RE: Firewall Hardware Recommendations

[jamesworld () intelligencia com]

Don't worry about the docs on the PDM.  It's very intuitive.

I've had 12,000+ hum through a PIX 515 without any issue.

As far as the routers, you can use SDM also now.  Do a search on SDM @ 
cisco.com

WG crashes.....

update a config with interface PAT and 2 of the same proxies for different 
subnets (HTTP or SMTP).
Change a VPN key.
Change/rename a PPTP users name
changed the outside IP and subnet while traffic from the inside was still 
trying to get out. (ISP change)

There have been a few others, but the details escape me at this hour.

I know some will say CP FW-1 and WG, but I seriously dislike the need to 
HAVE an entire separate management client install.  Nothing like needing to 
lock down the firewall b/c  a worm got into your network, only to have had 
the management station infected and be rendered useless.  Having to get a 
clean machine, software and SP installed and IP address reallocated tot he 
new machine since the FW only accepts managements from a few IP's.  Wasted 
time and a hassle.  And it's just great when a hotfix v1(alpha)  causes the 
management application to hang. :-)  Love the MS tech support calls for 
that one......  Oh that's not our problem, it the vendor of the 
applications problem...Oh no that's not our problem....it was working 
before the hotfix was applied.... Catch 22 v2.1  :-)

Nothing is a true wire speed firewall.  To expect that is crazy (not saying 
your comment or written intonation was).  There is always going to be some 
latency for inspecting packets and nat-ing.

At 15:33 12/29/2003, Shawn Jackson wrote:

>         Doc's *murmur* *spit* *bubble*, must read more material
> *shudder*. Personally I like Microsoft documentation to cure my insomnia
> but Cisco makes for good medicine also. I've never used the manager, so
> next time I setup a PIX I'll have to load it on up and give it a shot. I
> work with the Cisco routers CLI more then the PIX CLI, so when working
> in the S-IOS CLI I'm a bit slow, like a moron reading a FAQ.
>
>         You're absolutely right, the PIX isn't a wire speed firewall, if
> there even is a thing. But personally using a PIX 525 in a high traffic
> 1000+ node environment it didn't become a bottleneck.
>
>         I've never had a problem with the 'few' WatchGuard boxes I've
> worked with, what are the circumstances of their 'crash and burn'?
>
> Shawn Jackson
> Systems Administrator
> Horizon USA
> 1190 Trademark Dr #107
> Reno NV 89521
> www.horizonusa.com
>
> Email: sjackson () horizonusa com
> Phone: (775) 858-2338
>        (800) 325-1199 x338
>
> -----Original Message-----
> From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]
>
> Sent: Monday, December 29, 2003 1:11 PM
> To: Shawn Jackson
> Cc: jamesworld () intelligencia com; Keith Duemling;
> security-basics () securityfocus com
> Subject: RE: Firewall Hardware Recommendations
>
> Shawn,
>
> WatchGuard has you pay for VPN lic's.
>
> If you want to configure a VPN straight CLI and you are not proficient
> with
> it, yes it can be challenging (but that's what the doc's are for :-)
>
> Have you tried working with the PDM?  You can have a VPN connection
> (remote
> access or point-to-point end) set up in minutes QUITE easily.
>
> The netscreen box is not mature enough yet in my analysis.  (an yes I
> have
> talked with some ppl who were rather high up in the netscreen chain and
> it's echoed).
>
> Is it fast, yes of course it's asic based.  Is the PIX fast? of
> course.  Unless you are pushing Gigabit traffic with a tremendous load
> 80%+
> 100% of the time, the PIX is great.  And like you said, it's secure.
> Heck,
> the NSA gave version 4.4 thumbs up!  and we are at 6.3 currently and the
>
> boxes are plenty fast.
>
> BTW....WatchGuards have a NASTY habit of crashing and having to be
> reconfigured from scratch ( yes I am certified and have heard it even
> from
> their tech support)
>
> FWIW,
> -J
>
> At 12:03 12/29/2003, Shawn Jackson wrote:
>
> >         WatchGuard more secure then PIX? Probably a sales person from
> >another vendor gotta love them. I've protected banks with the PIX 515
> >and 525 series and their rock solid. Update your Secure-IOS and
> maintain
> >your ACL's and your golden. Unlike SonicWall (maybe even WatchGuard now
> >too) you don't have to pay for the VPN component. A SonicWall PRO 230 +
> >VPN Licensees + Client Licensees = More then a PIX 515. I've heard, but
> >never seen, that WatchGuard in the same licensing frenzy. Can't speak
> >for NetScreen, I've personally tried to stay away from them, they give
> >me the willies, but it's been a while since I looked at them last.
> >
> >         Same Q's as J. What Model? What S-IOS version? How Old, etc. I
> >admit, with head held in shame, that configuring the PIX can be a pain
> >in the arse, especially when you're working with the IPSEC end of a VPN
> >configuration and I've never setup PPTP on a PIX, but have done so on
> >many Cisco routers with little problems.
> >
> >         Honestly, whoever sold you that load a bull needs help, no
> >disrespect intended but in security facts rule the digital road and
> >misinformation is the hazard just around the next corner.
> >
> >I hope EVERYONE had a safe and uneventful Christmas + Boxing Day. Set
> >aside some time today to review your logs (that built up) in full
> before
> >saving them and clearing from the active log files.
> >
> >Shawn Jackson
> >Systems Administrator
> >Horizon USA
> >1190 Trademark Dr #107
> >Reno NV 89521
> >www.horizonusa.com
> >
> >Email: sjackson () horizonusa com
> >Phone: (775) 858-2338
> >        (800) 325-1199 x338
> >
> >-----Original Message-----
> >From: jamesworld () intelligencia com
> [mailto:jamesworld () intelligencia com]
> >
> >Sent: Sunday, December 28, 2003 10:34 PM
> >To: Keith Duemling
> >Cc: security-basics () securityfocus com
> >Subject: Re: Firewall Hardware Recommendations
> >
> >Keith,
> >
> >Curious,  What cisco firewall do you currently have and what version OS
> >is
> >on it?
> >
> >Who told you that a WatchGuard firewall is more secure than a Cisco
> >firewall?
> >
> >The PIX does what you are asking for.  If you have information to the
> >counter, please post.
> >
> >Cheers!
> >-J
> >
> >At 19:32 12/23/2003, Keith Duemling wrote:
> > >Just wanted to get some feedback from the list regarding some
> research
> >I'm
> > >currently working on.  We're replacing our existing Cisco firewall
> with
> >a
> > >dedicated firewall hardware/software solution to provider greater
> >security
> > >and VPN access.
> > >
> > >I've been looking at the Netscreen and various Watchguard products at
> >this
> > >time.  The current environment is as follows;
> > >
> > >- NAT environment
> > >- DMZ to host web accessible servers
> > >- 100 internal users
> > >- Extensive intranet site & visitation to several high profile B2B
> >sites.
> > >- Constant 10 user VPN community.
> > >- Redundant T1 connection managed by RADware Linkproof hardware
> >solution.
> > >
> > >Any recommendations would be greatly appreciated.  Thanks in advance.
> > >
> > >Keith Duemling
> > >MCP
> > >
> > >
> > >
> >
> >-----------------------------------------------------------------------
> >----
> >
> >-----------------------------------------------------------------------
> >-----
> >
> >
> >-----------------------------------------------------------------------
> -
> >---
> >-----------------------------------------------------------------------
> -
> >----
> >
> >
> >-----------------------------------------------------------------------
> ----
> >-----------------------------------------------------------------------
> -----


---------------------------------------------------------------------------
----------------------------------------------------------------------------