RE: [fw-wiz] insecurity in internet connection thro cable modems

From: Scot Hartman (shartman@inflow.com)
Date: 02/17/03

    From: Scot Hartman <shartman@inflow.com>
    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 17 Feb 2003 13:37:06 -0700
    

    I would suppose it would be a matter of what you are more comfortable with.

    They are both similar firewall types, but if you're partial to the PIX CLI
    then, well, you have your preference. If you like NS, can't blame you there
    either. We use both; each has its own strengths.

    If I was going to manage a single firewall or maybe a single point-to-point
    tunnel, I personally prefer the PIX because of my own comfort zone. Hit
    it via ssh, https, or use a console connection. I'm not as knowledgeable
    with the NS CLI, so you tend to stay with what you know until changing
    really makes sense. The improvements in the recent firmware versions
    really augment the troubleshooting capability (tcpdump spelled 'capture')
    and I agree it is easier to generate keys.

    If I'm building a larger VPN infrastructure though, I'm going with the
    Netscreen and managing the whole mess with Global Pro. Adding and removing
    endpoints for a full-mesh or even a hub and spoke once you get beyond a few
    devices is made manageable. Some added niceties for polling to see if the
    tunnel is active are nice. I've also seen much better VPN throughput for
    the dollar on the NS-5 vs the PIX 501.

    Scot

    > -----Original Message-----
    > From: Dave Mitchell [mailto:dmitchell@viawest.net]
    > Sent: Sunday, February 16, 2003 10:39 AM
    > To: Noonan, Wesley
    > Cc: 'Brian Ford'; firewall-wizards@honor.icsalabs.com
    > Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
    >
    >
    > Wes,
    > GlobalPro makes it easier to maintain a fleet of Netscreens. I'm confused
    > as to why you feel their VPN support is lacking? I've been able to
    > interoperate Netscreen IPSec with Cisco PIX, Cisco IOS, Checkpoint,
    > Cisco VPN3k, FreeSWAN; just to name some. Support for preshared keys,
    > x509 certs, ldap auth, and securid auth make me feel that Netscreen's
    > IPSec has quite a few features, not to mention higher throughput due to
    > their ASICs.
    >
    > -dave
    >
    >
    > On Sat, Feb 15, 2003 at 01:27:51PM -0600, Noonan, Wesley wrote:
    > > Having used both, I strongly prefer a PIX. It is much easier to maintain a
    > > bunch of PIXen than it is to maintain a bunch of netscreens. It's not that
    > > the netscreens are bad, it is just that the TCO is too high to try to
    > > maintain a "fleet" of them. In addition, I find their (netscreen) VPN
    > > support to be... well... lacking. It is a very convoluted process, much like
    > > the PIX was 2 years ago.
    > >
    > > HTH
    > >
    > > Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
    > > Senior QA Rep.
    > > BMC Software, Inc.
    > > (713) 918-2412
    > > wnoonan@bmc.com
    > > http://www.bmc.com
    > >
    > >
    > > > -----Original Message-----
    > > > From: Brian Ford [mailto:brford@cisco.com]
    > > > Sent: Saturday, February 15, 2003 12:56
    > > > To: firewall-wizards@honor.icsalabs.com
    > > > Cc: Dave Mitchell
    > > > Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
    > > >
    > > > Dave,
    > > >
    > > > >More than
    > > > >likely, natting a home network behind a linksys soho router would be
    > > > >sufficient.
    > > >
    > > > Yet another security policy that begins with "more than likely". What
    > > > happens in the "likely" case when someone figures out where you are and
    > > > wants to get at your stuff?
    > > >
    > > > >Putting in PIX 501's at someone's home would be insane. If you have to
    > > > >administer
    > > > >it, a small Netscreen is much easier than dealing with PIX.
    > > >
    > > > Gee Dave. Why would it be insane to use a PIX?
    > > >
    > > > To set up a PIX at home all you need is the PIX. You don't need a PC and
    > > > the setup disk that NetScreen ships.
    > > >
    > > > The 501 ships with a default "plug and play" configuration that for many
    > > > installs (including folks sitting behind a cable modem) requires no
    > > > modification to get up and running.
    > > >
    > > > The PIX also supports Cisco AUS (Auto Update Server) so that security
    > > > policy, operating system image, and configuration updates can be securely
    > > > downloaded to the PIX from a central site without end user intervention.
    > > >
    > > > You said "a small Netscreen is much easier than dealing with PIX". Have
    > > > you really tried both products? Could it be that you just don't like
    > > > PIX? Or that you just don't know about the PIX?
    > > >
    > > > Liberty for All,
    > > >
    > > > Brian
    > > >
    > > > At 12:00 PM 2/15/2003 -0500, firewall-wizards-request@honor.icsalabs.com
    > > > wrote:
    > > > >Message: 5
    > > > >Date: Fri, 14 Feb 2003 14:03:11 -0700
    > > > >From: Dave Mitchell <dmitchell@viawest.net>
    > > > >To: "Perrymon, Josh L." <PerrymonJ@bek.com>
    > > > >Cc: "'Chapman, Justin T'" <JtChapma@bhi-erc.com>,
    > > > > "'firewall-wizards@honor.icsalabs.com '" <firewall-wizards@honor.icsalabs.com>
    > > > >Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
    > > > >
    > > > >For normal users I'd recommend some sort of appliance filter or firewall.
    > > > >More than likely, natting a home network behind a linksys soho router
    > > > >would be sufficient. If you want to do VPNing and what not, I think a
    > > > >Netscreen 5 would be the best for the home firewall. Putting in PIX 501's
    > > > >at someone's home would be insane. If you have to administer it, a small
    > > > >Netscreen is much easier than dealing with PIX.
    > > > >
    > > > >-dave
    > > > >
    > > > >On Fri, Feb 14, 2003 at 10:42:16AM -0600, Perrymon, Josh L. wrote:
    > > > > > Yeah... I ( Security Professional ) would implement IPChains or a PIX @
    > > > > > home...
    > > > > > But don't you think Linux is completely out of the question for a
    > > > > > regular end user?????
    > > > > >
    > > > > > I'm looking for an application based firewall for my VPN users..
    > > > > > So far ZONE ALARM is my choice.. I just wished I could integrate it
    > > > > > with the PIX VPN client like the concentrator can.
    > > > > >
    > > > > >
    > > > > >
    > > > > > Any Ideas??
    > > > > > -JP
    > > > > >
    > > > > > -----Original Message-----
    > > > > > From: Chapman, Justin T [mailto:JtChapma@bhi-erc.com]
    > > > > > Sent: Friday, February 07, 2003 11:29 AM
    > > > > > To: 'firewall-wizards@honor.icsalabs.com '
    > > > > > Subject: RE: [fw-wiz] insecurity in internet connection thro cable
    > > > > > modems
    > > > > >
    > > > > >
    > > > > > >
    > > > > > >ipchains is old ( for the previous Linux Kernel 2.2 ), iptables
    > > > > > >http://www.iptables.org would be a better choice.
    > > > > >
    > > > > > Agreed. If it's an option at all, choose iptables over ipchains. It's
    > > > > > more flexible and it's a stateful packet filter, which makes for a
    > > > > > "smarter" firewall. IPtables (and ipchains for that matter) can be a
    > > > > > bit intimidating to work with, especially if you're new to the syntax.
    > > > > > If you're going to "roll your own" firewall, I would suggest searching
    > > > > > Google/Freshmeat.net for "iptables generator". There are plenty of
    > > > > > scripts/web frontends/guis that make creating simple "consumer-grade"
    > > > > > firewalls a snap. One that I particularly like is a cgi-based one at:
    > > > > >
    > > > > > http://morizot.net/firewall/gen/
    > > > > >
    > > > > > Good luck!
    > > > > >
    > > > > > --justin
    > > > > >
    > > >
    > > >
    > > > Brian Ford
    > > > Consulting Engineer
    > > > Corporate Consulting Engineering, Office of the Chief
    > Technology Officer
    > > > Cisco Systems, Inc.
    > > > http://www.cisco.com
    > > > e-mail: brford@cisco.com
    > > >
    > > > _______________________________________________
    > > > firewall-wizards mailing list
    > > > firewall-wizards@honor.icsalabs.com
    > > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
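Justin's point deep in the quoted thread is that iptables, unlike ipchains, is a stateful packet filter, and that the "iptables generator" scripts he mentions are what make a home ruleset approachable. The script below is an added illustration of that idea and is not from any poster in the thread or from the generator he links: a minimal stateful NAT ruleset for a home gateway behind a cable modem, of the shape such generators emit. The interface names, the inside address range and the `IPT` variable are assumptions chosen for the example; by default it prints the rules (`IPT=echo`) so it can be inspected without root, and `IPT=iptables` loads them for real.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal stateful NAT firewall
# for a home gateway, in the style of the "iptables generator" scripts
# mentioned above. The names below are assumptions for illustration:
# WAN is the cable-modem side, LAN is the inside network.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
# Default to printing the rules; set IPT=iptables to actually load them.
IPT=${IPT:-echo}

build_rules() {
    # Clean slate with a default-deny policy for inbound and forwarded
    # traffic. ipchains had no connection tracking, so it could not
    # express the ESTABLISHED,RELATED and INVALID checks used below.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the gateway itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets that claim to belong to a flow the tracker has never seen.
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Management of the gateway only from the inside network.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # Inside hosts may open connections out; return traffic from the
    # WAN is admitted only when the tracker saw the outbound side first.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state INVALID -j DROP

    # Hide the inside network behind the gateway's public address.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Sanity check on the generated ruleset: count the rules that consult
# connection state. A ruleset with none is back to the stateless
# ipchains model the thread advises against.
count_stateful_rules() {
    (IPT=echo; build_rules) | grep -c -- '--state'
}

# Emit (or, with IPT=iptables, load) the ruleset when run as a script.
build_rules
```

Running it as-is prints the twelve commands it would issue; `count_stateful_rules` reports 4 (two ESTABLISHED,RELATED accepts and two INVALID drops), which is the part ipchains could not have expressed.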


