Firewall Wizards mailing list archives

RE: insecurity in internet connection thro cable modems


From: Scot Hartman <shartman () inflow com>
Date: Mon, 17 Feb 2003 13:37:06 -0700


I would suppose it would be a matter of what you are more comfortable with.

They are both similar firewall types, but if you're partial to the PIX CLI
then, well, you have your preference.  If you like NS, can't blame you there
either.  We use both; each has its own strengths.

If I were going to manage a single firewall or maybe a single point-to-point
tunnel, I personally prefer the PIX because of my own comfort zone.  Hit
it via ssh, https, or use a console connection.  I'm not as knowledgeable
with the NS CLI, so you tend to stay with what you know until changing
really makes sense.  The improvements in the recent firmware versions
really augment the troubleshooting capability (tcpdump spelled 'capture')
and I agree it is easier to generate keys.

If I'm building a larger VPN infrastructure though, I'm going with the
Netscreen and managing the whole mess with Global Pro.  Adding and removing
endpoints for a full-mesh or even a hub-and-spoke once you get beyond a few
devices is made manageable.  Some added niceties for polling to see if the
tunnel is active are nice.  I've also seen much better VPN throughput for
the dollar on the NS-5 vs the PIX 501.


Scot




  -----Original Message-----
  From: Dave Mitchell [mailto:dmitchell () viawest net]
  Sent: Sunday, February 16, 2003 10:39 AM
  To: Noonan, Wesley
  Cc: 'Brian Ford'; firewall-wizards () honor icsalabs com
  Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
  
  
  Wes,
    GlobalPro makes it easier to maintain a fleet of Netscreens. I'm confused
  as to why you feel their VPN support is lacking. I've been able to
  interoperate Netscreen IPSec with Cisco PIX, Cisco IOS, Checkpoint,
  Cisco VPN3k, FreeSWAN; just to name some. Support for preshared keys, x509
  certs, ldap auth, and securid auth make me feel that Netscreen's IPSec has
  quite a few features, not to mention higher throughput due to their ASICs.
  
  -dave
  
  
  On Sat, Feb 15, 2003 at 01:27:51PM -0600, Noonan, Wesley wrote:
  > Having used both, I strongly prefer a PIX. It is much easier to maintain a
  > bunch of PIXen than it is to maintain a bunch of netscreens. It's not that
  > the netscreens are bad, it is just that the TCO is too high to try to
  > maintain a "fleet" of them. In addition, I find their (netscreen) VPN
  > support to be... well... lacking. It is a very convoluted process, much like
  > the PIX was 2 years ago.
  > 
  > HTH
  > 
  > Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
  > Senior QA Rep.
  > BMC Software, Inc.
  > (713) 918-2412
  > wnoonan () bmc com
  > http://www.bmc.com
  > 
  > 
  > > -----Original Message-----
  > > From: Brian Ford [mailto:brford () cisco com]
  > > Sent: Saturday, February 15, 2003 12:56
  > > To: firewall-wizards () honor icsalabs com
  > > Cc: Dave Mitchell
  > > Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
  > > 
  > > Dave,
  > > 
  > > >More than
  > > >likely, natting a home network behind a linksys soho router would be
  > > >sufficient.
  > > 
  > > Yet another security policy that begins with "more than likely".  What
  > > happens in the "likely" case when someone figures out where you are and
  > > wants to get at your stuff?
  > > 
  > > >Putting in PIX 501's at someone's home would be insane. If you have to
  > > >administer
  > > >it, a small Netscreen is much easier than dealing with PIX.
  > > 
  > > Gee Dave.  Why would it be insane to use a PIX?
  > > 
  > > To set up a PIX at home all you need is the PIX.  You don't need a PC and
  > > the setup disk that NetScreen ships.
  > > 
  > > The 501 ships with a default "plug and play" configuration that for many
  > > installs (including folks sitting behind a cable modem) requires no
  > > modification to get up and running.
  > > 
  > > The PIX also supports Cisco AUS (Auto Update Server) so that security
  > > policy, operating system image, and configuration updates can be securely
  > > downloaded to the PIX from a central site without end user intervention.
  > > 
  > > You said "a small Netscreen is much easier than dealing with PIX".  Have
  > > you really tried both products?  Could it be that you just don't like
  > > PIX?  Or that you just don't know about the PIX?
  > > 
  > > Liberty for All,
  > > 
  > > Brian
  > > 
  > > At 12:00 PM 2/15/2003 -0500, firewall-wizards-request () honor icsalabs com
  > > wrote:
  > > >Message: 5
  > > >Date: Fri, 14 Feb 2003 14:03:11 -0700
  > > >From: Dave Mitchell <dmitchell () viawest net>
  > > >To: "Perrymon, Josh L." <PerrymonJ () bek com>
  > > >Cc: "'Chapman, Justin T'" <JtChapma () bhi-erc com>,
  > > >         "'firewall-wizards () honor icsalabs com '"
  > > > <firewall-wizards () honor icsalabs com>
  > > >Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
  > > >
  > > >For normal users I'd recommend some sort of appliance filter or firewall.
  > > >More than likely, natting a home network behind a linksys soho router
  > > >would be sufficient. If you want to do VPNing and what not, I think a
  > > >Netscreen 5 would be the best for the home firewall. Putting in PIX 501's
  > > >at someone's home would be insane. If you have to administer it, a small
  > > >Netscreen is much easier than dealing with PIX.
  > > >
  > > >-dave
  > > >
  > > >On Fri, Feb 14, 2003 at 10:42:16AM -0600, Perrymon, Josh L. wrote:
  > > > > Yeah...  I ( Security Professional ) would implement IPChains or a PIX
  > > > > @ home...
  > > > > But don't you think Linux is completely out of the question for a
  > > > > regular end user?????
  > > > >
  > > > > I'm looking for an application based firewall for my VPN users..
  > > > > So far ZONE ALARM is my choice..  I just wish I could integrate it
  > > > > with the PIX VPN client like the concentrator can.
  > > > >
  > > > >
  > > > >
  > > > > Any Ideas??
  > > > > -JP
  > > > >
  > > > > -----Original Message-----
  > > > > From: Chapman, Justin T [mailto:JtChapma () bhi-erc com]
  > > > > Sent: Friday, February 07, 2003 11:29 AM
  > > > > To: 'firewall-wizards () honor icsalabs com '
  > > > > Subject: RE: [fw-wiz] insecurity in internet connection thro cable
  > > > > modems
  > > > >
  > > > >
  > > > > >
  > > > > >ipchains is old ( for the previous Linux Kernel 2.2 ), iptables
  > > > > >http://www.iptables.org would be a better choice.
  > > > >
  > > > > Agreed.  If it's an option at all, choose iptables over ipchains.  It's
  > > > > more flexible and it's a stateful packet filter, which makes for a
  > > > > "smarter" firewall.  IPtables (and ipchains for that matter) can be a
  > > > > bit intimidating to work with, especially if you're new to the syntax.
  > > > > If you're going to "roll your own" firewall, I would suggest searching
  > > > > Google/Freshmeat.net for "iptables generator".  There are plenty of
  > > > > scripts/web frontends/guis that make creating simple "consumer-grade"
  > > > > firewalls a snap.  One that I particularly like is a cgi-based one at:
  > > > >
  > > > > http://morizot.net/firewall/gen/
  > > > >
  > > > > Good luck!
  > > > >
  > > > > --justin
  > > > >
  > > 
  > > 
  > > Brian Ford
  > > Consulting Engineer
  > > Corporate Consulting Engineering, Office of the Chief Technology Officer
  > > Cisco Systems, Inc.
  > > http://www.cisco.com
  > > e-mail: brford () cisco com
  > > 
  > > _______________________________________________
  > > firewall-wizards mailing list
  > > firewall-wizards () honor icsalabs com
  > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
  
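Two technical points recur in the quoted thread: Dave's suggestion that NATting a home network behind a SOHO router is usually enough, and Justin's point that iptables is a stateful packet filter and that "iptables generator" scripts make a consumer-grade ruleset easy to produce. The script below is an added example of such a generator, written for this archive page and not taken from the thread, the morizot.net generator, or any of the products discussed. It prints (rather than applies) a minimal stateful, default-deny, masquerading ruleset for a LAN behind a cable modem; the interface names `eth0`/`eth1` and the `192.168.1.0/24` prefix are assumptions, and the `-m state` match is the classic iptables syntax of that era (current kernels also accept `-m conntrack --ctstate`).

```shell
#!/bin/sh
# Added example, not code from the thread: emit a stateful iptables ruleset
# for a home LAN behind a cable modem, in the spirit of the "iptables generator"
# scripts mentioned above. Interface names and the LAN prefix are assumptions.
#
#   gen_rules WAN_IF LAN_IF LAN_NET   -> prints the iptables commands to stdout
#
# Nothing is applied by running this file; review the output first, then pipe
# it to sh as root on the firewall host once it matches your interfaces.
gen_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
# flush and default-deny: anything not explicitly allowed below is dropped
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# loopback, and management of the firewall itself only from the LAN side
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $lan -s $net -j ACCEPT

# anti-spoof: a packet claiming a LAN source must never arrive on the cable side
# (placed before the stateful accept so a spoofed reply cannot slip through)
iptables -A INPUT -i $wan -s $net -j DROP
iptables -A FORWARD -i $wan -s $net -j DROP

# stateful core: only replies to connections the inside opened come back in;
# this is what ipchains could not do and why the thread prefers iptables
iptables -A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT

# inside -> outside is allowed, then hidden behind the dynamic cable-modem address
iptables -A FORWARD -i $lan -o $wan -s $net -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE

# log what the INPUT default policy will drop, rate-limited so the log cannot be flooded
iptables -A INPUT -i $wan -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
EOF
}

# rule_count prints how many iptables commands gen_rules emits (a sanity check
# that the generator produced the whole ruleset, not a truncated one)
rule_count() {
    gen_rules "$@" | grep -c '^iptables '
}

# usage: gen_rules eth0 eth1 192.168.1.0/24
```

The ordering is the part a generator has to get right: the anti-spoof drops sit ahead of the `ESTABLISHED,RELATED` accept, and the logging rule sits last so it only sees traffic that every earlier rule declined. The `MASQUERADE` target, rather than `SNAT`, is what fits a cable modem whose public address is assigned by DHCP and may change.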

