Actually, I hope you don't take it offline. I enjoy reading both sides of the argument and there is merit to both viewpoints. In my personal opinion, each firewall has its place, depending on the target customer. There are also some customers for which I'd recommend Netscreen or Sonicwall over either PIX or CP-NG.
Larry: Out of curiosity, why don't you like in-band management? It seems that with proper configuration (SSH, etc.) that it can be quite secure. Craig At 05:16 PM 6/25/2002 -0400, you wrote: >1) Personal Opinion. The last breakdown I saw ( 5-6 months ago in network >world I believe ) shows Cisco with 70% market share in mid-top level space. > Type no logg cons or no logg mon. It will break out of the debug. No your >letters aren't typed next to each other, but the PIX doesn't care. >I will give you that the DEBUG could use some work in that it is more >difficult to filter out what you want and what you don't when you logg to >console or monitor > >2) I completely agree. I don't believe in GUI's for Network devices. > >3) I user the pager command all the time. I set it to 5000 to dump the whole >config and then capture the output. I will delete half my config to get to >your scenario and try. I set it to 15 when I am looking at debug > >4) I user CiscoWorks 2K and can read the messages quite nicely. You could >also use Private-I. > >5) I will search for the article. I didn't bookmark it. I also said the PIX >hadn't been hacked, not IP hasn't been hacked. No one has hacked Finesse. I >am sorry for the confusion. > >6) Will either of those Active Active box's push 1.7Gbps cleartext or 95Mbps >3Des traffic and 1/2Mil connections.. I didn't say combined, I said >individually. I can run 2 PIX's and double my numbers as well. Can you >terminate a tunnel on both box's and load balance traffic over both of them >from the same source ? >This is the latest performance briefs that I could fine. I have included >them to show you what I did review. I can send you the PDF of Cisco's >performance to back up my statistics for them if you would like. Perhaps you >should do some research before you question mine. >http://www.rainfinity.com/products/wp_performance_brief.pdf >Remember we are talking hardware vs. software FW's so CP's results are bound >to be lower. >Also to note for CP is that it is a MUCH cheaper solution. That's a plus for >it. > >7) I only manage PIX's OOB so that point is mute for me. > >8) I do it manually,every time I make a change. It helps limit the number of >copies of my config that are floating around. > >9) Really, I don't believe in In-band management, so I assume that CP-1 will >dial-up and manage devices that way ?I also don't have many universal >changes that I can push out to 30+ devices, so that ability to manage that >many from one place is mute for me as well. > >10) first see number 7, secondly its interfaces are all 127.0.0.1 so you >couldn't access it on a PC by default anyways. You also must specify WHAT >hosts can access it prior to it being accessed. Its turned on, but no one is >permitted. > >11) Yes it is. But so is the learning curve for HP-UX over Windows 2k, but >which would you rather have running your daily operations on ? > >This is becoming a pi$$ing match for Cisco vs. the world. I prefer PIX's, >you prefer CP's. We can take this off-line as it doesn't belong on this list >anymore if you wish. > > >Thanks > >Larry > > >-----Original Message----- >From: david smith [mailto:[EMAIL PROTECTED]] >Sent: Tuesday, June 25, 2002 2:42 PM >To: [EMAIL PROTECTED]; [EMAIL PROTECTED] >Subject: RE: PIX Firewall (6.2) General Questions RANT [7:47393] > > >I do not want to get into this discussion; however, having worked with both >Pix and Checkpoint (Next Generation) for the past 12 months, here is my .02c >worth: > >1) If you are a Managed Service Providers, CP running Nokia Platform > (aka ipso) is a much better solution. There are lot of built-in > utilities that can help troubleshooting (i.e. tcpdump) when you need > to verify that traffic is passing through the firewall. Pix has > something similar to tcpdump (in version 6.2(1)) but it is nowhere > near tcpdump utility. Another thing, try to run "debug" command > on a "production" Pix when it is busy, there is no command to break > out of the debug mode, except that you have to telnet or ssh to the > pix and kill the other session. That is really stupid. At least > with CP, you can "CONTROL^C" to break out of tcpdump. >2) Pix Device Manager (PDM) is a piece of sh_t. I don't know if anyone > has noticed but everytime you try to open an ssl connection via PDM, > the cpu on the pix just spike. Doing so might slow down other > processes on the Pix. Do you really want to do this on a production > box? >3) If your pix configuration is about 2000 lines long and you try to > "write term", you can not do a "CONTROL^C" to break out of the > write term mode. Again, this is really stupid. Who wants to play > around with the "pager" command anyway? >4) CP logging is excellent. You can see how traffic come and leave > the firewall. Pix, on the other, everything is done via syslog. > Have anyone actually looked at that syslog? The messages in the > syslog are not "human" readable. >5) How did you come up with a statement that the Pix has never been > "hacked"? Where are your evidences? I remembered not too long > ago that Pix also suffers from SNMP and SSH vulnerabilities just > like any Cisco devices. >6) The pix is faster than CP because you are off-loading the logging > (syslog)and authentication (TACACS or RADIUS) to external devices. > I can make CP NG just as fast, if not faster, if I also off-load > logging and authentication to external devices like Pix. > Furthermore, please don't make comments like that without > research. Did you know that CP Next Generation can run on SMP > (multi-processors) machines and also can run as Active/Active > configuration? I know for a fact that Pix can only do Active/ > Standby. In that case, CP can beat Pix handily. >7) Pix only supports SSH version 1. There are lot of vulnerabilities > in SSH version 1. CP supports both Version 1 and 2. However, > version 1 is OFF by default. >8) It is very difficult to automatically backup Pix configuration using > script because since SSH in pix does NOT support key authentication, > if one write a script to backup hundreds of pix firewalls, username > and password have to be embedded into the script. Not a good thing. > On the other, CP supports key authentication (RSA and DSA). Because > of this, no password needed. Very simple and secure. >9) At the moment, there is NO solution for managing multiple Pix > firewalls for Managed Service Providers. Managing a few pix > firewalls via CLI might work for a small shop; however, that is > NOT a solution for MSP. With CP, you have Provider-1, which can > manage hundreds, if not thousands of firewalls. >10)If Pix is a secure platform, how come telnet is ON by default? It > doesn't matter if it only open for connection on the inside? 11)The >learning curve is much steeper for Pix than for CP, > >Again, my .02c > > > >From: "Roberts, Larry" > >Reply-To: "Roberts, Larry" > >To: [EMAIL PROTECTED] > >Subject: RE: PIX Firewall (6.2) General Questions RANT [7:47393] > >Date: Tue, 25 Jun 2002 14:42:33 -0400 > > > >1)I can look at every single ACL entry and tell you what its doing. I > >don't use comments in a router either, but that my preference... I > >understand your point, but I want my ACL's to be as short as possible. > >2)How I do it and I have a 200-300 line ACL. If I want to change it, I > >copy the existing ACL into notepad. I then change the case ACL->acl or > >visa-versa. I make the changes to the new ACL that I created and copy > >that back to the firewall. There are then 2 ACL's on the firewall. The > >running ACL, and the one that I want to apply. I change the > >access-group command ( their can only be 1 per interface so no need to > >remove the old one,just type in the new one ) And its done. The PIX > >goes directly from 1 list to the other. It doesn't kill any existing > >sessions or even cause a hiccup. 3)access-lists gets you a more "IOS > >like" interface. You can still use conduits if you wish, but ACL's are > >the way of the future. 4)Understood. I guess they want you to type out > >the full command, but Im just guessing. 5)Raw throughput. Dude, If you > >want raw speed, you wouldn't use a DOS based system at all. When you > >talk about small lightweight, what did you mean then? I want a FW to do > >encryption/decryption and raw packet throughput as fast as possible. > >What does the GUI give you other than a pretty UI? Does it > >make the FW more secure? Does it give it more features ? It adds nothing > >and > >slows it down. If you don't care about performance, then grab that old 486 > >and run linux on it. It would be secure, and with the newest Xwindows, > >would > >give you a pretty interface to administer it. Performance would suck,but > >you > >don't care about that. > > > >5)Up until the latest version of Checkpoint, it would not allow you to > >do > >IP > >nat prior to tunnelling for the entire routable space(class A - C ) > > > >I would advise that you read up on the mail guard feature. It does NOT > >act as a SMTP relay/proxy. It acts as a SMTP filter.It prevents none > >RFC commands (READ ESMTP), from passing through the FW. By blocking > >ESMTP commands its doing exactly what it should. That's not a tendency > >to suck, that's a tendency to protect you networks from ESMTP attacks. > >I would complain bitterly if I didn't have the ability to block ESMTP > >commands. Does any others give you that ability? ( I don't know anymore > >) > > > >A FW should be a FW, and that's it. Why add a feature ( SMTP ) that may > >have > >a bug in it? The reason that a PIX has never been hacked is because they > >have avoided the do all/be all approach that throws to many variables into > >the mix. > > > > > >Thanks > > > >Larry > > > > > >-----Original Message----- > >From: Richard Tufaro [mailto:[EMAIL PROTECTED]] > >Sent: Tuesday, June 25, 2002 12:32 PM > >To: [EMAIL PROTECTED] > >Subject: Re: RE: PIX Firewall (6.2) General Questions RANT [7:47393] > > > > > >ok good answers on some, but you tap around a few things.. > > > >1) why no comments? do competent administrators not need any comments > >to tell you what the rules are doing and where they are going (or not > >going?) > >2) I don't get that part...change the name of the access-list....no not an > >instant change, there is a second step of applying it to the interface. Let > >me see...4 step process to change a rule. > >3) I understand the IOS access-lists (which 5.1? PIX just recently > >introduced). Still the administration is a pain. All im doing is making > >access-lists....big deal. What does PIX get you there "ASA" and "state > >full" > >inspection. > >4) I ment command completion..just a little thing. Like when im typing: > > >object-group network. I want to be able to type obje. TAB and ten the IOS > >complete the command. This is not being "competent" this is being > >efficient. > >5) What basis to you say that the 535 will blow Checkpoint out of the > >water? > >Because of speed? Dude little secret if you take Windows...and strip it to > >DOS...its going to smoke. And please don't harp about doing things > >"property". Because when you say "properly" you mean the Cisco way. Hate to > >tell you, but they take "standards" all the time and fit them to there > >devices. > > > >To sum it up on your last comment let me say this. A FIREWALL is only > >as good as its configuration. That being said, if I can mitigate the > >risk of making a configuration mistake by having a "user friendly" way > >of doing it, I don't see why that is so wrong. While I agree that I > >firewall should not be a ONE ALL BE ALL on the network, having SMTP > >proxy's and such on your firewall sometimes makes sense for: > > > >outside address conservation (all MX records for example are routed > >back to one IP on the outside then relayed to internal hosts). Oh and > >PIX does do a chezzbal implementation of this (mailguard). Which has a > >tendency to suck as far as I have seen (cant do ESMTP?! whats with > >that?) > > > >I have worked on CyberGuards for a long time...they are SCO unix. You > >want to learn a little somehting about the backend of a firewall, get > >on the command line on one of those and go....powerful but tricky. I > >dont mean to come off crase becouse im not trying to..just some > >agrugments to throw back.. > > > > >>> "Roberts, Larry" 06/25 12:51 PM >>> > >1) not that I am aware of > >2) Change the access-list name and paste it to the firewall. Then just > >change the access-group statement to the new one. Its an instant > >change. > >3) I think your on crack. If your using access-lists on all interfaces ( > >you > >are aren't you ??? )then there is an implicit deny any any at the end. I > >find many people who put an permit ip any any for the inside access-list. > >While it makes administration much easier, it also is a BAD practice. > >Remember we want to explicitly approve ports, no explicitly deny. You would > >be surprised the small number of ports that really need to be open! > >4) This is a security device. You should always type the full command. I > >don't want to take any chances of typing one thing and the PIX taking it as > >another. I realize that you should know exactly what command your entering, > >but hey, not everyone is competent on the PIX so no chances. > >5) Where did you get that info? The PIX 535 will absolutely blow any > >checkpoint device out of the water. Not to mention that checkpoint still > >hasn't figured out how to do IPSec tunnels *PROPERLY*. The PIX was only > >recently made to be a small lightweight FW with the 501. I don't know about > >you, but I want a firewall to do one thing and one thing only. I don't want > >a FW that is also a mail gateway, dns server and whatnot that so many > >devices try to be now. > > > >Many FW's are made to be user friendly, and cover the backend stuff > >that really happens. The PIX didn't take that approach. They want > >someone to understand what they are doing, and putting a pretty GUI on > >it will only lead to people who shouldn't be administering it, > >administrating it. That is why I completely disagree with the PDM. > > > >Im not directly these comment at you in particular so please don't > >take them that way. Im only saying that we need to realize exactly what > >a FW should do, and what it should not. We also need to realize exactly > >how a FW works, not how the GUI works! > > > >I agree it is a completely different interface, but if you are used to > >the IOS interface, it will come quickly and you will never look back. > > > >But, this is just my opinion! > > > >Thanks > > > >Larry > > > > > >-----Original Message----- > >From: Richard Tufaro [mailto:[EMAIL PROTECTED]] > >Sent: Tuesday, June 25, 2002 11:51 AM > >To: [EMAIL PROTECTED] > >Subject: PIX Firewall (6.2) General Questions RANT [7:47393] > > > > > >Hey all, just recently got my hands on 4 new PIX firewalls and I am > >having some issues with them that perhaps may be shortcoming of the PIX > >or me, but I wanted to throw them out there and see if anyone has any > >comments: > > > >1. Is there a way in the PIX to !Comment your access-list or conduit > >lines to tell what the rule is doing. Now don't get me wrong you can > >look at the rule and its pretty straight forward, but I would like to > >comment them much like you can do in IOS. The only way that I have > >found to do this is by taking every external or internal IP address > >that we have and are denying or allowing and giving it a name. But this > >also has its shortcomings because of > >the 16 character limit. > > > >2. What is with the access-list rules and importing? I don't get it. > >Why do they need to append instead of replace? I am going to assume > >that the access-list is reading from the top down (just like in IOS) so > >if I export my config, change around the order then try to paste *does > >not take*. The workaround I found for this nifty problem is exporting > >the access-list to Ultraedit, putting a "no" statement infront of all > >of the statements, clearing them, then making the change and importing > >them. How do people in a large PIX environment with a multitude of > >rules, and a dynamic environment manage this? Or the PIX's for that > >matter as a side. > > > >3. Tell me if im smoken crack here, but the default stance of the PIX > >is > >bas > >acwards, when it comes to internal hosts to the outside. I mean look when I > >put out the firewall and config my INBOUND lists, why do I want everyone in > >the company to be able to NETBIOS across the firewall (outbound)?! I have > >worked with one other firewall (CyberGuard) and there stance IMHO is the > >best, DENY ALL, permit what I say to permit. Its a firewall, not a router > >(in the security sense people, I now what it is REALLY, but relating to > >Cisco). > > > >4. Little things too...like why no command completion? I know that this > >is > >a > >Cisco acquired device, but you would think that they would make it easy to > >configure from the command line, especially with the influx of making it > >more IOS'e. Is this going to be available in later versions? Anyone know? > > > >5. I know the PIX was conceived as a small lightweight, "streamline" > >device that is going to protect your network with but you should not do > >any WIZ bang stuff with it....but then again Cisco markets to everyone > >and are competing with the WIZ Bang firewall vendors like checkpoint. I > >mean come on GROUPING was just added in 6.2! > > > >If anyone can shed some light on these issues for me it would be much > >appreciated. What im really looking for here is some guidance as to > >people with large PIX deployments and how they manage day to day, and > >deploy newaer the backend stuff that reall ones. I know this is a long > >post but coming from Cyberguard, and going to PIX there seems to be > >some major deficiencies as far as functionality and manageability. > >Thanks. >_________________________________________________________________ >Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=47434&t=47393 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
