On Thu, 24 May 2001, Brian Ford wrote:
> >You mean, the PIX's OS was designed from the scratch?
>
> Many, many moons ago the PIX OS was developed from the source of an
> embedded computer OS. For all intents and purposes it was pretty much from
> scratch as the embedded OS no longer exists except in the PIX OS.
"Phoenix" wasn't it?
[snip]
> >So why do you think there's a move towards IOS style access-lists in newer
> >versions of the PIX?
>
> Amazingly, because folks who regularly buy Cisco equipment including PIXen
> asked us to do this.
Because they probably don't want their people to have to learn two
different syntaxes.
>
> >Cisco would not act economically reasonable if they didn't harmonize
> >'classic IOS' and PIX OS.[any comments on this from somebody @ cisco ?]
>
> I don't know about harmonizing. I know I ask the developers to do it cause
> customers ask me for it all the time.
>
> Why do people on the list care what OS (or if an OS) is under the PIX? If
> you used the PIX, you'd know that if there were something underneath you
> don't have access to it?
Well, I can answer this one from my perspective:
1. If it's handling access-lists with a port of the same code that's in
IOS or IOS-FFS, then for defense-in-depth purposes, putting PIXen and
screening routers in a row wouldn't buy me as much protection as putting
Something-Else and screening routers in a row.
2. The box supports remote management, and that means it has a stack. If
it's a "known quantity" stack, then I can expect certain behaviour and
probably guess at where the bugs are going to live. If it's an unknown
quantity then I'd have to apply more diligence.
3. It's mildly interesting from a "compromised host, how much damage can
be done?" perspective.
4. It's intensely more interesting than answering "What's the best
firewall." ;)
Please note that these aren't necessarily PIX-specific questions: both
defense-in-depth and stack issues are pretty high on my list of things to
look at in *any* vendor's product. I don't run the same OS on my servers
as on even my packet filtering firewalls if I can help it, let alone my
application layer gateways. My last almost maximal implementation at one
point had 5 different architectures in the chain, and ended up with 4,
including screening routers, packet filters, and application layer
gateways. Nobody's bug, strange packet, or stack issue got end-to-end
through that system. Plus it was fun watching people try to remember how
to do the "I'm an administrator, and I need to get onto that edge device"
dance ;)
> > > My two cents.
> >
> >And mine...
>
> With mine we are up to $0.06.
I'll take it!
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."