Firewall Wizards mailing list archives
Re: Any reason not to use PIX ?
From: "S. Jonah Pressman" <jonah () istar ca>
Date: Wed, 08 Dec 1999 21:29:00 -0500
S. Da Costa:

PIX is my weapon of choice, but never let your firewall take the full brunt of the traffic. A security-in-depth model (especially in an NT shop) is the order of the day. Know your environment, know your developers, know their applications, and build a policy that halts most of the undesirable traffic at your border routers. Don't rest yet! Harden your bastion NT boxes (see Stefan Norberg's documentation @ http://people.hp.se/stnor). The PIX, properly configured, should guard you from the rest of the undesirable traffic.

Don't make the mistake of thinking that PIX is an IOS box; it isn't. Although with each release of the software it looks more and more like IOS, it is not IOS. They are simple to configure once you have laid out your architecture and understand the traffic flow. To make your experience a pleasant one, brush up on GLOBAL, STATIC, CONDUIT, and NAT in the PIX command set (docs and simple examples can be found on the Cisco site).

And finally, the key........ too often, people put up a firewall and don't follow the logs. Your logs are your friends. If you can consolidate your logging from your routers and firewall and review them regularly, you will get a better appreciation of potential vulnerabilities and necessary rule changes (at the routers, hosts, firewall, etc.).

Bottom line.... there is no reason why I wouldn't choose a PIX :-)

Securely Yours,
Jonah

Gledson Pompeu Correa Da Costa wrote:
Hi there, I'm a long-time reader of the list, and finally have a question to submit to all the gurus out there. The explanation is a bit long, but I hope it serves the purpose of presenting the case well.

The situation: We have a strictly NT-based network running intranet, internet and extranet (public services) out of IIS servers, and our Internet connection is currently protected by two FreeBSD machines - one for proxying general connections in and out of our internal net, and one for serving web pages out of our IIS servers through a reverse proxy.

The problem: Our general knowledge of Unix is low: in a support team of 10, 2 have a little experience and only 1 is somewhat knowledgeable in the platform (somewhat knowledgeable meaning installs the system and does the recommended tweaking mostly following scripts and how-to's). As you know, if you have only 1 person who knows a critical job, you're in trouble... Besides that, our training budget is low, so we must focus on technologies that support our core business (like NT and Oracle). So, we wish to establish a new firewall system that is not based on any variant of Unix. On the other hand, we are not comfortable placing a firewall running on NT due to the frequency with which it gets bashed by hacker groups to find new exploits.

The question (finally): Since Unix and NT are out, we are considering placing a Cisco PIX-515 at the core of our firewall, together with two Cisco choke routers to manage the inside and outside connections. The reasons for the choice are:

1 - It runs on a distinct platform from NT and Unix (IOS)
2 - In our team of 10, 9 are already trained in IOS (at various levels)
3 - We consider it to be a secure platform

So, is there any reason not to use PIX (like major holes or other problems with the product)? Are there better alternatives in the "black box" division?

Thanks in advance for all your answers.

Sincerely yours,
Gledson Pompeu
TCU / SEINF / SENET
Internet Service Manager

"Smart people talk about ideas; Common people talk about facts; Mediocre people talk about people"
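Jonah's closing advice is to consolidate router and firewall logs and review them for rule changes. The script below is an added illustration, not code from the thread: it normalizes constructed syslog lines modeled on IOS ACL logging (%SEC-6-IPACCESSLOGP) and PIX deny messages (%PIX-2-106001, %PIX-2-106006), counts denied services across both devices, and lists flows the PIX had to deny that the border router never stopped, which are the candidates for tightening the router ACL. Hostnames, addresses and message layouts in the sample are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic), modeled on IOS ACL logging
# and PIX deny messages; 'border-rtr' and 'pix' are assumed device names.
SAMPLE_LOGS = """\
Dec  8 21:01:03 border-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4021) -> 192.0.2.10(23), 1 packet
Dec  8 21:01:05 border-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4022) -> 192.0.2.10(23), 1 packet
Dec  8 21:01:09 pix %PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/4030 to 192.0.2.10/23 flags SYN
Dec  8 21:02:11 pix %PIX-2-106001: Inbound TCP connection denied from 198.51.100.4/51000 to 192.0.2.20/139 flags SYN
Dec  8 21:02:15 pix %PIX-2-106006: Deny inbound UDP from 198.51.100.4/137 to 192.0.2.20/137
Dec  8 21:03:40 border-rtr %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.9(33000) -> 192.0.2.10(80), 1 packet
"""

IOS_RE = re.compile(r"list \S+ (?P<action>denied|permitted) (?P<proto>\w+) "
                    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")
PIX_RE = re.compile(r"(?:Inbound (?P<p1>TCP|UDP) connection denied|Deny inbound (?P<p2>TCP|UDP)) "
                    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)")

def parse_line(line):
    """Normalize one router or firewall syslog line into a common event dict."""
    m = IOS_RE.search(line)
    if m:
        return {"device": "router", "action": "deny" if m["action"] == "denied" else "permit",
                "proto": m["proto"].lower(), "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    m = PIX_RE.search(line)
    if m:  # both PIX message forms are denies; protocol sits in whichever group matched
        return {"device": "firewall", "action": "deny", "proto": (m["p1"] or m["p2"]).lower(),
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    return None  # unrelated message types are ignored

def consolidate(text):
    """One event list for router and firewall logs together."""
    return [e for e in map(parse_line, text.splitlines()) if e]

def denied_services(events):
    """Deny counts per (dst, proto, dport): what is being probed on the public hosts."""
    return Counter((e["dst"], e["proto"], e["dport"]) for e in events if e["action"] == "deny")

def leaked_to_firewall(events):
    """Flows the firewall denied that the border router never denied:
    traffic that should have been halted at the border, i.e. router ACL gaps."""
    router_denied = {(e["src"], e["dst"], e["proto"], e["dport"])
                     for e in events if e["device"] == "router" and e["action"] == "deny"}
    return sorted({(e["src"], e["dst"], e["proto"], e["dport"])
                   for e in events if e["device"] == "firewall"} - router_denied)

if __name__ == "__main__":
    evs = consolidate(SAMPLE_LOGS)
    for (dst, proto, port), n in denied_services(evs).most_common():
        print(f"{n:3d} denies -> {dst} {proto}/{port}")
    for flow in leaked_to_firewall(evs):
        print("router ACL gap:", flow)
```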