Firewall Wizards mailing list archives

Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)


From: Chris Blask <chris () blask org>
Date: Fri, 26 May 2006 11:04:20 -0400

At 05:08 AM 26/05/2006, you wrote:

Hi Chris. You are right, there are many vendors who are claiming to give an integrated security solution in one box, but 
at the same time they have a lot of bugs in them. Take Cisco: every new feature they introduce will have a train of 
bugs in it. Similarly with NetScreen 5.3 ios, it has a lot of bugs. The quality assurance of these products is not going 
through rigorous testing and compliance. But to be frank, Check Point and NetScreen are far better off than what Cisco 
security solutions can provide. What are your views about it? Would surely like to know. See ya 

Hey Sushil!

Generally, I'm not the guy to ask about the merits of product A version B.C versus product D vE.F - many of our 
colleagues on the list know most of that better than I.  That said, my thoughts:

o  Bugs are bugs, and everyone has them.  What's more important is the number of them, severity and time to fix.  Cisco 
IOS has a particular problem in that it is a huge codebase, which a zillion different engineering groups write code for 
and with multiple functional trains designed for diverse uses all feeding into the same product.  A lot of the problems 
apparent with that system could be fixed but are challenged by the fact that you have a gargantuan company still rife 
with "Wet Paint" signs.

 - I don't see Juniper et al inherently better in this area - they just haven't gotten large enough to have the same 
set of problems.  They are all trying as hard as possible to get there and suffer from those problems as soon as 
possible and will be happy to share them with you when they do.

 - PIX was a counter-example, where we had a relatively small and independent code base and one dedicated (ass-kicking) 
team of engineers.  We kept up a pace of improvements for a while there that was appropriately dynamic to fit the need 
of the market and evolve it to where it got boring (or at least where the Cisco machine made it so), and now you have 
ASA (aka: "how to kill viable branding for $100M or more").  Is that, on net, a bad thing?  Hard to say as far as ASA 
goes outside of quarter-to-quarter detailed product comparisons, but as I mention in other posts, the market is 
maturing and overall I think that is good.

o  My strong belief is that currently the nature of the individual components of an infosec solution is much less 
important than how you use them.  Good firewalls managed badly suck; "weak" firewalls managed diligently and used with 
the right collateral don't.

 - Despite my plethora of reasons to criticize Cisco (you have no idea...), I think they have a couple of particularly 
good bits and are emerging parts of a good management strategy (largely despite their own strenuous efforts to the 
contrary).  While security management matures (many years), vendors who can ship an entire network will tend to have an 
edge over those who can't.

 - NetScreen and CP are fine product lines in general terms (lots of savvy customers harassing experienced product eng 
teams over a long period of time).  A viable management structure should allow you to use whatever type of gadget you 
choose and coordinate it with every other one despite which vendor makes which part (which is generally true today 
across the infosec management space, though often still requiring a lot of effort).

Hope that adds some value for you somewhere, though it kinda feels like a rant... ;~)

-cheers!

-chris

A ship in port is safe, but that is not what ships are for. Sail out to sea and do new things.

 - Admiral Grace Hopper, Computer Pioneer 

Chris Blask
chris () blask org
http://blaskworks.blogspot.com 

+1 416 358 9885  

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards