Firewall Wizards mailing list archives
RE: insecurity in internet connection thro cable modems
From: Scot Hartman <shartman () inflow com>
Date: Mon, 17 Feb 2003 13:37:06 -0700
I would suppose it would be a matter of what you are more comfortable with. They are both similar firewall types, but if you're partial to the PIX CLI then, well, you have your preference. If you like NS, can't blame you there either. We use both, each have their own strengths. If I was going to manage a single firewall or maybe a single point-to-point tunnel, I personally prefer the PIX because of my own comfort zone. Hit it via ssh, https, or use a console connection. I'm not as knowledgable with the NS CLI, so you tend to stay with what you know until changing really makes sense. The improvements in the recent firmware versions really augment the troubleshooting capability (tcpdump spelled 'capture') and I agree it is easier to generate keys. If I'm building a larger VPN infrastructure though, I'm going with the Netscreen and managing the whole mess with Global Pro. Adding and removing endpoints for a full-mesh or even a hub and spoke once you get beyond a few devices is made manageable. Some added niceties for polling to see if the tunnel is active is nice. I've also seen much better VPN throughput for the dollar on the NS-5 vs the PIX 501. Scot
-----Original Message----- From: Dave Mitchell [mailto:dmitchell () viawest net] Sent: Sunday, February 16, 2003 10:39 AM To: Noonan, Wesley Cc: 'Brian Ford'; firewall-wizards () honor icsalabs com Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems Wes, GlobalPro makes it easier to maintain a fleet of Netscreens. I'm confused as to why you feel their VPN support is lacking? I've been able to interoperate Netscreen IPSec with Cisco PIX, Cisco IOS, Checkpoint, Cisco VPN3k, FreeSWAN; just to name some. Support for preshared keys, x509 certs, ldap auth, and securid auth make me feel that Netscreen's IPSec has quite a few features, not to mention higher throughput due to their ASIC's. -dave On Sat, Feb 15, 2003 at 01:27:51PM -0600, Noonan, Wesley wrote: > Having used both, I strongly prefer a PIX. It is much easier to maintain a > bunch of PIXen than it is to maintain a bunch of netscreens. It's not that > the netscreens are bad, it is just that the TCO is too high to try to > maintain a "fleet" of them. In addition, I find their (netscreen) VPN > support to be... well... lacking. It is a very convoluted process, much like > the PIX was 2 years ago. > > HTH > > Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+ > Senior QA Rep. > BMC Software, Inc. > (713) 918-2412 > wnoonan () bmc com > http://www.bmc.com > > > > -----Original Message----- > > From: Brian Ford [mailto:brford () cisco com] > > Sent: Saturday, February 15, 2003 12:56 > > To: firewall-wizards () honor icsalabs com > > Cc: Dave Mitchell > > Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems > > > > Dave, > > > > >More than > > >likely, natting a home network behind a linksys soho router would be > > >sufficient. > > > > Yet another security policy that begins with "more than likely". What > > happens in the "likely" case when someone figures out where you are and > > wants to get at your stuff? > > > > >Putting in PIX 501's at someones home would be insane. If you have to > > >administer > > >it, a small Netscreen is much easier than dealing with PIX. > > > > Gee Dave. Why would it be insane to use a PIX? > > > > To set up a PIX at home all you need is the PIX. You don't need a PC and > > the setup disk that NetScreen ships. > > > > The 501 ships with a default "plug and play" configuration that for many > > installs (including folks sitting behind a cable modem) requires no > > modification to get up and running. > > > > The PIX also supports Cisco AUS (Auto Update Server) so that security > > policy, operating system image, and configuration updates can be securely > > downloaded to the PIX from a central site without end user intervention. > > > > You said "a small Netscreen is much easier than dealing with PIX". Have > > you really tried both products? Could it be that you just don't like > > PIX? Or that you just don't know about the PIX? > > > > Liberty for All, > > > > Brian > > > > At 12:00 PM 2/15/2003 -0500, firewall-wizards-request () honor icsalabs com > > wrote: > > >Message: 5 > > >Date: Fri, 14 Feb 2003 14:03:11 -0700 > > >From: Dave Mitchell <dmitchell () viawest net> > > >To: "Perrymon, Josh L." <PerrymonJ () bek com> > > >Cc: "'Chapman, Justin T'" <JtChapma () bhi-erc com>, > > > "'firewall-wizards () honor icsalabs com '" > > > <firewall-wizards () honor icsalabs com> > > >Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems > > > > > >For normal users I'd recommend some sort of appliance filter or firewall. > > >More than > > >likely, natting a home network behind a linksys soho router would be > > >sufficient. If you > > >want to do VPNing and what not, I think a Netscreen 5 would be the best > > >for the home > > >firewall. Putting in PIX 501's at someones home would be insane. If you > > >have to administer > > >it, a small Netscreen is much easier than dealing with PIX. > > > > > >-dave > > > > > >On Fri, Feb 14, 2003 at 10:42:16AM -0600, Perrymon, Josh L. wrote: > > > > Yeah... I ( Security Professional ) would implement IPChains or a PIX > > @ > > > > home... > > > > But don't you think Linux is completely out of the question for a > > regular > > > > end user????? > > > > > > > > I'm looking for an application based firewall for my VPN users.. > > > > So far ZONE ALARM is my choice.. I just wished I could integrate it > > with > > > > the PIX VPN client like the concentrator can. > > > > > > > > > > > > > > > > Any Ideas?? > > > > -JP > > > > > > > > -----Original Message----- > > > > From: Chapman, Justin T [mailto:JtChapma () bhi-erc com] > > > > Sent: Friday, February 07, 2003 11:29 AM > > > > To: 'firewall-wizards () honor icsalabs com ' > > > > Subject: RE: [fw-wiz] insecurity in internet connection thro cable > > > > modems > > > > > > > > > > > > > > > > > >ipchains is old ( for the previous Linux Kernel 2.2 ), iptables > > > > >http://www.iptables.org would be a better choice. > > > > > > > > Agreed. If it's an option at all, choose iptables over ipchains. > > It's > > > more > > > > flexable and it's a stateful packet filter, which makes for a > > "smarter" > > > > firewall. IPtables (and ipchains for that matter) can be a bit > > > intimidating > > > > to work with, especially if you're new to the syntax. If you're going > > to > > > > "rolll your own" firewall, I would suggest searching > > Google/Freshmeat.net > > > > for "iptables generator". There are plenty of scripts/web > > frontends/guis > > > > that make creating simple "consumer-grade" firewalls a snap. One that > > I > > > > particularly like is a cgi-based one at: > > > > > > > > http://morizot.net/firewall/gen/ > > > > > > > > Good luck! > > > > > > > > --justin > > > > > > > > > > Brian Ford > > Consulting Engineer > > Corporate Consulting Engineering, Office of the Chief Technology Officer > > Cisco Systems, Inc. > > http://www.cisco.com > > e-mail: brford () cisco com > > > > _______________________________________________ > > firewall-wizards mailing list > > firewall-wizards () honor icsalabs com > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards > _______________________________________________ > firewall-wizards mailing list > firewall-wizards () honor icsalabs com > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: insecurity in internet connection thro cable modems, (continued)
- RE: insecurity in internet connection thro cable modems Perrymon, Josh L. (Feb 14)
- Re: insecurity in internet connection thro cable modems Dave Mitchell (Feb 14)
- RE: insecurity in internet connection thro cable modems Noonan, Wesley (Feb 15)
- Re: insecurity in internet connection thro cable modems Dave Mitchell (Feb 16)
- Re: insecurity in internet connection thro cable modems stefmit (Feb 18)
- Re: insecurity in internet connection thro cable modems Dave Mitchell (Feb 16)
- RE: insecurity in internet connection thro cable modems Noonan, Wesley (Feb 16)
- Re: insecurity in internet connection thro cable modems Dave Mitchell (Feb 17)
- RE: insecurity in internet connection thro cable modems Bruce Platt (Feb 16)
- RE: insecurity in internet connection thro cable modems Noonan, Wesley (Feb 16)
- RE: insecurity in internet connection thro cable modems Bruce Platt (Feb 17)
- RE: insecurity in internet connection thro cable modems Scot Hartman (Feb 17)
- RE: insecurity in internet connection thro cable modems Perrymon, Josh L. (Feb 14)