RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Roberts, Larry

I don't mind in-band for internal router configuration, but since the FW is
the only line of defense between me and the rest of you guys :) I am very
very careful about how anyone can access it. Telnet is insecure, and I don't
like SSH ( personal preference ) so I am left with no options.
I also am concerned that I could lose in-band access to the devices ( a
switch fails, or loses power, or better yet the server guys unplug the wrong
cables) so I don't even bother accessing them that way anymore.

These are MY personal preferences and how I deal with some of the
limitations of the PIX ( did I say that ? ) as well as other security
concerns.

I'm afraid that this might become more of a personal preference attack
thread, in which I admittedly was finding myself getting involved.
I don't want to make enemies or have people lose respect for my opinion
just because I prefer brand A over brand B, and I didn't think anyone was all
that interested in where it was going.

I did however find some additional information that may balance the scales
performance-wise between the PIX and CP. I'm still researching, so some of my
concerns might become moot...

Thanks

Larry
 

-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 25, 2002 4:06 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: RE: PIX Firewall (6.2) General Questions RANT [7:47393]


Actually, I hope you don't take it offline.  I enjoy reading both sides of 
the argument and there is merit to both viewpoints.  In my personal 
opinion, each firewall has its place, depending on the target 
customer.  There are also some customers for which I'd recommend Netscreen 
or Sonicwall over either PIX or CP-NG.

Larry:  Out of curiosity, why don't you like in-band management?  It seems
that with proper configuration (SSH, etc.) it can be quite secure.

Craig

At 05:16 PM 6/25/2002 -0400, you wrote:
>1) Personal Opinion. The last breakdown I saw ( 5-6 months ago in 
>Network World I believe ) shows Cisco with 70% market share in mid-top 
>level space.
>  Type no logg cons or no logg mon. It will break out of the debug. No, your
>letters aren't typed next to each other, but the PIX doesn't care.
>I will give you that the DEBUG could use some work in that it is more
>difficult to filter out what you want and what you don't when you log to
>console or monitor.
>
>2) I completely agree. I don't believe in GUIs for Network devices.
>
>3) I use the pager command all the time. I set it to 5000 to dump the 
>whole config and then capture the output. I will delete half my config 
>to get to your scenario and try. I set it to 15 when I am looking at 
>debug.
>
>4) I use CiscoWorks 2K and can read the messages quite nicely. You 
>could also use Private-I.
>
>5) I will search for the article. I didn't bookmark it. I also said the 
>PIX hadn't been hacked, not IP hasn't been hacked. No one has hacked 
>Finesse. I am sorry for the confusion.
>
>6) Will either of those Active Active boxes push 1.7Gbps cleartext or 
>95Mbps 3DES traffic and 1/2Mil connections? I didn't say combined, I 
>said individually. I can run 2 PIXes and double my numbers as well. Can 
>you terminate a tunnel on both boxes and load balance traffic over both 
>of them from the same source? These are the latest performance briefs 
>that I could find. I have included them to show you what I did review. 
>I can send you the PDF of Cisco's performance to back up my statistics 
>for them if you would like. Perhaps you should do some research before 
>you question mine. 
>http://www.rainfinity.com/products/wp_performance_brief.pdf
>Remember we are talking hardware vs. software FWs so CP's results are 
>bound to be lower. Also to note for CP is that it is a MUCH cheaper 
>solution. That's a plus for it.
>
>7) I only manage PIXes OOB so that point is moot for me.
>
>8) I do it manually, every time I make a change. It helps limit the 
>number of copies of my config that are floating around.
>
>9) Really, I don't believe in in-band management, so I assume that CP-1 
>will dial-up and manage devices that way? I also don't have many 
>universal changes that I can push out to 30+ devices, so that ability 
>to manage that many from one place is moot for me as well.
>
>10) First see number 7; secondly its interfaces are all 127.0.0.1 so 
>you couldn't access it on a PC by default anyway. You also must 
>specify WHAT hosts can access it prior to it being accessed. It's turned 
>on, but no one is permitted.
>
>11) Yes it is. But so is the learning curve for HP-UX over Windows 2k, 
>but which would you rather have running your daily operations on ?
>
>This i

RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Craig Columbus

Actually, I hope you don't take it offline.  I enjoy reading both sides of 
the argument and there is merit to both viewpoints.  In my personal 
opinion, each firewall has its place, depending on the target 
customer.  There are also some customers for which I'd recommend Netscreen 
or Sonicwall over either PIX or CP-NG.

Larry:  Out of curiosity, why don't you like in-band management?  It seems
that with proper configuration (SSH, etc.) it can be quite secure.

Craig

At 05:16 PM 6/25/2002 -0400, you wrote:
>1) Personal Opinion. The last breakdown I saw ( 5-6 months ago in Network
>World I believe ) shows Cisco with 70% market share in mid-top level space.
>  Type no logg cons or no logg mon. It will break out of the debug. No, your
>letters aren't typed next to each other, but the PIX doesn't care.
>I will give you that the DEBUG could use some work in that it is more
>difficult to filter out what you want and what you don't when you log to
>console or monitor.
>
>2) I completely agree. I don't believe in GUIs for Network devices.
>
>3) I use the pager command all the time. I set it to 5000 to dump the whole
>config and then capture the output. I will delete half my config to get to
>your scenario and try. I set it to 15 when I am looking at debug.
>
>4) I use CiscoWorks 2K and can read the messages quite nicely. You could
>also use Private-I.
>
>5) I will search for the article. I didn't bookmark it. I also said the PIX
>hadn't been hacked, not IP hasn't been hacked. No one has hacked Finesse. I
>am sorry for the confusion.
>
>6) Will either of those Active Active boxes push 1.7Gbps cleartext or 95Mbps
>3DES traffic and 1/2Mil connections? I didn't say combined, I said
>individually. I can run 2 PIXes and double my numbers as well. Can you
>terminate a tunnel on both boxes and load balance traffic over both of them
>from the same source?
>These are the latest performance briefs that I could find. I have included
>them to show you what I did review. I can send you the PDF of Cisco's
>performance to back up my statistics for them if you would like. Perhaps you
>should do some research before you question mine.
>http://www.rainfinity.com/products/wp_performance_brief.pdf
>Remember we are talking hardware vs. software FWs so CP's results are bound
>to be lower.
>Also to note for CP is that it is a MUCH cheaper solution. That's a plus for
>it.
>
>7) I only manage PIXes OOB so that point is moot for me.
>
>8) I do it manually, every time I make a change. It helps limit the number of
>copies of my config that are floating around.
>
>9) Really, I don't believe in in-band management, so I assume that CP-1 will
>dial-up and manage devices that way? I also don't have many universal
>changes that I can push out to 30+ devices, so that ability to manage that
>many from one place is moot for me as well.
>
>10) First see number 7; secondly its interfaces are all 127.0.0.1 so you
>couldn't access it on a PC by default anyway. You also must specify WHAT
>hosts can access it prior to it being accessed. It's turned on, but no one is
>permitted.
>
>11) Yes it is. But so is the learning curve for HP-UX over Windows 2k, but
>which would you rather have running your daily operations on?
>
>This is becoming a pi$$ing match for Cisco vs. the world. I prefer PIXes,
>you prefer CPs. We can take this off-line as it doesn't belong on this list
>anymore if you wish.
>
>
>Thanks
>
>Larry
>
>
>-Original Message-
>From: david smith [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, June 25, 2002 2:42 PM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: RE: PIX Firewall (6.2) General Questions RANT [7:47393]
>
>
>I do not want to get into this discussion; however, having worked with both
>Pix and Checkpoint (Next Generation) for the past 12 months, here is my .02c
>worth:
>
>1) If you are a Managed Service Provider, CP running the Nokia Platform
>(aka IPSO) is a much better solution.  There are a lot of built-in
>utilities that can help with troubleshooting (e.g. tcpdump) when you need
>to verify that traffic is passing through the firewall.  Pix has
>something similar to tcpdump (in version 6.2(1)) but it is nowhere
>near the tcpdump utility.  Another thing: try to run the "debug" command
>on a "production" Pix when it is busy; there is no command to break
>out of the debug mode, except that you have to telnet or ssh to the
>pix and kill the other session.  That is really stupid.  At least
>with CP, you can "CONTROL^C" to break out of tcpdump.
>2) Pix Device Manager (PDM) is a piece of sh_t

RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Roberts, Larry

1) Personal Opinion. The last breakdown I saw ( 5-6 months ago in Network
World I believe ) shows Cisco with 70% market share in mid-top level space.
 Type no logg cons or no logg mon. It will break out of the debug. No, your
letters aren't typed next to each other, but the PIX doesn't care.
I will give you that the DEBUG could use some work in that it is more
difficult to filter out what you want and what you don't when you log to
console or monitor.

2) I completely agree. I don't believe in GUIs for Network devices.

3) I use the pager command all the time. I set it to 5000 to dump the whole
config and then capture the output. I will delete half my config to get to
your scenario and try. I set it to 15 when I am looking at debug.

4) I use CiscoWorks 2K and can read the messages quite nicely. You could
also use Private-I.

5) I will search for the article. I didn't bookmark it. I also said the PIX
hadn't been hacked, not IP hasn't been hacked. No one has hacked Finesse. I
am sorry for the confusion.

6) Will either of those Active Active boxes push 1.7Gbps cleartext or 95Mbps
3DES traffic and 1/2Mil connections? I didn't say combined, I said
individually. I can run 2 PIXes and double my numbers as well. Can you
terminate a tunnel on both boxes and load balance traffic over both of them
from the same source?
These are the latest performance briefs that I could find. I have included
them to show you what I did review. I can send you the PDF of Cisco's
performance to back up my statistics for them if you would like. Perhaps you
should do some research before you question mine.
http://www.rainfinity.com/products/wp_performance_brief.pdf
Remember we are talking hardware vs. software FWs so CP's results are bound
to be lower.
Also to note for CP is that it is a MUCH cheaper solution. That's a plus for
it.

7) I only manage PIXes OOB so that point is moot for me.

8) I do it manually, every time I make a change. It helps limit the number of
copies of my config that are floating around.

9) Really, I don't believe in in-band management, so I assume that CP-1 will
dial-up and manage devices that way? I also don't have many universal
changes that I can push out to 30+ devices, so that ability to manage that
many from one place is moot for me as well.

10) First see number 7; secondly its interfaces are all 127.0.0.1 so you
couldn't access it on a PC by default anyway. You also must specify WHAT
hosts can access it prior to it being accessed. It's turned on, but no one is
permitted.

11) Yes it is. But so is the learning curve for HP-UX over Windows 2k, but
which would you rather have running your daily operations on?

This is becoming a pi$$ing match for Cisco vs. the world. I prefer PIXes,
you prefer CPs. We can take this off-line as it doesn't belong on this list
anymore if you wish.


Thanks

Larry
 

-Original Message-
From: david smith [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 25, 2002 2:42 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: PIX Firewall (6.2) General Questions RANT [7:47393]


I do not want to get into this discussion; however, having worked with both
Pix and Checkpoint (Next Generation) for the past 12 months, here is my .02c
worth:

1) If you are a Managed Service Provider, CP running the Nokia Platform
   (aka IPSO) is a much better solution.  There are a lot of built-in
   utilities that can help with troubleshooting (e.g. tcpdump) when you need
   to verify that traffic is passing through the firewall.  Pix has
   something similar to tcpdump (in version 6.2(1)) but it is nowhere
   near the tcpdump utility.  Another thing: try to run the "debug" command
   on a "production" Pix when it is busy; there is no command to break
   out of the debug mode, except that you have to telnet or ssh to the
   pix and kill the other session.  That is really stupid.  At least
   with CP, you can "CONTROL^C" to break out of tcpdump.
2) Pix Device Manager (PDM) is a piece of sh_t.  I don't know if anyone
   has noticed but every time you try to open an SSL connection via PDM,
   the CPU on the pix just spikes.  Doing so might slow down other
   processes on the Pix.  Do you really want to do this on a production
   box?
3) If your pix configuration is about 2000 lines long and you try to
   "write term", you cannot do a "CONTROL^C" to break out of the
   write term mode.  Again, this is really stupid.  Who wants to play
   around with the "pager" command anyway?
4) CP logging is excellent.  You can see how traffic comes into and leaves
   the firewall.  Pix, on the other hand, does everything via syslog.
   Has anyone actually looked at that syslog?  The messages in the
   syslog are not "human" readable.
5) How did you come up with a statement that the Pix has never been
   "hacked"?  Where are your e

Re: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Chuck

"Roberts, Larry" wrote in message news:[EMAIL PROTECTED]...
> A FW should be a FW, and that's it. Why add a feature ( SMTP ) that may have
> a bug in it? The reason that a PIX has never been hacked is because they
> have avoided the do all/be all approach that throws too many variables into
> the mix.
>

CL: PIX does not allow telnet from the untrusted side, but it can be hacked
by anyone on the inside network, unless specific actions have been taken.
Anyone know if a Netscreen has ever been hacked? I'm asking because I forgot
my admin password, and I don't want to have to do a reset to factory and
lose my configured policies ;->



>
> Thanks
>
> Larry
>
>
> -Original Message-
> From: Richard Tufaro [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 25, 2002 12:32 PM
> To: [EMAIL PROTECTED]
> Subject: Re: RE: PIX Firewall (6.2) General Questions RANT [7:47393]
>
>
> ok good answers on some, but you tap around a few things..
>
> 1) why no comments? do competent administrators not need any comments to
> tell you what the rules are doing and where they are going (or not going?)
> 2) I don't get that part...change the name of the access-list...no, not an
> instant change, there is a second step of applying it to the interface. Let
> me see...4 step process to change a rule.
> 3) I understand the IOS access-lists (which 5.1? PIX just recently
> introduced). Still the administration is a pain. All I'm doing is making
> access-lists...big deal. What does PIX get you there? "ASA" and "stateful"
> inspection.
> 4) I meant command completion..just a little thing. Like when I'm typing: >
> object-group network. I want to be able to type obje. TAB and then the IOS
> complete the command. This is not being "competent" this is being
> efficient.
> 5) On what basis do you say that the 535 will blow Checkpoint out of the
> water? Because of speed? Dude little secret if you take Windows...and strip
> it to DOS...it's going to smoke. And please don't harp about doing things
> "properly". Because when you say "properly" you mean the Cisco way. Hate
> to tell you, but they take "standards" all the time and fit them to their
> devices.
>
> To sum it up on your last comment let me say this. A FIREWALL is only as
> good as its configuration. That being said, if I can mitigate the risk of
> making a configuration mistake by having a "user friendly" way of doing
> it, I don't see why that is so wrong. While I agree that a firewall should
> not be a ONE ALL BE ALL on the network, having SMTP proxies and such on
> your firewall sometimes makes sense for:
>
> outside address conservation (all MX records for example are routed back
> to one IP on the outside then relayed to internal hosts). Oh and PIX does
> do a cheeseball implementation of this (mailguard). Which has a tendency to
> suck as far as I have seen (can't do ESMTP?! what's with that?)
>
> I have worked on CyberGuards for a long time...they are SCO unix. You want
> to learn a little something about the backend of a firewall, get on the
> command line on one of those and go...powerful but tricky. I don't mean to
> come off crass because I'm not trying to..just some arguments to throw
> back..
>
> >>> "Roberts, Larry"  06/25 12:51 PM >>>
> 1) not that I am aware of
> 2) Change the access-list name and paste it to the firewall. Then just
> change the access-group statement to the new one. It's an instant change.
> 3) I think you're on crack. If you're using access-lists on all interfaces
> ( you are aren't you ??? ) then there is an implicit deny any any at the
> end. I find many people who put a permit ip any any for the inside
> access-list. While it makes administration much easier, it also is a BAD
> practice. Remember we want to explicitly approve ports, not explicitly
> deny. You would be surprised the small number of ports that really need to
> be open!
> 4) This is a security device. You should always type the full command. I
> don't want to take any chances of typing one thing and the PIX taking it
> as another. I realize that you should know exactly what command you're
> entering, but hey, not everyone is competent on the PIX so no chances.
> 5) Where did you get that info? The PIX 535 will absolutely blow any
> checkpoint device out of the water. Not to mention that checkpoint still
> hasn't figured out how to do IPSec tunnels *PROPERLY*. The PIX was only
> recently made to be a small lightweight FW with the 501. I don't know
> about you, but I want a firewall to do one thing and one thing only. I
> don't want a FW that is also a mail gatew

RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread david smith

I do not want to get into this discussion; however, having worked with
both Pix and Checkpoint (Next Generation) for the past 12 months, here
is my .02c worth:

1) If you are a Managed Service Provider, CP running the Nokia Platform
   (aka IPSO) is a much better solution.  There are a lot of built-in
   utilities that can help with troubleshooting (e.g. tcpdump) when you need
   to verify that traffic is passing through the firewall.  Pix has
   something similar to tcpdump (in version 6.2(1)) but it is nowhere
   near the tcpdump utility.  Another thing: try to run the "debug" command
   on a "production" Pix when it is busy; there is no command to break
   out of the debug mode, except that you have to telnet or ssh to the
   pix and kill the other session.  That is really stupid.  At least
   with CP, you can "CONTROL^C" to break out of tcpdump.
2) Pix Device Manager (PDM) is a piece of sh_t.  I don't know if anyone
   has noticed but every time you try to open an SSL connection via PDM,
   the CPU on the pix just spikes.  Doing so might slow down other
   processes on the Pix.  Do you really want to do this on a production
   box?
3) If your pix configuration is about 2000 lines long and you try to
   "write term", you cannot do a "CONTROL^C" to break out of the
   write term mode.  Again, this is really stupid.  Who wants to play
   around with the "pager" command anyway?
4) CP logging is excellent.  You can see how traffic comes into and leaves
   the firewall.  Pix, on the other hand, does everything via syslog.
   Has anyone actually looked at that syslog?  The messages in the
   syslog are not "human" readable.
5) How did you come up with a statement that the Pix has never been
   "hacked"?  Where is your evidence?  I remember not too long
   ago that Pix also suffered from SNMP and SSH vulnerabilities just
   like any Cisco device.
6) The pix is faster than CP because you are off-loading the logging
   (syslog) and authentication (TACACS or RADIUS) to external devices.
   I can make CP NG just as fast, if not faster, if I also off-load
   logging and authentication to external devices like Pix does.
   Furthermore, please don't make comments like that without
   research.  Did you know that CP Next Generation can run on SMP
   (multi-processor) machines and also can run in an Active/Active
   configuration?  I know for a fact that Pix can only do Active/
   Standby.  In that case, CP can beat Pix handily.
7) Pix only supports SSH version 1.  There are a lot of vulnerabilities
   in SSH version 1.  CP supports both Version 1 and 2.  However,
   version 1 is OFF by default.
8) It is very difficult to automatically back up Pix configuration using
   a script: since SSH in pix does NOT support key authentication,
   if one writes a script to back up hundreds of pix firewalls, the username
   and password have to be embedded into the script.  Not a good thing.
   On the other hand, CP supports key authentication (RSA and DSA).  Because
   of this, no password is needed.  Very simple and secure.
9) At the moment, there is NO solution for managing multiple Pix
   firewalls for Managed Service Providers.  Managing a few pix
   firewalls via CLI might work for a small shop; however, that is
   NOT a solution for an MSP.  With CP, you have Provider-1, which can
   manage hundreds, if not thousands, of firewalls.
10) If Pix is a secure platform, how come telnet is ON by default?  It
   doesn't matter if it is only open for connections on the inside?
11) The learning curve is much steeper for Pix than for CP.

Again, my .02c


>From: "Roberts, Larry" 
>Reply-To: "Roberts, Larry" 
>To: [EMAIL PROTECTED]
>Subject: RE: PIX Firewall (6.2) General Questions RANT [7:47393]
>Date: Tue, 25 Jun 2002 14:42:33 -0400
>
>1) I can look at every single ACL entry and tell you what it's doing. I don't
>use comments in a router either, but that's my preference...
>I understand your point, but I want my ACLs to be as short as possible.
>2) Here's how I do it, and I have a 200-300 line ACL. If I want to change it,
>I copy the existing ACL into notepad. I then change the case ACL->acl or
>vice versa. I make the changes to the new ACL that I created and copy that
>back to the firewall. There are then 2 ACLs on the firewall. The running
>ACL, and the one that I want to apply. I change the access-group command (
>there can only be 1 per interface so no need to remove the old one, just type
>in the new one ) and it's done. The PIX goes directly from 1 list to the
>other. It doesn't kill any existing sessions or even cause a hiccup.
>3) access-lists get you a more "IOS like" interface. You can still use
>conduits if you wish, but ACLs are the way of the future. 4) Understood. I
>guess they want you to type out the full command, but I'm just guessing.
>5) Raw throughput. Dude,
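The rule-change procedure Larry describes in the quoted text above (build the replacement list under a name that differs only in case, paste it, then repoint `access-group` so the cut-over is a single command, then remove the retired list) can be generated rather than hand-edited in notepad. The script below is an added example, not code from any of the posters or from Cisco. It assumes PIX 6.x syntax for `access-list NAME ...` and `access-group NAME in interface IF`, assumes `clear access-list NAME` removes the retired list, relies on the post's observation that the two differently-cased names coexist on the firewall, and works on a constructed running-config sample embedded inline.

```python
import re
from typing import List, Tuple

# Constructed sample of a PIX 6.x running config; not taken from a real device.
SAMPLE_CONFIG = """\
access-list acl_out permit tcp any host 192.0.2.10 eq www
access-list acl_out permit tcp any host 192.0.2.10 eq 443
access-list acl_out permit tcp any host 192.0.2.25 eq smtp
access-list acl_out deny ip any any
access-group acl_out in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def extract_acl(config: str, name: str) -> Tuple[List[str], str]:
    """Return the ACE bodies of access-list `name` and the interface it is bound to."""
    aces: List[str] = []
    interface = None
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m and m.group(1) == name:
            aces.append(m.group(2))
            continue
        g = GROUP_RE.match(line)
        if g and g.group(1) == name:
            interface = g.group(2)
    if interface is None:
        raise ValueError(f"access-list {name} is not applied with access-group")
    return aces, interface


def swap_name(name: str) -> str:
    """Flip the case of the list name (acl_out <-> ACL_OUT), as the post describes,
    so the old and new lists coexist on the box until the cut-over."""
    new = name.lower() if name.isupper() else name.upper()
    if new == name:  # e.g. an all-digit name has nothing to flip
        raise ValueError(f"{name} has no letters to flip; choose another scheme")
    return new


def build_swap(config: str, name: str, add: List[str], remove: List[str]) -> List[str]:
    """Emit the commands for a no-gap rule change: paste the new list under the
    swapped name, repoint access-group (the single cut-over step), then retire
    the old list."""
    aces, interface = extract_acl(config, name)
    missing = [r for r in remove if r not in aces]
    if missing:
        raise ValueError(f"not present in {name}: {missing}")
    kept = [a for a in aces if a not in remove]
    # Keep an explicit final deny last so added permits land above it.
    tail = [a for a in kept if a.startswith("deny ip any any")]
    body = [a for a in kept if a not in tail] + add + tail
    new_name = swap_name(name)
    cmds = [f"access-list {new_name} {ace}" for ace in body]
    # One access-group per interface: issuing the new binding replaces the old.
    cmds.append(f"access-group {new_name} in interface {interface}")
    # Clean-up of the retired list (assumed PIX 6.x form of the command).
    cmds.append(f"clear access-list {name}")
    return cmds


if __name__ == "__main__":
    for cmd in build_swap(
        SAMPLE_CONFIG,
        "acl_out",
        add=["permit tcp any host 192.0.2.10 eq 22"],
        remove=["permit tcp any host 192.0.2.25 eq smtp"],
    ):
        print(cmd)
```

The generated block is pasted as a unit; the `access-group` line is the only moment the firewall's policy changes, which is why the post reports no dropped sessions. Running the script twice flips the name back, so the scheme alternates between the two spellings on every change.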

RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Roberts, Larry

1) I can look at every single ACL entry and tell you what it's doing. I don't
use comments in a router either, but that's my preference...
I understand your point, but I want my ACLs to be as short as possible.
2) Here's how I do it, and I have a 200-300 line ACL. If I want to change it,
I copy the existing ACL into notepad. I then change the case ACL->acl or
vice versa. I make the changes to the new ACL that I created and copy that
back to the firewall. There are then 2 ACLs on the firewall. The running
ACL, and the one that I want to apply. I change the access-group command (
there can only be 1 per interface so no need to remove the old one, just type
in the new one ) and it's done. The PIX goes directly from 1 list to the
other. It doesn't kill any existing sessions or even cause a hiccup.
3) access-lists get you a more "IOS like" interface. You can still use
conduits if you wish, but ACLs are the way of the future. 4) Understood. I
guess they want you to type out the full command, but I'm just guessing.
5) Raw throughput. Dude, if you want raw speed, you wouldn't use a DOS based
system at all. When you talk about small lightweight, what did you mean
then? I want a FW to do encryption/decryption and raw packet throughput as
fast as possible. What does the GUI give you other than a pretty UI? Does it
make the FW more secure? Does it give it more features? It adds nothing and
slows it down. If you don't care about performance, then grab that old 486
and run Linux on it. It would be secure, and with the newest X Windows, would
give you a pretty interface to administer it. Performance would suck, but you
don't care about that.

5) Up until the latest version of Checkpoint, it would not allow you to do IP
NAT prior to tunnelling for the entire routable space (class A - C).

I would advise that you read up on the mail guard feature. It does NOT act
as an SMTP relay/proxy. It acts as an SMTP filter. It prevents non-RFC
commands (READ ESMTP) from passing through the FW. By blocking ESMTP
commands it's doing exactly what it should. That's not a tendency to suck,
that's a tendency to protect your networks from ESMTP attacks. I would
complain bitterly if I didn't have the ability to block ESMTP commands. Do
any others give you that ability? ( I don't know anymore )

A FW should be a FW, and that's it. Why add a feature ( SMTP ) that may have
a bug in it? The reason that a PIX has never been hacked is because they
have avoided the do all/be all approach that throws too many variables into
the mix.


Thanks

Larry
 

-Original Message-
From: Richard Tufaro [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 25, 2002 12:32 PM
To: [EMAIL PROTECTED]
Subject: Re: RE: PIX Firewall (6.2) General Questions RANT [7:47393]


ok good answers on some, but you tap around a few things..

1) why no comments? do competent administrators not need any comments to
tell you what the rules are doing and where they are going (or not going?)
2) I don't get that part...change the name of the access-list...no, not an
instant change, there is a second step of applying it to the interface. Let
me see...4 step process to change a rule.
3) I understand the IOS access-lists (which 5.1? PIX just recently
introduced). Still the administration is a pain. All I'm doing is making
access-lists...big deal. What does PIX get you there? "ASA" and "stateful"
inspection.
4) I meant command completion..just a little thing. Like when I'm typing: >
object-group network. I want to be able to type obje. TAB and then the IOS
complete the command. This is not being "competent" this is being efficient.
5) On what basis do you say that the 535 will blow Checkpoint out of the water?
Because of speed? Dude little secret if you take Windows...and strip it to
DOS...it's going to smoke. And please don't harp about doing things
"properly". Because when you say "properly" you mean the Cisco way. Hate to
tell you, but they take "standards" all the time and fit them to their
devices.

To sum it up on your last comment let me say this. A FIREWALL is only as
good as its configuration. That being said, if I can mitigate the risk of
making a configuration mistake by having a "user friendly" way of doing it,
I don't see why that is so wrong. While I agree that a firewall should not
be a ONE ALL BE ALL on the network, having SMTP proxies and such on your
firewall sometimes makes sense for:

outside address conservation (all MX records for example are routed back to
one IP on the outside then relayed to internal hosts). Oh and PIX does do a
cheeseball implementation of this (mailguard). Which has a tendency to suck as
far as I have seen (can't do ESMTP?! what's with that?)

I have worked on CyberGuards for a long time...they are SCO unix. You want
to learn a little something about the backend of a firewall, get on the
command line 
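Larry's point above is that Mailguard is a command filter rather than a relay: it lets the minimum RFC 821 command set through and blocks everything else, which is exactly why an ESMTP client sees its EHLO refused. The following is an added example that models that behaviour; it is not Cisco's implementation or code from any poster. It assumes the filter answers a blocked command with a `500 command unrecognized` reply (the reply Cisco documents for PIX Mailguard), passes DATA payload through untouched until the terminating `.` line, and runs over a constructed client session embedded inline.

```python
from typing import Dict, List, Tuple

# The seven commands of RFC 821's minimum implementation. Anything else
# (EHLO, STARTTLS, AUTH, VRFY, EXPN, ...) counts as a non-RFC-821 command.
RFC821_MINIMUM = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


class SmtpCommandFilter:
    """Sits between client and server: forwards allowed commands and answers
    the rest itself, so the inside mail server never sees them. Lines inside a
    DATA body are not commands and are passed through until the lone '.'."""

    def __init__(self) -> None:
        self.in_data = False
        self.forwarded: List[str] = []
        self.blocked: List[str] = []

    def handle(self, line: str) -> Tuple[str, str]:
        """Return (action, payload); action is 'forward' or 'reject'."""
        if self.in_data:
            if line == ".":
                self.in_data = False
            self.forwarded.append(line)
            return "forward", line
        verb = line.split(" ", 1)[0].upper()
        if verb in RFC821_MINIMUM:
            if verb == "DATA":
                self.in_data = True
            self.forwarded.append(line)
            return "forward", line
        self.blocked.append(verb)
        # Assumed reply text, matching what Cisco documents for Mailguard.
        return "reject", "500 command unrecognized"


# Constructed ESMTP client session: EHLO is refused, the client falls back to
# HELO, then tries AUTH (also blocked) before sending a plain message.
CLIENT_SESSION = [
    "EHLO mail.example.net",
    "HELO mail.example.net",
    "AUTH LOGIN",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "Subject: hello",
    "",
    "EHLO inside the body is just text, so it passes.",
    ".",
    "QUIT",
]


def run_session(lines: List[str]) -> Dict[str, object]:
    """Feed a client's lines through one filter and summarise what happened."""
    flt = SmtpCommandFilter()
    actions = [flt.handle(line)[0] for line in lines]
    return {
        "forwarded": flt.forwarded,
        "blocked": flt.blocked,
        "rejects": actions.count("reject"),
    }


if __name__ == "__main__":
    summary = run_session(CLIENT_SESSION)
    print("blocked:", summary["blocked"])
    print("forwarded to server:")
    for line in summary["forwarded"]:
        print("  ", line)
```

The DATA-state tracking is the part that matters for correctness: without it, a body line that happens to start with a verb would be judged as a command, and a body line starting with `EHLO` would be refused with a 500 mid-message.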

Re: RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Richard Tufaro

ok good answers on some, but you tap around a few things..

1) why no comments? do competent administrators not need any comments to
tell you what the rules are doing and where they are going (or not going?)
2) I don't get that part...change the name of the access-list...no, not an
instant change, there is a second step of applying it to the interface. Let
me see...4 step process to change a rule.
3) I understand the IOS access-lists (which 5.1? PIX just recently
introduced). Still the administration is a pain. All I'm doing is making
access-lists...big deal. What does PIX get you there? "ASA" and "stateful"
inspection.
4) I meant command completion..just a little thing. Like when I'm typing: >
object-group network. I want to be able to type obje. TAB and then the IOS
complete the command. This is not being "competent" this is being efficient.
5) On what basis do you say that the 535 will blow Checkpoint out of the water?
Because of speed? Dude little secret if you take Windows...and strip it to
DOS...it's going to smoke. And please don't harp about doing things
"properly". Because when you say "properly" you mean the Cisco way. Hate to
tell you, but they take "standards" all the time and fit them to their
devices.

To sum it up on your last comment let me say this. A FIREWALL is only as
good as its configuration. That being said, if I can mitigate the risk of
making a configuration mistake by having a "user friendly" way of doing it,
I don't see why that is so wrong. While I agree that a firewall should not
be a ONE ALL BE ALL on the network, having SMTP proxies and such on your
firewall sometimes makes sense for:

outside address conservation (all MX records for example are routed back to
one IP on the outside then relayed to internal hosts). Oh and PIX does do a
cheeseball implementation of this (mailguard). Which has a tendency to suck as
far as I have seen (can't do ESMTP?! what's with that?)

I have worked on CyberGuards for a long time...they are SCO unix. You want
to learn a little something about the backend of a firewall, get on the
command line on one of those and go...powerful but tricky. I don't mean to
come off crass because I'm not trying to..just some arguments to throw back..

>>> "Roberts, Larry"  06/25 12:51 PM >>>
1) not that I am aware of
2) Change the access-list name and paste it to the firewall. Then just
change the access-group statement to the new one. It's an instant change.
3) I think you're on crack. If you're using access-lists on all interfaces ( you
are aren't you ??? ) then there is an implicit deny any any at the end.
I find many people who put a permit ip any any for the inside access-list.
While it makes administration much easier, it also is a BAD practice.
Remember we want to explicitly approve ports, not explicitly deny. You would
be surprised the small number of ports that really need to be open!
4) This is a security device. You should always type the full command. I
don't want to take any chances of typing one thing and the PIX taking it as
another. I realize that you should know exactly what command you're entering,
but hey, not everyone is competent on the PIX so no chances.
5) Where did you get that info? The PIX 535 will absolutely blow any
checkpoint device out of the water. Not to mention that checkpoint still
hasn't figured out how to do IPSec tunnels *PROPERLY*. The PIX was only
recently made to be a small lightweight FW with the 501. I don't know about
you, but I want a firewall to do one thing and one thing only. I don't want
a FW that is also a mail gateway, DNS server and whatnot that so many
devices try to be now.

Many FWs are made to be user friendly, and cover the backend stuff that
really happens. The PIX didn't take that approach. They want someone to
understand what they are doing, and putting a pretty GUI on it will only
lead to people who shouldn't be administering it, administering it.
That is why I completely disagree with the PDM.

I'm not directing these comments at you in particular so please don't take
them that way. I'm only saying that we need to realize exactly what a FW
should do, and what it should not. We also need to realize exactly how a FW
works, not how the GUI works!

I agree it is a completely different interface, but if you are used to the
IOS interface, it will come quickly and you will never look back.

But, this is just my opinion!

Thanks

Larry
 

-Original Message-
From: Richard Tufaro [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 25, 2002 11:51 AM
To: [EMAIL PROTECTED] 
Subject: PIX Firewall (6.2) General Questions RANT [7:47393]


Hey all, just recently got my hands on 4 new PIX firewalls and I am having
some issues with them that perhaps may be shortcoming of the PIX or me, but
I wanted to throw them out there and see if anyone has any comments:

1. Is there a way in the PIX to !Comment your access-list or conduit lines
to tell what the rule is doing. Now don't get me wrong you can look at the
rule and its pretty straight f

RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Kent Hundley

Richard,

1) No comments are allowed right now.  Yes, it's a pain.

2) Try using PDM, it's a fairly nice GUI interface. For large environments try
CSPM.

3) The PIX's default stance is a holdover from the days when not a lot of
people were concerned about blocking outbound traffic.  Yes, it probably
should be changed and yes, a lot of security people don't like the "default
permit out" stance.

4) Yes, another pain, probably something that they will eventually include,
but I don't know specific details.

5) I don't think anyone would argue that the PIX lacks some of the "wiz
bang" features of other commercial firewalls.  The big selling points for
the PIX in the past have been speed and support.  The speed factor has been
taken out of the equation by new boxes from Nokia and others. (BSD kernel
running Firewall-1 at gigabit speeds)  The support factor is still a good
point, but it's clear to me that Cisco needs to step up their development
efforts on the PIX if they want to stay in the game.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Richard Tufaro
Sent: Tuesday, June 25, 2002 9:51 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall (6.2) General Questions RANT [7:47393]


Hey all, just recently got my hands on 4 new PIX firewalls and I am having
some issues with them that perhaps may be shortcomings of the PIX or me, but
I wanted to throw them out there and see if anyone has any comments:

1. Is there a way in the PIX to !Comment your access-list or conduit lines
to tell what the rule is doing. Now don't get me wrong, you can look at the
rule and it's pretty straightforward, but I would like to comment them much
like you can do in IOS. The only way that I have found to do this is by
taking every external or internal IP address that we have and are denying or
allowing and giving it a name. But this also has its shortcomings because of
the 16 character limit.

2. What is with the access-list rules and importing? I don't get it. Why do
they need to append instead of replace? I am going to assume that the
access-list is read from the top down (just like in IOS), so if I export
my config, change around the order, then try to paste, *does not take*. The
workaround I found for this nifty problem is exporting the access-list to
UltraEdit, putting a "no" statement in front of all of the statements,
clearing them, then making the change and importing them. How do people in a
large PIX environment with a multitude of rules, and a dynamic environment,
manage this? Or the PIXes for that matter, as an aside.

3. Tell me if I'm smoking crack here, but the default stance of the PIX is
bass-ackwards when it comes to internal hosts to the outside. I mean look, when I
put out the firewall and config my INBOUND lists, why do I want everyone in
the company to be able to NETBIOS across the firewall (outbound)?! I have
worked with one other firewall (CyberGuard) and their stance IMHO is the
best: DENY ALL, permit what I say to permit. It's a firewall, not a router
(in the security sense people, I know what it REALLY is, but relating to
Cisco).

4. Little things too... like why no command completion? I know that this is a
Cisco acquired device, but you would think that they would make it easy to
configure from the command line, especially with the push toward making it
more IOS-like. Is this going to be available in later versions? Anyone know?

5. I know the PIX was conceived as a small, lightweight, "streamlined" device
that is going to protect your network, but you should not do any WIZ
bang stuff with it... but then again Cisco markets to everyone and is
competing with the WIZ Bang firewall vendors like Checkpoint. I mean come on,
GROUPING was just added in 6.2!

If anyone can shed some light on these issues for me it would be much
appreciated. What I'm really looking for here is some guidance as to people
with large PIX deployments and how they manage day to day, and deploy new
ones. I know this is a long post, but coming from CyberGuard and going to
PIX there seem to be some major deficiencies as far as functionality and
manageability. Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47403&t=47393
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Roberts, Larry

1) not that I am aware of
2) Change the access-list name and paste it to the firewall. Then just
change the access-group statement to the new one. Its an instant change.
3) I think you're on crack. If you're using access-lists on all interfaces ( you
are, aren't you ??? ) then there is an implicit deny any any at the end.
I find many people who put a permit ip any any for the inside access-list.
While it makes administration much easier, it also is a BAD practice.
Remember we want to explicitly approve ports, not explicitly deny. You would
be surprised at the small number of ports that really need to be open!
4) This is a security device. You should always type the full command. I
don't want to take any chances of typing one thing and the PIX taking it as
another. I realize that you should know exactly what command you're entering,
but hey, not everyone is competent on the PIX, so no chances.
5) Where did you get that info? The PIX 535 will absolutely blow any
checkpoint device out of the water. Not to mention that checkpoint still
hasn't figured out how to do IPSec tunnels *PROPERLY*. The PIX was only
recently made to be a small lightweight FW with the 501. I don't know about
you, but I want a firewall to do one thing and one thing only. I don't want
a FW that is also a mail gateway, dns server and whatnot that so many
devices try to be now.

Many FW's are made to be user friendly, and cover the backend stuff that
really happens. The PIX didn't take that approach. They want someone to
understand what they are doing, and putting a pretty GUI on it will only
lead to people who shouldn't be administering it, administrating it.
That is why I completely disagree with the PDM. 

I'm not directing these comments at you in particular, so please don't take
them that way. I'm only saying that we need to realize exactly what a FW
should do, and what it should not. We also need to realize exactly how a FW
works, not how the GUI works!

I agree it is a completely different interface, but if you are used to the
IOS interface, it will come quickly and you will never look back.

But, this is just my opinion!

Thanks

Larry
 
