SPLAT versus RHEL 3.0

Good afternoon. I'm trying to come up with some compelling
reasons to
switch from pure Enterprise Linux for our firewalls and
Smart Center to
SPLAT. I've been playing around with SPLAT for months and
much prefer it
to the standard RHEL Checkpoint installation but I'm running
into static
from my supervisor. He believes there are huge dangers due
to the NIC
driver and driver support in general. Can anybody give me
some opinions
one way or another on which is the preferred method. I think
I know the
answer to that. From what I've seen and heard Nokia and
SPLAT in one
shape or another seem to be the majority of installs. Am I
right in that
thinking?

Our Checkpoint vendor has been trying for a few years now to
convince us
to change to SPLAT. I totally agree. The last straw was some
memory
issues on a few of our clusters apparently caused from some
patching of
our regular RHEL OS. 

Any info or feedback will be greatly appreciated. Even if it
is against
SPLAT 

Thanks

Jeremy Lieb CCSE+NGX, CCSE-NGX
Firewall Administrator

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

The drivers issue is a complete pain, I agree with that, but
SPLAT is a
platform especially modified by Check Point to their
firewall or
SmartCenter, that guarantees a high level of security and
stability.

I work for a CCSP and our CP presales guys always ask for us
to suggest our
customers to go with SPLAT because their testings have
proved it has better
performance than any other platform on which you can run
Check Point.

Patching is a lot easier as you apply an upgrade to OS and
application
together and also allows you to be sure the new patch is not
going to give
you a headache.

Finally, using SPLAT you have a firewall deployment running
entirely under a
software architecture developed by the same vendor, for me
that makes a lot
easier to get difficult issues resolved, no matter if
application or OS
related, by the same support team and avoid situations in
which CP support
guys might give you the run around telling you "that's
a platform issue".

Honestly I don't have experience with RHEL deployments,
usually my customers
go with SPLAT, Solaris or Nokia IPSO, but I guess my
arguments would be
pretty much valid no matter the scenario.

Just a personal opinion, hope it helps.

Regards

On 9/4/07, Jeremy Lieb <jliebopentext.com> wrote:
>
> Good afternoon. I'm trying to come up with some
compelling reasons to
> switch from pure Enterprise Linux for our firewalls and
Smart Center to
> SPLAT. I've been playing around with SPLAT for months
and much prefer it
> to the standard RHEL Checkpoint installation but I'm
running into static
> from my supervisor. He believes there are huge dangers
due to the NIC
> driver and driver support in general. Can anybody give
me some opinions
> one way or another on which is the preferred method. I
think I know the
> answer to that. From what I've seen and heard Nokia and
SPLAT in one
> shape or another seem to be the majority of installs.
Am I right in that
> thinking?
>
> Our Checkpoint vendor has been trying for a few years
now to convince us
> to change to SPLAT. I totally agree. The last straw was
some memory
> issues on a few of our clusters apparently caused from
some patching of
> our regular RHEL OS.
>
> Any info or feedback will be greatly appreciated. Even
if it is against
> SPLAT 
>
> Thanks
>
> Jeremy Lieb CCSE+NGX, CCSE-NGX
> Firewall Administrator
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERVamadeus.us.checkpoint.com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http:
//www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-ownerts.checkpoint.com
> =================================================
>



-- 
Sergio Alvarez
(506)8301342

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Jeremy Lieb wrote:
> Good afternoon. I'm trying to come up with some
compelling reasons to
> switch from pure Enterprise Linux for our firewalls and
Smart Center to
> SPLAT. I've been playing around with SPLAT for months
and much prefer it
> to the standard RHEL Checkpoint installation but I'm
running into static
> from my supervisor. He believes there are huge dangers
due to the NIC
> driver and driver support in general. Can anybody give
me some opinions
> one way or another on which is the preferred method. I
think I know the
> answer to that. From what I've seen and heard Nokia and
SPLAT in one
> shape or another seem to be the majority of installs.
Am I right in that
> thinking?
> 
> Our Checkpoint vendor has been trying for a few years
now to convince us
> to change to SPLAT. I totally agree. The last straw was
some memory
> issues on a few of our clusters apparently caused from
some patching of
> our regular RHEL OS. 
> 
> Any info or feedback will be greatly appreciated. Even
if it is against
> SPLAT 

I pretty much prefer RHEL (or centos) for the firewalls. I
have more 
control of what I can install on the fw (for example a real
ftp client 
like lftp, telnet client and so on) and I hate the sysconfig
wizard (it 
makes me feel dumb for making me press 1 for X, 2 for Y and
so on). We 
run our Check Point firewalls on CentOS and this is
happening for years 
without issues. One main reason I do that is to get software
RAID on my 
machines (2 s-ata disks, raid1 mirror) because Check Point
says hardware 
raid is more reliable than software raid and this is why
they ripped out 
support for it in the installer (which is bullshit in my
oppinion, but 
hey... who am I to contradict them).

For quick setups and things I know I'm not gonna work on
them on a daily 
basis I put SPLAT just to get away with it very quickly,
especially for 
fire and forget type of installs at some customers.

sin

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Jeremy Lieb a écrit :
> Good afternoon. I'm trying to come up with some
compelling reasons to
> switch from pure Enterprise Linux for our firewalls and
Smart Center to
> SPLAT. I've been playing around with SPLAT for months
and much prefer it
> to the standard RHEL Checkpoint installation but I'm
running into static
> from my supervisor. He believes there are huge dangers
due to the NIC
> driver and driver support in general. Can anybody give
me some opinions
> one way or another on which is the preferred method. I
think I know the
> answer to that. From what I've seen and heard Nokia and
SPLAT in one
> shape or another seem to be the majority of installs.
Am I right in that
> thinking?
>
> Our Checkpoint vendor has been trying for a few years
now to convince us
> to change to SPLAT. I totally agree. The last straw was
some memory
> issues on a few of our clusters apparently caused from
some patching of
> our regular RHEL OS. 
>
> Any info or feedback will be greatly appreciated. Even
if it is against
> SPLAT 
>
>   
hi,

there are pros and cons regarding using or not using splat.
the cons are IMHO :
- drivers
- you cannot install some specific stuffs
- the HCL is not that big.
pros :
- fully integrated
- most all features you need for the firewall are included.
- you have a nice web gui (is it a pro or a con ...).

You can also find some other pros and cons to RHEL3.

The only issue I had so far was that with real linux issues,
it's not 
easy to get a proper response
from checkpoint. I had it several times when a configuration
was quite 
strange (interface not
active after boot, snmp didn't work good), and sometimes you
have to 
look for a workaround
because the only solution proposed by checkpoint is to
reinstall the 
whole stuff.
> Thanks
>
> Jeremy Lieb CCSE+NGX, CCSE-NGX
> Firewall Administrator
>
>   

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Thanks for the feedback. As I mentioned I'm trying to build
a case to move to SPLAT going forward and this will be
helpful.

Jeremy Lieb CCSE+NGX, CCSE-NGX
Firewall Administrator
Open Text Corporation
100 Tri-State Intl Parkway
Third Floor
Lincolnshire IL, 60069
18472679330 ext 4295


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM]
On Behalf Of pkc_mls
Sent: Thursday, September 06, 2007 4:03 AM
To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] SPLAT versus RHEL 3.0

Jeremy Lieb a écrit :
> Good afternoon. I'm trying to come up with some
compelling reasons to
> switch from pure Enterprise Linux for our firewalls and
Smart Center to
> SPLAT. I've been playing around with SPLAT for months
and much prefer it
> to the standard RHEL Checkpoint installation but I'm
running into static
> from my supervisor. He believes there are huge dangers
due to the NIC
> driver and driver support in general. Can anybody give
me some opinions
> one way or another on which is the preferred method. I
think I know the
> answer to that. From what I've seen and heard Nokia and
SPLAT in one
> shape or another seem to be the majority of installs.
Am I right in that
> thinking?
>
> Our Checkpoint vendor has been trying for a few years
now to convince us
> to change to SPLAT. I totally agree. The last straw was
some memory
> issues on a few of our clusters apparently caused from
some patching of
> our regular RHEL OS. 
>
> Any info or feedback will be greatly appreciated. Even
if it is against
> SPLAT 
>
>   
hi,

there are pros and cons regarding using or not using splat.
the cons are IMHO :
- drivers
- you cannot install some specific stuffs
- the HCL is not that big.
pros :
- fully integrated
- most all features you need for the firewall are included.
- you have a nice web gui (is it a pro or a con ...).

You can also find some other pros and cons to RHEL3.

The only issue I had so far was that with real linux issues,
it's not 
easy to get a proper response
from checkpoint. I had it several times when a configuration
was quite 
strange (interface not
active after boot, snmp didn't work good), and sometimes you
have to 
look for a workaround
because the only solution proposed by checkpoint is to
reinstall the 
whole stuff.
> Thanks
>
> Jeremy Lieb CCSE+NGX, CCSE-NGX
> Firewall Administrator
>
>   

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

On Thu, 6 Sep 2007, pkc_mls wrote:

> there are pros and cons regarding using or not using
splat.
> the cons are IMHO :
> - drivers
> - you cannot install some specific stuffs

I would considere this a pro and not a con. Installing extra
things on 
firewalls is decremental to the security and stability in
most cases.

Hugo.

-- 
 	hvdkooijvanderkooij.org	http://hugo.vanderkooij.
org/
 	    This message is using 100% recycled electrons.

 	Some men see computers as they are and say
"Windows"
 	I use computers with Linux and say "Why
Windows?"
 	(Thanks JFK, for this quote of George Bernard Shaw.)

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Hugo van der Kooij a écrit :
> On Thu, 6 Sep 2007, pkc_mls wrote:
>
>> there are pros and cons regarding using or not
using splat.
>> the cons are IMHO :
>> - drivers
>> - you cannot install some specific stuffs
>
> I would considere this a pro and not a con. Installing
extra things on 
> firewalls is decremental to the security and stability
in most cases.
>
sometimes, to track some bugs or issues it's interesting to
have some 
specific tools that doesn't come with splat.
for example : splat, hping, etc.
but in most cases, adding other pieces of software leads to
mors 
unstability.
I should have been more specific.
> Hugo.
>

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================