But that just proves my point - you *can't* set up a DNS server on a PIX, so it
becomes a non-issue with a PIX.  Besides, I think everybody I know has done
something that they know not to be the best thing but do it because it is a
quick and easy solution.

Don't get me wrong - I like Linux.  The real problem I see with network
security is not so much technology, but with human nature.  The PIX by
design removes many of the holes that human nature can drag us into.  A
simple case of less is more.

Rik

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 24, 2001 11:02 PM
To: [EMAIL PROTECTED]; Rik
Subject: Re: Performance Comparison between Linux OS Firewall and Cisco
PIX 525


While I agree that for an enterprise I would choose PIX over Linux 
for firewall purposes, if your friends configured a Linux firewall and 
ran other services on it, they may be good Linux admins but they 
don't know much about security. 

There is _no_ good reason to run unnecessary services on a 
firewall. Period.  Wintel hardware is too inexpensive to use any 
argument that a box serving as a firewall needs to run DNS, FTP, 
SMTP, etc.

The only service other than ipchains that a Linux firewall should run 
is SSH.  This gives you all the remote administration of the box 
you need and makes the box very secure.  

-Kent


On 23 Mar 2001, at 9:24, Rik wrote:

> I have seen way too many Linux firewalls hacked as a result of
> mis-administration.  Now, I'm not assuming anything about your
> abilities, as the last confirmed hack that I was notified about was a
> Linux FW set up by 2 guys that I know to be excellent Linux admins.
> The problem is the inherent nature of the beast.  A PIX is totally
> secure right out of the box.  The last Linux hack I speak of was
> hacked based on an exploit within BIND and had nothing to do with the
> FW policy.
> 
> I also find the PIX to be MUCH easier to configure and set up.  I can
> do in only a few lines of code what could possibly take pages and
> pages of code in Linux.  When talking about firewalls, simplicity is a
> critically important concern.  One compromise could easily remove any
> upfront cost advantage Linux has over Cisco.  Also, you don't have to
> be concerned with shutting down unused services on a PIX as you would
> on Linux.
> 
> Go with the PIX.  It was designed from the ground up to do just what
> it does: protect your network.  Cisco claims that a properly
> configured PIX has never been compromised.  I believe them.
> 
> Rik
> 
> 
> "Sean Young" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Hi Everyone,
> >
> > My company is putting me in charge of implementing a Firewall for
> > our company.  One guy in my networking group is recommending PIX
> > Firewall. Furthermore, he also recommends a Cisco Web-caching
> > engine.  His reason is that not only is Cisco a good Firewall but it
> > also provides VPN connectivity to our remote sites.  I, on the
> > other hand, would like to implement a Linux-based OS firewall along
> > with the FreeS/WAN VPN feature set.  My reason is that a linux firewall
> > can provide everything a Cisco PIX does and even more.  In terms of
> > hardware, the linux Firewall/VPN/IPSec box will be running a
> > dual-processor (800MHz) with 1GB of RAM. I just feel that I can get
> > a lot more for the amount that we are going to spend with linux than
> > with Cisco PIX.  I also feel that I can tweak the source code on the
> > LINUX kernel to increase the performance and security. Also, instead
> > of purchasing the Cisco web-caching engine, I am thinking of
> > building another linux box that will be running a squid (web-caching)
> > server.  Don't get me wrong, I think Cisco has a lot of good
> > products in the area of routing; however, I just don't think it is
> > necessary to throw money at Cisco when I know that Linux or BSD
> > can do the same job that the PIX and Cisco web-caching engine do but for
> > much less, and also I can control the source code.  Has anyone had
> > experience with both the Linux/BSD, Squid and Cisco PIX, Cisco
> > web-caching engine so that you can give advice on what I should do?
> > I am open to your suggestions.
> >
> > Many thanks.
> > Sean
> 
> 
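Kent's rule above (a Linux firewall runs ipchains and SSH, nothing else) can be turned into a routine check. This is an added example, not code from anyone in this thread: a POSIX sh audit that reads `ss -tulnH` listener output and flags every socket bound to a non-loopback address that is not SSH. The listener table below is constructed (a firewall also running BIND and FTP, the situation Rik describes); `ss` is assumed to exist on the host (the 2001-era `netstat -tuln` has a different column layout).

```shell
#!/bin/sh
# Constructed sample of `ss -tulnH` output (not taken from the thread):
# a firewall host that also runs BIND (53) and an FTP daemon (21).
SAMPLE_LISTENERS='tcp   LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 10   0.0.0.0:53     0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:53     0.0.0.0:*
tcp   LISTEN 0 5    0.0.0.0:21     0.0.0.0:*
tcp   LISTEN 0 128  127.0.0.1:953  0.0.0.0:*'

# Services the firewall is allowed to expose, as proto/port. Only SSH.
ALLOWED='tcp/22'

# audit_listeners: read ss-style lines on stdin and print one line for
# each socket bound to a non-loopback address that is not on ALLOWED.
# Returns 1 when any unexpected listener was found, 0 otherwise.
audit_listeners() {
    found=0
    while read -r proto _state _rq _sq local _peer; do
        [ -z "$proto" ] && continue
        addr=${local%:*}
        port=${local##*:}
        # Loopback-only sockets (e.g. BIND's rndc on 127.0.0.1:953) are
        # not reachable from the network, so they are not reported.
        case "$addr" in 127.*|::1|\[::1\]) continue ;; esac
        case " $ALLOWED " in
            *" $proto/$port "*) ;;
            *) printf 'UNEXPECTED %s/%s bound on %s\n' "$proto" "$port" "$addr"
               found=1 ;;
        esac
    done
    return $found
}

# On a live host run:  ss -tulnH | audit_listeners
# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners \
    || echo "firewall exposes services other than SSH"
```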

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]