On Thu, Jan 26, 2006 at 12:29:14AM +0300, ArkanoiD wrote:

> (well, for PIXen I do not see a reason for them to exist at all, except
> "our network is Cisco-based" which does look valid for me. If you need a
> good packet filter, get a Netscreen)

But precisely this reason is the weakest of all - of course
most people only discover this after the sale ;-)

If you've done years of IOS configuration and maintenance
and then encounter a PIX for the first time, I predict very
bad effects on your blood pressure and your overall health.
Boy, are these devices stupid!

The "all of our products run IOS" mantra is a big marketing lie.
PIXen don't run IOS. Their command line interface mimics IOS
to some extent. But any IOS firewall feature set router can
do more things than a PIX (at least up to 6.3.something).

> And, after all, implicit rules are terrible so Checkpoint
> config is quite obscure.

Implicit NAT and implicit permit if you happen to use the
PIX Device Manager seem even worse to me.

OK, enough of this product-specific rant.

punkt.de GmbH Internet - Dienstleistungen - Beratung
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe http://punkt.de
firewall-wizards mailing list