Firewall Wizards mailing list archives

Re: Any reason not to use PIX ?


From: "Bill Pennington" <bpennington () lucidnetworks com>
Date: Tue, 7 Dec 1999 22:30:41 -0800

I love the Pix firewall. It is very easy to set up and maintain, especially if
you already know IOS. They have some new GUI software for config and
monitoring that runs on NT. It is supposed to be pretty good, although I have
not used it. It takes about 10 minutes to set up, then you can just forget
about it. Just monitor the logs (get Webtrends for Firewalls and VPNs) and
you are done. One thing to note: the Pix works best if you use NAT. Non-NATed
configs can be a pain in the rear from my experience, but it could be that I
have only run into one of them and was kinda freaked :-)

On the other hand NT can be made pretty secure if you know what you are
doing so I would not dismiss it completely, just almost completely :-)

Hope that helps, let me know if you have any more questions.

Bill Pennington
Consultant
Lucid NetworX


----- Original Message -----
From: Gledson Pompeu Correa Da Costa <GledsonPC () TCU gov br>
To: <firewall-wizards () nfr net>
Sent: Tuesday, December 07, 1999 10:23 AM
Subject: Any reason not to use PIX ?


Hi there,

I'm a long-time reader of the list, and finally have a question to
submit to all gurus out there. The explanation is a bit long, but I hope it
serves well the purpose of presenting the case.

The situation:

We have a strictly NT-based network running intranet, internet and
extranet (public services) out of IIS servers, and our Internet connection
is currently protected by two FreeBSD machines: one for proxying general
connections in and out of our internal net, and one for serving web pages
out of our IIS servers through a reverse proxy.

The problem:

Our general knowledge of Unix is low: in a support team of 10, 2
have a little experience and only 1 is somewhat knowledgeable in the platform
(somewhat knowledgeable meaning installs the system and does the recommended
tweaking, mostly following scripts and how-tos). As you know, if you have
only 1 person who knows a critical job, you're in trouble... Besides that,
our training budget is low, so we must focus on technologies that support
our core business (like NT and Oracle).
So, we wish to establish a new firewall system that is not based on
any variant of Unix. On the other hand, we are not comfortable placing a
firewall running on NT due to the frequency with which it gets bashed by hacker
groups to find new exploits.

The question (finally):

Since Unix and NT are out, we are considering placing a Cisco
PIX-515 at the core of our firewall, together with two Cisco choke routers
to manage the inside and outside connections. The reasons for the choice
are:

1 - It runs on a distinct platform from NT and Unix (IOS)
2 - In our team of 10, 9 are already trained in IOS (at various levels)
3 - We consider it to be a secure platform

So, is there any reason not to use PIX (like major holes or other
problems with the product)? Are there better alternatives in the "black
box" division?

Thanks in advance for all your answers.

Sincerely yours,
Gledson Pompeu
TCU / SEINF / SENET
Internet Service Manager

"Smart people talk about ideas;
 Common people talk about facts;
 Mediocre people talk about people"
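
Editor's note, added to this archive page and not written by either poster: the point in the reply about NAT versus non-NAT is easiest to see in PIX syntax, so below is a minimal PIX 5.x-style configuration for the layout the question describes: PIX between an outside choke router and the inside NT network, with the reverse-proxy host published to the Internet. The PIX command line resembles IOS, but the box runs its own OS, and the nat/global/static/conduit commands below have no IOS equivalent. All addresses (RFC 5737 documentation ranges), interface names and the proxy host are assumptions for illustration, not TCU's real addressing.

```text
: Added illustration, not from either poster. Assumed addressing:
:   outside 203.0.113.0/29 (choke router 203.0.113.1), inside 10.1.1.0/24,
:   reverse proxy at 10.1.1.10 published as 203.0.113.4.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
: Default route points at the outside choke router.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
: NAT case (the one the reply says works best): every inside host goes out
: through one shared outside address (PAT), so the inside block never has to
: be routable from the Internet and the choke router only needs the /29.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.3
: Publishing the reverse proxy takes two lines: a fixed translation and an
: explicit permit. Traffic from a lower-security interface to a higher one
: is dropped unless a conduit (or, from 5.0, an access-list) allows it, so
: nothing else on the inside is reachable from outside.
static (inside,outside) 203.0.113.4 10.1.1.10 netmask 255.255.255.255
conduit permit tcp host 203.0.113.4 eq www any
: Non-NAT alternative, shown for contrast: "nat 0" passes the inside block
: through untranslated. That only works when the inside hosts already carry
: routable addresses AND the outside choke router has a route for that block
: via the PIX; a missing route there is the usual source of the "pain" the
: reply mentions, because return traffic never reaches the firewall.
: nat (inside) 0 198.51.100.0 255.255.255.0
```

Two practical checks when adapting this: after `write memory`, confirm with `show xlate` that inside hosts are actually being translated through 203.0.113.3 (in the nat-0 variant they must not appear there), and verify from an outside host that only port 80 on 203.0.113.4 answers, since the static alone does not open anything without the conduit.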
