Originally posted by: cmetz
Sunner, my understanding is that the ASA is the next generation of the PIX with PIX-derived software. Cisco denies this. So my understanding is unconfirmed rumor and such.
Cisco products are usually underpowered and underperforming, it just goes with the territory. Folks with a lot of Cisco experience over-engineer their networks to compensate.
I have been extremely unhappy with Cisco's software QA in the past couple of years. Something's going on over there and it's not something good. Cisco, new product, buggy - I hear this all the time. The ISRs are still buggy and I still have major software regression problems.
In my personal opinion, CheckPoint has always sucked. I don't know why they have such a good rep. They're expensive, underperforming, they have some silly products (um, yeah, I want to run my firewall on *Windows*), and they've had security problems.
The firewall space is still not really as mature as it should be - there are plenty of bad products to choose from. You have to make your trade-offs and pick your poison.
Well, CheckPoint was the first "proper" firewall I ever got training on, so maybe I'm biased.
What I like about it is that the policy editor itself is generally excellent, at least if you have huge rule bases (yeah, that's not good, but sometimes unavoidable), and their log viewer is very, very nice for some things.
I can't say I've had any major performance headaches with them either.
They certainly have plenty of downsides though, licensing being the most annoying in my mind; I think it'd be far easier to get a solid understanding of their entire range of firewall products than to get a grasp of their licensing.
As for the ASA's, since I was more of a bystander there, occasionally helping out with some minor stuff, I don't really have any detailed info about it.
From what I've gathered though, it's kind of a mish mash of different products.
They certainly have some PIX like things in there, probably running on some old piece of junk 68040 or something.
Then the IPS part, that's running some OS of its own, probably some Linux or BSD derived thingy, and I believe I heard our network guy talking about some PowerPC processor running that.
Oh, and the policy editor sucked to begin with; Cisco gradually kept improving it to the point where our network guy (who was a Cisco guy after all, not a Check Point guy like I was) at least wouldn't start screaming after a few minutes of using it.
They seemed to have lots of problems with OSPF and VPN connectivity as well, one new firmware would fix something and break something else.
Then we have the lovely MARS that's more or less a must-have to make sense of the logging from the ASAs (at least it was when we bought them)...
It was made by Protego, which Cisco bought. It's a PC in a 1U rack case; it even has the usual PS/2/VGA/etc. ports, PC99 color coded and all. If you hook up a monitor to it, you'll see it's a Supermicro motherboard booting some custom Linux distro.
It runs and stores its logs on two RAID-0'd IDE hard drives (bigger models have more drives, unsure if any model includes mirroring), which is less than comforting, so you'd have to keep a separate log server around for any kind of reliable storage.
The rack kit sucks ass, and the case isn't exactly exceptional either, Cisco didn't even bother to remove the Protego stickers on it.
Considering its price, it's rather underwhelming.
Myeah, sorry about the rant. I guess maybe they're better these days; they were brand new when we got them, so I guess maybe our problems were typical v1.0 problems.