Firewall Wizards mailing list archives
RE: insecurity in internet connection thro cable modems
From: "Noonan, Wesley" <Wesley_Noonan () bmc com>
Date: Sat, 15 Feb 2003 13:27:51 -0600
Having used both, I strongly prefer a PIX. It is much easier to maintain a bunch of PIXen than it is to maintain a bunch of netscreens. It's not that the netscreens are bad, it is just that the TCO is too high to try to maintain a "fleet" of them. In addition, I find their (netscreen) VPN support to be... well... lacking. It is a very convoluted process, much like the PIX was 2 years ago.

HTH

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan () bmc com
http://www.bmc.com

-----Original Message-----
From: Brian Ford [mailto:brford () cisco com]
Sent: Saturday, February 15, 2003 12:56
To: firewall-wizards () honor icsalabs com
Cc: Dave Mitchell
Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems

Dave,

> More than likely, natting a home network behind a linksys soho router would be sufficient.

Yet another security policy that begins with "more than likely". What happens in the "likely" case when someone figures out where you are and wants to get at your stuff?

> Putting in PIX 501's at someone's home would be insane. If you have to administer it, a small Netscreen is much easier than dealing with PIX.

Gee Dave. Why would it be insane to use a PIX?

To set up a PIX at home all you need is the PIX. You don't need a PC and the setup disk that NetScreen ships. The 501 ships with a default "plug and play" configuration that for many installs (including folks sitting behind a cable modem) requires no modification to get up and running.

The PIX also supports Cisco AUS (Auto Update Server) so that security policy, operating system image, and configuration updates can be securely downloaded to the PIX from a central site without end user intervention.

You said "a small Netscreen is much easier than dealing with PIX". Have you really tried both products? Could it be that you just don't like PIX? Or that you just don't know about the PIX?

Liberty for All,

Brian

At 12:00 PM 2/15/2003 -0500, firewall-wizards-request () honor icsalabs com wrote:

> Message: 5
> Date: Fri, 14 Feb 2003 14:03:11 -0700
> From: Dave Mitchell <dmitchell () viawest net>
> To: "Perrymon, Josh L." <PerrymonJ () bek com>
> Cc: "'Chapman, Justin T'" <JtChapma () bhi-erc com>, "'firewall-wizards () honor icsalabs com '" <firewall-wizards () honor icsalabs com>
> Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
>
> For normal users I'd recommend some sort of appliance filter or firewall. More than likely, natting a home network behind a linksys soho router would be sufficient. If you want to do VPNing and what not, I think a Netscreen 5 would be the best for the home firewall. Putting in PIX 501's at someone's home would be insane. If you have to administer it, a small Netscreen is much easier than dealing with PIX.
>
> -dave
>
> On Fri, Feb 14, 2003 at 10:42:16AM -0600, Perrymon, Josh L. wrote:
> > Yeah... I ( Security Professional ) would implement IPChains or a PIX@home... But don't you think Linux is completely out of the question for a regular end user?????
> >
> > I'm looking for an application based firewall for my VPN users.. So far ZONE ALARM is my choice.. I just wished I could integrate it with the PIX VPN client like the concentrator can.
> >
> > Any Ideas??
> >
> > -JP
> >
> > -----Original Message-----
> > From: Chapman, Justin T [mailto:JtChapma () bhi-erc com]
> > Sent: Friday, February 07, 2003 11:29 AM
> > To: 'firewall-wizards () honor icsalabs com '
> > Subject: RE: [fw-wiz] insecurity in internet connection thro cable modems
> >
> > > ipchains is old ( for the previous Linux Kernel 2.2 ), iptables http://www.iptables.org would be a better choice.
> >
> > Agreed. If it's an option at all, choose iptables over ipchains. It's more flexible and it's a stateful packet filter, which makes for a "smarter" firewall. IPtables (and ipchains for that matter) can be a bit intimidating to work with, especially if you're new to the syntax. If you're going to "roll your own" firewall, I would suggest searching Google/Freshmeat.net for "iptables generator". There are plenty of scripts/web frontends/guis that make creating simple "consumer-grade" firewalls a snap. One that I particularly like is a cgi-based one at: http://morizot.net/firewall/gen/
> >
> > Good luck!
> >
> > --justin

Brian Ford
Consulting Engineer
Corporate Consulting Engineering, Office of the Chief Technology Officer
Cisco Systems, Inc.
http://www.cisco.com
e-mail: brford () cisco com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
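
The quoted advice above mentions "iptables generator" scripts and iptables being a stateful packet filter. The sketch below is an added example, not part of the original thread and not the output of any generator named in it: it emits the kind of ruleset such a script produces for a home NAT gateway behind a cable modem. The function name and the interface names `eth0`/`eth1` are assumptions.

```shell
#!/bin/sh
# Added illustration: emit an iptables-restore ruleset for a home NAT gateway.
# Assumed (not from the thread): function name and interface names.

gen_home_ruleset() {
    wan="${1:-eth0}"   # interface facing the cable modem (assumed name)
    lan="${2:-eth1}"   # interface facing the home network (assumed name)

    # Accept only plain interface names so that no extra rule text can be
    # smuggled into the generated ruleset.
    for ifc in "$wan" "$lan"; do
        case "$ifc" in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface: $ifc" >&2; return 1 ;;
        esac
    done
    if [ "$wan" = "$lan" ]; then
        echo "WAN and LAN must differ" >&2; return 1
    fi

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful part: only replies to connections started from inside get back in.
# (2.4-era kernels spell this "-m state --state ESTABLISHED,RELATED".)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the home network behind the address on the cable-modem side.
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}
```

The output is in `iptables-restore` format; piping it through `iptables-restore --test` checks the syntax without loading the rules.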