Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: Chris Blask <chris () blask org>
Date: Sun, 25 Nov 2007 22:33:57 -0800 (PST)

Hi folks!

I'm about to launch into as much clarification of this as
seems possible, though I don't hold out infinite amounts of
hope that it will make anything clearer than it already is.
I've considered various caveats to place before all of
this but discarded them one by one with the painfully
learned knowledge that they are as likely to confuse things
even further.

o  PIX was an acquired product by Cisco, though it was PIX
(Private Internet Exchange, by Network Translation Inc
[NTI]) not BorderWare.  PIX was created by John Mayes as a
NAT gateway and originally based on Plan 9.

o  BorderWare was dreamt up by myself (with Clyde Stevens
and Paul Hunt at a Chinese restaurant in Toronto), around
the same time.

o  The two products to my knowledge were the first NAT
products on the market.  John Mayes and myself had an
interesting lunch of chili dogs at Internet World '94 where
we eyed each other and concluded that we weren't really
competing since PIX wasn't a firewall (which John summarily
rectified... ;~). 

o  BorderWare was purchased by Secure Computing for its
channel strategy (which I will also claim credit for,
slings and arrows invited), which Secure summarily screwed
up.

o  Cisco bought NTI in '96 as part of a paroxysm of buying
Internet product companies (they also bought the Centri
Windows NT firewall at the same time, leading to CSPM and
indirectly to MARS, which they bought again).

o  I ended up at Cisco in '98 as the Centri PM, killed it
almost immediately and took over PIX - which had its own
issues at the time culminating with word that it would be
killed as well.

o  Bill McGee had been the driving force behind the best
BorderWare VAR around, we had worked together in other
ventures between several of these events and become very
good friends, so I got him hired to help with the growing
PIX juggernaut.

o  After PIX got straightened out I ended up responsible
for IOS FW as well, the main upshot of which that sticks
with me is that I spent a lot of time responding to "how do
we position one *versus* the other?" with "some people want
dedicated firewalls, others like using routers, they are
usually different groups and ultimately security needs to
embed itself throughout the infrastructure so help them as
they are ready to accept help."

o  PIX and IOS command line similarity has long been a goal
to make things simpler for folks, though complete codebase
assimilation is a challenge both for the reasons stated
(hardware for starters) and other reasons.

o  Now, since it is simply the case that IOS and PIX began
life as different critters it is true what has been said
here about origins.

o  It is also true that many people and organizations have
promoted and/or enshrined in policy that there should be
multiple layers of firewall security wrapping the company
jewels, and that these layers should specifically come from
different code bases.  

o  The fact that Cisco has come about having a set of
firewall products that fortuitously match a set of
desires/needs of the market - whether that was initially
intentional or not - has not been lost on the company and
people like Bill and I who had hands in directing the
technical and marketing aspects of such things.  It is
therefore also quite defensibly true what Bill said: <sic>
"That is on purpose".


So, with all of this said, it is more a matter of semantics
than history that is at issue in this thread.  What was the
morphology of code and intent that has resulted in PIX and
IOS FW and Cisco's messaging/direction today?  If anyone
knows better than I please jump in, but in the end it
doesn't seem any more bizarre to me than any other story
(let's talk NAI, for example...).

Bill may be a marketing geek (which I have previously and
often noted is an art under-rated by engineering geeks),
but his words are not false.  My biases on topic can be
perhaps extrapolated from all the preceding but I won't
try to clarify those further (the cynical will read those
into my comments in the worst light, anyway).

-cheers!

-chris

PS - Paul R, my posts seem to again not be making the list,
so please forward this up there for me if you can't for
some reason let it go direct. Obviously it would seem
twisted for Bill to repost it since I am effectively
defending him, so Paul M, if you could be so kind, forward
it to the list for me if it doesn't otherwise make it.


--- Paul Melson <pmelson () gmail com> wrote:

On Nov 25, 2007 11:31 AM, Bill McGee (bam)
<bam () cisco com> wrote:
> Yes, PIX/ASA has a different OS than IOS. That's on
> purpose. Lots of folks have policies which require that
> their security is different from their infrastructure.

Are you sure it's not just that PIX was originally
BorderWare and that IOS runs (or ran) on m68k processors
while the PIX codebase is x86? Chris Blask subscribes to
this mailing list, you know.

> Of course, we also offer the IOS Firewall, which is
> another Enterprise-Class firewall with full
> routing functionality.  The biggest advantage with
> these solutions, based on thousands of
> interviews with customers, is how fully they integrate
> with the network.

Are you sure it's not the difference in hardware
platforms again? Combining IOS and PIX OS is too
complicated to be worth the effort.

That's OK.  I'm not trying to start a flame war, but I'm
a little offended that you didn't think anybody here would
know the real answers.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards