RE: [fw-wiz] insecurity in internet connection thro cable modems
From: Noonan, Wesley (Wesley_Noonan@bmc.com)
Date: 02/17/03
- Previous message: Dave Mitchell: "Re: [fw-wiz] insecurity in internet connection thro cable modems"
- Maybe in reply to: Perrymon, Josh L.: "RE: [fw-wiz] insecurity in internet connection thro cable modems"
- Next in thread: Dave Mitchell: "Re: [fw-wiz] insecurity in internet connection thro cable modems"
- Reply: Dave Mitchell: "Re: [fw-wiz] insecurity in internet connection thro cable modems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Noonan, Wesley" <Wesley_Noonan@bmc.com> To: "'Dave Mitchell'" <dmitchell@viawest.net> Date: Sun, 16 Feb 2003 17:44:29 -0600
Freely admitting that I am not a netscreen expert (and thus, I could have
missed something in the config or docs), I found that I was unable to get it
to function and create keys without needing a certificate, which is a hassle
for small shops that want a VPN and don't want to pay for a certificate that
only has local significance. I also found their documentation to be lacking.
This was true for setting up SSH connections to manage the device as well.
With the PIX I can generate my own keys in 10 seconds with a single command
and I am off and running. 10-11 commands later, the VPN is up.
Like I said, I just kind of feel like netscreen is about where the PIX was 2
years ago. I happen to like the CLI of the PIX as well, but that probably
has more to do with my router background than anything else. Besides, CLI
preference is such a highly subjective situation anyway.
HTH
Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan@bmc.com
http://www.bmc.com
> -----Original Message-----
> From: Dave Mitchell [mailto:dmitchell@viawest.net]
> Sent: Sunday, February 16, 2003 11:39
> To: Noonan, Wesley
> Cc: 'Brian Ford'; firewall-wizards@honor.icsalabs.com
> Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
>
> Wes,
> GlobalPro makes it easier to maintain a fleet of Netscreens. I'm confused
> as to why you feel their VPN support is lacking? I've been able to
> interoperate Netscreen IPSec with Cisco PIX, Cisco IOS, Checkpoint, Cisco
> VPN3k, FreeSWAN; just to name some. Support for preshared keys, x509
> certs, ldap auth, and securid auth make me feel that Netscreen's IPSec has
> quite a few features, not to mention higher throughput due to their ASICs.
>
> -dave
>
>
> On Sat, Feb 15, 2003 at 01:27:51PM -0600, Noonan, Wesley wrote:
> > Having used both, I strongly prefer a PIX. It is much easier to maintain
> > a bunch of PIXen than it is to maintain a bunch of netscreens. It's not
> > that the netscreens are bad, it is just that the TCO is too high to try
> > to maintain a "fleet" of them. In addition, I find their (netscreen) VPN
> > support to be... well... lacking. It is a very convoluted process, much
> > like the PIX was 2 years ago.
> >
> > HTH
> >
> > Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
> > Senior QA Rep.
> > BMC Software, Inc.
> > (713) 918-2412
> > wnoonan@bmc.com
> > http://www.bmc.com
> >
> >
> > > -----Original Message-----
> > > From: Brian Ford [mailto:brford@cisco.com]
> > > Sent: Saturday, February 15, 2003 12:56
> > > To: firewall-wizards@honor.icsalabs.com
> > > Cc: Dave Mitchell
> > > Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
> > >
> > > Dave,
> > >
> > > >More than likely, natting a home network behind a linksys soho router
> > > >would be sufficient.
> > >
> > > Yet another security policy that begins with "more than likely". What
> > > happens in the "likely" case when someone figures out where you are and
> > > wants to get at your stuff?
> > >
> > > >Putting in PIX 501's at someone's home would be insane. If you have to
> > > >administer it, a small Netscreen is much easier than dealing with PIX.
> > >
> > > Gee Dave. Why would it be insane to use a PIX?
> > >
> > > To set up a PIX at home all you need is the PIX. You don't need a PC and
> > > the setup disk that NetScreen ships.
> > >
> > > The 501 ships with a default "plug and play" configuration that for many
> > > installs (including folks sitting behind a cable modem) requires no
> > > modification to get up and running.
> > >
> > > The PIX also supports Cisco AUS (Auto Update Server) so that security
> > > policy, operating system image, and configuration updates can be securely
> > > downloaded to the PIX from a central site without end user intervention.
> > >
> > > You said "a small Netscreen is much easier than dealing with PIX". Have
> > > you really tried both products? Could it be that you just don't like
> > > PIX? Or that you just don't know about the PIX?
> > >
> > > Liberty for All,
> > >
> > > Brian
> > >
> > > At 12:00 PM 2/15/2003 -0500, firewall-wizards-request@honor.icsalabs.com
> > > wrote:
> > > >Message: 5
> > > >Date: Fri, 14 Feb 2003 14:03:11 -0700
> > > >From: Dave Mitchell <dmitchell@viawest.net>
> > > >To: "Perrymon, Josh L." <PerrymonJ@bek.com>
> > > >Cc: "'Chapman, Justin T'" <JtChapma@bhi-erc.com>,
> > > > "'firewall-wizards@honor.icsalabs.com '" <firewall-wizards@honor.icsalabs.com>
> > > >Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
> > > >
> > > >For normal users I'd recommend some sort of appliance filter or firewall.
> > > >More than likely, natting a home network behind a linksys soho router
> > > >would be sufficient. If you want to do VPNing and what not, I think a
> > > >Netscreen 5 would be the best for the home firewall. Putting in PIX 501's
> > > >at someone's home would be insane. If you have to administer it, a small
> > > >Netscreen is much easier than dealing with PIX.
> > > >
> > > >-dave
> > > >
> > > >On Fri, Feb 14, 2003 at 10:42:16AM -0600, Perrymon, Josh L. wrote:
> > > > > Yeah... I ( Security Professional ) would implement IPChains or a PIX
> > > > > @ home...
> > > > > But don't you think Linux is completely out of the question for a
> > > > > regular end user?????
> > > > >
> > > > > I'm looking for an application based firewall for my VPN users..
> > > > > So far ZONE ALARM is my choice.. I just wished I could integrate it
> > > > > with the PIX VPN client like the concentrator can.
> > > > >
> > > > >
> > > > >
> > > > > Any Ideas??
> > > > > -JP
> > > > >
> > > > > -----Original Message-----
> > > > > From: Chapman, Justin T [mailto:JtChapma@bhi-erc.com]
> > > > > Sent: Friday, February 07, 2003 11:29 AM
> > > > > To: 'firewall-wizards@honor.icsalabs.com '
> > > > > Subject: RE: [fw-wiz] insecurity in internet connection thro cable modems
> > > > >
> > > > >
> > > > > >
> > > > > >ipchains is old ( for the previous Linux Kernel 2.2 ), iptables
> > > > > >http://www.iptables.org would be a better choice.
> > > > >
> > > > > Agreed. If it's an option at all, choose iptables over ipchains. It's
> > > > > more flexible and it's a stateful packet filter, which makes for a
> > > > > "smarter" firewall. IPtables (and ipchains for that matter) can be a
> > > > > bit intimidating to work with, especially if you're new to the syntax.
> > > > > If you're going to "roll your own" firewall, I would suggest searching
> > > > > Google/Freshmeat.net for "iptables generator". There are plenty of
> > > > > scripts/web frontends/guis that make creating simple "consumer-grade"
> > > > > firewalls a snap. One that I particularly like is a cgi-based one at:
> > > > >
> > > > > http://morizot.net/firewall/gen/
> > > > >
> > > > > Good luck!
> > > > >
> > > > > --justin
> > > > >
> > >
> > >
> > > Brian Ford
> > > Consulting Engineer
> > > Corporate Consulting Engineering, Office of the Chief Technology Officer
> > > Cisco Systems, Inc.
> > > http://www.cisco.com
> > > e-mail: brford@cisco.com
> > >
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
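Justin's quoted advice further up the thread (choose the stateful iptables over ipchains, and use an "iptables generator" rather than hand-writing rules) is easy to illustrate with a tiny generator of one's own. The script below is an added example written for this archive page, not code from any poster or from the morizot.net generator; the interface names and the 192.168.1.0/24 prefix in the usage line are constructed values. It emits an `iptables-restore` ruleset for the cable-modem/SOHO case discussed in the thread: default-deny INPUT and FORWARD, NAT for the LAN, and `ESTABLISHED,RELATED` state matching so that only replies to connections the LAN opened come back in. The second function is the kind of sanity check a reviewer would run on any generated ruleset: it counts rules that would accept a NEW connection arriving on the WAN side, which should be zero for a box like this.

```shell
#!/bin/sh
# Minimal "iptables generator" for a stateful SOHO NAT firewall.
# Writes an iptables-restore ruleset to stdout. Interface names and the LAN
# prefix are parameters; the example values used below are constructed.

gen_soho_rules() {
    wan_if=$1   # interface facing the cable modem
    lan_if=$2   # interface facing the home LAN
    lan_net=$3  # LAN prefix in CIDR form, e.g. 192.168.1.0/24 (constructed)
    case $lan_net in
        */*) ;;
        *) echo "lan_net must be in CIDR form (a.b.c.d/len)" >&2; return 1 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the whole LAN behind the single address the cable provider assigns
-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
COMMIT
*filter
# Default-deny on INPUT and FORWARD; anything not listed below is dropped
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Stateful part: replies to connections this box started are let back in,
# packets that belong to no known connection are dropped
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# LAN hosts may manage the box over SSH and ping it; the WAN side may not
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p icmp -j ACCEPT
# Forwarding: the LAN may open new connections outward, the WAN may only reply
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Review check for a generated ruleset ($1): how many rules accept a NEW
# connection arriving on interface $2? For the WAN interface this must be 0.
wan_new_accepts() {
    printf '%s\n' "$1" | grep -c -- "-i $2 .*--state NEW.*-j ACCEPT" || true
}

# Usage (constructed values): generate, review, then load with iptables-restore.
#   rules=$(gen_soho_rules eth0 eth1 192.168.1.0/24)
#   [ "$(wan_new_accepts "$rules" eth0)" = 0 ] && printf '%s\n' "$rules" | iptables-restore
```

Loading goes through `iptables-restore` rather than a long list of individual `iptables` commands so the ruleset is applied atomically; the review function runs against the text before anything touches the kernel, which is the cheap place to catch a rule that accidentally opens the WAN side.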