CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

Hello, we typically use Checkpoint on Nokia and Cisco PIX/ASA. We are looking into a better approach to doing our VPN sites. I'm looking into the Checkpoint appliances. I'd like to know if these CheckPoint appliances make good VPN solutions. We are looking at about 100 small remote sites going into a central location. The remotes we are looking at: UTM-1 270. The host site we are looking at: Power-1 5070. Anyone have good or bad experience using these devices as VPN site to site? Can they be managed by SPLAT? Thanks
-pat13b

Both work quite well and can easily be managed by a central Check Point SmartCenter Server. SPLAT should be running on both models. Depending on the size of your small remote sites you might also want to consider going for UTM-1 Edge appliances. They can also be managed centrally on your SmartCenter Server and put into simplified VPN communities to connect with all other offices. That's the good thing about Check Point: central management, logging and monitoring of all kinds of Check Point appliances. Compared to UTM-1 appliances, UTM-1 Edges are really affordable (in most cases even a UTM-1 Edge cluster is cheaper, as the license already includes hardware and software).

dantro, thanks for the response. I'm confused about your SPLAT comment. If we already have a SPLAT box that just manages our Nokias, can I use this with these appliances, or do I still need SPLAT on each appliance? Thanks again
-pat13b

SPLAT = Check Point SecurePlatform. SPLAT is just an operating system (basically a RedHat Linux hardened by Check Point and offered for free to all Check Point users to save license costs for Windows, Linux or Solaris, which are also supported). You say a SPLAT box manages your Nokias. What is running on SPLAT? A SmartCenter Server? Then it would make sense. Otherwise not. As SPLAT is just an OS, it can't do anything else than provide a shell and run some applications. So you don't need SPLAT on each appliance. However, it would be the recommended OS.

Thanks for clearing that up. We use SPLAT as a management server only (SmartCenter Server). I think I understand that the OS on these appliances is SPLAT as well, as opposed to, say, the Nokias that use IPSO. Thanks
-pat13b

We have a Checkpoint/Nokia central cluster with Windows SmartCenter and we have a couple of Edge devices out there too, managed centrally. It all works well, with good visibility and control centrally. We are now just looking into a solution for some remote sites, and after looking into Nokia/Checkpoint, Cisco ASAs and some Checkpoint hardware offerings we have decided on a cluster of UTM-1050s. Under the total solution package all the licensing and support is in the one box. Much cheaper than the same Cisco ASA solution.
sam

I understand that this is a Checkpoint forum, and I am a big fan of Checkpoints; however, I would have to say that from a management and troubleshooting perspective, I would go with an ASA. Checkpoint VPNs are the easiest to set up but the hardest to fix. They are notorious for subnetting encryption domains for no reason. Their Phase I and II tokens reveal no useful information regarding the tunnel. And any useful VPN debugs have to be copied off of the firewall and reviewed with a special application (IKEVIEW) that Checkpoint does not offer to everyone.
Netleets.com IT Security news: IT Security news and information.

Quote:
Thanks for the information.

Quote:
I have to respectfully disagree with you on this. ASA is better to manage and troubleshoot than CP? I do not think so. Are you telling me that the ASA "capture" command is a better troubleshooting tool than tcpdump or fw monitor? That debug crypto isakmp and debug crypto ipsec are better than vpn debug ikeon/trunc? In ASA, how are you going to handle a rulebase with 25,000 objects and about 800 rules in the security policy, with about 16 interfaces to deal with and complex NAT on top of that? How are you going to manage 200 of these devices? If you're telling me that you're going to use Cisco Security Manager, CSM, to do this, then you do not know what is coming. Solsoft Policy Security Manager is not that great either. Back in 2005, when I worked for a Managed Security Service Provider, MSSP, Cisco did come in and asked me to eval the CSM because we were thinking of ASA at the time. The Cisco team told me that CSM is the greatest thing since sliced bread and it could do a lot of things. I sat down with Cisco and showed them Provider-1 and told them my requirements. In other words, I told Cisco that I want to manage Cisco ASA the same way I managed Checkpoint and I want the look-and-feel of Provider-1. Well, they told me that CSM cannot do that because it is more of a tool geared toward enterprise and not service provider. By the way, I did try CSM and it is really crappy and unstable. Checkpoint has its disadvantages too, but overall, I would take Checkpoint as firewalls over Cisco ASA any day. For remote access VPN, I would stick with Cisco VPN concentrator, and for site-to-site VPN, I would stay with Cisco IOS. For SSL VPN, I will go with Juniper. I stay away from Cisco ASA. I work in an environment where we have 3 CCIE Security, but when it comes to firewalls, we unanimously picked Checkpoint firewalls. That says something about Cisco ASA platforms.

Quote:
The IKE log is a fully human-readable file. It does contain a LOT of information, much more than a "crypto isakmp debug", and can be a little daunting to read if you don't know a lot about how IPSEC works. IKEDEBUG is a good tool, much better than anything I've seen from Cisco, but is not required. In fact I tend not to use it and just read the log file.

Also, can you expand on this comment?
Quote:

One final comment on this: if you can use the same VPN headend at all sites, you will be a lot better off. Interoperable VPN is still a bit of a misnomer. Can you make it work? Sure, but it's a lot easier to go VPN-1 to VPN-1 or ASA to ASA!

Without quoting any specific text, I have to also respectfully disagree with your assessment. There are always a few 'gotchas' in ANY system. CP does seem to have maybe slightly more than its fair share, but overall I think CP is easier to troubleshoot for nearly any issue because the logging ability is second to none. The tools available for in-depth (packet level) troubleshooting are also superior when properly utilized.
__________________
There's no place like 127.0.0.1