Summary: Firewalls

From: R. Marc Baldus <>
Date: Wed Jun 19 2002 - 14:18:26 EDT
Thanks to:

Adam L.
Lonnie R.
Jennifer S.
Asher F.
Wade S.
Steve P.
Ed M.

Most comments are below with the original question at the end.

A very humble thanks to all those who responded so quickly.  With the 
exception of one individual, I received very helpful comments.  Though 
the jury is still out, most seemed to find that anything utilizing Check 
Point was favorable.

Again thanks,
Marc B.


We used to run Sun E250's with Checkpoint FW1.  I understand that the
Nokia appliances kick butt in performance over a standard Sun.

We then switched to PIX 515s.  Couldn't stand them.  Cisco upgraded us to
520s at no cost because of the problems we had.

I generally don't deal with the firewalls, because I don't speak
Cisco-ese, but I can't *stand* the PIXes.  I'll take a Checkpoint firewall
any day.  I understand they're powerful, but frankly, the interface and
rules system is so convoluted that it drives me nuts.  Also, it's
apparently not easy to just add an intermediate rule -- you have to tear
down the whole ruleset and rebuild it.  Checkpoint is much friendlier in
this regard.  As for logging, I don't know what the Nokia can do, but I
wish I had better logging from the PIX.

I haven't even looked at the Nokia, but I'd be inclined to buy it over the



Have you looked at the Netscreen gear???

Easy to manage, very good throughput, however it may be a little bit more


We are using Nokia IP530 w/ Check Point. (I'm sure of the Nokia model)
I think we went for that solution due to $$$ but not sure. The Nokias are
very stable and we haven't had a problem yet. We implemented about 2 months

Thank you,

          Jennifer S


I would definitely go for the checkpoint/nokia direction if cost is not the
checkpoint configuration flexibility is a lot better.
IMHO PIX works fine in simple/typical networks, but gets really complicated
when you're on a larger network with a lot of subnet and
the only complaint I have for checkpoint is its pricing.



I have used both and prefer the checkpoint solution for the following

Admin is easy and intuitive.
Add ons such as transparent http/smtp/ftp virus scanning / filtering are
Logging and reporting are way better on checkpoint.



I use both in our environment, and I find the Nokia/FW1 mix to be a good
choice if you have to deal with PHB's and GUI-only types.  While the PIX
offers some nice GUI tools, I like being able to SSH or telnet in and work
on the command line.  Since VPN isn't an issue, you won't go wrong with
either.  I think it's going to be a matter of price and personal

Ed M.


I run 26 firewalls worldwide. 22 are Check Point on Sun, 4 are Pix. I've set
up Nokia two different times with license problems each time. I use Check
Point for its logging, debugging, support, and the way it hides most of the
complexity so others understand the firewall too. I'm replacing the 4 Pix
with Check Point, and moving all VPN to Cisco as all sites are fully meshed
VPNs to all other sites, and I don't like that attacks bring down my VPN
tunnels at



Your opinion is valued...

We are trying to decide between the Cisco PIX 525 and the Nokia IP530 
w/Check Point.

Does anyone have any opinions about either of these, be it good or bad?
sunmanagers mailing list
Received on Wed Jun 19 14:23:25 2002
