Firewall Wizards mailing list archives
Re: insecurity in internet connection thro cable modems
From: Dave Mitchell <dmitchell () viawest net>
Date: Sun, 16 Feb 2003 10:32:39 -0700
Brian, comments in-line.

> Yet another security policy that begins with "more than likely". What happens in the "likely" case when someone figures out where you are and wants to get at your stuff?

It all depends on the type of data you are worried about and what the company is willing to spend. It was just another option for the person who wrote the original thread.

> Gee Dave. Why would it be insane to use a PIX?

I'm just not a fan. I highly dislike the CLI (I love other CLIs), the logging is lacking, and I highly dislike the licensing for high level encryption algorithms. I just don't understand why it costs more to get 3des than des. Other vendors are happy to include des, 3des, aes, dh1,2,5,7, rc4 for free...

> To set up a PIX at home all you need is the PIX. You don't need a PC and the setup disk that NetScreen ships.

You don't need a PC or the setup disk to set up a Netscreen either. Create a config for home users that is in bridging mode, set up the correct policies, and slap it on via tftp or paste it in the CLI, and you are set to go.

> The 501 ships with a default "plug and play" configuration that for many installs (including folks sitting behind a cable modem) requires no modification to get up and running.

Bridging mode works the same way, but doesn't require any routing changes.

> The PIX also supports Cisco AUS (Auto Update Server) so that security policy, operating system image, and configuration updates can be securely downloaded to the PIX from a central site without end user intervention.

Netscreen Global Pro can also do this.

> You said "a small Netscreen is much easier than dealing with PIX". Have you really tried both products? Could it be that you just don't like PIX? Or that you just don't know about the PIX?

You are correct. I am not the fondest of PIX due to issues I've had with higher end models. The lack of great failover support (VRRP), bulkiness of IPSec configuration, lack of ASICs, higher cost, etc. I've used pretty much every firewall out there, so I think I can feel free to express my own opinions on a mailing list. I wouldn't reply about a subject if I hadn't used the product. IMO, the Netscreen is cheaper, can push more unencrypted and encrypted traffic, is much easier to interoperate IPSec, and has many more features than PIX in both the low end and higher end models.

-dave

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards