Re: Any reason not to use PIX ?

["S. Jonah Pressman" <jonah () istar ca>]

S. Da Costa:

PIX is my weapon of choice but never let your firewall take the full
brunt of the traffic.  A security-in-depth model (especially in an NT
shop) is the order of the day.  Know your environment, know your
developers, know their applications, and build a policy that halts most
of the undesireable traffic at your border routers.  Don't rest yet! 
Harden your bastion NT boxes (see Stefan Norberg's documentation @
http://people.hp.se/stnor).  The PIX, properly configured, should pick
guard you from the rest of the undesireable traffic.

Don't make the mistake that PIX is an IOS box; it isn't.  Although with
each release of the software, it looks more and more like IOS, it is not
IOS.  They are simple to configure once you have laid out your
architecture and understand the traffic flow.  To make your experience a
pleasant one, brush up on GLOBAL, STATIC, CONDUIT, and NAT in the PIX
command set (docs and simple examples can be found on the Cisco site).

And finally, the key........ too often, people put up a firewall and
don't follow the logs.  Your logs are your friends.  If you can
consolidate your logging from your routers and firewall and review them
regularly, you will get a better appreciation of potential
vulnerabilities and necessary rule changes (at the routers, hosts,
firewall, etc.)

Bottom line.... there is no reason why I wouldn't choose a PIX  :-)

Securely Yours,
Jonah

Gledson Pompeu Correa Da Costa wrote:
> Hi there,
>
>         I'm a long time reader of the list, and finally have a question to
> submit to all gurus out there. The explanation is a bit long, but I hope it
> serves well the purpose of presenting the case.
>
> The situation:
>
>         We have a strictly NT based network running intranet, internet and
> extranet (public services) out of IIS servers, and our Internet connection
> is currently protected by two Free-BSD machines - one for proxying general
> connections in and out of our internal net, and one for serving web pages
> out of our IIS servers through reverse proxy.
>
> The problem:
>
>         Our general knowledge of Unix is low: in a support team of 10, 2
> have a small experience and only 1 is somewhat knowledgeable in the platform
> (somewhat knowledgeable meaning installs the system and does the recommended
> tweaking mostly following scripts and how-to's). As you know, if you have
> only 1 person who knows a critical job, you're in trouble... Besides that,
> our training budget is low, so we must focus on technologies that support
> our core business (like NT and Oracle).
>         So, we wish to establish a new firewall system that is not based on
> any variant of Unix. On the other hand, we are not confortable to place a
> firewall running on NT due to the frequency it gets bashed by hacker groups
> to find new exploits.
>
> The question (finally):
>
>         Since Unix and NT are out, we are considering placing a Cisco
> PIX-515 at the core of our firewall, together with two Cisco choke routers
> to manage the inside and outside connections. The reasons for the choice
> are:
>
>         1 - It runs on a distinct platform from NT and Unix (IOS)
>         2 - In our team of 10, 9 are already trained in IOS (at various
> levels)
>         3 - We consider it to be a secure platform
>
>         SO, is there any reason not to use PIX (like major holes or other
> problems with the product) ? Are there better alternatives in the "black
> box" division ?
>
> Thanks in advance for all your answers.
>
> Sincerely yours,
> Gledson Pompeu
> TCU / SEINF / SENET
> Internet Service Manager
>
> "Smart people talk about ideas;
>  Common people talk about facts;
>  Mediocre people talk about people"