Security Basics mailing list archives
RE: Firewall Hardware Recommendations
From: jamesworld () intelligencia com
Date: Mon, 29 Dec 2003 19:26:50 -0600
Don't worry about the docs on the PDM. It's very intuitive. I've had 12,000+ hum through a PIX 515 without any issue. As far as the routers, you can use SDM also now. Do a search on SDM @ cisco.com.

WG crashes..... update a config with interface PAT and 2 of the same proxies for different subnets (HTTP or SMTP). Change a VPN key. Change/rename a PPTP user's name. Changed the outside IP and subnet while traffic from the inside was still trying to get out (ISP change).

There have been a few others, but the details escape me at this hour. I know some will say CP FW-1 and WG, but I seriously dislike the need to HAVE an entire separate management client install. Nothing like needing to lock down the firewall b/c a worm got into your network, only to have had the management station infected and be rendered useless. Having to get a clean machine, software and SP installed and IP address reallocated to the new machine since the FW only accepts management from a few IPs. Wasted time and a hassle. And it's just great when a hotfix v1 (alpha) causes the management application to hang. :-) Love the MS tech support calls for that one...... "Oh, that's not our problem, it's the vendor of the application's problem..." "Oh no, that's not our problem.... it was working before the hotfix was applied...." Catch 22 v2.1 :-)

Nothing is a true wire speed firewall. To expect that is crazy (not saying your comment or written intonation was). There is always going to be some latency for inspecting packets and NAT-ing.
At 15:33 12/29/2003, Shawn Jackson wrote:

> Docs *murmur* *spit* *bubble*, must read more material *shudder*. Personally I like Microsoft documentation to cure my insomnia, but Cisco makes for good medicine also. I've never used the manager, so next time I set up a PIX I'll have to load it on up and give it a shot. I work with the Cisco router CLI more than the PIX CLI, so when working in the S-IOS CLI I'm a bit slow, like a moron reading a FAQ.
>
> You're absolutely right, the PIX isn't a wire speed firewall, if there even is such a thing. But personally, using a PIX 525 in a high traffic 1000+ node environment, it didn't become a bottleneck.
>
> I've never had a problem with the 'few' WatchGuard boxes I've worked with; what are the circumstances of their 'crash and burn'?
>
> Shawn Jackson
> Systems Administrator
> Horizon USA
> 1190 Trademark Dr #107
> Reno NV 89521
> www.horizonusa.com
>
> Email: sjackson () horizonusa com
> Phone: (775) 858-2338
> (800) 325-1199 x338
>
> -----Original Message-----
> From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]
> Sent: Monday, December 29, 2003 1:11 PM
> To: Shawn Jackson
> Cc: jamesworld () intelligencia com; Keith Duemling; security-basics () securityfocus com
> Subject: RE: Firewall Hardware Recommendations
>
> Shawn,
>
> WatchGuard has you pay for VPN licenses. If you want to configure a VPN straight CLI and you are not proficient with it, yes it can be challenging (but that's what the docs are for :-) Have you tried working with the PDM? You can have a VPN connection (remote access or point-to-point end) set up in minutes QUITE easily.
>
> The NetScreen box is not mature enough yet in my analysis (and yes, I have talked with some ppl who were rather high up in the NetScreen chain and it's echoed). Is it fast? Yes, of course, it's ASIC based. Is the PIX fast? Of course. Unless you are pushing Gigabit traffic with a tremendous load 80%+ 100% of the time, the PIX is great. And like you said, it's secure. Heck, the NSA gave version 4.4 thumbs up! And we are at 6.3 currently and the boxes are plenty fast.
>
> BTW.... WatchGuards have a NASTY habit of crashing and having to be reconfigured from scratch (yes, I am certified and have heard it even from their tech support).
>
> FWIW,
> -J
>
> At 12:03 12/29/2003, Shawn Jackson wrote:
>
> > WatchGuard more secure than PIX? Probably a sales person from another vendor, gotta love them. I've protected banks with the PIX 515 and 525 series and they're rock solid. Update your Secure-IOS and maintain your ACLs and you're golden. Unlike SonicWall (maybe even WatchGuard now too) you don't have to pay for the VPN component. A SonicWall PRO 230 + VPN Licenses + Client Licenses = More than a PIX 515. I've heard, but never seen, that WatchGuard is in the same licensing frenzy. Can't speak for NetScreen, I've personally tried to stay away from them, they give me the willies, but it's been a while since I looked at them last.
> >
> > Same Q's as J. What Model? What S-IOS version? How Old, etc. I admit, with head held in shame, that configuring the PIX can be a pain in the arse, especially when you're working with the IPSEC end of a VPN configuration, and I've never set up PPTP on a PIX, but have done so on many Cisco routers with little problems.
> >
> > Honestly, whoever sold you that load of bull needs help, no disrespect intended, but in security facts rule the digital road and misinformation is the hazard just around the next corner.
> >
> > I hope EVERYONE had a safe and uneventful Christmas + Boxing Day. Set aside some time today to review your logs (that built up) in full before saving them and clearing from the active log files.
> >
> > Shawn Jackson
> > Systems Administrator
> > Horizon USA
> > 1190 Trademark Dr #107
> > Reno NV 89521
> > www.horizonusa.com
> >
> > Email: sjackson () horizonusa com
> > Phone: (775) 858-2338
> > (800) 325-1199 x338
> >
> > -----Original Message-----
> > From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]
> > Sent: Sunday, December 28, 2003 10:34 PM
> > To: Keith Duemling
> > Cc: security-basics () securityfocus com
> > Subject: Re: Firewall Hardware Recommendations
> >
> > Keith,
> >
> > Curious, what Cisco firewall do you currently have and what version OS is on it?
> >
> > Who told you that a WatchGuard firewall is more secure than a Cisco firewall?
> >
> > The PIX does what you are asking for. If you have information to the counter, please post.
> >
> > Cheers!
> > -J
> >
> > At 19:32 12/23/2003, Keith Duemling wrote:
> >
> > > Just wanted to get some feedback from the list regarding some research I'm currently working on. We're replacing our existing Cisco firewall with a dedicated firewall hardware/software solution to provide greater security and VPN access.
> > >
> > > I've been looking at the NetScreen and various WatchGuard products at this time. The current environment is as follows:
> > >
> > > - NAT environment
> > > - DMZ to host web accessible servers
> > > - 100 internal users
> > > - Extensive intranet site & visitation to several high profile B2B sites.
> > > - Constant 10 user VPN community.
> > > - Redundant T1 connection managed by RADware Linkproof hardware solution.
> > >
> > > Any recommendations would be greatly appreciated. Thanks in advance.
> > >
> > > Keith Duemling
> > > MCP