Re: [fw-wiz] Disecting the Cisco PIX

From: Paul Robertson (proberts@patriot.net)
Date: 07/30/02


From: Paul Robertson <proberts@patriot.net>
To: Magosányi Árpád <mag@bunuel.tii.matav.hu>
Date: Tue Jul 30 16:35:02 2002

On Tue, 30 Jul 2002, Magosányi Árpád wrote:

> Hi!

Hi,

[I'm going to argue the other side of the coin for once.]

>
> What we are facing here is the result of a firm having very strong
> marketing muscle.

No, what we're facing here is an industry segment which has commercial
off-the-shelf (COTS) offerings. All appliances are simply computers of
some sort- the delta between a common PC and a particular appliance isn't
all that interesting for anything other than potential performance issues
not faced generally at the low end.
 
> Cisco PIX is technically at the low end of packet filtering routers
> (even cisco's own "firewall feature set" for routers is more useable).

I think you're mistaken, PIX is differentiated from IOS FFS quite well by
Cisco. It's not my job to restate it though.

> BUT:
> -It is called Cisco.

Which to some people says something about supportability.

> -It is called firewall (which it isn't).

Yes it is. It blocks all the attacks that all firewalls of that class are
capable of blocking, and it certainly passes our firewall evaluation criteria.

> -It is heavily advertised.

Vendors who don't advertise don't stay in business, not sure why this is a
detriment in a commercial product?

> -It has several papers with stamps which basically say that
> this stuff cannot do anything serious, and does this nothing with
> a below-moderate level of assurance. If you read them you will see,
> but not many people read them, and even an average middle level manager
> would not understand a word of it. They are happy having
> these papers, and that's all.

Versus a solution which has zero assurance, this can be a perceived
advantage. However, if you don't like a particular evaluation criteria,
you're welcome to write your own and test to it- it's significantly more
difficult/expensive than most people realize.

> Well, lotsa people do what you said. You can find tens of
> products on the market of this type. There are also a lot of boxen which
> are built this way.
> The majority of these boxen are actually running linux, and a lot
> of them run real firewall software like fwtk, t.rex or Zorp.

Other than the obvious ALG vs. filter stuff, what exactly do you see as
the value of say something running fwtk vs. say a PIX (for anyone other
than Rick?) Out of those values, how many of them equate to actual
attacks in the real world? How many of those attacks are common? How
many aren't easily blocked at the client?

> According to a market analysis, there are more such boxes running
> as firewalls, especially in the small business area than "big commercial"
> firewalls (at least in this part of the world).

Can you provide sources for such market analysis? It's been my experience
that there are far more companies with no firewall than there are with
firewalls, and on the small business end, if they have one these days,
it's either their router[2], or a low-end appliance.

> It is true that a lot of them have been designed with no real security
> policy in mind, and built by people who are not very good at network

That's most of the point isn't it? Heck, a lot of *vendors* mess up when
it comes to implementation- if assurance is a sore point (and it seems
like it is)- how do you gain any level of assurance with one-off
solutions?

> perimeter security. But also there are some which were built by the top
> gurus of this craft along solid ideas, and with magnitudes stronger
> tools than you can find among the market leader "firewalls" (most of which
> are not even firewalls.)

There's an ALG vs. filter argument, however even most ALG vendors don't
take significant advantage of their advantages, and I've yet to see one
that does anything sane with say SSL[1]. So, let's say I let my users do
HTTP and HTTPS, E-mail through a gateway and that's it- how much
significant exposure is going to be lost with a PIX versus FWTK in a
common company?

Paul
[1] I've heard of two, but never seen either one.
[2] For values of "firewall" that equate to the common perception, or what
the ISP sold them on.
-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
proberts@patriot.net        which may have no basis whatsoever in fact."
probertson@trusecure.com   Director of Risk Assessment, TruSecure Corporation