Brian Ford wrote:

> Thanks for the humor Kriss.
> 
> I think the point that Kriss has missed is the integrity of the operating system 
> that is running on the "standard ole' Intel machine".  Purpose built firewall 
> appliances, like the Cisco PIX run a proprietary operating system.  That means that 
> it is a couple of degrees harder for all those script kiddies out there to find and 
> exploit a vulnerability in these firewall appliances. 

This is what I was trying to get at. Everyone who's been around PCs for 
a while and has opened a PIX-520 knows that it's an ATX motherboard, a 
card with some flash on it, a floppy drive, and some number of Intel 
PRO-100B+ Management Adapters. That's the whole story. Total parts cost: 
Approximately $300, assuming that cisco is getting gouged -- And that's 
with both of the NICs it comes with.

But what do you pay for when you buy a PIX? The light, fast OS that runs 
on it (Well, as of 5.x anyway. PIX in 4.x and below was something of a 
dog, and dramatically buggy, INCLUDING the very highest revision of 4.x) 
and support, although you do have to pay more for the support. Also, 
cisco patches and works around various security issues; the PIX supports 
TACACS+, so if you have a bunch of other cisco gear, it makes 
authentication even easier; and it has ssh for encrypted logins (though this is 
another example of lameness: you can't do 3DES without the 128 bit key, 
only DES with the free 56 bit key). So there are some definite 
shortcomings to the PIXen, but they do buy you something like peace of 
mind. You don't have to personally be continually probing them and 
reading bugtraq (or similar) to ensure that your firewall appliance is 
reliable.

OTOH, the OpenBSD folks (and many others) fix security holes MUCH faster 
than cisco. So if you're willing to spend the time and do the homework, 
then perhaps you would actually be better-protected if you used OpenBSD 
and ipfilter than if you used a PIX. It would just be a whole lot more 
work and probably involve more downtime.

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]