Re: [fw-wiz] insecurity in internet connection thro cable modems
From: Dave Mitchell (dmitchell@viawest.net)
Date: 02/16/03
- Previous message: tqbf@sockpuppet.org: "Re: [fw-wiz] DNS vs. Bernstein"
- In reply to: Brian Ford: "Re: [fw-wiz] insecurity in internet connection thro cable modems"
- Next in thread: Noonan, Wesley: "RE: [fw-wiz] insecurity in internet connection thro cable modems"
From: Dave Mitchell <dmitchell@viawest.net> To: Brian Ford <brford@cisco.com> Date: Sun, 16 Feb 2003 10:32:39 -0700
Brian,
Comments in-line.
> Yet another security policy that begins with "more than likely". What
> happens in the "likely" case when someone figures out where you are and
> wants to get at your stuff?
It all depends on the type of data you are worried about and what the
company is willing to spend. It was just another option for the person who
wrote the original thread.
> Gee Dave. Why would it be insane to use a PIX?
I'm just not a fan. I highly dislike the CLI (I love other CLIs), the logging
is lacking, and I highly dislike the licensing for high-level encryption algorithms.
I just don't understand why it costs more to get 3DES than DES. Other vendors
are happy to include DES, 3DES, AES, DH groups 1, 2, 5 and 7, and RC4 for free...
> To set up a PIX at home all you need is the PIX. You don't need a PC and
> the setup disk that NetScreen ships.
You don't need a PC or the setup disk to set up a NetScreen either. Create a
config for home users that is in bridging mode, set up the correct policies,
and slap it on via TFTP or paste it in the CLI, and you are set to go.
> The 501 ships with a default "plug and play" configuration that for many
> installs (including folks sitting behind a cable modem) requires no
> modification to get up and running.
Bridging mode works the same way, but doesn't require any routing changes.
> The PIX also supports Cisco AUS (Auto Update Server) so that security
> policy, operating system image, and configuration updates can be securely
> downloaded to the PIX from a central site without end user intervention.
NetScreen Global Pro can also do this.
> You said "a small Netscreen is much easier than dealing with PIX". Have
> you really tried both products? Could it be that you just don't like
> PIX? Or that you just don't know about the PIX?
You are correct. I am not the fondest of PIX due to issues I've had with higher-end
models: the lack of great failover support (VRRP), the bulkiness of IPSec configuration,
the lack of ASICs, higher cost, etc. I've used pretty much every firewall out there, so I
think I can feel free to express my own opinions on a mailing list. I wouldn't reply about
a subject if I hadn't used the product.
IMO, the NetScreen is cheaper, can push more unencrypted and encrypted traffic, is
much easier to interoperate IPSec with, and has many more features than PIX in both the low-end
and higher-end models.
-dave
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards