paul200310
Newcomer III

some comparison between checkpoint and Palo Alto

I see some comparisons between Checkpoint and Palo Alto. I am just sharing some differences.
 
  • Checkpoint is coded on top of the Linux kernel. Palo Alto is coded on top of FreeBSD, similar to the Juniper firewall.
  • Checkpoint calls it unified blade. Palo Alto similarly provides the same feature with a different license.
  • In Checkpoint we call it the URL filtering blade. In Palo Alto we see BrightCloud for URL filtering.
  • Checkpoint IPS is called the IPS blade. In Palo Alto we call it Wildfire.
  • Checkpoint calls it Identity Awareness. In Palo Alto it is User ID.
  • Checkpoint is, say, serial processing. In Palo Alto it is parallel processing.
Ultimately, while we see data breaches, we should go by history and the debates that come through, and see similar code being manipulated in different firewalls under different names.
 
Checkpoint and Palo Alto both work on stateful firewall technology; finally, who is most popular? Are we not thinking that reverse engineering is still alive and code is still siphoned off from one technology to another of the same type?
 
History says that someone coded NetScreen OS and the same code was merged with Juniper, but the one who wrote NetScreen himself formed a company called Fortinet.
 
If you go bit by bit, you see Symantec filed multiple lawsuits against Zscaler, Inc.
 
You may think, why am I explaining all this bogus topic!
 
Is firewall coding secure enough that no one can run an espionage tool and collect the core of its coding?
 
Just to give a heads up to all folks.
Cyber
13 Replies
Badfilemagic
Contributor II

Wildfire isn’t PAN’s IPS engine, it is their malware analysis sandbox. Also, pretty sure PanOS is based on Linux, not FreeBSD (I have been involved with FreeBSD for years and this is the sort of thing I notice). Also, Juniper didn’t get NetScreen from Fortinet. One of the NetScreen founders left to start Fortinet, which is not the same thing.

I just finished testing PAN, Check Point, and a few other solutions as breach prevention systems. Results were published last week. See https://www.nsslabs.com/security-value-maps/breach-prevention-system-bps/ for the results graphic.
-- wdf//CISSP, CSSLP
asheesh1_2000
Viewer

Hi, 

 

If you go into the history of Checkpoint, it all started when Checkpoint was running on IPSO, back in the NOKIA days. NOKIA (yes, the phone company) was making the hardware and IPSO, the operating system, on which Checkpoint used to run. This IPSO was also a customised and hardened FreeBSD. So, not to brag, Checkpoint has crossed those waters which Juniper and Palo Alto are now sailing.

 

paul200310
Newcomer III

No, PAN is based on FreeBSD only. Similar to Juniper OS.

Cyber
paul200310
Newcomer III

Juniper did not get NetScreen from Fortinet, but the one who developed it detached from NetScreen. Finally NetScreen was taken care of by Juniper.

https://en.wikipedia.org/wiki/NetScreen_Technologies

 

Cyber
Badfilemagic
Contributor II

I am curious what you're basing this assertion on. Consider PANW's own open source software listing: https://www.paloaltonetworks.com/documentation/oss-listings/oss-listings/pan-os-oss-listings/pan-os-... -- highlights include SELinux utilities and a base system package described as defining the base of a Red Hat Linux system. There are BSD-licensed utilities, but that is proof of nothing. The two mentions of FreeBSD on that page are related to a FIPS utility. The general list of known FreeBSD-based appliances does not include PAN: https://en.m.wikipedia.org/wiki/List_of_products_based_on_FreeBSD

 

 

As noted, the Check Point IPSO was FreeBSD based, but the boxes I've had occasion to handle were Linux-based.

 

Hell, even Juniper has Wind River Linux running on the actual hardware these days. JCP (JunOS Control Plane) runs inside a qemu hypervisor and then controls the hardware through virtio/virtnet drivers. This is mostly due to lack of aarch64 in older FreeBSD kernels, meaning the Linux + hypervisor layer is needed to facilitate use of Cavium processors. x86 is software emulated for JunOS.

-- wdf//CISSP, CSSLP
paul200310
Newcomer III

Looks like the report is quite old. There is no evidence that PAN is based on EL kernel.

How can we ensure the NSS report is correct and there is no pseudo information?

I did some research from my end. It is not completely correct information.

 

https://www.paloaltonetworks.com/documentation/oss-listings/oss-listings/pan-os-oss-listings/pan-os-...

 

https://www.paloaltonetworks.com/documentation/oss-listings/oss-listings/pan-os-oss-listings/pan-os-...

 

 

Cyber
paul200310
Newcomer III

I was very familiar with this IPSO voyager interface. Correct statement.

Cyber
Badfilemagic
Contributor II

First of all, what OS the devices were based on is immaterial to their efficacy, except potentially where performance is concerned. Second of all, I have confirmed with a contact at PAN that PAN-OS is based on Linux. Additionally, I never said it was based on a RHEL kernel build, but that it has elements borrowed from Red Hat and many other generic Linux/Unix components. Using a generic kernel would be stupid, because it is an appliance and a kernel image for a GPOS would not be properly tuned.

Therefore, continuing to offer incorrect technical information which does nothing to actually draw a meaningful distinction between PAN, Check Point, or any other vendors in terms of whether they protect the enterprise or even their own TCB seems like a waste.


If you’re interested generally, SFLinuxOS (on FirePOWER from Cisco) started life as Slackware, but has since been heavily modified. Originally the first Sourcefire appliances almost shipped on OpenBSD, but didn’t for reasons somewhat lost to time. As a former Sourcefire engineer, I can confirm that though.
-- wdf//CISSP, CSSLP
Badfilemagic
Contributor II

Additional information: PAN virtual appliances are based on CentOS, which explains the Red Hat basesystem metapackage on their FOSS disclosure list.
-- wdf//CISSP, CSSLP