Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)

[Chris Blask <chris () blask org>]

--- sushil menon <sebastan_bach () yahoo com> wrote:
> hi chris 

Hey Sushil!

> i am not saying that cisco is bad. basically due
> to their bugs i know that every vendor has a lot of bugs
> in them with trying to get new features into it.
> basically what i meant was if u see granularity and
> minute control over the traffic which is passing through
> the firewall. in this consideration i feel netscreen and
> checkpoint are far better than pix. 

Box to box I think you are right - CP and NS do lots of
useful stuff that a PIX doesn't.  I believe the Cisco
argument is that the ASA and ISR box-to-box do as much or
more, you'd have to ask them or do the research yourself to
see if that is true.

Where Cisco shines (other than selling more security gear
than most everyone else put together) is putting a whole
network together, and that's where I can't avoid seeing a
great argument from an infosec perspective.  Bill McGee
(bam@ - he's lurking out there somewhere) can fill your ear
with where they are going (and in some cases are) with
Application Security.  The direction resonates with my own
feelings about this kind of thing: (to paraphrase) "one
spot of application awareness on a network edge is not
enough".

All this "this box will save your network" stuff drives me
batty.  Solutions need to approach being holistic or I
don't see how average overall security is increased by them
(and I love you all, but it does nothing for me if you
secure your network and no-one else does).  If the solution
is a box on the network it better be providing insight into
what is going on in many spots (like MARS or Tenable, or
for that matter flat historicals like Loglogic) to get much
attention from me these days.

> i have worked a lot
> on pix and i see it's a davanced natting box and nothing
> else. whereas in netscreen there are pre-defined attacks
> and screen options to filter traffic looking at the bits
> set in tcp header. similarly applicatioon intelligence
> for protocls like mcirosoft rpc and all netscreen and
> checkpoint have suport to filter such or permit such
> traffic. which pix is not even aware of. i mean this
> level of minute control . 

I'm all in favor of minute control from inline devices -
that's the primary source of rich telemetry.  Where I am
uncertain is as to whether at this moment the features of
Netscreens boxes are better than Ciscos boxes (or
network-based solutions), and more importantly whether a
given random network benefits from using one or another
(which is always so much more about the situation in the
company, resources, logistics etc...).

What I'd like to say is that you will benefit from choosing
all the best-of-breed (or best for your situation) boxes
and uniting them under a common management structure.  But
since that's kinda what I do for a living these days, I
know that it's not always realistically that simple at this
moment in the market in any given situation.  I believe it
will get there and with a bit of effort can be done now,
but as recent comments in this thread indicate we're in a
particular phase in market maturity that still leaves a lot
of questions unanswered.

> see ya good to discuss with u .

Thanks for the parry, I needed my quarterly fw-wiz
rantspace... ;~)

-cheers!

-chris
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards