
Cisco ASA 5510 vs Checkpoint R65

Status
Not open for further replies.

yipster

IS-IT--Management
Feb 21, 2005
234
US
Hi,

I am thinking of upgrading our firewall from Checkpoint NGX R62 on Splat to Cisco ASA 5510.

The performance on our Checkpoint isn't that great. Plus software maintenance is very costly and their support is horrible.

Can anyone give me some feedback on the performance of the ASA 5510? VPN is a very important functionality.

thanks
 
How many VPN users do you plan on having? Are you planning to use client based or SSL based VPNs?
 
10 VPN users. I prefer SSL due to the performance.

The most important thing is the Site to Site VPN.
 
I had an old office that used the Checkpoint. It worked but required a lot of babysitting and was expensive to boot. I really like the Cisco products. I have used a number of different firewall products and I keep liking the Cisco over them all.
Once you get used to it, configuring it is a snap and there are a lot of support docs. The people here are also a great resource.
My 2 cents, anyway.




Brent
Systems Engineer / Consultant
CCNP, CCSP
 
So I'll try to be vendor independent. (Although I'm a Cisco Mark)


Your Checkpoint performance issue could be several things.

Are you doing any proxying?

What do you define by poor performance? Slow http, slowness in general, VPN Traffic Slow?

What hardware is it running on?

Checkpoint is a good firewall and has a lot of capabilities. Managing it is somewhat easy if you're only doing filtering. Move pretty pictures around and create a policy. Anything beyond that can be cumbersome at times. If you don't have support on the product you won't get as much help on forums like this, but they do have a good knowledgebase for paying customers. Running on a hard drive is the biggest peeve I have with Checkpoint. So many times the hardware fails and then your firewall is in the crapper. Oh yeah, good luck with your failover, CP Cluster, VRRP, StoneBeat :(

Cisco in my opinion is the most reliable firewall I've experienced. Very fast, reliable and straightforward. The config file tells it like it is and you don't have to hunt for hidden settings. Something Checkpoint lacks.

Cisco Support is the best in the industry and like Brent said you are going to get more documentation about how to configure, how something works than anywhere else. And the good part is the documentation gets made continuously.

VPN is very easy to configure, maintain and update. Cisco is RFC compliant and will work with most vendors for VPN. Here is a link to the data sheet. You could probably get better numbers from a sales rep:



 
Also, what is the difference between the ASA VPN and IOS VPN?
 
The ASA/PIX OS works only on PIX and ASA hardware platforms. The IOS firewall/VPN only works on routers.


Which one you get depends on your current needs and future growth plans.
Basically, ASA/PIX hardware is mostly a security device (VPN, firewall, IPS, IDS, etc.). It doesn't do all the functionality that a router will do. But for most environments it will do perfectly.

Routers do much, much more but the firewall, VPN, IPS, IDS capabilities are a little less robust.





Brent
Systems Engineer / Consultant
CCNP, CCSP
 