Re: [FW-1] Checkpoint vs. Cisco VPN Client
We're rolling out the Cisco Unified VPN client with their 3000 series concentrators. I don't really know the SecureRemote solution very well. The Cisco VPN software 3.5 now provides for pushed security policies on the Windows client. You can require various brands of firewall on the client and actively monitor to make sure the firewall software is still running. Also, the Cisco client does a great job of tunneling IPSec over UDP or now TCP to get past NAT devices that don't pass IPSec. The Cisco client software is free (unlimited copies) with purchase of a concentrator and support. The Cisco client also works on some *nix variants and MacOS X, but those platforms don't support the pushed firewall policies. Consensus on the web seems to be that Checkpoint has a better interface for managing multiple concentrators / servers, though.

James Fraser
[email protected]

-----Original Message-----
From: "Atkinson, Ron" <[email protected]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
Sent: 01/24/2002 02:28 PM
Please respond to: Mailing list for discussion of Firewall-1
To: [email protected]
cc:
Subject: Re: [FW-1] Checkpoint vs. Cisco VPN Client

Most VPN solutions (other than CheckPoint) support both their own VPN and Microsoft clients (PPTP and L2TP/IPSEC). It really comes down to two reasons: 1. Supporting Microsoft native clients, 2. IPSEC issues. IPSEC currently only supports shared-secret and digital certificates for authentication.
Any other method is proprietary, hence the reasons why everyone releases their own clients that support other modes such as XAUTH (which I believe was disapproved by the IETF), mode config, etc. Since PPTP and L2TP/IPSEC actually have been standardized, this is one case in which Microsoft supports a standard and everybody else does it proprietary. This is also the reason why Microsoft did not release a remote access IPSEC VPN client but instead released it by using L2TP for authentication and IPSEC for the encryption piece.

CheckPoint does support IPSEC in LAN-to-LAN mode, so you can use Windows 2000/XP in that mode by configuring the firewall for each client manually. You're going to have to know the client's IP address, and if it changes, you need to update the firewall. Also I believe that Windows 2000 by default has shared-secrets disabled and you need to make a registry change to enable it. The reason why is that shared-secret is only supported in the IPSEC specification as an interim solution while people are rolling out digital certificates. Plus shared-secrets are clear-text, which is the other reason why Microsoft doesn't leave it on by default.

The reasons to stick with a custom client over Microsoft ones are actually pretty easy. One is the support for alternative authentication methods, such as SecurID next token and change PIN, basic authentication, etc. But what I feel is the primary reason is client control. Most of the VPN clients out there can be somewhat configured or controlled remotely by the server. CheckPoint has SecureClient in which a security administrator can write security policies and force it upon the client to make sure the client is secure before allowing access (great feature, minus the quirks it has). CheckPoint is probably ahead of about everybody on this and it's probably the best reason to stick with it if you already have it rolled out.
Other clients may use methods of control such as disabling split-tunneling, forcing the client to not save users' passwords/PIN numbers, etc. When you use a client made for the VPN box you get these extra features; when you use the native Microsoft client you lose these features and have no idea if the client's computer is secure or not (e.g. the user can control things locally like split-tunneling instead of a security admin at the server level).

Since IPSEC basically only really supports LAN-to-LAN and is seriously lacking remote access features, the IETF is working on new standards for supporting remote access. When these standards are finalized, then you'll probably see VPN clients finally compatible with each other. For now though you're stuck with native clients with features, or Microsoft without the features (sounds strange to say 'Microsoft without the features', doesn't it?).

Ron Atkinson

-----Original Message-----
From: Gasaway, Troy [mailto:[email protected]]
Sent: Thursday, January 24, 2002 2:18 PM
To: [email protected]
Subject: [FW-1] Checkpoint vs. Cisco VPN Client

Okay, we have a new boss who loves Cisco and he thinks it is the answer to all. So, he has already ruled that all Site-to-Site VPNs are to be replaced with Cisco gear. Now he is asking about the client side of Checkpoint. So, I need some strong facts as to why Checkpoint has a better VPN setup for the client side than Cisco. Unfortunately I am not up on Cisco products too much, but I hear that you can use Microsoft's IPSEC client to connect to a Cisco VPN device instead of using the Cisco client. I think this is the main reason he wants to use Cisco. Can you use Windows 2K to connect to Checkpoint or do I have to use the Checkpoint Client?
Thanks,
Troy

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================