Firewall Wizards mailing list archives

Re: Dissecting the Cisco PIX


From: Paul Robertson <proberts () patriot net>
Date: Tue, 30 Jul 2002 16:02:09 -0400 (EDT)

On 30 Jul 2002, Art Mason wrote:

> this?  If so, why couldn't one just throw OpenBSD onto some flash media,
> drop a couple of Intel Pro100+ dual-port NICs in a 2U rackmount case,
> maybe offload some of the VPN stuff onto an ASIC-based encryption
> acceleration card, and save some big bucks, granted they know how to set
> up PF from the CLI?  This is just something I've been wondering about
> for a while, and was curious as to what others in the know had to say
> about it.  Thanks in advance.

The value in an off-the-shelf product is more in the support, reliability
and consistency than anything.  Certainly there are vendors who have done
something close to, if not exactly that.  For a one-off installation it
might even make sense in some companies, but other organizations are
concerned with being able to get support if their primary firewaller goes
away, if they have a hardware failure, or if their primary person can't
figure out what's wrong.  Reliability can be an issue, especially if you
have to deploy multiple units over time- it's difficult enough getting a
consistent motherboard/chipset combination for most companies these days
for things which aren't security critical.  Consistency of administration
is an issue if you expect to deploy things to different locations, or hire
staff who can easily make changes.  Documenting one-off firewalls is
difficult, if ever done.  Reporting can sometimes be an issue too.

By the time you get done with documentation, training, and support, 
there's generally not a big cost savings.  Throw in interoperability 
dependencies and it can (not will, but can) go south pretty darned 
quickly.  Spend a couple weeks debugging packet traces to figure out why a 
new browser version can't get through your firewall and it gets to be no 
fun pretty fast.

I've deployed a fair amount of Open Source firewalls over time, and I've
supported my deployments too- I've never wanted to support someone else's
deployments of them though- especially two years after installation.

With an appliance vendor, a replacement is often a phone call away, with a 
software vendor a replacement may take 3 or 4 calls.  Home-grown solutions 
are the same as software vendors for that more often than not (hot spares 
are of course a way to fix that problem.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards