PIX should be crying now -- what a POS it is. I can tell you from experience. I wouldn't deploy a PIX if you gave it to me. However, Check Point is a powerful competitor and they have a very strong product, unlike Cisco who really should get out of the software security market -- that's not their core competency and it shows big time.
Just wait and see what ISA 2007 has for us. Then compare the prices and the feature sets. We'll see who'll be eating crow in 18 months.
C'mon Tom, tell us how you really feel about Pix. :-)
Personally, I think you seriously understated how lousy it is. The only people I know that buy Pix are ones who have bought into Cisco lock, stock and barrel.
Check Point's done some good stuff, particularly with end point security. If Microsoft turned that firewall client into a real firewall, one that could be used for laptops through servers for host protection, and had good management capabilities like configuration by groups and policy pushes, they would have one winning product.
You're right about that. I've pushed and pushed several ideas on how to fully leverage the firewall client to provide "one of a kind" protection for the Firewall client machines, but my ideas never seem to stick or even get acknowledged.
If you want to see a nice rant on the dreaded PIX, check out:
Just out of curiosity, where does the Netscreen fall into this discussion? My guess would be between Pix and CP, but I don't have experience with CP. What are your thoughts, guys?
I've never thought much about the Netscreen. I'd put them above PIX, but below ISA and Check Point both in terms of stateful packet inspection and application layer inspection. The Cisco and Juniper application layer inspection feature sets are pretty immature at this time, which makes sense, because these are networking companies, not security companies. The job of a networking company is to move packets as quickly and efficiently as possible, which is clearly not the same goal as that of a network security specialist.
That's why this "networking guy" grandfathering into the network security role is such a travesty and why it's created such a gaping security hole on most networks I know. It's sort of like when in the 1920's the USA moved into the era of modern medicine, but the barbers were grandfathered in. We ISA firewall admins are like the new doctors post Flexner, and the "networking guys" are the barbers still applying leeches for a good "bleeding" (unfortunately, they're bleeding their employers dry with insanely expensive "hardware" crap that doesn't work).
Do you have a more accurate estimate as to when they think they will release ISA 2007? I think you mentioned once that one of the improvements in ISA 2007 will be automatic fail-over from Forms-based authentication to basic for OWA so that we don't have to worry about jumping through hoops with different listeners and such.
I still haven't been able to get my TREO 700P to work with ActiveSync because of the "No Trusted Root Certificate" problem when using self-issued certificates.
Is there a thread that talks about setting up ISA to work with Exchange using just Basic authentication for both OWA and OMA and ActiveSync?
I just upgraded to a MotoQ and had the same issue. There is a utility on the Microsoft site that will allow you to add certificates to VZW mobile phones. I have not tried it on the Treo but it has worked on multiple Motorola Q's.