforcement Modules.

There are instances where I can see pix can be used
is that you have a two tier firewall solution. I
would put Pix in tier-1 for speed and checkpoint
in tier-2 for inspection and logging.

I do agree with you that licensing in Cisco Pix is
very simple and easy to understanding. Checkpoint
licensing is quite complicate and difficult to
understand. I have been working with checkpoint
for almost five years now and I still don't
understand how licensing in checkpoint work.

Your statement regarding "nokia" as "Nokia crap
(glorified 486s)". Did you know that the Cisco
Pix520 and the Nokia IP440 have the exact same
motherboard and same NIC. Are also aware that
both the Nokia IP740 and Pix535 also have the
exact same hardware? Basically same crappy
glorified 486s that you bashed Nokia? Does
it make Cisco Pix a crappy 486s box as well?

Finally, even though Pix is cheaper, you get what
you pay for, an inferior product.

Your comments reflect a person with NO knowledge
of security products even with Cisco. It also
comes across as someone without a formal higher
education or formal training, the type that,
if you ever become an IT manager, director or
CIO, will make a fool of himself. So next time
before you go ahead and bad mouth Checkpoint or
another vendor, please get your facts
straight and do dilligent research before opening
your mouth and sound like a complete idiot.

wirelesspeap
 
StoneColdDave,

"In my experience
For one the Licencing on the PIX is striaght forward and simple, it's ready to go out of the box. You don't have to re-license to change the external IP address, no filling out of company details and typing in activation codes. There's different type of PIX for different size of solutions, all with unlimited clients."

Every Pix hardware model has it limitations, read the F!documentation.

By the way StoneColdDave, you're my Cisco's dream customer
because I am also an SE for a Cisco VAR. I love all the
Cisco's KoolAid drinker like you. Make my job scamming customer like you much easier.

wirelesspeap

 

Wirelesspeap SLAMDUNKED StoneColdDave

I fall to me knees in respect of your knowledge. I am quite new to the real world of security, but it became obvious in about 15 minutes of reading and comparing the various firewall vendor solutions, some of the limitations you mention above. The statement knowledge is power, or perhaps common sense in this case is power, is too true.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top