The configuration problems come from the attempt by CISCO to make the
configuration commands look like IOS. It's not. Thinking of it as if it
was IOS will mislead you (many commands have arguments in exactly the
wrong order for IOS, for example), and the complexity of the syntax went
up when they switched, plus we had to pretty much redesign the configuration
from scratch when they did that, because of all the syntax changes.

In article <[EMAIL PROTECTED]>,
Kent Hundley  <[EMAIL PROTECTED]> wrote:
>Again, I don't follow you.  When the PIX is configured in a failover
>scenario, the second box is just a backup of the first, the
>configuration of the backup is automatically updated from the primary
>through a special cable, so I don't follow how configuration could be
>any more or less difficult whether you have a single PIX or a redundant
>configuration.

My experience is that when you have two PIXes in a failover configuration,
and something actually fails, it will almost reliably fail over to the PIX
that isn't working. I dearly wish CISCO hadn't sold the failover capability
so hard to the client, because the damn thing is more reliable when it's not
active.

>That's not entirely true if you're talking about current versions of the
>PIX IOS.  Cisco had included limited functionality that enables the
>stateful inspection on the PIX to understand commands from some of the
>more common applications such as SMTP.  For example, it will only allow
>certain SMTP commands through to your mail server, but will also answer
>with "OK" to non-allowed commands to confuse attackers attempting to use
>those commands.  This feature is called Mail Guard and has been around
>for at least the last 3 revs of PIX IOS.

I stand by my statement that you will still need a bastion host for your
mail server. The variety and complexity of data-based attacks is beyond the
capabilities of anything less than an application level proxy.

-- 
In hoc signo hack, Peter da Silva <[EMAIL PROTECTED]>
 `-_-'   Did you hug your wolf today?
  'U`    << <KH> you did technical support for Hell ?
            <susan> Didn't we all, in our youth? >:) >>
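The Mail Guard behaviour Kent describes above, modelled as an added example (not Cisco's code or anything posted in this thread) that also shows the limitation Peter's reply rests on: the filter only sees the command verbs, and everything after DATA passes through uninspected. The allowed command set and the sample session are assumptions.

```python
# Toy model of a PIX "Mail Guard"-style SMTP command filter. Constructed
# illustration, not Cisco's code: it whitelists a small command set, answers
# non-allowed commands locally with "250 OK" instead of forwarding them, and
# shows the limitation that everything after DATA passes through uninspected.

ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}  # assumed set


class MailGuardFilter:
    """Decides per client line whether to forward it or answer it locally."""

    def __init__(self):
        self.in_data = False   # True between DATA and the terminating "."
        self.forwarded = []    # lines that reach the real mail server
        self.blocked = []      # command lines swallowed by the filter

    def handle(self, line):
        """Return (forward, reply): forward=True sends the line on to the
        server; reply is a canned answer for the client, or None."""
        if self.in_data:
            # Message content is not inspected at all, whatever it contains.
            self.forwarded.append(line)
            if line == ".":
                self.in_data = False
            return True, None
        verb = line.split(" ", 1)[0].upper()
        if verb in ALLOWED:
            self.in_data = verb == "DATA"
            self.forwarded.append(line)
            return True, None
        # Not allowed: swallow it and answer "OK" so the client learns nothing.
        self.blocked.append(line)
        return False, "250 OK"


def run_session(lines):
    """Run a client transcript through the filter; return (forwarded, blocked)."""
    f = MailGuardFilter()
    for line in lines:
        f.handle(line)
    return f.forwarded, f.blocked


# Constructed sample session: VRFY and EXPN are outside the allowed set, but
# the VRFY-looking line inside the message body is never examined.
SAMPLE = ["HELO client.example", "VRFY postmaster",
          "MAIL FROM:<a@example.com>", "RCPT TO:<b@example.com>", "EXPN staff",
          "DATA", "Subject: hi", "", "VRFY root", ".", "QUIT"]
```

Running `run_session(SAMPLE)` shows the two stray commands blocked while the message body, including the line that merely looks like a command, reaches the server untouched, which is why a command whitelist alone does not replace an application-level proxy.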