Gads, if only I had the time this morning... So much of this entry is sheer
and utter "crud"... I am not sure where you got your info, but, to
start with, PIX ACLs are NOT sequential -- unlike the router... it
works in a whole different way. As for rebooting to get fixes to
work... Uh, I have even changed the IP address and not had to
reboot... Again, incorrect info. As for logging -- hmm, I have
all logging turned on including "connections", which goes to
a machine I have a neat software package on called PrivateI which
does a nice job of real-time monitoring and reporting. As for sending
the messages to PFM -- only if you send it there...

Perhaps later when I get a chance I will update and completely correct
this message, but for now, be forewarned --- it is not totally correct
regarding the pix, except maybe the NIC portion -- that I will agree with.
Beyond that.... Hmm.... 

Please make sure your facts are accurate before leading others down a wrong
path -- and for what it is worth I do not work for Cisco...

more later

r

At 02:43 PM 3/8/99 +1100, User wrote:
>> >
>> > So, what's the big differentiation between a Cisco router with Firewall
>> > Feature Set and a Cisco PIX?
>>
>> I have never worked with PIX, so I really don't know. IOS does have
>> inspection, NAT, VPN, lock-and-key (access-lists activated by user
>> authentication), etc. But it is kind of hard to setup...
>> Maybe PIX is a little easier. I recollect hearing about a "cryptography
>> board" for the PIX platform, which could be one of the differences, as IOS
>> does crypto by software.
>>
>
>A few months back, someone asked for a PIX review (to base against FW-1).
>FWIW, here's what I said (which still holds mostly true):
>
>Hardware wise, it's basically an Intel box - so, you're immediately gonna
>have problems if you require 4+ NICs; (PIX only supports 4 regardless of
>how many you can physically install). You can have 2 PIXs together to provide
>HA; haven't played with this, but the doco is there and they certainly seem
>to support failover.
>
>Configuring PIX is a pain in the backside. The command line interface is
>just as shitty as configuring a Cisco router. Don't believe the marketing
>crap that says, "if you know Cisco IOS, then you can easily pick up PIX".
>Bullshit. There is very little similarity.
>
>As an afterthought, Cisco clobbered together the PIX Firewall Manager (PFM).
>This requires a NT box that runs PFM as a service. You connect to PFM via a
>browser, PFM in turn talks to PIX. The comms b/w PFM and PIX is encrypted.
>Comms b/w your browser and PFM are NOT, so be careful. This gives you a nice
>enough GUI, but there's still other shitty things about the product. There
>have been vulnerabilities with PFM - but they're supposedly fixed in the
>current versions.
>
>The one big thing about PIX that really shits me: making changes. You
>basically have to reload (reboot) PIX for most changes - this is really bad
>if you must have 120% uptime! I'm not talking about major changes, even
>small changes to the packet filtering rules. Packet filtering rules work
>like most other firewalls: first match wins. With PIX, you can only add new
>rules to the end of the list. To add something anywhere else essentially
>requires all rules to be deleted and then re-entered with the new rule in
>the correct place. Wow! That's shit! Sound like Cisco IOS? Yeah, you now
>know what I mean.
>
>Most surveys I see show FW1 has the clear market share. PIX is usually
>second - a distant second. I wouldn't be surprised if Cisco is doing deals
>to get the product out - it certainly isn't going to sell on product alone.
>
>Logging. It relies on syslog. syslog is unreliable under heavy loads. The
>PIX sends its syslog entries to PFM, which can then alert/alarm based on
>certain events. No built in paging capability. Usual SNMP and SNMPtrap
>capabilities. It only logs by exception - i.e. packets denied, interfaces
>down, etc. Doesn't log anything about stuff that was permitted.
>
>Authentication. Usual Cisco IOS access: user level password and privileged
>password. No distinction made as to who actually entered the password, so
>very difficult (impossible) to audit exactly who did what, where and when.
>PFM allows you to define users (with proper names/passwords under NT). These
>users can also be given read-only or full access. All means shit if someone
>can still get to the console (or telnet) to PIX.
>
>VPN. Still in BETA. Cisco have OEM'ed Redcreek's RAVLIN solution. This uses a
>PCI card to handle the encryption. Apparently very fast - but, still in BETA
>and still having trouble getting it to work. We're currently bashing our
>heads trying to get VPN authentication with OTP passwords against a Radius
>server to work. Big problems. Local support (Australia) is pretty crap.
>YMMV.
>
>UPDATE!!! Cisco have discontinued their relationship with Redcreek - the
>RAVLIN card is no longer an option.
>
>It's scary reading the release notes. Particularly the list of things fixed
>in each new revision. You should read the Release Notes for some amusement.
>
>Phew, that's my $0.02 worth,
>
>./edy
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
