OK, good answers on some, but you tap around a few things...

1) Why no comments? Do competent administrators not need any comments to
tell you what the rules are doing and where they are going (or not going)?
2) I don't get that part... change the name of the access-list... no, not an
instant change; there is a second step of applying it to the interface. Let
me see... a 4-step process to change a rule.
3) I understand the IOS access-lists (which PIX just recently
introduced, 5.1?). Still, the administration is a pain. All I'm doing is making
access-lists... big deal. What does PIX get you there? "ASA" and "stateful"
inspection.
4) I meant command completion... just a little thing. Like when I'm typing: >
object-group network, I want to be able to type obje, TAB, and then have the IOS
complete the command. This is not being "competent", this is being efficient.
5) On what basis do you say that the 535 will blow Checkpoint out of the water?
Because of speed? Dude, little secret: if you take Windows... and strip it to
DOS... it's going to smoke. And please don't harp about doing things
"properly", because when you say "properly" you mean the Cisco way. Hate to
tell you, but they take "standards" all the time and fit them to their
devices.

To sum it up on your last comment, let me say this. A FIREWALL is only as
good as its configuration. That being said, if I can mitigate the risk of
making a configuration mistake by having a "user friendly" way of doing it,
I don't see why that is so wrong. While I agree that a firewall should not
be the ONE ALL BE ALL on the network, having SMTP proxies and such on your
firewall sometimes makes sense for:

outside address conservation (all MX records, for example, are routed back to
one IP on the outside and then relayed to internal hosts). Oh, and PIX does do a
cheeseball implementation of this (mailguard), which has a tendency to suck as
far as I have seen (can't do ESMTP?! What's with that?)

I have worked on CyberGuards for a long time... they are SCO Unix. You want
to learn a little something about the backend of a firewall, get on the
command line on one of those and go... powerful but tricky. I don't mean to
come off crass because I'm not trying to... just some arguments to throw back...

>>> "Roberts, Larry" 06/25 12:51 PM >>>
1) Not that I am aware of.
2) Change the access-list name and paste it to the firewall. Then just
change the access-group statement to the new one. It's an instant change.
3) I think you're on crack. If you're using access-lists on all interfaces (you
are, aren't you???) then there is an implicit deny any any at the end.
I find many people who put a permit ip any any for the inside access-list.
While it makes administration much easier, it is also a BAD practice.
Remember, we want to explicitly approve ports, not explicitly deny. You would
be surprised at the small number of ports that really need to be open!
4) This is a security device. You should always type the full command. I
don't want to take any chances of typing one thing and the PIX taking it as
another. I realize that you should know exactly what command you're entering,
but hey, not everyone is competent on the PIX, so no chances.
5) Where did you get that info? The PIX 535 will absolutely blow any
Checkpoint device out of the water. Not to mention that Checkpoint still
hasn't figured out how to do IPSec tunnels *PROPERLY*. The PIX was only
recently made to be a small lightweight FW with the 501. I don't know about
you, but I want a firewall to do one thing and one thing only. I don't want
a FW that is also a mail gateway, DNS server and whatnot that so many
devices try to be now.

Many FWs are made to be user friendly, and cover the backend stuff that
really happens. The PIX didn't take that approach. They want someone to
understand what they are doing, and putting a pretty GUI on it will only
lead to people who shouldn't be administering it, administering it.
That is why I completely disagree with the PDM.

I'm not directing these comments at you in particular, so please don't take
them that way. I'm only saying that we need to realize exactly what a FW
should do, and what it should not. We also need to realize exactly how a FW
works, not how the GUI works!

I agree it is a completely different interface, but if you are used to the
IOS interface, it will come quickly and you will never look back.

But, this is just my opinion!

Thanks

Larry
-----Original Message-----
From: Richard Tufaro [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 25, 2002 11:51 AM
To: [EMAIL PROTECTED] 
Subject: PIX Firewall (6.2) General Questions RANT [7:47393]


Hey all, I just recently got my hands on 4 new PIX firewalls and I am having
some issues with them that may be shortcomings of the PIX or of me, but
I wanted to throw them out there and see if anyone has any comments:

1. Is there a way in the PIX to !Comment your access-list or conduit lines
to tell what the rule is doing? Now don't get me wrong, you can look at the
rule and it's pretty straightforward, but I would like to comment them much
like you can do in IOS. The only way that I have found to do this is by
taking every external or internal IP address that we have and are denying or
allowing and giving it a name. But this also has its shortcomings because of
the 16-character limit.

2. What is with the access-list rules and importing? I don't get it. Why do
they need to append instead of replace? I am going to assume that the
access-list is read from the top down (just like in IOS), so if I export
my config, change around the order, then try to paste, it *does not take*. The
workaround I found for this nifty problem is exporting the access-list to
Ultraedit, putting a "no" statement in front of all of the statements,
clearing them, then making the change and importing them. How do people in a
large PIX environment with a multitude of rules, and a dynamic environment,
manage this? Or the PIXes, for that matter, as a side.

3. Tell me if I'm smoking crack here, but the default stance of the PIX is
bass-ackwards when it comes to internal hosts to the outside. I mean, look, when I
put out the firewall and config my INBOUND lists, why do I want everyone in
the company to be able to NETBIOS across the firewall (outbound)?! I have
worked with one other firewall (CyberGuard) and their stance IMHO is the
best: DENY ALL, permit what I say to permit. It's a firewall, not a router
(in the security sense, people; I know what it is REALLY, but relating to
Cisco).

4. Little things too... like why no command completion? I know that this is a
Cisco-acquired device, but you would think that they would make it easy to
configure from the command line, especially with the push toward making it
more IOS-like. Is this going to be available in later versions? Anyone know?

5. I know the PIX was conceived as a small, lightweight, "streamlined" device
that is going to protect your network, but you should not do any WIZ-bang
stuff with it... but then again Cisco markets to everyone and is
competing with the WIZ-bang firewall vendors like Checkpoint. I mean, come on,
GROUPING was just added in 6.2!

If anyone can shed some light on these issues for me it would be much
appreciated. What I'm really looking for here is some guidance as to people
with large PIX deployments and how they manage day to day, and deploy newer
ones. I know this is a long post, but coming from CyberGuard and going to
PIX there seem to be some major deficiencies as far as functionality and
manageability. Thanks.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47405&t=47393
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]