Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: Chris Blask <chris () blask org>
Date: Sun, 25 Nov 2007 22:33:57 -0800 (PST)
Hi folks! I'm about to launch into as much clarification of this as seems possible, though I don't hold out infinite amounts of hope that it will make anything clearer than it already is. I've considered various caveats to place before all of this but discarded them one by one with the painfully learned knowledge that they are as likely to confuse things even further.

o PIX was an acquired product by Cisco, though it was PIX (Private Internet Exchange, by Network Translation Inc [NTI]) not BorderWare. PIX was created by John Mayes as a NAT gateway and originally based on Plan 9.

o BorderWare was dreamt up by myself (with Clyde Stevens and Paul Hunt at a Chinese restaurant in Toronto), around the same time.

o The two products to my knowledge were the first NAT products on the market. John Mayes and myself had an interesting lunch of chili dogs at Internet World '94 where we eyed each other and concluded that we weren't really competing since PIX wasn't a firewall (which John summarily rectified... ;~).

o BorderWare was purchased by Secure Computing for its channel strategy (which I will also claim credit for, slings and arrows invited), which Secure summarily screwed up.

o Cisco bought NTI in '96 as part of a paroxysm of buying Internet product companies (they also bought the Centri Windows NT firewall at the same time, leading to CSPM and indirectly to MARS, which they bought again).

o I ended up at Cisco in '98 as the Centri PM, killed it almost immediately and took over PIX - which had its own issues at the time culminating with word that it would be killed as well.

o Bill McGee had been the driving force behind the best BorderWare VAR around, we had worked together in other ventures between several of these events and become very good friends, so I got him hired to help with the growing PIX juggernaut.

o After PIX got straightened out I ended up responsible for IOS FW as well, the main upshot of which that sticks with me is that I spent a lot of time responding to "how do we position one *versus* the other?" with "some people want dedicated firewalls, others like using routers, they are usually different groups and ultimately security needs to embed itself throughout the infrastructure so help them as they are ready to accept help."

o PIX and IOS command line similarity has long been a goal to make things simpler for folks, though complete codebase assimilation is a challenge both for the reasons stated (hardware for starters) and other reasons.

o Now, since it is simply the case that IOS and PIX began life as different critters it is true what has been said here about origins.

o It is also true that many people and organizations have promoted and/or enshrined in policy that there should be multiple layers of firewall security wrapping the company jewels, and that these layers should specifically come from different code bases.

o The fact that Cisco has come about having a set of firewall products that fortuitously match a set of desires/needs of the market - whether that was initially intentional or not - has not been lost on the company and people like Bill and me who had hands in directing the technical and marketing aspects of such things. It is therefore also quite defensibly true what Bill said: <sic> "That is on purpose".

So, with all of this said, it is more a matter of semantics than history that is at issue in this thread. What was the morphology of code and intent that has resulted in PIX and IOS FW and Cisco's messaging/direction today? If anyone knows better than I please jump in, but in the end it doesn't seem any more bizarre to me than any other story (let's talk NAI, for example...). Bill may be a marketing geek (which I have previously and often noted is an art under-rated by engineering geeks), but his words are not false.

My biases on topic can perhaps be extrapolated from all the preceding but I won't try to clarify those further (the cynical will read those into my comments in the worst light, anyway).

-cheers!

-chris

PS - Paul R, my posts seem to again not be making the list, so please forward this up there for me if you can't for some reason let it go direct. Obviously it would seem twisted for Bill to repost it since I am effectively defending him, so Paul M, if you could be so kind, forward it to the list for me if it doesn't otherwise make it.

--- Paul Melson <pmelson () gmail com> wrote:
> On Nov 25, 2007 11:31 AM, Bill McGee (bam) <bam () cisco com> wrote:
>
> > Yes, PIX/ASA has a different OS than IOS. That's on purpose. Lots of folks have policies which require that their security is different from their infrastructure.
>
> Are you sure it's not just that PIX was originally BorderWare and that IOS runs (or ran) on m68k processors while the PIX codebase is x86? Chris Blask subscribes to this mailing list, you know.
>
> > Of course, we also offer the IOS Firewall, which is another Enterprise-Class firewall with full routing functionality. The biggest advantage with these solutions, based on thousands of interviews with customers, is how fully they integrate with the network.
>
> Are you sure it's not the difference in hardware platforms again? Combining IOS and PIX OS is too complicated to be worth the effort.
>
> That's OK. I'm not trying to start a flame war, but I'm a little offended that you didn't think anybody here would know the real answers.