Why choose FW1 instead of PIX ? - Firewalls
-
Why choose FW1 instead of PIX ?
Hi, I'm supposed to explain to customer why he is paying a little bit more
from FW1 firewall service,
instead of Cisco Pix fw service, which would be a little bit cheaper.
But that's a good question. Customer is not using any VPNs or anything other
special that Checkpoint could provide.
They just want their networks to be secured with firewall. Does anyone have
any suggestions why FW1 would be just "better" product
of these two?
best regards mez
-
Re: Why choose FW1 instead of PIX ?
Funny you mention VPN's. If their primary focus was VPN with a rudimentary
firewall, I'd recommend the PIX. If they need granular control of what comes
in and out and an easy to read rulebase, as well as the best stateful
inspection of packets, plus speed, go with Checkpoint.
I have both and I like both of them for different reasons. Cisco seems to
'play nicer' when it comes to establishing VPN's with diverse peers. I like
Checkpoint for its granularity, speed and extra security. Checkpoint is also
available on a number of hardware platforms and several OS'es. Checkpoint
seems to scale better. Cisco seems to provide acceptable function for a much
cheaper price.
By the way, have you discussed SofaWare with your customer?
-
Re: Why choose FW1 instead of PIX ?
A couple of months ago I played with a Safe@Home box. The idea was to use
the cheap Safe@Home boxes to tunnel home users with our company, secured by
a Netscreen firewall.
The basic setup was indeed very easy but I couldn't establish a VPN tunnel
with the Netscreen wall. On the SofaWare website I found that only tunnels
with a VPN-1 server were supported.
Now I wonder how you made the Safe@Office tunnel to the PIX.
--
Regards, Jan.
"Alex" wrote in message
news:f3090034.0307022343.2e7b6e9e@posting.google.com...
> > By the way, have you discussed SofaWare with your customer?
>
> I chose a S-box Safe@Office appliance over a PIX, and I don't regret
> it. The cheapest CP firewall is the Safe@Home, which street price is
> just around $250 including both the appliance + the software. My
> Safe@Office was a bit more expensive. These SofaWare line boxes are so
> much easier to operate than the PIX, I couldn't believe my eyes. Plus
> the box gets automatic security updates from the Internet and other
> goodies. And by the way - I did succeed to establish VPN between the
> Safe@Office and a PIX without a hitch.
>
> Alex
-
Re: Why choose FW1 instead of PIX ?
> The basic setup was indeed very easy but I couldn't establish a VPN tunnel
> with the Netscreen wall. On the SofaWare website I found that only tunnels
> with a VPN-1 server were supported.
This is my PIX configuration that talks with my Safe@Office (SofaWare
support gave me a document that explains this in detail, ask them for
it). The SofaWare side is trivial.
isakmp key ******** address 212.150.8.90 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authen pre-share
isakmp policy 20 encrypt 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp enable outside
name 192.168.10.0 sbox_lan
pdm location 192.168.10.0 255.255.255.0 outside
access-list inside_out permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_out
access-list outside_crypto_20 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map outside_map 20 set peer 212.150.8.90
crypto map outside_map 20 match address outside_crypto_20
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map outside_map interface outside
sysopt connection permit-ipsec
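-
Added example, not part of the original post and not vendor code: a small Python check that cross-references the tunnel lines of a PIX configuration like the one above (an isakmp key for the peer, a defined ACL and transform-set, the map bound to an isakmp-enabled interface). The nat 0 comparison is a simplifying assumption: it matches ACL lines textually and presumes inside hosts are otherwise translated. The names audit, SAMPLE and KEYS are made up for this example.

```python
import re

# Constructed input: tunnel-related lines of the posted configuration, with
# wrapped lines rejoined and the pre-shared key masked as on the page.
SAMPLE = """\
isakmp key ******** address 212.150.8.90 netmask 255.255.255.255 no-xauth no-config-mode
isakmp enable outside
access-list inside_out permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_out
access-list outside_crypto_20 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set peer 212.150.8.90
crypto map outside_map 20 match address outside_crypto_20
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
"""
KEYS = "set peer|match address|set transform-set"  # lines every map entry needs

def audit(config):
    """Cross-reference each crypto map entry; return a list of findings."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    grab = lambda pat: [m.groups() for m in (re.match(pat, l) for l in lines) if m]
    acls = {}
    for name, rule in grab(r"access-list (\S+) (.+)"):
        acls.setdefault(name, set()).add(rule)
    tsets = {t for (t,) in grab(r"crypto ipsec transform-set (\S+)")}
    keyed = {p for (p,) in grab(r"isakmp key \S+ address (\S+)")}
    ike_ifs = {i for (i,) in grab(r"isakmp enable (\S+)")}
    bound = dict(grab(r"crypto map (\S+) interface (\S+)"))
    nat0 = grab(r"nat \(\S+\) 0 access-list (\S+)")
    exempt = set().union(*(acls.get(a, set()) for (a,) in nat0))
    entries = {}
    for name, seq, key, val in grab(rf"crypto map (\S+) (\d+) ({KEYS}) (\S+)"):
        entries.setdefault((name, seq), {})[key] = val
    out = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        out += [f"{tag}: no '{k}' line" for k in KEYS.split("|") if k not in e]
        peer, acl, ts = e.get("set peer"), e.get("match address"), e.get("set transform-set")
        if peer and peer not in keyed:
            out.append(f"{tag}: no isakmp key for peer {peer}")
        if acl and acl not in acls:
            out.append(f"{tag}: access-list {acl} is not defined")
        elif acl and not acls[acl] <= exempt:  # assumption: textual match only
            out.append(f"{tag}: traffic in {acl} has no matching nat 0 exemption")
        if ts and ts not in tsets:
            out.append(f"{tag}: transform-set {ts} is not defined")
        if bound.get(name) not in ike_ifs:
            out.append(f"{tag}: map not applied to an isakmp-enabled interface")
    return out
```

Calling audit(SAMPLE) returns an empty list for the posted lines; deleting or mistyping one of the cross-referenced lines produces a finding that names the crypto map entry.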