
PIX vs RapidStream 2100


CripTiK

Feb 6, 2002
I have been looking at the RapidStream 2100, which has CheckPoint on it using VPN-1/FireWall-1 NG, and the PIX 515UR. It sounds like the battle between CP & PIX is like the battle between Ford & Chevy. What I want to know is: what does PIX do that CheckPoint doesn't (or does better)? I would like some good reasons why I should choose PIX over CheckPoint.


Thanks in advance

CripTiK-
 
PIX is very stable and has excellent throughput.

The security is based on a hardened OS. It's been around for years and is a mature and supported product.

And it's from Cisco, a company that certainly had more to do with creating the information superhighway than Al Gore.

 
Choose Checkpoint. It is the better firewall. It is a lot more expensive to buy, hardware- and software-wise, but all of the articles I have read always swayed me to choose Checkpoint in the firewall area.
 
Simple really: cost, performance, support and client-side features.

Checkpoint cost is:
- Cost of hardware platform + support of platform
- Cost of Checkpoint firewall software + support of platform
- Cost of client-side software (if using SecureClient) + support of platform

Sample UK pounds cost would be:
- Nokia IP330 £6k + £800/yr
- Combined FW+Mgmt £5k + £400/yr
- Cost per user £50

Total = £11k + (£50 * No. of users using SecureClient) + Support

Cisco cost is:
- Cost of hardware+software + support of platform

Sample UK pounds cost would be:
- Cisco 515UR = £7k + £800/yr
- Client software (includes personal firewalling) = £0 * No. of users

Total = £7k + £800/yr

I think the mathematics is very simple ;)

On the other features, PIX is faster CPU for CPU as it has no OS overheads, and has the same if not more features than Checkpoint. Checkpoint relies on firewall admins having multiple skill sets (OS vendor + firewall vendor) and therefore costs more ;). The one selling point for Checkpoint in the past was the GUI, but with the PIX PDM (and Cisco Secure Policy Manager) this is no longer the case.

The one feature that Checkpoint maybe still excels at is logging in the GUI; however, what it logs is of very limited use for intrusion analysis, whereas the PIX does log this data, but the syslog format isn't very human friendly.

I'm certified in both, and use both daily, but much prefer the PIX for all of the above reasons.
 
Interesting point! I myself lean towards Cisco and PIX, but I'm having to learn CheckPoint Firewall-1 and the Nokia platform to support our growing number of customers that use FW-1. Our sales staff are FW-1 biased and so I have to be able to support it! I was in a meeting the other day discussing the FW-1 training! The gist of the meeting was that PIX is crap and FW-1 is the business! I just sat there rolling my eyes listening to all this tripe coming from a sales person!! Oddly enough, our core network used to be protected by FW-1 on Solaris, until they took them out and replaced them with PIX firewalls!

Go figure!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 

So I think this thread shows that if you are in sales and want to maximize revenue, you like Check Point. You really like it on RapidStream, as that platform is more expensive to deploy on than PCs or routers. The RapidStream box is still a box running either Linux or Windows underneath.

Check Point and RapidStream get even more expensive if you look at failover configurations. And, based on recent reviews, it doesn't perform as well (NWFusion 2001: Chicago Blues tests).

If you actually put rules on your firewall and/or if you run NAT or PAT, the PIX will outperform a comparable Check Point firewall every time.

If you use Syslog, you'll like the PIX. Check Point still pushes info out into their own logs and requires you to run additional software to convert it to Syslog.

If you look at PDM and compare it to the Check Point GUI, you have parity. Both allow less experienced users to administer the device.

I wouldn't say it's a Ford versus Chevy comparison. It's more like 2 wheel drive versus 4 wheel drive.

Liberty for All,

Brian


 
I think the 2 wheel vs 4 wheel drive is the better comparison.

Both will get you where you need to go, but if you're experienced in 4-wheel offroading (PIX), you'll get there faster, and maybe with a bit more ease.

I like the PIX from an enterprise environment. We use the Cisco Secure ACS (with replication) to control the security in the majority of our network devices: PIXes, routers, concentrators, APs, etc. Syslog, while not pretty right off the bat, works well with central monitoring servers. We have IDS and FaultTolerant Software systems to analyze Syslog records from across the country and to take appropriate action depending on the syslog level.

It's also been my experience that the PIX gives better throughput on faster speed connections.

-Iota
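
The severity-based handling of PIX syslog mentioned in the posts above, sketched as an added example (not part of the original thread and not any poster's code). The log lines are constructed samples in the `%PIX-<severity>-<message id>:` shape, and the function names and the `alert_at` threshold are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input; addresses come from documentation ranges.
SAMPLE = """\
<162>Feb 06 2002 10:15:01: %PIX-2-106001: Inbound TCP connection denied from 192.0.2.10/4021 to 198.51.100.5/23 flags SYN on interface outside
<164>Feb 06 2002 10:15:02: %PIX-4-106023: Deny tcp src outside:192.0.2.10/4022 dst inside:198.51.100.5/80 by access-group "outside_in"
<166>Feb 06 2002 10:15:03: %PIX-6-302013: Built outbound TCP connection 101 for outside:203.0.113.7/443 (203.0.113.7/443) to inside:10.1.1.20/1033 (198.51.100.9/1033)
garbage line that is not PIX output
"""

# Optional syslog PRI, then anything up to the %PIX-<sev>-<msgid>: tag.
PIX_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?.*?%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)
ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})/(\d+)\b")  # address/port pairs


def parse_line(line):
    """Return a dict for a PIX-tagged line, or None if the tag is absent."""
    m = PIX_RE.match(line.strip())
    if not m:
        return None
    sev = int(m["sev"])
    pri = m["pri"]
    return {
        "severity": sev,  # syslog scale: 0 is most severe, 7 is debug
        "msgid": m["msgid"],
        "text": m["text"],
        "endpoints": ADDR_RE.findall(m["text"]),
        # PRI = facility * 8 + severity; if it disagrees with the tag,
        # the line was rewritten in transit or did not come from the device.
        "pri_mismatch": pri is not None and int(pri) % 8 != sev,
    }


def triage(lines, alert_at=4):
    """Split records into alerts (severity <= alert_at or PRI mismatch),
    per-severity counts, and a count of lines that did not parse."""
    alerts, counts, unparsed = [], Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # worth tracking: silent parse failures hide events
            continue
        counts[rec["severity"]] += 1
        if rec["severity"] <= alert_at or rec["pri_mismatch"]:
            alerts.append(rec)
    return alerts, counts, unparsed
```

Calling `triage(SAMPLE.splitlines())` returns the two deny records as alerts, leaves the informational connection-built record counted only, and reports one unparsed line.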
 