RE: insecurity in internet connection thro cable modems

["Noonan, Wesley" <Wesley_Noonan () bmc com>]

Having used both, I strongly prefer a PIX. It is much easier to maintain a
bunch of PIXen than it is to maintain a bunch of netscreens. It's not that
the netscreens are bad, it is just that the TCO is too high to try to
maintain a "fleet" of them. In addition, I find their (netscreen) VPN
support to be... well... lacking. It is a very convoluted process, much like
the PIX was 2 years ago. 

HTH

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan () bmc com
http://www.bmc.com


> -----Original Message-----
> From: Brian Ford [mailto:brford () cisco com]
> Sent: Saturday, February 15, 2003 12:56
> To: firewall-wizards () honor icsalabs com
> Cc: Dave Mitchell
> Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
>
> Dave,
>
> > More than
> > likely, natting a home network behind a linksys soho router would be
> > sufficient.
>
> Yet another security policy that begins with "more than likely".  What
> happens in the "likely" case when someone figures out where you are and
> wants to get at your stuff?
>
> > Putting in PIX 501's at someones home would be insane. If you have to
> > administer
> > it, a small Netscreen is much easier than dealing with PIX.
>
> Gee Dave.  Why would it be insane to use a PIX?
>
> To set up a PIX at home all you need is the PIX.  You don't need a PC and
> the setup disk that NetScreen ships.
>
> The 501 ships with a default "plug and play" configuration that for many
> installs (including folks sitting behind a cable modem) requires no
> modification to get up and running.
>
> The PIX also supports Cisco AUS (Auto Update Server) so that security
> policy, operating system image, and configuration updates can be securely
> downloaded to the PIX from a central site without end user intervention.
>
> You said "a small Netscreen is much easier than dealing with PIX".  Have
> you really tried both products?  Could it be that you just don't like
> PIX?  Or that you just don't know about the PIX?
>
> Liberty for All,
>
> Brian
>
> At 12:00 PM 2/15/2003 -0500, firewall-wizards-request () honor icsalabs com
> wrote:
> > Message: 5
> > Date: Fri, 14 Feb 2003 14:03:11 -0700
> > From: Dave Mitchell <dmitchell () viawest net>
> > To: "Perrymon, Josh L." <PerrymonJ () bek com>
> > Cc: "'Chapman, Justin T'" <JtChapma () bhi-erc com>,
> >         "'firewall-wizards () honor icsalabs com '"
> > <firewall-wizards () honor icsalabs com>
> > Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
> >
> > For normal users I'd recommend some sort of appliance filter or firewall.
> > More than
> > likely, natting a home network behind a linksys soho router would be
> > sufficient. If you
> > want to do VPNing and what not, I think a Netscreen 5 would be the best
> > for the home
> > firewall. Putting in PIX 501's at someones home would be insane. If you
> > have to administer
> > it, a small Netscreen is much easier than dealing with PIX.
> >
> > -dave
> >
> > On Fri, Feb 14, 2003 at 10:42:16AM -0600, Perrymon, Josh L. wrote:
> > > Yeah...  I ( Security Professional ) would implement IPChains or a PIX
> @
> > > home...
> > > But don't you think Linux is completely out of the question for a
> regular
> > > end user?????
> > >
> > > I'm looking for an application based firewall for my VPN users..
> > > So far ZONE ALARM is my choice..  I just wished I could integrate it
> with
> > > the PIX VPN client like the concentrator can.
> > >
> > >
> > >
> > > Any Ideas??
> > > -JP
> > >
> > > -----Original Message-----
> > > From: Chapman, Justin T [mailto:JtChapma () bhi-erc com]
> > > Sent: Friday, February 07, 2003 11:29 AM
> > > To: 'firewall-wizards () honor icsalabs com '
> > > Subject: RE: [fw-wiz] insecurity in internet connection thro cable
> > > modems
> > >
> > >
> > > > ipchains is old ( for the previous Linux Kernel 2.2 ), iptables
> > > > http://www.iptables.org would be a better choice.
> > >
> > > Agreed.  If it's an option at all, choose iptables over ipchains.
> It's
> > more
> > > flexable and it's a stateful packet filter, which makes for a
> "smarter"
> > > firewall.  IPtables (and ipchains for that matter) can be a bit
> > intimidating
> > > to work with, especially if you're new to the syntax.  If you're going
> to
> > > "rolll your own" firewall, I would suggest searching
> Google/Freshmeat.net
> > > for "iptables generator".  There are plenty of scripts/web
> frontends/guis
> > > that make creating simple "consumer-grade" firewalls a snap.  One that
> I
> > > particularly like is a cgi-based one at:
> > >
> > > http://morizot.net/firewall/gen/
> > >
> > > Good luck!
> > >
> > > --justin
>
>
> Brian Ford
> Consulting Engineer
> Corporate Consulting Engineering, Office of the Chief Technology Officer
> Cisco Systems, Inc.
> http://www.cisco.com
> e-mail: brford () cisco com
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards