Martin,
Please see comments in line.
At 01:31 PM 12/4/2000 -0800, Martin wrote:
>Brian Ford wrote:
>
>>Thanks for the humor Kriss.
>>I think the point that Kriss has missed is the integrity of the operating system
>that is running on the "standard ole' Intel machine". Purpose built firewall
>appliances, like the Cisco PIX run a proprietary operating system. That means that
>it is a couple of degrees harder for all those script kiddies out there to find and
>exploit a vulnerability in these firewall appliances.
>
>This is what I was trying to get at. Everyone who's been around PCs for a while and
>has opened a PIX-520 knows that it's an ATX motherboard, a card with some flash on
>it, a floppy drive, and some number of Intel PRO-100B+ Management Adapters. That's
>the whole story. Total parts cost: Approximately $300, assuming that cisco is getting
>gouged -- And that's with both of the NICs it comes with.
What about all the engineering (development and test) hours that go into development?
Cost Of Goods Sold (or COGS) is only a portion of what goes into determining price.
There are no open source components in there. It's all developed by a team of
engineers at Cisco. The same holds true for other commercial products.
>But what do you pay for when you buy a PIX? The light, fast OS that runs on it (Well,
>as of 5.x anyway. PIX in 4.x and below was something of a dog, and dramatically
>buggy, INCLUDING the very highest revision of 4.x) and support, although you do have
>to pay more for the support. Also, cisco patches and works around various security
>issues, the PIX supports TACACS+ so if you have a bunch of other cisco gear, it makes
>authentication even easier, ssh for encrypted logins (though this is another example
>of lameness, you can't do 3DES without the 128 bit key, only DES with the free 56 bit
>key.) So there are some definite shortcomings to the PIXen, but they do buy you
>something like peace of mind. You don't have to personally be continually probing
>them and reading bugtraq (or similar) to ensure that your firewall appliance is
>reliable.
>
>OTOH, the OpenBSD folks (and many others) fix security holes MUCH faster than cisco.
Don't get me wrong. I think open source tools are great. I think OpenBSD is great.
I totally disagree that holes in OpenBSD environment get fixed faster. In the open
source environment you have many more developers, each with their own interpretation
and capabilities for executing test requirements. I would wager that a few can expend
the level of effort that goes into testing a commercial product (ours or any of the
other large commercial players). Commercial developers do much more to mitigate risk,
as we are able to better enforce development and test standards.
>So if you're willing to spend the time and do the homework, then perhaps you would
>actually be better-protected if you used OpenBSD and ipfilter than if you used a PIX.
>It would just be a whole lot more work and probably involve more downtime.
Not to mention the cost of finding and retaining the people needed to support such an
environment. We have the luxury of communicating with many smart people in this
forum. But you have to agree that there are not enough people available in the market
with the skills needed to implement and maintain the types of solutions you are
talking about.
Brian Ford