In the enterprise scenario, I would go so far as to say that 1 device is
not enough, and that each device is part of an overall security
policy.  Perhaps access list/firewall protection, and a user/pass
authorization, and NAT for the more secure info.

        Brian

On Fri, 23 Mar 2001, Moe Tavakoli wrote:

> It was assumed that the question was a result of an
> implementation in an enterprise system.  Of course in a
> school or a small company where uptime does not = $
> there is no issue, use Linux, use MS Proxy for all
> that matters.  But in an enterprise where uptime is
> essential, there is money at stake and information has
> lots of value, I would sleep easier at night knowing
> that I have an enterprise level platform with a solid
> proven track record, backed by a company who is
> focused on producing and supporting systems to enable
> me to focus on doing what I'm good at...
>
> Moe.
>
> --- Priscilla Oppenheimer <[EMAIL PROTECTED]> wrote:
> > How about if the customer is strapped for money. I
> > work at a school.
> > Luckily our students haven't gotten sophisticated
> > enough to break into the
> > Linux firewall but I don't think that day is too
> > far away. Some of them
> > are very smart and they are learning Linux and
> > networking in their classes.
> > But PIX is too expensive, I think??
> >
> > Priscilla
> >
> > At 09:24 AM 3/23/01, Rik wrote:
> > >I have seen way too many Linux firewalls hacked as
> > a result of
> > >mis-administration.  Now, I'm not assuming anything
> > about your abilities as
> > >the last confirmed hack that I was notified about
> > was a Linux FW setup by 2
> > >guys that I know to be excellent Linux admins.  The
> > problem is the inherent
> > >nature of the beast.  A PIX is totally secure right
> > out of the box.  The
> > >last Linux hack I speak of was hacked based on an
> > exploit within BIND and
> > >had nothing to do with the FW policy.
> > >
> > >I also find the PIX to be MUCH easier to configure
> > and setup.  I can do in
> > >only a few lines of code what could possibly take
> > pages and pages of code in
> > >Linux.  When talking about firewalls, simplicity is
> > a critically important
> > >concern.  One compromise could easily remove any
> > upfront cost advantage
> > >Linux has over Cisco.  Also, you don't have to be
> > concerned with shutting
> > >down unused services on a PIX as you would on
> > Linux.
> > >
> > >Go with the PIX.  It was designed from the ground
> > up to do just what it
> > >does: protect your network.  Cisco claims that a
> > properly configured PIX has
> > >never been compromised.  I believe them.
> > >
> > >Rik
> > >
> > >
> > >"Sean Young" <[EMAIL PROTECTED]> wrote in message
> > >news:[EMAIL PROTECTED]...
> > > > Hi Everyone,
> > > >
> > > > My company is putting me in charge of
> > implementing a Firewall for our
> > > > company.  One guy in my networking group is
> > recommending PIX Firewall.
> > > > Furthermore, he also recommends a Cisco
> > Web-caching engine.  His reason
> > > > is that not only is Cisco a good firewall but it
> > also provides VPN
> > > > connectivity to our remote sites.  Myself, on
> > the other hand, would
> > > > like to implement a Linux-based OS firewall along
> > with FreeS/WAN VPN
> > > > feature set.  My reason is that a Linux
> > firewall can provide everything
> > > > a Cisco PIX does and even more.  In terms of
> > hardware, the linux Firewall/
> > > > VPN/IPSec box will be running a dual-processor
> > (800MHz) with 1GB of RAM.
> > > > I just feel that I can get a lot more for the
> > amount that we are going
> > > > to spend with linux than with Cisco PIX.  I also
> > feel that I can tweak the
> > > > source code on the LINUX kernel to increase the
> > performance and security.
> > > > Also, instead of purchasing the Cisco
> > web-caching engine, I am thinking
> > > > of building another linux box that will be
> > running squid (web-caching)
> > > > server.  Don't get me wrong, I think Cisco has a
> > lot of good products
> > > > in the area of routing; however, I just don't
> > think it is necessary to
> > > > throw away money at Cisco when I know that Linux
> > or BSD can do the same
> > > > job that PIX and Cisco web-caching engine do but
> > for much less and also
> > > > I can control the source code.  Has anyone had
> > experience with both
> > > > the Linux/BSD, Squid and Cisco PIX, Cisco
> > web-caching engine so that
> > > > you can give advice on what I should do.  I am
> > open to your suggestions.
> > > >
> > > > Many thanks.
> > > > Sean
> > > >
> > > >
> > > > _________________________________
> > > > FAQ, list archives, and subscription info:
> > >http://www.groupstudy.com/list/cisco.html
> > > > Report misconduct and Nondisclosure violations
> > to [EMAIL PROTECTED]
> > > >
> > >
> > >
> >
> >
> > ________________________
> >
> > Priscilla Oppenheimer
> > http://www.priscilla.com
> >
>
>
> =====
> _____________________________________________
> Moe Tavakoli
>
>
