I would be curious to know which UNIX if anyone knows. If I remember correctly Xenix was owned by Microsoft at one point in the 80's correct? I think where people get hung up is that anything thats asic-ased or has no hard drive that spins up they believe somehow does not contain an OS.
At 09:12 AM 4/17/2002 -0500, Noonan, Wesley wrote: >A sizable chuck of Cisco (don't know for sure on the PIX, but I know on >their routers) runs an OS behind the scenes that is called Xenix, XNS, ZNS, >or something along those lines (I really don't recall the actual name). IOS >runs on top of that (is my understanding, kind of like how Banyan ran on top >of Unix). My point was simply, if one is going to cast the "a firewall is >only as strong as the underlying OS" stone, they need to be prepared to cast >that stone at virtually every firewall out there. It is hardly a ISA >specific issue (heck, FW1 runs on MS doesn't it?). > >Wes Noonan >[EMAIL PROTECTED] >281-208-8993 > > > > -----Original Message----- > > From: Clifford Thurber [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, April 17, 2002 08:48 > > To: Noonan Wesley; 'Mikael Olsson' > > Cc: '[EMAIL PROTECTED]' > > Subject: RE: Microsoft ISA server (Was: Re: Replacing my old PIX Classic) > > > > What is the conection between Xenix and Cisco here: > > > > ...Xenix (or whatever it is called that runs > > Cisco under the covers), Windows, etc. In > > > > > > At 08:17 PM 4/16/2002 -0500, Noonan, Wesley wrote: > > > > -----Original Message----- > > > > From: Mikael Olsson [mailto:[EMAIL PROTECTED]] > > > > Sent: Tuesday, April 16, 2002 17:56 > > > > To: Noonan, Wesley > > > > Cc: '[EMAIL PROTECTED]' > > > > Subject: Re: Microsoft ISA server (Was: Re: Replacing my old PIX > > Classic) > > > > > > > > > > - It's a pretty decent caching server, reducing bandwidth needs. > > > > > - It integrates tightly with existing windows networks > > > > > - Tiered management that can be delegated at different levels to > > > > > different users/groups > > > > > > > > Yes. In a mail that has yet to reach the list (?!?), I listed these > > > > > >That has happened to me a few time of late... > > > > > > > On the second point: I'm not sure I want my firewall integrating > > > > that tightly with windows boxes driven by ordinary lusers. > > > > > >Let me clarify, by that I meant things like using user security and not > > >needing to maintain a separate database, etc. > > > > > > > > > > > > It scales something fierce, both up and out. I've read reports of > > > > > it scaling out to 32 nodes and over 1Gbps in bandwidth. > > > > > > > > I though you were listing "pro"s here? > > > > I know of several firewalls that give you that performance with > > > > a single box. And don't even get me started on the TCO for those > > > > 32 boxes. > > > > > >What kind of box? The numbers I saw were on PIII 700's with 512MB of RAM. > > >Point taken on the TCO (but then again, Solaris boxes don't always come > > >cheap in a server form either... and we won't even get into what I have > > read > > >about Checkpoint's incredible licensing fees... may be the only thing > > thing > > >worse than ISA's per proc licensing agreement...) > > > > > > > > It is generally easier to manage for shops that already have an > > > > investment > > > > > in MS technologies and skillsets. > > > > > > > > I disagree. Substitute "generally" with "sometimes", and I'll agree. > > > > > >OK, consider it substituted. > > > > > > > Any "OS-less" firewall will be easier to get to point A than a > > > > windows box, even for an experienced windows administrator. And > > > > > >I dunno, I have seen more than one place boot PIX for ISA because of > > >specifically that. Now frankly, that perplexes me because I find the PIX > > to > > >be infinitely easier to deal with than ISA (hell, I went and bought it > > even > > >though I have the license and the hardware for ISA). > > > > > > > if said firewall has a management software running under windows, > > > > the difference there is nil: in both cases, the admin needs to > > > > learn a new management interface. > > > > > >Fair enough. I can see that. > > > > > > > > Built in VPN capabilities. > > > > > Stateful packet inspection and application level proxying > > > > > Native support for multiple interfaces > > > > > > > > While these are good points, I hardly think it is much of a > > > > pro for ISA server, given the number of other firewalls that > > > > also have these features. > > > > > >No, not pro's as much as "these are thing things that 'real' firewalls > > are > > >supposed to do, and it does". When people make the flawed comparison to > > >Proxy, I think the illumination they provide is relevant. > > > > > > > > Going on third party info here (may be wrong), but as of today it > > has > > > > > experienced fewer vulnerabilities from the date it was shipped till > > now > > > > than > > > > > either the PIX or FW1, and no vulnerabilities have caused a security > > > > > compromise (when it fails, it fails closed). > > > > > > > > You forgot to count the OS vulnerabilities. > > > > > >Actually, again to my knowledge ISA's exploits haven't allowed that. If > > you > > >want to bring that point in though, it becomes true for *every* OS that > > is > > >out there, BSD, Linux, Solaris, Xenix (or whatever it is called that runs > > >Cisco under the covers), Windows, etc. In short, that point being > > >"universal", it isn't really fair to attach it strictly to an ISA > > scenario. > > > > > >Besides, a good admin can and will kill a whole lot of those services, > > >processes and bindings that are responsible for many of those > > >vulnerabilities. > > > > > > > > It is highly extensible with a slew of third party add-ons for > > > > > everything from access control to IDS to monitoring to hardening > > > > > to logging and reporting. > > > > > > > > Hrm, I'm very tempted to say something acid-dripping about > > > > the general security quality of even "top notch" windows- > > > > based software. Not to mention a slew of it. > > > > > >I could do the same thing about the wealth of un-usable Unix apps. > > > > > > > I think you would have a somewhat different opinion of this > > > > if you just knew how many windows drivers actually protect > > > > their driver interfaces. (About one TOTAL in a normal install.) > > > > > >You assume somehow that I don't know this? > > > > > > > Not to mention the (IMHO) insane complexity of even setting > > > > an ACL on a shared object. > > > > > > > > Even assuming that Microsoft got ISA server right, I'm not sure > > > > that I'd want to be installing all those gadgets that actually > > > > make it do what a firewall should do (i.e. log stuff the gets > > > > dropped somewhere useful). > > > > > >You lose base here. Install what gadgets that actually make it do what a > > >firewall should do? I feel like we are right back at where we started > > >here... > > > > > >Wes > > >_______________________________________________ > > >Firewalls mailing list > > >[EMAIL PROTECTED] > > >http://lists.gnac.net/mailman/listinfo/firewalls _______________________________________________ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
