Re: [fw-wiz] Disecting the Cisco PIX
From: Paul Robertson (proberts@patriot.net)
Date: 07/30/02
- Next message: Magosányi Árpád: "Re: [fw-wiz] Disecting the Cisco PIX"
- Previous message: Kevin Steves: "Re: [fw-wiz] Disecting the Cisco PIX"
- In reply to: Art Mason: "[fw-wiz] Disecting the Cisco PIX"
- Next in thread: Magosányi Árpád: "Re: [fw-wiz] Disecting the Cisco PIX"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Paul Robertson <proberts@patriot.net> To: Art Mason <a.c.mason@sbcglobal.net> Date: Tue Jul 30 16:00:01 2002
On 30 Jul 2002, Art Mason wrote:
> this? If so, why couldn't one just throw OpenBSD onto some flash media,
> drop a couple of Intel Pro100+ dual-port NICs in a 2U rackmount case,
> maybe offload some of the VPN stuff onto an ASIC-based encryption
> acceleration card, and save some big bucks, granted they know how to set
> up PF from the CLI? This is just something I've been wondering about
> for a while, and was curious as to what others in the know had to say
> about it. Thanks in advance.
The value in an off-the-shelf product is more in the support, reliability
and consistency than anything. Certainly there are vendors who have done
something close to, if not exactly that. For a one-off installation it
might even make sense in some companies, but other organizations are
concerned with being able to get support if their primary firewaller goes
away, if they have a hardware failure, or if their primary person can't
figure out what's wrong. Reliability can be an issue, especially if you
have to deploy multiple units over time- it's difficult enough getting a
consistent motherboard/chipset combination for most companies these days
for things which aren't security critical. Consistency of administration
is an issue if you expect to deploy things to different locations, or hire
staff who can easily make changes. Documenting one-off firewalls is
difficult, if ever done. Reporting can sometimes be an issue too.
By the time you get done with documentation, training, and support,
there's generally not a big cost savings. Throw in interoperability
dependencies and it can (not will, but can) go south pretty darned
quickly. Spend a couple weeks debugging packet traces to figure out why a
new browser version can't get through your firewall and it gets to be no
fun pretty fast.
I've deployed a fair amount of Open Source firewalls over time, and I've
supported my deployments too- I've never wanted to support someone else's
deployments of them though- especially two years after installation.
With an appliance vendor, a replacement is often a phone call away, with a
software vendor a replacement may take 3 or 4 calls. Home-grown solutions
are the same as software vendors for that more often than not (hot spares
are of course a way to fix that problem.)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."