
Enterprise Firewalls

#1 | Charlie_Boy (Thread Starter, Scooby Regular; Joined: Oct 2002; Posts: 613; From: London) | Aug 6, 2009, 11:16 PM

We currently use both Checkpoint and Cisco ASA firewalls; however, our boss has decided that he wants to get rid of the Checkpoint firewalls, which currently serve the purpose of connecting our SecureClient VPN users and Internet/DMZ access.

I prefer the Checkpoints but wonder how I could convince him not to go ahead with his plan. I do need some strong technical reasons, though.

Any help appreciated.
#2 | NotoriousREV (Scooby Regular; Joined: Jan 2002; Posts: 11,581) | Aug 7, 2009, 11:16 AM

You mean he's planning on removing them entirely, or replacing them with something else? I take it your current set-up is that the Checkpoint is your edge router handing off to the Internet, and the Cisco is the "back" of the DMZ, which protects your internal LAN/campus network?

If so, you have a textbook security set-up: multi-vendor, DMZ. If you remove a layer, you have lost your DMZ. You could set this up via a VLAN, but that relies entirely on your remaining router not being compromised. That's not something I'd bet my career on.

I'd ask him the following questions for starters:

What's the Checkpoint costing you a year to maintain? How will you service your VPN requirements with the Checkpoint gone? How will you mitigate against the remaining Cisco getting attacked and it being the single ingress point to your network? Are you out of your gourd?
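As an added illustration of the layered design NotoriousREV describes (this is not code from the thread, nor from Checkpoint or Cisco), here is a toy Python model of the two options: a two-tier DMZ with an edge firewall from one vendor and an inner firewall from another, versus a single device carrying every zone on VLANs. The zones, addresses, rule sets and vendor labels are constructed for the example, and the `Firewall` class is a minimal stateless first-match filter rather than any product's policy engine. Running it shows that in the two-tier design a compromised edge device still leaves the internal LAN behind the inner device's policy, whereas the single-box design permits everything the moment that one box is compromised.

```python
"""Toy model of a two-tier, multi-vendor DMZ versus a single-box VLAN DMZ.

Added illustration only: zones, addresses and rules are constructed, and the
Firewall class is a minimal first-match filter, not a vendor policy engine.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

INTERNET = "0.0.0.0/0"
DMZ = "192.0.2.0/24"    # constructed (TEST-NET-1)
LAN = "10.10.0.0/16"    # constructed
ZONES = ["internet", "dmz", "lan"]   # ordered from outside to inside


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR
    dst: str             # CIDR
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and (self.port is None or self.port == flow.port))


@dataclass
class Firewall:
    name: str
    rules: List[Rule]
    compromised: bool = False   # attacker controls the box: nothing is enforced

    def permits(self, flow: Flow) -> bool:
        if self.compromised:
            return True
        for rule in self.rules:          # first match wins
            if rule.matches(flow):
                return rule.action == "allow"
        return False                     # implicit deny


def zone(ip: str) -> str:
    """Map an address to the constructed zone it belongs to."""
    addr = ip_address(ip)
    if addr in ip_network(LAN):
        return "lan"
    if addr in ip_network(DMZ):
        return "dmz"
    return "internet"


def evaluate(design: str, flow: Flow, edge_compromised: bool = False) -> bool:
    """True if `flow` reaches its destination under `design`
    ("two-tier" or "single-tier"), optionally with the Internet-facing
    device compromised so that its policy is no longer enforced."""
    edge_rules = [Rule(INTERNET, DMZ, 443, "allow")]   # public web tier only
    inner_rules = [Rule(DMZ, LAN, 1433, "allow")]      # web tier to database only
    if design == "two-tier":
        edge = Firewall("edge (vendor A)", edge_rules, compromised=edge_compromised)
        inner = Firewall("inner (vendor B)", inner_rules)
        # Each device sits between two adjacent zones; a flow crosses every
        # device between its source zone and its destination zone.
        lo, hi = sorted((ZONES.index(zone(flow.src)), ZONES.index(zone(flow.dst))))
        path = [edge, inner][lo:hi]
    elif design == "single-tier":
        # One box with all zones as VLAN interfaces and both rule sets merged.
        path = [Firewall("single box", edge_rules + inner_rules,
                         compromised=edge_compromised)]
    else:
        raise ValueError(f"unknown design {design!r}")
    return all(fw.permits(flow) for fw in path)


if __name__ == "__main__":
    probes = {
        "internet -> DMZ web (443)": Flow("198.51.100.7", "192.0.2.10", 443),
        "internet -> LAN SMB (445)": Flow("198.51.100.7", "10.10.5.20", 445),
        "DMZ web -> LAN DB (1433)": Flow("192.0.2.10", "10.10.5.20", 1433),
    }
    for design in ("two-tier", "single-tier"):
        for compromised in (False, True):
            print(f"{design:11} edge compromised={compromised}")
            for label, flow in probes.items():
                verdict = "PERMIT" if evaluate(design, flow, compromised) else "DENY"
                print(f"  {label:28} {verdict}")
```

The model deliberately treats "compromised" as "policy no longer enforced", which is the failure NotoriousREV is pointing at: with one box, there is nothing left between the Internet and the LAN once that box is lost, regardless of how the VLANs were drawn.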
#3 | David_Wallis (Scooby Regular; Joined: Nov 2001; Posts: 15,239; From: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?) | Aug 7, 2009, 02:15 PM

As above...

I wouldn't replace Checkpoint/Nokias with much. We use Nokias/ASAs for our web/app tiers and also use a SonicWall for some internal DMZs, but I wouldn't ever rip out a Checkpoint FW just because I fancied using something different.

What technical point is he basing this decision on? And what quantifiable gains are to be had by changing? None, or backhanders, I suspect.

David
#4 | Charlie_Boy (Thread Starter, Scooby Regular; Joined: Oct 2002; Posts: 613; From: London) | Aug 7, 2009, 11:01 PM

His idea is to remove the Checkpoints and have ASAs only. Currently we only have the CPs, but we proposed to have a dual layer with both firewalls. He is having none of it; he seems obsessed with having ASAs everywhere, and yes, he does get backhanders from our Cisco supplier in the form of footy tickets he never shares with his team.

What gets me is the simplicity of the Checkpoints for troubleshooting and administering; it's such a backward step going to ASAs. He wants to make use of the VPN licensing that the ASAs come with.
#5 | tarmac terror (Scooby Regular; iTrader: (2); Joined: May 2005; Posts: 2,500; From: Northern Ireland) | Aug 8, 2009, 06:38 PM

I would agree with all said above. I am by no means an expert in this area, but I would agree with your preference for a dual-layer, multi-vendor implementation. It depends what his motives are for the change; a few footy tickets ain't much when your enterprise is lying open to the world because your boundary protection is compromised.

I am a little out of date in this area, so my statements may need checking before you run with them... I have had limited exposure to 5510s and Checkpoint NGX.

I think the Checkpoint solution offers more off-the-shelf functionality than the 5510s: Checkpoint offered IPS built in, whereas the Cisco ASA needed another module to enable this functionality. So that was one plus point for Checkpoint.

Consider also the true throughput figures for each system. Cisco will often quote theoretical figures based on clear text, and this may not be achievable in your working environment.

If I recall rightly, ASA will not support VPN in security contexts, and the deeper you get into security contexts the more buggy and problematic they are.

What is most likely to sway the argument one way or another in the current climate is the total cost of ownership. Three column headings: Procurement, Operations, Growth/Change. Then, against each of these, show supported costs for factors such as hardware, training, resilience, etc. If you can back this up with the business benefits of staying with a dual-layer, multi-vendor solution, he will have to take a conscious decision to ignore your documented proposal, based on sound reasoning, in favour of a perhaps less beneficial and more costly solution.

By the way, I read an interesting article earlier this week which stated the following:

Check Point has a broad range of security gateways, available as software as well as Check Point's UTM-1 and Power-1 dedicated appliances. More than 700,000 Check Point security gateways have been licensed with over 100,000 customers worldwide. The Check Point customer base includes 100 percent of Fortune 100 and 98 percent of Fortune 500 companies.

Cisco are in the top 10 of the Fortune 100 rankings.

Last edited by tarmac terror; Aug 8, 2009 at 06:43 PM.