Firewall Wizards mailing list archives

Re: Dissecting the Cisco PIX
From: Paul Robertson <proberts () patriot net>
Date: Tue, 30 Jul 2002 16:37:58 -0400 (EDT)

On Tue, 30 Jul 2002, Magosányi Árpád wrote:

Hi!

Hi,

[I'm going to argue the other side of the coin for once.]


What we are facing here is the result of a firm having very strong
marketing muscle.

No, what we're facing here is an industry segment which has commercial 
off-the-shelf (COTS) offerings.  All appliances are simply computers of 
some sort; the delta between a common PC and a particular appliance isn't 
all that interesting for anything other than potential performance issues 
not faced generally at the low end.
 
Cisco PIX is technically at the low end of packet filtering routers
(even Cisco's own "firewall feature set" for routers is more usable).

I think you're mistaken; PIX is differentiated from IOS FFS quite well by 
Cisco.  It's not my job to restate it though.

BUT: 
 -It is called Cisco. 

Which to some people says something about supportability.

 -It is called firewall (which it isn't).

Yes it is.  It blocks all the attacks that all firewalls of that class are 
capable of blocking, and it certainly passes our firewall evaluation criteria.

 -It is heavily advertised.

Vendors who don't advertise don't stay in business, not sure why this is a 
detriment in a commercial product?

 -It has several papers with stamps which basically say that
 this stuff cannot do anything serious, and does this nothing with
 a below-moderate level of assurance. If you read them you will see,
 but not many people read them, and even an average middle level manager
 would not understand a word of it. They are happy having
 these papers, and that's all.

Versus a solution which has zero assurance, this can be a perceived 
advantage.  However, if you don't like a particular evaluation criterion, 
you're welcome to write your own and test to it; it's significantly more 
difficult/expensive than most people realize.

Well, lots of people do what you said. You can find tens of 
products on the market of this type. There are also a lot of boxen which
are built this way.
The majority of these boxen are actually running Linux, and a lot 
of them run real firewall software like fwtk, t.rex or Zorp.

Other than the obvious ALG vs. filter stuff, what exactly do you see as 
the value of say something running fwtk vs. say a PIX (for anyone other 
than Rick?)  Out of those values, how many of them equate to actual 
attacks in the real world?  How many of those attacks are common?  How 
many aren't easily blocked at the client?

According to a market analysis, there are more such boxes running
as firewalls, especially in the small business area than "big commercial"
firewalls (at least in this part of the world).

Can you provide sources for such market analysis?  It's been my experience 
that there are far more companies with no firewall than there are with 
firewalls, and on the small business end, if they have one these days, 
it's either their router[2], or a low-end appliance.

It is true that a lot of them have been designed with no real security
policy in mind, and built by people who are not very good at network 

That's most of the point, isn't it?  Heck, a lot of *vendors* mess up when 
it comes to implementation; if assurance is a sore point (and it seems 
like it is), how do you gain any level of assurance with one-off 
solutions?

perimeter security. But also there are some which were built by the top
gurus of this craft along solid ideas, and with magnitudes stronger
tools than you can find among the market leader "firewalls" (most of which
are not even firewalls.)

There's an ALG vs. filter argument; however, even most ALG vendors don't 
take significant advantage of their advantages, and I've yet to see one 
that does anything sane with, say, SSL[1].  So, let's say I let my users do 
HTTP and HTTPS, E-mail through a gateway and that's it; how much 
significant exposure is going to be lost with a PIX versus FWTK in a 
common company?

Paul
[1] I've heard of two, but never seen either one.
[2] For values of "firewall" that equate to the common perception, or what 
the ISP sold them on.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards