List:       vpn
Subject:    [vpn] Cisco VPN 3000 features vs. Checkpoint VPN drawbacks
From:       Siddhartha Jain <losttoy2000 () yahoo ! co ! uk>
Date:       2002-05-14 7:34:35

I have put together Cisco VPN 3000 series features and compared them to
Checkpoint in places. Can you add to the list? On either side.
--------------------------------------------------------------------------
High-Performance, Distributed-Processing Architecture

Cisco SEP modules provide hardware-based encryption, ensuring consistent performance throughout the rated capacity (3030 - 3080).

Checkpoint - Software encryption hence slower

Scalability (3015-3080)
Modular design (four expansion slots) provides investment protection, redundancy and a simple upgrade path.

Security
Full support of current and emerging security standards allows for integration of external authentication systems and interoperability with third-party products.
Firewall capabilities through stateless packet filtering and address translation to assure the required security of a corporate LAN.
User and group level management offers maximum flexibility.
Access levels are configurable by user and groups, allowing easy configuration and maintenance of security policies

High Availability
Redundant subsystems and multi-chassis fail-over capabilities ensure maximum system uptime.
VRRP protocol for multi-chassis redundancy and fail-over
Destination pooling for client-based fail-over and connection re-establishment
Redundant SEP modules (optional), power supplies, and fans (3015 - 3060)
Redundant SEP modules, power supplies, and fans (3080)

Checkpoint - No redundant subsystems and HA requires separate modules from either CP or third parties.

Robust Management
The Cisco VPN 3000 Concentrators can be managed using any standard Web browser (HTTP or HTTPS), as well as by Telnet, Secure Telnet, SSH, and via a console port.
Configuration and monitoring capability is provided for both the enterprise and the service provider.

Access levels are configurable by user and groups, allowing easy configuration and maintenance of security policies.

Administrator access is configurable for five levels of authorization.
Authentication can be performed externally via TACACS+

Role-based management policy separates functions for service provider and end-user management

VPN 3000 Concentrator Series Manager lets you configure options for assigning addresses to clients as a tunnel is established. A client must have an IP address to function as a tunnel endpoint.

Assignment configures the prioritized methods for assigning IP addresses.
Pools configures the internal address pools from which you can assign IP addresses

Checkpoint - Management only thru' GUI or CLI on the underlying OS. No role based management, only a superuser controls all policies. CP has a separate module for IP allocation.

Client Support
The Cisco VPN 3000 Concentrator supports the widest range of VPN client software implementations, including the Cisco VPN Client, VPN 3002 Hardware Client, the Microsoft Windows 2000 L2TP/IPsec Client and the Microsoft PPTP for Windows 95, Windows 98, Windows NT, and Windows 2000. Including centralized split-tunneling control and data compression
Client License - Unlimited

Automated Client update

Checkpoint - Licensing is based on the number of users.

Other features
Supported protocols - RIP, RIP2, OSPF, Static, Automatic endpoint discovery, Network Address Translation (NAT), Classless Interdomain Routing (CIDR)

Checkpoint - No routing protocols supported.

Third-party compatibility
Certicom, iPass Ready, Funk Steel Belted RADIUS certified, NTS TunnelBuilder VPN Client (Mac and Windows), Microsoft Internet Explorer, Netscape Communicator, Entrust, GTE Cybertrust, Baltimore, RSA Keon, Verisign

Monitoring
Event logging and notification via e-mail (SMTP)
Automatic FTP backup of event logs
SNMP MIB-II support
Configurable SNMP traps
Syslog output
System status
Session data
General statistics
Configure alarm thresholds for voltages in the system power supplies, CPU, and main circuit board. You set high and low thresholds for the voltages.

Checkpoint - Requires separate reporting module. No auto-backup of logs, event logging or e-mail notification. No hardware monitoring like power fluctuations.


Authentication and Accounting Servers
Support for redundant external authentication servers:
RADIUS (Remote Authentication Dial-In User Service)
Microsoft NT Domain authentication
RSA Security Dynamics (SecurID Ready)
Internal Authentication server for up to 100 users
TACACS+ Administrative user authentication
X.509v3 Digital Certificates
RADIUS accounting

Policy Management
By individual user or group
Filter profiles
Idle and maximum session timeouts
Time and day access control
Tunneling protocol and security authorization profiles
IP Pool
Authentication Servers

Checkpoint - Policy management is less granular.
