Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: Chris Blask <chris () blask org>
Date: Fri, 26 May 2006 11:04:20 -0400
At 05:08 AM 26/05/2006, you wrote:
Hi Chris. You are right, there are many vendors who are claiming to give an integrated security solution in one box, but at the same time they are having a lot of bugs in them. Say for Cisco: every new feature they introduce, they will have a train of bugs in them. Similarly with NetScreen 5.3 IOS, it has a lot of bugs. The quality assurance of these products is not going through rigorous testing and compliance. But to be frank, Check Point and NetScreen are far better off than what Cisco security solutions can provide. What are your views about it? Would surely like to know. See ya.
Generally, I'm not the guy to ask about the merits of product A version B.C versus product D vE.F - many of our colleagues on the list know most of that better than I. That said, my thoughts:
o Bugs are bugs, and everyone has them. What's more important is the number of them, severity and time to fix. Cisco IOS has a particular problem in that it is a huge codebase, which a zillion different engineering groups write code for, and with multiple functional trains designed for diverse uses all feeding into the same product. A lot of the problems apparent with that system could be fixed but are challenged by the fact that you have a gargantuan company still rife with "Wet Paint" signs.
- I don't see Juniper et al. inherently better in this area - they just haven't gotten large enough to have the same set of problems. They are all trying as hard as possible to get there and suffer from those problems as soon as possible, and will be happy to share them with you when they do.
- PIX was a counter-example, where we had a relatively small and independent code base and one dedicated (ass-kicking) team of engineers. We kept up a pace of improvements for a while there that was appropriately dynamic to fit the need of the market and evolve it to where it got boring (or at least where the Cisco machine made it so), and now you have ASA (aka: "how to kill viable branding for $100M or more"). Is that at net a bad thing? Hard to say as far as ASA goes outside of quarter-to-quarter detailed product comparisons, but as I mention in other posts, the market is maturing and overall I think that is good.
o My strong belief is that currently the nature of the individual components of an infosec solution is much less important than how you use them. Good firewalls managed badly suck; "weak" firewalls managed diligently and used with the right collateral don't.
- Despite my plethora of reasons to criticize Cisco (you have no idea...), I think they have a couple of particularly good bits and are emerging parts of a good management strategy (largely despite their own strenuous efforts to the contrary). While security management matures (many years), vendors who can ship an entire network will tend to have an edge over those who can't.
- NetScreen and CP are fine product lines in general terms (lots of savvy customers harassing experienced product eng teams over a long period of time). A viable management structure should allow you to use whatever type of gadget you choose and coordinate it with every other one despite which vendor makes which part (which is generally true today across the infosec management space, though often still requiring a lot of effort).
Hope that adds some value for you somewhere, though it kinda feels like a rant... ;~)
A ship in port is safe, but that is not what ships are for. Sail out to sea and do new things.
- Admiral Grace Hopper, Computer Pioneer
chris () blask org
+1 416 358 9885
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com