| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| I am looking at many options - but as melipla says it is an option to keep security policies in sync. Anyway, why would the method of ACL deployment affect performance - surely it's just about the amount of ACLs? |
| |||
| It doesn't affect performance. I have to assume the yugo here is the router and not the Check Point. As for the question, it works within its limitations. VMS, or whatever it's called now, is probably a little more flexible, but unless Cisco has changed it, it tends to write ACLs that no one can understand. I at one point had a customer with a Management Module (predecessor to SmartCenter) who was running nothing but OSEs to manage several 100s of routers and PIXen. The PIX/ASA isn't supported any more though. |
| |||
| Cisco VMS (VPN Management Server) is a piece of sh_t. Cisco has re-branded a new product called Cisco Security Manager (CSM), which is an enhanced product of VMS. CSM is another piece of sh_t. The point I am trying to make here is that Checkpoint SmartCenter or CMA is designed to manage Checkpoint products (InterSpect, Firewall, Connectra, etc.). Checkpoint SmartCenter or CMA is NOT designed to manage Cisco PIX/ASA or IOS routers. Cisco and Checkpoint are competitors, and Checkpoint will NOT design a product to help Cisco manage its security devices, and vice versa. Checkpoint is a security company while Cisco is NOT. There will always be a "lag" behind for SmartCenter or CMAs to support the latest revision of either IOS or PIX/ASA code. Last but not least, use it at your own risk. If I have to pick a product to manage Cisco security devices, Solsoft seems to be the best product out there at this time. Solsoft still sucks, but it is better than both VMS and CSM combined. |
| |||
| Thanks for the advice on Solsoft, I will take a look. But whilst I agree Cisco will never help with Checkpoint, the other way round is always a possibility. Checkpoint are a software company and do not deal in routing and layer 3. The software uses the underlying operating system, whether it be Linux, Nokia or Windows. So they are not in competition with Cisco for routing and realise a large proportion of their client base use Cisco routers. So although for us the first answer is to look at Cisco products for ACLs, Checkpoint is still worth a look. Being able to apply policies from the same security interface and even review logs through the tracker may be of some benefit. I take the point about the lag in the latest code revisions, but this would probably be the case for any vendor other than Cisco. Also, in a large-scale environment, turnaround in upgrading IOS is not fast, and generally there is a delay anyway with product revision testing and waiting for any bugs/flaws to be spotted and fixed first anyway. |
| |||
| H*ll, Cisco's management lags its IOS :) OSE is a solution, though there are likely better ones out there. I don't see a lot of OSE in the field, so I would doubt there is a lot of development effort on it. As for logs, SmartCenter can take in SYSLOG and Eventia can even alert on Cisco events. |