On Wed, 23 May 2001, Paul Gracy wrote:
> Contrary to popular opinion, the PIX OS is not "firewall stuff on top of
> IOS". It is an independent OS written specifically for the PIX and
> security. It is not based on BSD, IOS, NT or any other OS. (Obviously, it
> is based on some common OS principles and uses similar routines, etc., there
Never said it was - wasn't NTI's original OS called Phoenix? I chose the
term "proprietary system" carefully.
> are only so many ways to write an OS.) Anyone who doubts this hasn't used
> one. IOS commands don't work. PIX commands and IOS commands are often
> similar (often similar enough to cause grief and confusion ;-) ), but PIX OS
> and IOS with Firewall Feature set are NOT the same thing.
I understand that. However, Cisco would be stupid if they didn't listen to
customer demand and morph IOS commands into PIX (and they've never been
accused of being stupid) - that's why IOS-ish command syntax is
currently creeping into the PIX. It's not difficult to see it going
further and further.
Depending on what it's written in, it's certainly possible that the
underlying routines could be written by either group and shared, just like
it's possible to take BSD code and port it over to Solaris rather than
writing it from scratch.
Let's face it, at some point it probably will not make sense for Cisco
to staff two separate groups to write essentially the same code - and FFS
seems to me to be a subset of the PIX's capabilities. How far down that
path they are, and how far down that path they're going is interesting
from a product evaluation perspective. Especially for enterprise
environments where long-term architectural choices tend to stick for
better than six years.
Six years ago, PIX was a NAT device made by a small company with an
installed customer base of approximately 30 units. Obviously it's evolved
significantly since then, and just as obviously it'll evolve moving
forward.
To contrast and go back down the original path, FW-1 seems to be at the
end of an architectural evolution from a Win* perspective, and moving
perhaps further down into the kernel in the Linux/BSD space (Nokia
especially seems to have done well with that route.)
PIX seems to be morphing into IOS, and routers with and without FFS seem
to be morphing into a subset of PIX features. If there's not convergence,
it'll be a weird thing, because Cisco has a long history of moving
products from proprietary command interfaces into IOS. Command-by-command
the PIX team is going to have to bite that bullet unless there's a very
special reason not to. Look at the switch companies that Cisco acquired
for an idea of that process.
It's possible that the defense in depth argument could sway Cisco to not
put all its developers in one basket, but they'd have to explicitly try
not to do that over top of the bean counters' wishes to not staff
duplicate sets of people working on the same features. How many IOS
commands does it take to make porting the engine more cost-effective than
maintaining two separate implementations?
Paul
-----------------------------------------------------------------------------
Paul D. Robertson
[EMAIL PROTECTED]
"My statements in this message are personal opinions which may have no basis whatsoever in fact."