Firewall Wizards mailing list archives

RE: Firewall Throughput


From: Ben Nagy <bnagy () sa volante com au>
Date: Tue, 12 Sep 2000 15:18:08 +0930

-----Original Message-----
From: Darren Reed [mailto:darrenr () reed wattle id au]
Sent: Monday, 11 September 2000 7:04 PM
To: darren.mackay () uq net au
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Firewall Throughput
> [snip]
> > Are you saying PIX is not secure? [snip]

> My problem with PIX is as follows. Cisco push it along the lines of "you don't want unix/windows on your firewall because they're crashable" but at the same time try to sell it as a "router firewall".

How "Cisco push" things is almost certainly a product of your local sales
force. I've never heard any Cisco people assert that the PIX is anything
more than a decent firewall that runs on a "secure, non-UNIX, OS" (which is
pure marketing drivel).

Any attempt to sell the PIX as a "router firewall" would be doomed to
failure, anyway, since the PIX makes a very, very poor router.

> You damn well don't want a router as a firewall either! You can make a "firewall" out of any Cisco thing which will support the CBAC feature set so why does it need to be a PIX in particular?

I don't trust IOS CBAC that much either. Do you have any evidence to suggest
that the IOS CBAC stuff is as extensive as that on the PIX though? Ditto
frag protection, etc etc... I always thought that the PIX was _quite_
different under the hood to the IOS.

> Where I'm now working, we use the CBAC feature set on the "outside" and IP Filter on the inside. There have been packets which CBAC has let through that IP Filter won't (NOTE: I didn't build this firewall :). That rings alarm bells, to me.

Be fair - CBAC on a router doesn't have much RAM to play with - nor a big
processor. They probably had to make compromises that you can safely skip
with ipfilter.

> IMHO, they're putting too much into the IOS.

Yes. I'd like to see a "stripped" train of IOS releases, too. Any Cisco
people listening?

> I also don't fancy the idea of the "firewall" booting up and one day wanting to tftp a boot image from whoever will answer...

This is specious mud-slinging. Neither PIXes nor IOS routers will tftp boot
images without being configured to do so. C'mon, Darren. Let's keep it real.
;)


> For me, if you have the time & money (that's a BIG if) as well as the backing and expertise, there's nothing better than a roll-your-own made from xBSD (I *refuse* to believe that Linux is a reliable/secure platform until they learn what the term "release engineering" means - and that goes all the way to the top of the Linux tree). You can strip them back, build completely static distributions, etc, and you can get 1U PC hardware now too.

I agree. A lot. Especially about the Linux bit. There are some things I'd
like to see in the free gear though - enterprise management according to a
security policy being one...

One problem though - how does a random security guy know for sure that they
have "enough expertise"? Or, to put it another way, how does a company
accurately assess the risk that they are taking by allowing a single
individual to roll-their-own border protection?
> Darren


--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

