True on pretty much all counts,
but, when dealing with certain "audit" agencies
(especially for banks), if you have anything other than
a name brand (Cisco ASA) firewall then you have 3,987 more
pages of paperwork to fill out and justify your reasons/selection.

We maintain several, you just keep a virtual PC with each version
of ASDM and the appropriate JAVA (they only talk reliably to one
specific version for each version of ASDM) and there's nothing to it.

-- 
Larry Smith
lesm...@ecsis.net

On Thu November 15 2018 18:58, Ken Hohhof wrote:
> If it’s company CEO, they should purchase Smartnet contract and keep the
> firmware updated.  That’s about the only way you are going to fix
> vulnerabilities, hope Cisco fixes them, and keep up with the latest
> firmware.
>
>
>
> IMHO the only reason to have a Cisco  ASA at home is he needs a
> site-to-site VPN to an ASA at the office.  Meaning he has multiple devices
> at home that need to work across the VPN, otherwise he could probably use a
> software VPN client on his computer.  Or maybe non-computer devices like
> his phone need to work across the VPN.
>
>
>
> Also IMHO if this is the case, he needs a Cisco security trained/certified
> IT person to manage it.  I was OK dealing with IOS but the ASA series I
> always found very difficult to configure and maintain, I pretty much
> wouldn’t touch them.  One of my customers who had ASAs at HQ and every
> branch office had a big IT company under contract to do all their ASA
> maintenance and even though they were supposedly Cisco experts, they would
> screw up and mess everything up trying to do a simple change and end up
> taking a whole day to get it working again.
>
>
>
> A common approach seems to be start with ASDM to get a basic working config
> because you’ll never get there from the command line, but then SSH in and
> do the rest of the config manually.  Then be sure to save a copy of the
> config for when you inevitably break everything trying to make a change.
>
>
>
> If the CEO just needs a fancy router, there are probably better choices
> than an ASA.  Just not a Sonicwall.  Maybe a nice Netgear AX8, which will
> look like it’s about to take off and fly around the living room.  Or maybe a
> nice Google WiFi, he can put one in every room.
>
>
>
> But you’re probably going to say it’s the VPN thing.  Some people say it’s
> because they need a true firewall, not just a router.  But then I ask them
> what custom firewall rules they defined.  And who monitors the IDS logs and
> responds to the identified threats.  If the answers are none and nobody,
> then it’s just an expensive router.  And BTW, in my experience ASAs are
> like every other router, first troubleshooting step is to power cycle them
> and see if the VPN light comes back on.
>
>
>
> I have some customers now using firewall appliances at every site that they
> contract out to a big telco which I think is using firewall appliances
> based on pfSense.  I don’t really know enough to have an opinion, but that
> seems a reasonable way to go.  No Cisco maintenance contract to buy just to
> get firmware updates.  Just finding someone to sell you Smartnet is a pain,
> I used to call up a place like CDW.  I swear Cisco doesn’t really want your
> business unless you’re a Fortune 500 company, or government, or a big
> telco.
>
>
>
>
>
> From: AF <af-boun...@af.afmug.com> On Behalf Of Jaime Solorza
> Sent: Thursday, November 15, 2018 5:32 PM
> To: AnimalFarm Microwave Users Group <af@af.afmug.com>
> Subject: Re: [AFMUG] Router vulnerability
>
>
>
> Friend has one for ceo of his company...can you point me to sure for ideas?
>
>
>
> On Thu, Nov 15, 2018, 12:15 PM Josh Luthman <j...@imaginenetworksllc.com>
> wrote:
>
> Who's using an ASA at home?
>
>
>
> ASA has a bunch of vulnerabilities - most fixed, some not...
>
>
>
>
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
>
>
> On Thu, Nov 15, 2018 at 11:42 AM, Jaime Solorza <losguyswirel...@gmail.com>
> wrote:
>
> What is the latest on router vulnerability to hacks on ASA and home
> versions?
>
>
> --
> AF mailing list
> AF@af.afmug.com
> http://af.afmug.com/mailman/listinfo/af_af.afmug.com
