<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Opinion: Checkpoint Buys Nokia Security Appliances &#8211; Time to Change</title>
	<atom:link href="http://etherealmind.com/checkpoint-buys-nokia-security-appliances-time-to-change/feed/" rel="self" type="application/rss+xml" />
	<link>http://etherealmind.com/checkpoint-buys-nokia-security-appliances-time-to-change/</link>
	<description>Network design, architecture, thinking, working. Tech.</description>
	<lastBuildDate>Fri, 10 Feb 2012 18:43:00 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Brandon Stevens</title>
		<link>http://etherealmind.com/checkpoint-buys-nokia-security-appliances-time-to-change/#comment-778</link>
		<dc:creator>Brandon Stevens</dc:creator>
		<pubDate>Thu, 18 Aug 2011 15:22:00 +0000</pubDate>
		<guid isPermaLink="false">http://etherealmind.com/?p=1141#comment-778</guid>
		<description>I&#039;ve posted a retort here...

http://fwadmin.blogspot.com/2011/08/little-firewall-debate-is-healthyright.html</description>
		<content:encoded><![CDATA[<p>I&#8217;ve posted a retort here&#8230;</p>
<p><a href="http://fwadmin.blogspot.com/2011/08/little-firewall-debate-is-healthyright.html" rel="nofollow">http://fwadmin.blogspot.com/2011/08/little-firewall-debate-is-healthyright.html</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Sam</title>
		<link>http://etherealmind.com/checkpoint-buys-nokia-security-appliances-time-to-change/#comment-777</link>
		<dc:creator>Sam</dc:creator>
		<pubDate>Wed, 28 Oct 2009 23:42:09 +0000</pubDate>
		<guid isPermaLink="false">http://etherealmind.com/?p=1141#comment-777</guid>
		<description>Not to worry.  The OS that the Nokia Siemens Networks (NSN) GGSN and SGSN run on branched off of IPSO many years ago. NSN has ample software development knowledge and resources to continue supporting their OS for years to come.</description>
		<content:encoded><![CDATA[<p>Not to worry.  The OS that the Nokia Siemens Networks (NSN) GGSN and SGSN run on branched off of IPSO many years ago. NSN has ample software development knowledge and resources to continue supporting their OS for years to come.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Greg Ferro</title>
		<link>http://etherealmind.com/checkpoint-buys-nokia-security-appliances-time-to-change/#comment-776</link>
		<dc:creator>Greg Ferro</dc:creator>
		<pubDate>Thu, 08 Jan 2009 20:13:59 +0000</pubDate>
		<guid isPermaLink="false">http://etherealmind.com/?p=1141#comment-776</guid>
		<description>I have to disagree. Because the troubleshooting on the Checkpoint / Nokia is not integrated you don&#039;t get a coherent view of problems on the firewall. That is, the fact that logging is done in multiple places, with different interfaces and language makes it very difficult to use, learn and maintain. Sure, if all you do is trace packets then it works well enough but if you are attempting to work out why an intermittent fault occurs then CP/NK is the most frustrating product to work on. 

When this is coupled with the &lt;em&gt;very&lt;/em&gt; high price of purchase and support, Checkpoint is an unsuitable choice for almost every situation. Even if you have a CP/NK in place, you can usually get ROI in less than one year by replacing with Cisco/Juniper.</description>
		<content:encoded><![CDATA[<p>I have to disagree. Because the troubleshooting on the Checkpoint / Nokia is not integrated you don&#8217;t get a coherent view of problems on the firewall. That is, the fact that logging is done in multiple places, with different interfaces and language makes it very difficult to use, learn and maintain. Sure, if all you do is trace packets then it works well enough but if you are attempting to work out why an intermittent fault occurs then CP/NK is the most frustrating product to work on. </p>
<p>When this is coupled with the <em>very</em> high price of purchase and support, Checkpoint is an unsuitable choice for almost every situation. Even if you have a CP/NK in place, you can usually get ROI in less than one year by replacing with Cisco/Juniper.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Charles</title>
		<link>http://etherealmind.com/checkpoint-buys-nokia-security-appliances-time-to-change/#comment-775</link>
		<dc:creator>Charles</dc:creator>
		<pubDate>Thu, 08 Jan 2009 18:45:21 +0000</pubDate>
		<guid isPermaLink="false">http://etherealmind.com/?p=1141#comment-775</guid>
		<description>Greg,
   I always enjoy reading your opinions. They are well thought out and justified. This is no exception. However, there are lots of folks who prefer CP over Cisco or Juniper and actually have experience to back it. I too have worked all three products in small and large environments. They each have their good and bad side. In the end, a layer 3 firewall is exactly that. Layer 3 (or 4 or both whatever you want to call it). If that is your entire defense you are seriously lacking. You need layer 7 FWs, IDS/IPS, logging correlation, etc. I&#039;m a command line fan and had a tough time adjusting to CP&#039;s mostly GUI only options. I was much happier with PIX or NetScreen. This is trivial at least in my opinion as I spend very little time actually configuring. Once a configuration is in place, it&#039;s usually stagnant. What we spend more time doing than anything is troubleshooting. To clarify: I mean that the world seems more and more complicated and the people who understand networking and security and &quot;black boxes&quot; seem to be a smaller and smaller subset of the IT population. So we spend a lot of time explaining to people (a) what we see and (b) what is actually happening. For this, I actually prefer IPSO and CP. TCPDUMP with headers only tells me what is broken and where 90% of the time on the network. 

1. It&#039;s not getting to me.
2. You&#039;re sending a RST.
3. I&#039;m NATting like you asked but you are blocking me.

Captures on PIX and snoops on Juniper are ok but not as efficient to me. Being able to apply custom scripts is very convenient as well. 

That said, the cost of maintenance and licensing on CP is ridiculous. Especially compared to other platforms. We are a mixed vendor shop due to mergers and whatnot and won&#039;t think twice about pulling a pair of 515s out of the lab and throwing them in production if we have a small implementation or need a quick solution. 

PS: We get our maintenance thru another source as opposed to going thru CP for the same reasons most people do. It is painful. 

Your comment about IPS is interesting. We actually separate these functions by design. It may mean more gear but it simplifies troubleshooting and management/control issues as well. IDS/IPS is a separate group from the FW guys. Checks and balances so to speak. 

In the end I think they all balance out. We are having our CP and reseller come talk to us in the next few weeks to get a gauge for how much panic we really need to apply to this announcement. We&#039;ll see how things go.</description>
		<content:encoded><![CDATA[<p>Greg,<br />
   I always enjoy reading your opinions. They are well thought out and justified. This is no exception. However, there are lots of folks who prefer CP over Cisco or Juniper and actually have experience to back it. I too have worked all three products in small and large environments. They each have their good and bad side. In the end, a layer 3 firewall is exactly that. Layer 3 (or 4 or both whatever you want to call it). If that is your entire defense you are seriously lacking. You need layer 7 FWs, IDS/IPS, logging correlation, etc. I&#8217;m a command line fan and had a tough time adjusting to CP&#8217;s mostly GUI only options. I was much happier with PIX or NetScreen. This is trivial at least in my opinion as I spend very little time actually configuring. Once a configuration is in place, it&#8217;s usually stagnant. What we spend more time doing than anything is troubleshooting. To clarify: I mean that the world seems more and more complicated and the people who understand networking and security and &#8220;black boxes&#8221; seem to be a smaller and smaller subset of the IT population. So we spend a lot of time explaining to people (a) what we see and (b) what is actually happening. For this, I actually prefer IPSO and CP. TCPDUMP with headers only tells me what is broken and where 90% of the time on the network. </p>
<p>1. It&#8217;s not getting to me.<br />
2. You&#8217;re sending a RST.<br />
3. I&#8217;m NATting like you asked but you are blocking me.</p>
<p>Captures on PIX and snoops on Juniper are ok but not as efficient to me. Being able to apply custom scripts is very convenient as well. </p>
<p>That said, the cost of maintenance and licensing on CP is ridiculous. Especially compared to other platforms. We are a mixed vendor shop due to mergers and whatnot and won&#8217;t think twice about pulling a pair of 515s out of the lab and throwing them in production if we have a small implementation or need a quick solution. </p>
<p>PS: We get our maintenance thru another source as opposed to going thru CP for the same reasons most people do. It is painful. </p>
<p>Your comment about IPS is interesting. We actually separate these functions by design. It may mean more gear but it simplifies troubleshooting and management/control issues as well. IDS/IPS is a separate group from the FW guys. Checks and balances so to speak. </p>
<p>In the end I think they all balance out. We are having our CP and reseller come talk to us in the next few weeks to get a gauge for how much panic we really need to apply to this announcement. We&#8217;ll see how things go.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Greg Ferro</title>
		<link>http://etherealmind.com/checkpoint-buys-nokia-security-appliances-time-to-change/#comment-774</link>
		<dc:creator>Greg Ferro</dc:creator>
		<pubDate>Sat, 03 Jan 2009 23:31:24 +0000</pubDate>
		<guid isPermaLink="false">http://etherealmind.com/?p=1141#comment-774</guid>
		<description>Yes, the SGSN and GGSN platforms are worrying because Nokia are very big in this space. If Nokia is moving to focus on handsets, where does this leave the telcos?</description>
		<content:encoded><![CDATA[<p>Yes, the SGSN and GGSN platforms are worrying because Nokia are very big in this space. If Nokia is moving to focus on handsets, where does this leave the telcos?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: J.G</title>
		<link>http://etherealmind.com/checkpoint-buys-nokia-security-appliances-time-to-change/#comment-773</link>
		<dc:creator>J.G</dc:creator>
		<pubDate>Sat, 03 Jan 2009 11:29:27 +0000</pubDate>
		<guid isPermaLink="false">http://etherealmind.com/?p=1141#comment-773</guid>
		<description>For me it&#039;s just anything that comes from Nokia/Siemens that&#039;s just a pain. I have to say though the IPSO platform up till a while back was not so badly off. I have used their GGSN and 3G SGSN running on the said platform...what I wonder is who will lead the development/enhancements for IPSO for other products?</description>
		<content:encoded><![CDATA[<p>For me it&#8217;s just anything that comes from Nokia/Siemens that&#8217;s just a pain. I have to say though the IPSO platform up till a while back was not so badly off. I have used their GGSN and 3G SGSN running on the said platform&#8230;what I wonder is who will lead the development/enhancements for IPSO for other products?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tim</title>
		<link>http://etherealmind.com/checkpoint-buys-nokia-security-appliances-time-to-change/#comment-772</link>
		<dc:creator>Tim</dc:creator>
		<pubDate>Fri, 26 Dec 2008 04:37:52 +0000</pubDate>
		<guid isPermaLink="false">http://etherealmind.com/?p=1141#comment-772</guid>
		<description>Spot on there brother. HATE Checkpoint support with a passion.</description>
		<content:encoded><![CDATA[<p>Spot on there brother. HATE Checkpoint support with a passion.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

