Re: Firewall Throughput

[Chris Calabrese <christopher_calabrese () merck com>]

> From everything I've heard, the PIX (and the NetRanger) are
based on a stripped down version of Solaris x86.  Therefore,
Cisco has definitely crossed the line in claiming that PIX is
not based on a Unix system.

Darren Reed wrote:

> In some email I received from Patrick Darden, sie wrote:
> > Darren,
> >
> > "Cisco push it along the lines of 'you don't want unix/windows on your
> > firewall because they're crashable'"
> >
> > I would like to know where they state that.  It would be pretty
> > hypocritical as the PIX has a Unix based OS (Plan 9).
>
> http://www.cisco.com/univercd/cc/td/doc/pcat/fw.htm
> Look for the words "Non-Unix" (strictly speaking, this *is* true even if
> it is Plan 9).
>
> They're different, they need a marketting angle, they drive it.
>
> > "You damn well don't want a router as a firewall"
> >
> > I don't know of many firewalls that aren't routers as well, that includes
> > the IP Filter you seem to like so much and even the BSD-based NOKIA
> > running Checkpoint FW1.  Application-layer proxy based firewalls usually
> > aren't routers, but otherwise...
>
> Router = thing which tftp's boot images, does BGP4, has no hard disk, etc.
> Or to put it more succinctly in this thread, a Cisco 1234 thing.
>
> You don't use unix boxes to do routing when you're serious about routing
> and likewise you shouldn't use routers to do firewalling when you're
> serious about firewalling.
>
> If I'm really serious about security then I *will* use/recommend a proxy
> firewall, even in addition to anything else which is there.  There are
> some things they offer which just can't be matched, in terms of security,
> by any packet-filtering based firewall.
>
> > "I *refuse* to believe that Linux is a reliable/secure platform"
> >
> > No offense, but I have Solaris, BSD, AIX, and Linux running here--and
> > all of them are stable and reliable.  I had one hard-used Linux server
> > running for almost 2 years before I recently took it down for some
> > upgrades.
>
> Do yourself a favour and stay ignorant of the development methodology
> that goes on "behind the scenes" with Linux.  What are they now,
> 2.4.pre34-test83, and still making major architectural changes inside it.
> That's *insane*.  Sure, Solaris is stable, but you can't strap it down
> as securely as you can BSD, plus you get source code for BSD.
>
> Darren
>
> _______________________________________________
> Firewall-wizards mailing list
> Firewall-wizards () nfr net
> http://www.nfr.net/mailman/listinfo/firewall-wizards

Attachment: christopher_calabrese.vcf
Description: Card for Chris Calabrese