/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
I would say that for a sales guy he was probably very honest. If you believe
what he said, then he would be right, and if you knew he was wrong - well
let me try to explain it....
The Linux system comes in a "standard" distribution and if you just set up
the masquerade (which forms the firewall) then the system is vulnerable. The
CISCO unit has the advantage that it was already trimmed for this use. So if
you are not painfully aware of what you are doing, then the CISCO at least
offers a known level of security.
But on the other side I am not aware that the CISCO unit offers any
better protection than can be achieved using a Linux solution.
I myself am running such a setup, and my networks are attacked just about twice a
day on average. To this day only one penetration took place, which was
before I upped security to the level we have now.
To get to that level of security, you must read the HOWTOs on security. It
goes without saying that you need to only run the services absolutely
necessary and constantly monitor activities on the services you do offer.
You will have to routinely run password crackers to ensure that any users
allowed on the firewall (there should be none but just in case) are using
safe passwords. No anonymous FTP. Arguably no HTTP. You MUST use anti port
scanning software. This kind of software will greatly inhibit (not 100%)
hackers. Logs must be monitored.
Does that give you something to work on?
Sincerely,
Dr. Karsten Jeppesen
VP of Engineering
Total Impact
<[EMAIL PROTECTED]>
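An added example, not from the original post or the list: one way to act on the "anti port scanning" and "logs must be monitored" points above. It parses firewall log lines in the key=value format written by the Linux netfilter LOG target and flags any source that probes many distinct ports within a short window; the log lines, addresses, hostname and thresholds are constructed/assumed.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample lines in the key=value format the netfilter LOG target
# writes for a "log then drop" rule; hostname, addresses and ports are made up.
SAMPLE_LOG = """\
Jan 16 05:31:16 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=40001 DPT=21 SYN
Jan 16 05:31:16 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 16 05:31:17 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=40003 DPT=23 SYN
Jan 16 05:31:17 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=40004 DPT=25 SYN
Jan 16 05:31:18 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=40005 DPT=80 SYN
Jan 16 05:32:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.2 PROTO=TCP SPT=51000 DPT=25 SYN
Jan 16 06:00:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.11 DST=203.0.113.2 PROTO=TCP SPT=3000 DPT=21 SYN
Jan 16 06:03:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.11 DST=203.0.113.2 PROTO=TCP SPT=3001 DPT=22 SYN
Jan 16 06:06:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.11 DST=203.0.113.2 PROTO=TCP SPT=3002 DPT=23 SYN
Jan 16 06:09:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.11 DST=203.0.113.2 PROTO=TCP SPT=3003 DPT=25 SYN
Jan 16 06:12:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.11 DST=203.0.113.2 PROTO=TCP SPT=3004 DPT=80 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) "
                     r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

def parse(lines):
    """Yield (timestamp, src, (proto, dport)) for each matching line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # syslog stamps carry no year; strptime fills in 1900, fine for deltas
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["src"], (m["proto"], int(m["dpt"]))

def find_scanners(lines, min_ports=5, window_s=60):
    """Map source address -> sorted distinct ports for every source that hit at
    least min_ports distinct (proto, port) pairs inside some window_s-second span."""
    per_src = defaultdict(list)
    for ts, src, key in parse(lines):
        per_src[src].append((ts, key))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        window, seen = deque(), Counter()   # sliding window over this source's hits
        for ts, key in events:
            window.append((ts, key)); seen[key] += 1
            while (ts - window[0][0]).total_seconds() > window_s:  # evict old hits
                _, old = window.popleft(); seen[old] -= 1
                if not seen[old]: del seen[old]
            if len(seen) >= min_ports:
                flagged.setdefault(src, set()).update(p for _, p in seen)
    return {src: sorted(ports) for src, ports in flagged.items()}
```

With the 60-second default only the fast scanner is reported; the slow one at 198.51.100.11 spreads its probes three minutes apart and is only caught when the window is widened, which is the usual trade-off between catching slow scans and false positives from busy legitimate hosts.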
> From: Shawn Campbell <[EMAIL PROTECTED]>
> Date: Tue, 16 Jan 2001 05:31:16 -0800 (PST)
> To: [EMAIL PROTECTED]
> Subject: [Masq] cisco pix vs. linux firewall.
>
> I am a computer technician on staff at a small college in Ohio. We recently
> purchased some Cisco equipment 35xx & 400x switches and a support contract
> from a local company. The company's cisco/network guru was talking to us
> about the cisco pix firewalls and all of the benefits. He knew we were using
> linux and WinNT at the moment and told us the Cisco pix was superior and that
> Operating System based firewalls (WinNT and Linux) are actually vulnerable to
> certain types of attacks. Let me be more specific. He said that under
> certain conditions within the operating system (other tasks it is performing)
> the firewall rules will be "ignored" in favor of the other tasks and will
> let harmful packets get in. He said that certain checks get "skipped" under
> certain circumstances. He also said that the Cisco PIX was nearly
> undetectable and only surpassed by Firewall1 (another firewall product). He
> rattled off something about a testing service that cost $13000 and how it was
> verified by cisco and everything.
>
> Qmail/LDAP interoperability website notice:
> "Note: This is NOT point-and-click-and-then-it-works ware!
> You should have fairly good prior knowledge of qmail and LDAP."
> It means that "Bob the Janitor" cannot be your system administrator.
> Only someone who understands the technology can do so.
> Avoid the use of expensive, buggy, unreliable, no-brainer technology that will
> cost your employer $$$.
> Be a computer science major, not a janitor.
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.