Firewall Wizards mailing list archives
Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: Chris Blask <chris () blask org>
Date: Sat, 27 May 2006 22:36:12 -0700 (PDT)
--- sushil menon <sebastan_bach () yahoo com> wrote:
> Hi Chris
Hey Sushil!
> I am not saying that Cisco is bad. Basically, due to their bugs, I know that every vendor has a lot of bugs in them from trying to get new features into it. Basically what I meant was, if you see granularity and minute control over the traffic which is passing through the firewall, in this consideration I feel Netscreen and Checkpoint are far better than PIX.
Box to box I think you are right - CP and NS do lots of useful stuff that a PIX doesn't. I believe the Cisco argument is that the ASA and ISR box-to-box do as much or more; you'd have to ask them or do the research yourself to see if that is true. Where Cisco shines (other than selling more security gear than most everyone else put together) is putting a whole network together, and that's where I can't avoid seeing a great argument from an infosec perspective. Bill McGee (bam@ - he's lurking out there somewhere) can fill your ear with where they are going (and in some cases are) with Application Security. The direction resonates with my own feelings about this kind of thing: (to paraphrase) "one spot of application awareness on a network edge is not enough". All this "this box will save your network" stuff drives me batty. Solutions need to approach being holistic or I don't see how average overall security is increased by them (and I love you all, but it does nothing for me if you secure your network and no-one else does). If the solution is a box on the network, it had better be providing insight into what is going on in many spots (like MARS or Tenable, or for that matter flat historicals like Loglogic) to get much attention from me these days.
> I have worked a lot on PIX and I see it's an advanced NATting box and nothing else. Whereas in Netscreen there are pre-defined attacks and screen options to filter traffic looking at the bits set in the TCP header. Similarly, application intelligence for protocols like Microsoft RPC and all: Netscreen and Checkpoint have support to filter such or permit such traffic, which PIX is not even aware of. I mean this level of minute control.
I'm all in favor of minute control from inline devices - that's the primary source of rich telemetry. Where I am uncertain is whether at this moment the features of Netscreen's boxes are better than Cisco's boxes (or network-based solutions), and more importantly whether a given random network benefits from using one or another (which is always so much more about the situation in the company, resources, logistics etc...). What I'd like to say is that you will benefit from choosing all the best-of-breed (or best for your situation) boxes and uniting them under a common management structure. But since that's kinda what I do for a living these days, I know that it's not always realistically that simple at this moment in the market in any given situation. I believe it will get there and with a bit of effort can be done now, but as recent comments in this thread indicate, we're in a particular phase in market maturity that still leaves a lot of questions unanswered.
> See ya, good to discuss with you.
Thanks for the parry, I needed my quarterly fw-wiz rantspace... ;~)

-cheers!
-chris

firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards