Re: [fw-wiz] Skip the PDM

From: Victor B. Williams (vbwilliams_at_essvote.net)
Date: 11/20/03

  • Next message: Crissup, John (MBNP is): "RE: [fw-wiz] Skip the PDM"
    To: "Robert Fenerty" <robert@fenerty.com>
    Date: Thu, 20 Nov 2003 09:38:12 -0600 (CST)

    It's all a matter of perspective really.

    Cisco devices aren't for the faint of heart...and really, if a client
    doesn't *need* to have a Cisco device present, why install it?

    However, I couldn't disagree with you more about PDM version 3.0. I
    think it's the best GUI for configuring any firewall on the face of
    the planet...and that's including all the firewall GUI interfaces I've
    used...the one included with WEBMIN for ipchains/iptables, lokkit, all
    the Linksys/D-link/SMC interfaces for their COTS firewalls, etc etc.

    Firewalls and their software aren't, and never will be, a technology
    that's understood by the masses...if they were, there wouldn't be a
    need for this list. I think anyone who understands the methodology
    and functionality of a firewall should be able to configure one with
    or without the GUI interface.

    I've always done the basic setup of a Cisco firewall from the command
    line, and then proceeded with all the extracurricular stuff with the
    GUI (VPN connections, AAA authentication, etc). I think doing that,
    you mitigate any problems you might have. For the most part, once a
    Cisco device is set up with the IP addresses and routes on each
    interface, it rarely changes...so doing that through the GUI is going
    to be less efficient anyway.

    Robert Fenerty said:
    > Hi,
    >
    > Although I sense that many subscribers to this list are of the
    > ipchains/linux ilk, I thought I'd tell you about my experience
    > configuring a PIX 501 at a client's site. A pretty standard setup,
    > which took me THREE AND A HALF HOURS to install. I think we can all
    > agree that I'm not a firewall wizard. Maybe an apprentice to the guy
    > who mixes the mortar for the firewall.
    >
    > The PIX Device Manager (PDM) is a GUI-based app that runs as a web
    > server on the PIX 501. The 501's a tiny SOHO box with a Command-Line
    > Interface (CLI) fairly similar to those found on Cisco routers. The
    > differences tripped me up a bit; like grep options on HP-UX if you
    > were raised on Sun.
    >
    > So to "speed things up" I tried using the PDM. Bad idea. In my
    > network design, the office network uses the 172.16.x.y network to
    > avoid any routing problems that might arise when remote workers with
    > 192.168.x.y home networks connect to the office via software VPN.
    >
    > So I tell the GUI that the "inside" interface is 172.16.1.1, and the
    > DHCP pool starts at .2. Specify the gateway, DNS, etc. and you're
    > done. Right? Wrong. I'm guessing that the PDM just collects command
    > lines and sends them to the PIX.
    >
    > The first error pops up when "ip address inside 172.16.1.1
    > 255.255.0.0" conflicts with the factory default DHCP pool, which
    > starts at 192.168.1.2. So the interface IP isn't changed. And the
    > request to change the DHCP pool doesn't match the still-unchanged
    > factory IP address, so that's ignored too. At least the PDM pops up
    > error messages, and it was pretty obvious to me what was going on.
    > So I fixed it manually.
    >
    > But the client paid $500 for this box. And a $100 Linksys or SMC box
    > wouldn't have had this problem. You'd think Cisco could do better.
    >
    > Then the DHCP server on the PIX wouldn't vend IP addresses. No
    > sniffer handy, so I tried various debug options on the PIX. Finally
    > got an error message from the DHCPD saying that DHCP wasn't enabled.
    > This was odd, considering that "dhcp enable inside" and other dhcp
    > settings were in place. I don't know what I did to kick start it,
    > but it eventually started lending everyone IP addresses from its
    > stingy pool of 32 DHCP leases. It was pretty easy to set up the rest
    > of it.
    >
    > Anyway, the point of this message was to say that the PDM is a rotten
    > little piece of software that only confuses things. So skip the PDM.
    >
    > Robert Fenerty
    >
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

    "Real men don't even use monitors! I've just got a guy that can draw
    real fast."

    Victor Williams
    Network Architect
    Election Systems & Software
    http://www.essvote.com
    vbwilliams@essvote.net
    (402) 970-1100

    CONFIDENTIALITY NOTICE:
    This e-mail transmission and any documents, files or previous e-mail
    messages attached to it may contain information that is confidential,
    protected by the attorney/client or other privileges, and may
    constitute non-public information. It is intended to be conveyed only
    to the designated recipient(s) named above. Any unauthorized use,
    reproduction, forwarding, distribution or other dissemination of this
    transmission is strictly prohibited and may be unlawful. If you are
    not an intended recipient of this e-mail transmission, please notify
    the sender by return e-mail and permanently delete any record of this
    transmission. Your cooperation is appreciated.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
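The ordering problem Robert describes (the new interface address rejected against the old DHCP pool, then the new pool rejected against the still-old interface address) can be reproduced and avoided with a small model. This is an added example, not code from either poster or from Cisco: `PixModel` is a hypothetical simulation that enforces only the consistency rule the post implies (the pool must lie on the inside subnet), and the `dhcpd` / `no dhcpd` command strings are assumed approximations of PIX syntax, not a CLI reference. The starting state is constructed from the factory defaults the post mentions, with a 32-lease pool.

```python
"""Ordering-aware re-addressing of a PIX-style inside interface and its DHCP pool.

Added example, not from the original post. PixModel is a hypothetical
simulation; the command syntax is an assumption loosely based on PIX 6.x.
"""
import ipaddress


class ConfigError(Exception):
    """Raised when a command would leave the modelled box inconsistent."""


class PixModel:
    def __init__(self, inside_ip, inside_mask, pool_start, pool_end):
        # ip_interface accepts a dotted netmask, matching "ip address" syntax.
        self.inside = ipaddress.ip_interface(f"{inside_ip}/{inside_mask}")
        self.pool = (ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end))
        self.dhcpd_enabled = True
        self.applied = []

    @staticmethod
    def _consistent(inside, pool):
        # Rule modelled from the post: the DHCP pool must lie on the inside subnet.
        if pool is None:
            return True
        net = inside.network
        return pool[0] in net and pool[1] in net and pool[0] <= pool[1]

    def apply(self, cmd):
        parts = cmd.split()
        if parts[:3] == ["ip", "address", "inside"]:
            new = ipaddress.ip_interface(f"{parts[3]}/{parts[4]}")
            if not self._consistent(new, self.pool):
                raise ConfigError(f"{cmd}: conflicts with dhcpd pool {self.pool}")
            self.inside = new
        elif parts[:3] == ["no", "dhcpd", "address"]:
            self.pool = None
        elif parts[:2] == ["dhcpd", "address"]:
            lo, hi = parts[2].split("-")
            pool = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            if not self._consistent(self.inside, pool):
                raise ConfigError(f"{cmd}: pool not on inside subnet {self.inside.network}")
            self.pool = pool
        elif parts[:2] == ["dhcpd", "enable"]:
            if self.pool is None:
                raise ConfigError(f"{cmd}: no pool configured")
            self.dhcpd_enabled = True
        elif parts[:3] == ["no", "dhcpd", "enable"]:
            self.dhcpd_enabled = False
        else:
            raise ConfigError(f"{cmd}: unknown command in this model")
        self.applied.append(cmd)


def apply_all(model, commands):
    """Push each line and collect what the box rejected, as the PDM's error pop-ups do."""
    errors = []
    for cmd in commands:
        try:
            model.apply(cmd)
        except ConfigError as e:
            errors.append(str(e))
    return errors


def pdm_style_commands(new_ip, new_mask, pool_start, pool_end):
    # The order the post implies the PDM used: interface first, then the pool.
    return [f"ip address inside {new_ip} {new_mask}",
            f"dhcpd address {pool_start}-{pool_end} inside"]


def ordered_commands(new_ip, new_mask, pool_start, pool_end):
    # Tear down the dependent object (the pool) first, re-address, then rebuild it.
    return ["no dhcpd enable inside",
            "no dhcpd address inside",
            f"ip address inside {new_ip} {new_mask}",
            f"dhcpd address {pool_start}-{pool_end} inside",
            "dhcpd enable inside"]


def factory_box():
    # Constructed starting state: factory defaults as described in the post.
    return PixModel("192.168.1.1", "255.255.255.0", "192.168.1.2", "192.168.1.33")


if __name__ == "__main__":
    target = ("172.16.1.1", "255.255.0.0", "172.16.1.2", "172.16.1.33")
    naive = factory_box()
    print("PDM order errors:", apply_all(naive, pdm_style_commands(*target)))
    print("state after PDM order:", naive.inside, naive.pool)
    good = factory_box()
    print("ordered errors:", apply_all(good, ordered_commands(*target)))
    print("state after ordered apply:", good.inside, good.pool, good.dhcpd_enabled)
```

Running it shows two rejections and an unchanged box for the PDM order, and a clean apply for the ordered sequence. The general point is the one Victor makes from the other side: an object that depends on another (here the pool on the interface address) has to be cleared before the thing it depends on is changed, and a GUI that serialises a form into independent commands cannot see that dependency.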