RE: [fw-wiz] insecurity in internet connection thro cable modems
From: Noonan, Wesley (Wesley_Noonan@bmc.com)
Date: 02/15/03
- Previous message: Paul D. Robertson: "Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500"
- Maybe in reply to: Perrymon, Josh L.: "RE: [fw-wiz] insecurity in internet connection thro cable modems"
- Next in thread: Dave Mitchell: "Re: [fw-wiz] insecurity in internet connection thro cable modems"
- Reply: Dave Mitchell: "Re: [fw-wiz] insecurity in internet connection thro cable modems"
From: "Noonan, Wesley" <Wesley_Noonan@bmc.com>
To: "'Brian Ford'" <brford@cisco.com>, firewall-wizards@honor.icsalabs.com
Date: Sat, 15 Feb 2003 13:27:51 -0600
Having used both, I strongly prefer a PIX. It is much easier to maintain a
bunch of PIXen than it is to maintain a bunch of netscreens. It's not that
the netscreens are bad, it is just that the TCO is too high to try to
maintain a "fleet" of them. In addition, I find their (netscreen) VPN
support to be... well... lacking. It is a very convoluted process, much like
the PIX was 2 years ago.
HTH
Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan@bmc.com
http://www.bmc.com
> -----Original Message-----
> From: Brian Ford [mailto:brford@cisco.com]
> Sent: Saturday, February 15, 2003 12:56
> To: firewall-wizards@honor.icsalabs.com
> Cc: Dave Mitchell
> Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
>
> Dave,
>
> >More than likely, natting a home network behind a linksys soho router would be
> >sufficient.
>
> Yet another security policy that begins with "more than likely". What
> happens in the "likely" case when someone figures out where you are and
> wants to get at your stuff?
>
> >Putting in PIX 501's at someone's home would be insane. If you have to
> >administer it, a small Netscreen is much easier than dealing with PIX.
>
> Gee Dave. Why would it be insane to use a PIX?
>
> To set up a PIX at home all you need is the PIX. You don't need a PC and
> the setup disk that NetScreen ships.
>
> The 501 ships with a default "plug and play" configuration that for many
> installs (including folks sitting behind a cable modem) requires no
> modification to get up and running.
>
> The PIX also supports Cisco AUS (Auto Update Server) so that security
> policy, operating system image, and configuration updates can be securely
> downloaded to the PIX from a central site without end user intervention.
>
> You said "a small Netscreen is much easier than dealing with PIX". Have
> you really tried both products? Could it be that you just don't like
> PIX? Or that you just don't know about the PIX?
>
> Liberty for All,
>
> Brian
>
> At 12:00 PM 2/15/2003 -0500, firewall-wizards-request@honor.icsalabs.com
> wrote:
> >Message: 5
> >Date: Fri, 14 Feb 2003 14:03:11 -0700
> >From: Dave Mitchell <dmitchell@viawest.net>
> >To: "Perrymon, Josh L." <PerrymonJ@bek.com>
> >Cc: "'Chapman, Justin T'" <JtChapma@bhi-erc.com>,
> > "'firewall-wizards@honor.icsalabs.com '"
> > <firewall-wizards@honor.icsalabs.com>
> >Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
> >
> >For normal users I'd recommend some sort of appliance filter or firewall.
> >More than likely, natting a home network behind a linksys soho router would be
> >sufficient. If you want to do VPNing and what not, I think a Netscreen 5 would
> >be the best for the home firewall. Putting in PIX 501's at someone's home would
> >be insane. If you have to administer it, a small Netscreen is much easier than
> >dealing with PIX.
> >
> >-dave
> >
> >On Fri, Feb 14, 2003 at 10:42:16AM -0600, Perrymon, Josh L. wrote:
> > > Yeah... I ( Security Professional ) would implement IPChains or a PIX @
> > > home...
> > > But don't you think Linux is completely out of the question for a regular
> > > end user?????
> > >
> > > I'm looking for an application based firewall for my VPN users..
> > > So far ZONE ALARM is my choice.. I just wished I could integrate it with
> > > the PIX VPN client like the concentrator can.
> > >
> > >
> > >
> > > Any Ideas??
> > > -JP
> > >
> > > -----Original Message-----
> > > From: Chapman, Justin T [mailto:JtChapma@bhi-erc.com]
> > > Sent: Friday, February 07, 2003 11:29 AM
> > > To: 'firewall-wizards@honor.icsalabs.com '
> > > Subject: RE: [fw-wiz] insecurity in internet connection thro cable modems
> > >
> > >
> > > >
> > > >ipchains is old ( for the previous Linux Kernel 2.2 ), iptables
> > > >http://www.iptables.org would be a better choice.
> > >
> > > Agreed. If it's an option at all, choose iptables over ipchains. It's more
> > > flexible and it's a stateful packet filter, which makes for a "smarter"
> > > firewall. IPtables (and ipchains for that matter) can be a bit intimidating
> > > to work with, especially if you're new to the syntax. If you're going to
> > > "roll your own" firewall, I would suggest searching Google/Freshmeat.net
> > > for "iptables generator". There are plenty of scripts/web frontends/guis
> > > that make creating simple "consumer-grade" firewalls a snap. One that I
> > > particularly like is a cgi-based one at:
> > >
> > > http://morizot.net/firewall/gen/
> > >
> > > Good luck!
> > >
> > > --justin
> > >
>
>
> Brian Ford
> Consulting Engineer
> Corporate Consulting Engineering, Office of the Chief Technology Officer
> Cisco Systems, Inc.
> http://www.cisco.com
> e-mail: brford@cisco.com
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards