Re: [fw-wiz] Disecting the Cisco PIX

From: Magosányi Árpád (mag@bunuel.tii.matav.hu)
Date: 07/30/02


To: Art Mason <a.c.mason@sbcglobal.net>
From: mag@bunuel.tii.matav.hu (Magosányi Árpád)
Date: Tue Jul 30 16:07:01 2002

Hi!

What we are facing here is the result of a firm having very strong
marketing muscle.
Cisco PIX is technically at the low end of packet filtering routers
(even Cisco's own "firewall feature set" for routers is more useable).
BUT:
 -It is called Cisco.
 -It is called firewall (which it isn't).
 -It is heavily advertised.
 -It has several papers with stamps which basically say that
 this stuff cannot do anything serious, and does this nothing with
 a below-moderate level of assurance. If you read them you will see,
 but not many people read them, and even an average middle level manager
 would not understand a word of it. They are happy having
 these papers, and that's all.

Well, lotsa people do what you said. You can find tens of
products on the market of this type. There are also a lot of boxen which
are built this way.
The majority of these boxen are actually running linux, and a lot
of them run real firewall software like fwtk, t.rex or Zorp.
According to a market analysis, there are more such boxes running
as firewalls, especially in the small business area than "big commercial"
firewalls (at least in this part of the world).
It is true that a lot of them have been designed with no real security
policy in mind, and built by people who are not very good at network
perimeter security. But also there are some which were built by the top
gurus of this craft along solid ideas, and with magnitudes stronger
tools than you can find among the market leader "firewalls" (most of which
are not even firewalls.)

My mail client thinks that Art Mason wrote the following:
[]
> this? If so, why couldn't one just throw OpenBSD onto some flash media,
> drop a couple of Intel Pro100+ dual-port NICs in a 2U rackmount case,
[]
> up PF from the CLI? This is just something I've been wondering about
> for a while, and was curious as to what others in the know had to say
> about it. Thanks in advance.

-- 
GNU GPL: only from a pure source

