Not making accusations, but it's ironic that this story came out just after
we had a debate about this ;)

Just giving you a hard time...hehe.  No flames...just kidding.  Seriously. ;)
You're a kewl guy but I'm kewler...haha.

Hey, why didn't he just block their IP?  Seems like a lot of work to build a
new firewall rather than just lock them out.  If he had an IDS, it could have
blocked them automatically.

There is the new 'stick' DoS attack that simulates hundreds of simultaneous
DoS attacks and is designed to bring an IDS down.  Did he look in syslog to
see what kind of attack it was?  I'd be very interested in knowing what the
bug is in the PIX so I can follow up on this to keep our firewalls secure.
Also, is he showing that the DoS attacks were continuing with the new firewall, or
did they assume the site was down during the time he was switching over?

I'm not taking sides...just curious & getting as much info as I can.  I'm
setting up a customer FreeBSD firewall with IPSec very soon & they will be
upgrading to a PIX soon after.  If I can verify this bug & what version
they're running, I can recommend they wait until it's been resolved by TAC.

Allen
----- Original Message -----
From: "Sean Young" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 28, 2001 5:18 PM
Subject: Cisco PIX has been brought to its knees


> Hi everyone,
> I have a story that I wish to share with everyone.  One of my friends
> works for a company that uses Cisco PIX as the firewall.  This afternoon,
> he called and told me that the company firewall is experiencing a Denial
> of Service (DoS) attack.  The attack is so heavy that the PIX just
> simply gives up.  The company contacted Cisco and the TAC told my friend
> that there is a bug in the Cisco PIX code and he will have to wait a
> few days for the new code to arrive.  Frustrated, he decided to use his
> workstation, which is running NetBSD, put in an extra NIC, and shut off all
> essential services but SSH and netfilter.  Amazingly, the new BSD
> firewall withstood the DoS and connectivity was restored.
>
> The point of the story: not everything from Cisco is good.  Their code
> is just as buggy as everyone else's.  Just because it carries the name Cisco
> doesn't mean it is safe.

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]