> Johnston Mark wrote:
> 
> Hi all,
> 
> Need some help from persons who have knowledge about FW-1 and Cisco
> Pix.
> 
> We are looking to replace our FW as its currently limited to 3
> interfaces and we now have a requirement for 4. But before purchasing
> the unit there is just a little bit of information that I need to
> know, more on the alerting and logging capabilities of the 2 suggested
> firewalls.
> 
> From most of the whitepapers I have read (the honeypot project etc) I
> noticed that most use FW-1. I know that it can handle logging and
> custom alerts quite well, but can Cisco? I have had mixed vendor
> reports and sometimes I think that those guys will say anything to get
> a sale .... so let me rather ask persons who have 1st hand experience.

The differences between the PIX and FW1 when it comes to logging and
alerting fall along the lines that many other areas do--PIX relies on
external servers to do bells 'n' whistles things, while FW1 gives you
somewhat more self-contained, canned b&w's, as well as the option to
farm stuff out to external servers (anti-virus, active/content scanning,
etc...)

With the PIX logging, you get a syslog stream.  If you want alerting, or
some other bell or whistle, you script it on the syslog server.  There's
some open source tools like swatch and logsurfer that will munch log
files based on regular expressions and such, and of course you can write
your own perl code or whatever.  Syslog is UDP unless you buy Cisco's
syslog server or use Kiwi Enterprises' shareware, or roll your own, then
you can get TCP-based syslog.  Securing the logging stream may be an
issue.  The only way to encrypt it may be to have a vpn client on the
syslog server.  You can't tunnel thru ssh--PIX doesn't grok port
forwarding.  Cisco also hasn't gotten some very basic bugs out of their
log stream regarding reporting of port numbers on denied connections.
Until recently, they didn't give that info, and now it's either TCP or
UDP connections that still don't have that info (forget which, too lazy
to check at this hour).  Very lame and annoying.

With FW1, you can use the underlying O/S of the platform to run programs
that create alerts, or permit the sending of email (a canned action in
FW1).  Since FW1's alerts happen based on a ruleset match/no-match, I'd
say they have a speed advantage over syslogging and parsing via PIX and
a syslog server.  Don't know how significant that really is, though.
Logging stream is encrypted if you've got a vpn license, or is not sent
over the n/w if you're logging locally.  You can also ssh tunnel it if
you don't have vpn, as it's TCP-based.  FW1 provides some basic
hacker-response capabilities (see the CP docs for MAD).  I suppose you
could duplicate this w/PIX by parsing the syslog, and using Expect to
log into the PIX and tweak the policy, but that's non-trivial.

Michael
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
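The reply above describes building PIX alerting yourself by running regular expressions over the syslog stream (what swatch, logsurfer or a home-grown perl script would do). The following is an added example, not code from the thread or from Cisco, of that approach in Python: it parses deny messages out of a syslog feed, counts denies per source address, and raises an alert when a source crosses a threshold. The message layout follows the `%PIX-4-106023` "Deny ... src ... dst ..." form as I recall it and the log lines are constructed for the example, so treat the exact format as an assumption to be checked against your own device's output. One constructed line deliberately omits the port fields, to show how a parser should cope with the missing-port-number gap the reply complains about rather than silently dropping the event.

```python
import re
from collections import defaultdict

# Constructed sample PIX syslog lines for this example (not captured from a real
# device; the field layout approximates the %PIX-4-106023 deny message).
# Line 4 deliberately omits the port fields to exercise the "denied connection
# without port numbers" case the reply mentions; line 5 is a non-deny message
# the parser must skip.
SAMPLE_LOG = """\
Mar 10 02:14:01 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/4012 dst inside:10.0.0.5/22 by access-group "outside_in"
Mar 10 02:14:02 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/4013 dst inside:10.0.0.5/23 by access-group "outside_in"
Mar 10 02:14:03 pix %PIX-4-106023: Deny udp src outside:198.51.100.9/5555 dst inside:10.0.0.8/53 by access-group "outside_in"
Mar 10 02:14:04 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7 dst inside:10.0.0.5 by access-group "outside_in"
Mar 10 02:14:05 pix %PIX-6-302013: Built outbound TCP connection 1234 for outside:192.0.2.1/443 (192.0.2.1/443) to inside:10.0.0.5/51000 (10.0.0.5/51000)
Mar 10 02:14:06 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/4014 dst inside:10.0.0.5/25 by access-group "outside_in"
"""

# The "/port" suffix on src and dst is optional so a deny logged without port
# numbers still parses; the missing fields come back as None.
DENY_RE = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst \w+:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)


def parse_deny(line):
    """Return the fields of a deny message as a dict, or None for any other
    syslog line (connection built/teardown messages, etc.)."""
    m = DENY_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sev"] = int(fields["sev"])
    return fields


def scan(lines, threshold=3):
    """Walk a syslog stream and emit one alert per source address the first
    time its deny count reaches `threshold`.  Destination ports are collected
    so the alert says what was probed; a deny without a port is recorded as
    '?' rather than dropped, so the count stays honest."""
    denies = defaultdict(list)
    alerts = []
    for line in lines:
        ev = parse_deny(line)
        if ev is None:
            continue
        denies[ev["src"]].append(ev["dport"] or "?")
        if len(denies[ev["src"]]) == threshold:
            alerts.append({
                "src": ev["src"],
                "count": threshold,
                "dports": sorted(set(denies[ev["src"]])),
            })
    return alerts


if __name__ == "__main__":
    # Usage: pipe the syslog file in, or point scan() at the constructed sample.
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {a['count']} denies from {a['src']} "
              f"to ports {','.join(a['dports'])}")
```

Hooking this to a real syslog server is a matter of feeding `scan()` the lines as they arrive (tail the file, or read a TCP syslog socket if you have one of the TCP-capable servers the reply mentions). The threshold and the per-source grouping are the part swatch-style regex matching alone does not give you; the missing-port case is the one to test explicitly, because a regex that requires the port will quietly miss exactly the denies Cisco logs incompletely.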