Firewall Wizards mailing list archives

Re: insecurity in internet connection thro cable modems


From: Dave Mitchell <dmitchell () viawest net>
Date: Sun, 16 Feb 2003 10:32:39 -0700

Brian, 

Comments in-line.

> Yet another security policy that begins with "more than likely".  What 
> happens in the "likely" case when someone figures out where you are and 
> wants to get at your stuff?

It all depends on the type of data you are worried about and what the 
company is willing to spend. It was just another option for the person who
wrote the original thread.

> Gee Dave.  Why would it be insane to use a PIX?

I'm just not a fan. I highly dislike the CLI (I love other CLIs), the logging
is lacking, and I highly dislike the licensing for high-level encryption algorithms.
I just don't understand why it costs more to get 3DES than DES. Other vendors
are happy to include DES, 3DES, AES, DH groups 1, 2, 5, 7, and RC4 for free...

> To set up a PIX at home all you need is the PIX.  You don't need a PC and 
> the setup disk that NetScreen ships.

You don't need a PC or the setup disk to set up a NetScreen either. Create a
config for home users that is in bridging mode, set up the correct policies,
and slap it on via TFTP or paste it into the CLI, and you are set to go. 

> The 501 ships with a default "plug and play" configuration that for many 
> installs (including folks sitting behind a cable modem) requires no 
> modification to get up and running.

Bridging mode works the same way, but doesn't require any routing changes.

> The PIX also supports Cisco AUS (Auto Update Server) so that security 
> policy, operating system image, and configuration updates can be securely 
> downloaded to the PIX from a central site without end user intervention.

NetScreen Global Pro can also do this.

> You said "a small Netscreen is much easier than dealing with PIX".  Have 
> you really tried both products?  Could it be that you just don't like 
> PIX?  Or that you just don't know about the PIX?

You are correct. I am not the fondest of PIX due to issues I've had with higher-end
models: the lack of great failover support (VRRP), the bulkiness of IPSec configuration,
the lack of ASICs, higher cost, etc. I've used pretty much every firewall out there, so I 
think I can feel free to express my own opinions on a mailing list. I wouldn't reply about
a subject if I hadn't used the product.

IMO, the NetScreen is cheaper, can push more unencrypted and encrypted traffic, is 
much easier to get IPSec interoperating on, and has many more features than PIX in both the low-end
and higher-end models.

-dave
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
