ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1

Christopher L. Morrow chris at UU.NET
Thu Feb 5 17:45:16 UTC 2004


again, not that I care about the vendor in question.. BUT

On Thu, 5 Feb 2004, Alexei Roudnev wrote:

>
> Checkpoint is a very strange brand. On the one hand, it is a _well known
> brand_, _many awards_, _editors' choice_, etc etc. I know a network consultant
> who installed a few hundred of them, and they work.
>
> On the other hand, every time I deal with these beasts (we do
> not use them, but some of our customers do), I have the impression that it is
> the worst firewall in the world:
> - for HA, you need a very expensive Solaris cluster (compare with PIX-es) /I
> may be wrong, but it is the overall opinion/.

wrong, get nokia's and run checkpoint on them, they do VRRP natively, it
rocks... does stateful failover so you can't even tell when one dies.

> - VPN has numerous bugs (it is not 100% compatible with Cisco's by default;
> of course, I can blame Cisco, but Checkpoint is _the only_ one of my peers
> which has this problem);

this actually works well, provided you configure it correctly; there is an
example for a pix/CP vpn config at:
http://www.phoneboy.com/bin/view.pl/FAQs/VPNsBetweenFourOneAndCisco

not that phoneboy should be anyone's substitute for support on the cisco
or CP side, of course.


> - Configuration is not packed in 1 single file, which makes change
> control difficult, etc etc...

right, this is actually a huge problem for MSSPs, having to do everything
via a gui is bad :(