Thursday, August 18, 2011

A little firewall debate is healthy...right?

Hi all,

I recently ran across an opinion piece from a few years ago where a guy posted the question "Why WOULD you buy Check Point firewalls?"
 http://etherealmind.com/checkpoint-buys-nokia-security-appliances-time-to-change/


First of all I'll go one better than this guy and clearly state my allegiance...I have been working with Check Point firewalls since 1998 v3.0b and feel quite strongly that as an overall product the Check Point firewall is a far superior product to either Cisco or Juniper products.
I'll summarize my opinion of this article by saying this...although it is true that Check Point products are expensive to license, when you factor in all of the costs associated with actually operating a firewall in the enterprise it is clear that the Check Point firewall is actually very competitively priced.
When comparing price a lot of people will fall into the unrealistic trap of just comparing licensing/cap-ex costs and not taking into account the soft costs, such as the effort to operate them in the enterprise. This gets very sticky, but one thing is abundantly clear: if you have an environment that is distributed AND you process a large number of rules every month, then you are MUCH better off with a Check Point firewall. This bold statement can be empirically tested and proven.
Here is a good example...
Let's say you are an administrator for a large enterprise and you are given a rule request with 5 sources, 10 destinations, and 5 ports, and this rule needs to be applied to 30 firewalls (this is not an unusual request in large enterprises). With a Check Point firewall this request can be completed in a matter of minutes from a single User Interface with a single rule. This is a HUGE time and effort savings for a Check Point firewall admin over Cisco or Juniper admins.



Here are his main points:

"Let me give you a brief list of my complaints and problems with Nokia / Checkpoint firewalls:
  • The price of Nokia and Checkpoint maintenance contracts is astronomical.
  • New features and capabilities take a l-o-n-g time to appear in the product, usually after every other vendor has delivered.
  • Upgrading and managing Provider-1 is much harder and more painful than Cisco Security Manager or Netscreen Security Manager. Yes, I have installed and operated them all.
  • Using Cisco Security Manager and Netscreen Security Manager is much easier and more intuitive than using Provider-1.
  • The process for upgrading IPSO / Firewall-1 software is painful compared to Cisco ASA / Juniper NetScreen.
  • IPSO / Firewall-1 performance is low and poor value for money. Delivering multi-gigabit performance is a pointless exercise since it costs so much in licenses and hardware.
  • legendary support – so legendarily bad that many people don’t even bother contacting Checkpoint with problems.
  • poor integration – loading a static arp in IPSO for every NAT rule in Firewall-1 makes my teeth ache.
  • Documentation is atrocious, and hidden behind a paywall.
and I could go on. And on."

