Checkpoint is a very strange brand. On the one hand, it is a _well known
brand_, _many awards_, _editors choice_, etc etc. I know a network consultant
who installed a few hundred of them, and it works.
On the other hand, every time I have to deal with these beasts (we do
not use them, but some of our customers use them), I have the impression that it is
the worst firewall in the world:
- for HA, you need a very expensive Solaris cluster (compare with PIXes) /I
can be wrong, but it is the overall opinion/.
- to change a VPN, you must reapply the whole policy, causing service disruption (I
saw a 1 day outage due to an unsuccessful Checkpoint reconfiguration);
- the VPN has numerous bugs (it is not 100% compatible with Cisco's by default;
of course, I can blame Cisco, but Checkpoint is _the only_ one of my peers
which has this problem);
- the configuration is not packed into 1 single file, making change
control difficult, etc etc...
All this is _very_ subjective, of course; but those customers who use
Checkpoints are the only ones who had problems with firewalls. If I
compare it with the plain, reliable and _very simple_ PIX (PIX is not state of
the art, of course) and some others... I begin to think of Checkpoint as
one more _brand bubble_. At least, I always advise _against_ it.
PS. Security for dummies... interesting idea. Unfortunately, this book
should start with _100% secure computer = dead computer_ -:)
Why not? People really need such a book!
Of course 'back in days' when Firewall-1 started and
firewalls@greatcircle.com was *the* network security ML, PIX was an
utter pile of poo and F-1 was very nice, thank you.