Firewall Wizards mailing list archives

Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: sushil menon <sebastan_bach () yahoo com>
Date: Sat, 27 May 2006 05:26:59 -0700 (PDT)

Hi Chris, I am not saying that Cisco is bad, basically due to their bugs; I know that every vendor has a lot of bugs in 
them while trying to get new features in. Basically what I meant was, if you look at granularity and minute control over 
the traffic which is passing through the firewall, in this respect I feel NetScreen and Checkpoint are far better 
than PIX. I have worked a lot on PIX and I see it's an advanced NATting box and nothing else, whereas in NetScreen there 
are pre-defined attacks and screen options to filter traffic looking at the bits set in the TCP header. Similarly, for 
application intelligence for protocols like Microsoft RPC and all, NetScreen and Checkpoint have support to filter 
or permit such traffic, which PIX is not even aware of. I mean this level of minute control. See ya, good to discuss 
with you.



Chris Blask <chris () blask org> wrote:

At 05:08 AM 26/05/2006, you wrote:

Hi Chris. You are right, there are many vendors who are claiming to give an integrated security solution in one box, but 
at the same time they are having a lot of bugs in them. Say for Cisco: every new feature they introduce, they will 
have a train of bugs in them. Similarly with NetScreen 5.3 IOS, it has a lot of bugs. The quality assurance of these 
products is not going through rigorous testing and compliance. But to be frank enough, Checkpoint and NetScreen are far 
better off than what Cisco security solutions can provide. What are your views about it? Would surely like to know. See ya 

Hey Sushil!

Generally, I'm not the guy to ask about the merits of product A version B.C versus product D vE.F -  Many of our 
colleagues on the list know most of that better than I.  That said, my thoughts:

o  Bugs are bugs, and everyone has them.  What's more important is the number of them, severity and time to fix.  Cisco 
IOS has a particular problem in that it is a huge codebase, which a zillion different engineering groups write code for 
and with multiple functional trains designed for diverse uses all feeding into the same product.  A lot of the problems 
apparent with that system could be fixed but are challenged by the fact that you have a gargantuan company still rife 
with "Wet Paint" signs.

 - I don't see Juniper et al inherently better in this area - they just haven't gotten large enough to have the same 
set of problems.  They are all trying as hard as possible to get there and suffer from those problems as soon as 
possible and will be happy to share them with you when they do.

 - PIX was a counter-example, where we had a relatively small and independent code base and one dedicated (ass-kicking) 
team of engineers.  We kept up a pace of improvements for a while there that was appropriately dynamic to fit the need 
of the market and evolve it to where it got boring (or at least where the Cisco machine made it so), and now you have 
ASA (aka: "how to kill viable branding for $100M or more").  Is that at net a bad thing?  Hard to say as far as ASA 
goes outside of quarter-to-quarter detailed product comparisons, but as I mention in other posts, the market is 
maturing and overall I think that is good.

o  My strong belief is that currently the nature of the individual components of an infosec solution are much less 
important than how you use them.  Good firewalls managed badly suck, "weak" firewalls managed diligently and used with 
the right collateral don't.

 - Despite my plethora of reasons to criticize Cisco (you have no idea...), I think they have a couple of particularly 
good bits and are emerging parts of a good management strategy (largely despite their own strenuous efforts to the 
contrary).  While security management matures (many years), vendors who can ship an entire network will tend to have an 
edge over those who can't.

 - NetScreen and CP are fine product lines in general terms (lots of savvy customers harassing experienced product eng 
teams over a long period of time).  A viable management structure should allow you to use whatever type of gadget you 
choose and coordinate it with every other one despite which vendor makes which part (which is generally true today 
across the infosec management space, though often still requiring a lot of effort).

Hope that adds some value for you somewhere, though it kinda feels like a rant... ;~)



A ship in port is safe, but that is not what ships are for. Sail out to sea and do new things.

 - Admiral Grace Hopper, Computer Pioneer 

Chris Blask
chris () blask org

+1 416 358 9885  

