"Roberts, Larry" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> A FW should be a FW, and that's it. Why add a feature ( SMTP ) that may
> have a bug in it? The reason that a PIX has never been hacked is because they
> have avoided the do all/be all approach that throws too many variables into
> the mix.
>

CL: PIX does not allow telnet from the untrusted side, but it can be hacked
by anyone on the inside network, unless specific actions have been taken.
Anyone know if a Netscreen has ever been hacked? I'm asking because I forgot
my admin password, and I don't want to have to do a reset to factory and
lose my configured policies ;->



>
> Thanks
>
> Larry
>
>
> -----Original Message-----
> From: Richard Tufaro [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 25, 2002 12:32 PM
> To: [EMAIL PROTECTED]
> Subject: Re: RE: PIX Firewall (6.2) General Questions RANT [7:47393]
>
>
> ok good answers on some, but you tap around a few things..
>
> 1) why no comments? do competent administrators not need any comments to
> tell you what the rules are doing and where they are going (or not going?)
> 2) I don't get that part...change the name of the access-list....no not an
> instant change, there is a second step of applying it to the interface. Let
> me see...4 step process to change a rule.
> 3) I understand the IOS access-lists (which 5.1? PIX just recently
> introduced). Still the administration is a pain. All I'm doing is making
> access-lists....big deal. What does PIX get you there "ASA" and "stateful"
> inspection.
> 4) I meant command completion..just a little thing. Like when I'm typing:
> object-group network. I want to be able to type obje. TAB and then the IOS
> complete the command. This is not being "competent" this is being efficient.
> 5) On what basis do you say that the 535 will blow Checkpoint out of the water?
> Because of speed? Dude little secret if you take Windows...and strip it to
> DOS...it's going to smoke. And please don't harp about doing things
> "properly". Because when you say "properly" you mean the Cisco way. Hate to
> tell you, but they take "standards" all the time and fit them to their
> devices.
>
> To sum it up on your last comment let me say this. A FIREWALL is only as
> good as its configuration. That being said, if I can mitigate the risk of
> making a configuration mistake by having a "user friendly" way of doing it,
> I don't see why that is so wrong. While I agree that a firewall should not
> be a ONE ALL BE ALL on the network, having SMTP proxies and such on your
> firewall sometimes makes sense for:
>
> outside address conservation (all MX records for example are routed back to
> one IP on the outside then relayed to internal hosts). Oh and PIX does do a
> cheeseball implementation of this (mailguard). Which has a tendency to suck as
> far as I have seen (can't do ESMTP?! what's with that?)
>
> I have worked on CyberGuards for a long time...they are SCO unix. You want
> to learn a little something about the backend of a firewall, get on the
> command line on one of those and go....powerful but tricky. I don't mean to
> come off crass because I'm not trying to..just some arguments to throw
> back..
>
> >>> "Roberts, Larry"  06/25 12:51 PM >>>
> 1) not that I am aware of
> 2) Change the access-list name and paste it to the firewall. Then just
> change the access-group statement to the new one. It's an instant change.
> 3) I think you're on crack. If you're using access-lists on all interfaces ( you
> are aren't you ??? ) then there is an implicit deny any any at the end. I
> find many people who put a permit ip any any for the inside access-list.
> While it makes administration much easier, it also is a BAD practice.
> Remember we want to explicitly approve ports, not explicitly deny. You would
> be surprised the small number of ports that really need to be open!
> 4) This is a security device. You should always type the full command. I
> don't want to take any chances of typing one thing and the PIX taking it as
> another. I realize that you should know exactly what command you're entering,
> but hey, not everyone is competent on the PIX so no chances.
> 5) Where did you get that info? The PIX 535 will absolutely blow any
> checkpoint device out of the water. Not to mention that checkpoint still
> hasn't figured out how to do IPSec tunnels *PROPERLY*. The PIX was only
> recently made to be a small lightweight FW with the 501. I don't know about
> you, but I want a firewall to do one thing and one thing only. I don't want
> a FW that is also a mail gateway, dns server and whatnot that so many
> devices try to be now.
>
> Many FW's are made to be user friendly, and cover the backend stuff that
> really happens. The PIX didn't take that approach. They want someone to
> understand what they are doing, and putting a pretty GUI on it will only
> lead to people who shouldn't be administering it, administrating it. That is
> why I completely disagree with the PDM.
>
> I'm not directing these comments at you in particular so please don't take
> them that way. I'm only saying that we need to realize exactly what a FW
> should do, and what it should not. We also need to realize exactly how a FW
> works, not how the GUI works!
>
> I agree it is a completely different interface, but if you are used to the
> IOS interface, it will come quickly and you will never look back.
>
> But, this is just my opinion!
>
> Thanks
>
> Larry
>
>
> -----Original Message-----
> From: Richard Tufaro [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 25, 2002 11:51 AM
> To: [EMAIL PROTECTED]
> Subject: PIX Firewall (6.2) General Questions RANT [7:47393]
>
>
> Hey all, just recently got my hands on 4 new PIX firewalls and I am having
> some issues with them that perhaps may be shortcomings of the PIX or me, but
> I wanted to throw them out there and see if anyone has any comments:
>
> 1. Is there a way in the PIX to !Comment your access-list or conduit lines
> to tell what the rule is doing. Now don't get me wrong you can look at the
> rule and it's pretty straightforward, but I would like to comment them much
> like you can do in IOS. The only way that I have found to do this is by
> taking every external or internal IP address that we have and are denying or
> allowing and giving it a name. But this also has its shortcomings because of
> the 16 character limit.
>
> 2. What is with the access-list rules and importing? I don't get it. Why do
> they need to append instead of replace? I am going to assume that the
> access-list is reading from the top down (just like in IOS) so if I export
> my config, change around the order then try to paste *does not take*. The
> workaround I found for this nifty problem is exporting the access-list to
> Ultraedit, putting a "no" statement in front of all of the statements,
> clearing them, then making the change and importing them. How do people in a
> large PIX environment with a multitude of rules, and a dynamic environment
> manage this? Or the PIX's for that matter as a side.
>
> 3. Tell me if I'm smoking crack here, but the default stance of the PIX is bass
> ackwards, when it comes to internal hosts to the outside. I mean look when I
> put out the firewall and config my INBOUND lists, why do I want everyone in
> the company to be able to NETBIOS across the firewall (outbound)?! I have
> worked with one other firewall (CyberGuard) and their stance IMHO is the
> best, DENY ALL, permit what I say to permit. It's a firewall, not a router
> (in the security sense people, I know what it is REALLY, but relating to
> Cisco).
>
> 4. Little things too...like why no command completion? I know that this is a
> Cisco acquired device, but you would think that they would make it easy to
> configure from the command line, especially with the influx of making it
> more IOS'e. Is this going to be available in later versions? Anyone know?
>
> 5. I know the PIX was conceived as a small lightweight, "streamline" device
> that is going to protect your network with but you should not do any WIZ
> bang stuff with it....but then again Cisco markets to everyone and are
> competing with the WIZ Bang firewall vendors like checkpoint. I mean come on
> GROUPING was just added in 6.2!
>
> If anyone can shed some light on these issues for me it would be much
> appreciated. What I'm really looking for here is some guidance as to people
> with large PIX deployments and how they manage day to day, and deploy newer
> the backend stuff that real ones. I know this is a long post but coming
> from Cyberguard, and going to PIX there seems to be some major deficiencies
> as far as functionality and manageability. Thanks.
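The thread argues about two ways of replacing a PIX access-list offline (Richard's "put a `no` in front of every line and clear the list" workaround versus Larry's "paste under a new name and flip the access-group" approach) and about the danger of a `permit ip any any` entry that defeats the implicit deny. The following is an added example, not code from this thread or from Cisco. It assumes the PIX 6.x text form `access-list NAME permit|deny PROTO SRC DST [eq PORT]`, that `no access-list <entry>` removes exactly that entry, and that `access-group NAME in interface IF` binds a list to an interface; the export it parses is constructed sample text, not a real device config.

```python
"""Offline helper for the two access-list workflows debated in this thread.

Added example, not code from the thread or from Cisco. It assumes the
PIX 6.x text form ``access-list NAME permit|deny PROTO SRC DST [eq PORT]``,
that ``no access-list <entry>`` removes exactly that entry, and that
``access-group NAME in interface IF`` binds a list to an interface; the
export below is constructed sample text, not a real device config.
"""
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.+)$")

# Constructed sample export: an inside list that ends in the "permit ip any any"
# Larry warns against, and an outside list that only admits SMTP to one host.
SAMPLE_EXPORT = """\
access-list inside_out permit tcp any any eq 25
access-list inside_out permit ip any any
access-list outside_in permit tcp any host 192.0.2.10 eq 25
access-list outside_in deny ip any any
access-group outside_in in interface outside
"""


def parse_acls(text):
    """Group access-list entries by list name, keeping top-down order."""
    lists = {}
    for raw in text.splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            name, action, rest = m.groups()
            lists.setdefault(name, []).append((action, rest))
    return lists


def negate_list(text, name):
    """Richard's workaround: emit 'no' in front of every entry of NAME so the
    old list can be removed before the reordered list is pasted back."""
    return ["no access-list %s %s %s" % (name, action, rest)
            for action, rest in parse_acls(text).get(name, [])]


def rename_list(text, old, new, interface, order=None):
    """Larry's approach: paste the entries under a NEW name (optionally in a
    new order, given as 0-based indexes into the old list) and flip the
    access-group in one step, so the interface is never without a list."""
    entries = parse_acls(text).get(old, [])
    if order is not None:
        if sorted(order) != list(range(len(entries))):
            raise ValueError("order must be a permutation of all entries")
        entries = [entries[i] for i in order]
    out = ["access-list %s %s %s" % (new, action, rest) for action, rest in entries]
    out.append("access-group %s in interface %s" % (new, interface))
    return out


def lists_with_permit_any(text):
    """Flag lists containing 'permit ip any any', which defeats the implicit
    deny at the end of the list (Larry's point 3)."""
    return sorted(name for name, entries in parse_acls(text).items()
                  if any(action == "permit" and rest.split() == ["ip", "any", "any"]
                         for action, rest in entries))


if __name__ == "__main__":
    for line in negate_list(SAMPLE_EXPORT, "inside_out"):
        print(line)
    for line in rename_list(SAMPLE_EXPORT, "outside_in", "outside_in_v2",
                            "outside", order=[1, 0]):
        print(line)
    print("permit-any lists:", lists_with_permit_any(SAMPLE_EXPORT))
```

`rename_list` refuses an `order` that drops or duplicates entries, since a silently shortened list is exactly the kind of configuration mistake the thread is worried about; `lists_with_permit_any` is the quick check to run on any export before pasting it back.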




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47427&t=47393
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
