RE: [fw-wiz] insecurity in internet connection thro cable modems

From: Scot Hartman (shartman@inflow.com)
Date: 02/17/03

  • Next message: stefmit: "[fw-wiz] Re: insecurity in internet connection thro cable modems"
    From: Scot Hartman <shartman@inflow.com>
    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 17 Feb 2003 13:37:06 -0700
    

    I would suppose it would be a matter of what you are more comfortable with.

    They are both similar firewall types, but if you're partial to the PIX CLI
    then, well, you have your preference. If you like NS, can't blame you there
    either. We use both, each have their own strengths.

    If I was going to manage a single firewall or maybe a single point-to-point
    tunnel, I personally prefer the PIX because of my own comfort zone. Hit
    it via ssh, https, or use a console connection. I'm not as knowledgable
    with the NS CLI, so you tend to stay with what you know until changing
    really makes sense. The improvements in the recent firmware versions
    really augment the troubleshooting capability (tcpdump spelled 'capture')
    and I agree it is easier to generate keys.

    If I'm building a larger VPN infrastructure though, I'm going with the
    Netscreen and managing the whole mess with Global Pro. Adding and removing
    endpoints for a full-mesh or even a hub and spoke once you get beyond a few
    devices is made manageable. Some added niceties for polling to see if the
    tunnel is active is nice. I've also seen much better VPN throughput for
    the dollar on the NS-5 vs the PIX 501.

    Scot

    > -----Original Message-----
    > From: Dave Mitchell [mailto:dmitchell@viawest.net]
    > Sent: Sunday, February 16, 2003 10:39 AM
    > To: Noonan, Wesley
    > Cc: 'Brian Ford'; firewall-wizards@honor.icsalabs.com
    > Subject: Re: [fw-wiz] insecurity in internet connection thro cable
    > modems
    >
    >
    > Wes,
    > GlobalPro makes it easier to maintain a fleet of
    > Netscreens. I'm confused
    > as to why you feel their VPN support is lacking? I've been
    > able to interoperate
    > Netscreen IPSec with Cisco PIX, Cisco IOS, Checkpoint,
    > Cisco VPN3k, FreeSWAN;
    > just to name some. Support for preshared keys, x509 certs,
    > ldap auth, and securid
    > auth make me feel that Netscreen's IPSec has quite a few
    > features, not to mention
    > higher throughput due to their ASIC's.
    >
    > -dave
    >
    >
    > On Sat, Feb 15, 2003 at 01:27:51PM -0600, Noonan, Wesley wrote:
    > > Having used both, I strongly prefer a PIX. It is much
    > easier to maintain a
    > > bunch of PIXen than it is to maintain a bunch of
    > netscreens. It's not that
    > > the netscreens are bad, it is just that the TCO is too
    > high to try to
    > > maintain a "fleet" of them. In addition, I find their
    > (netscreen) VPN
    > > support to be... well... lacking. It is a very convoluted
    > process, much like
    > > the PIX was 2 years ago.
    > >
    > > HTH
    > >
    > > Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
    > > Senior QA Rep.
    > > BMC Software, Inc.
    > > (713) 918-2412
    > > wnoonan@bmc.com
    > > http://www.bmc.com
    > >
    > >
    > > > -----Original Message-----
    > > > From: Brian Ford [mailto:brford@cisco.com]
    > > > Sent: Saturday, February 15, 2003 12:56
    > > > To: firewall-wizards@honor.icsalabs.com
    > > > Cc: Dave Mitchell
    > > > Subject: Re: [fw-wiz] insecurity in internet connection
    > thro cable modems
    > > >
    > > > Dave,
    > > >
    > > > >More than
    > > > >likely, natting a home network behind a linksys soho
    > router would be
    > > > >sufficient.
    > > >
    > > > Yet another security policy that begins with "more than
    > likely". What
    > > > happens in the "likely" case when someone figures out
    > where you are and
    > > > wants to get at your stuff?
    > > >
    > > > >Putting in PIX 501's at someones home would be insane.
    > If you have to
    > > > >administer
    > > > >it, a small Netscreen is much easier than dealing with PIX.
    > > >
    > > > Gee Dave. Why would it be insane to use a PIX?
    > > >
    > > > To set up a PIX at home all you need is the PIX. You
    > don't need a PC and
    > > > the setup disk that NetScreen ships.
    > > >
    > > > The 501 ships with a default "plug and play"
    > configuration that for many
    > > > installs (including folks sitting behind a cable modem)
    > requires no
    > > > modification to get up and running.
    > > >
    > > > The PIX also supports Cisco AUS (Auto Update Server) so
    > that security
    > > > policy, operating system image, and configuration
    > updates can be securely
    > > > downloaded to the PIX from a central site without end
    > user intervention.
    > > >
    > > > You said "a small Netscreen is much easier than dealing
    > with PIX". Have
    > > > you really tried both products? Could it be that you
    > just don't like
    > > > PIX? Or that you just don't know about the PIX?
    > > >
    > > > Liberty for All,
    > > >
    > > > Brian
    > > >
    > > > At 12:00 PM 2/15/2003 -0500,
    > firewall-wizards-request@honor.icsalabs.com
    > > > wrote:
    > > > >Message: 5
    > > > >Date: Fri, 14 Feb 2003 14:03:11 -0700
    > > > >From: Dave Mitchell <dmitchell@viawest.net>
    > > > >To: "Perrymon, Josh L." <PerrymonJ@bek.com>
    > > > >Cc: "'Chapman, Justin T'" <JtChapma@bhi-erc.com>,
    > > > > "'firewall-wizards@honor.icsalabs.com '"
    > > > > <firewall-wizards@honor.icsalabs.com>
    > > > >Subject: Re: [fw-wiz] insecurity in internet
    > connection thro cable modems
    > > > >
    > > > >For normal users I'd recommend some sort of appliance
    > filter or firewall.
    > > > >More than
    > > > >likely, natting a home network behind a linksys soho
    > router would be
    > > > >sufficient. If you
    > > > >want to do VPNing and what not, I think a Netscreen 5
    > would be the best
    > > > >for the home
    > > > >firewall. Putting in PIX 501's at someones home would
    > be insane. If you
    > > > >have to administer
    > > > >it, a small Netscreen is much easier than dealing with PIX.
    > > > >
    > > > >-dave
    > > > >
    > > > >On Fri, Feb 14, 2003 at 10:42:16AM -0600, Perrymon,
    > Josh L. wrote:
    > > > > > Yeah... I ( Security Professional ) would
    > implement IPChains or a PIX
    > > > @
    > > > > > home...
    > > > > > But don't you think Linux is completely out of the
    > question for a
    > > > regular
    > > > > > end user?????
    > > > > >
    > > > > > I'm looking for an application based firewall for
    > my VPN users..
    > > > > > So far ZONE ALARM is my choice.. I just wished I
    > could integrate it
    > > > with
    > > > > > the PIX VPN client like the concentrator can.
    > > > > >
    > > > > >
    > > > > >
    > > > > > Any Ideas??
    > > > > > -JP
    > > > > >
    > > > > > -----Original Message-----
    > > > > > From: Chapman, Justin T [mailto:JtChapma@bhi-erc.com]
    > > > > > Sent: Friday, February 07, 2003 11:29 AM
    > > > > > To: 'firewall-wizards@honor.icsalabs.com '
    > > > > > Subject: RE: [fw-wiz] insecurity in internet
    > connection thro cable
    > > > > > modems
    > > > > >
    > > > > >
    > > > > > >
    > > > > > >ipchains is old ( for the previous Linux Kernel
    > 2.2 ), iptables
    > > > > > >http://www.iptables.org would be a better choice.
    > > > > >
    > > > > > Agreed. If it's an option at all, choose iptables
    > over ipchains.
    > > > It's
    > > > > more
    > > > > > flexable and it's a stateful packet filter, which
    > makes for a
    > > > "smarter"
    > > > > > firewall. IPtables (and ipchains for that matter)
    > can be a bit
    > > > > intimidating
    > > > > > to work with, especially if you're new to the
    > syntax. If you're going
    > > > to
    > > > > > "rolll your own" firewall, I would suggest searching
    > > > Google/Freshmeat.net
    > > > > > for "iptables generator". There are plenty of scripts/web
    > > > frontends/guis
    > > > > > that make creating simple "consumer-grade"
    > firewalls a snap. One that
    > > > I
    > > > > > particularly like is a cgi-based one at:
    > > > > >
    > > > > > http://morizot.net/firewall/gen/
    > > > > >
    > > > > > Good luck!
    > > > > >
    > > > > > --justin
    > > > > >
    > > >
    > > >
    > > > Brian Ford
    > > > Consulting Engineer
    > > > Corporate Consulting Engineering, Office of the Chief
    > Technology Officer
    > > > Cisco Systems, Inc.
    > > > http://www.cisco.com
    > > > e-mail: brford@cisco.com
    > > >
    > > > _______________________________________________
    > > > firewall-wizards mailing list
    > > > firewall-wizards@honor.icsalabs.com
    > > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    > > _______________________________________________
    > > firewall-wizards mailing list
    > > firewall-wizards@honor.icsalabs.com
    > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards