Re: [fw-wiz] Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)

Hi Chris, I am not saying that Cisco is bad. Basically, due to their bugs I know that every vendor has a lot of bugs in them while trying to get new features into it. Basically what I meant was: if you look at granularity and minute control over the traffic which is passing through the firewall, in this consideration I feel NetScreen and Checkpoint are far better than PIX. I have worked a lot on PIX and I see it's an advanced NATting box and nothing else. Whereas in NetScreen there are pre-defined attacks and screen options to filter traffic looking at the bits set in the TCP header. Similarly, application intelligence for protocols like Microsoft RPC and all: NetScreen and Checkpoint have support to filter or permit such traffic, which PIX is not even aware of. I mean this level of minute control. See ya, good to discuss with you.



Chris Blask <chris@xxxxxxxxx> wrote: At 05:08 AM 26/05/2006, you wrote:

Hi Chris. You are right, there are many vendors who are claiming to give an integrated security solution in one box. But at the same time they are having a lot of bugs in them. Say for Cisco: every new feature they introduce, they will have a train of bugs in them. Similarly with NetScreen 5.3 OS, it has a lot of bugs. The quality assurance of these products is not going through rigorous testing and compliance. But to be frank, Checkpoint and NetScreen are far better off than what Cisco security solutions can provide. What are your views about it? Would surely like to know. See ya.

Hey Sushil!

Generally, I'm not the guy to ask about the merits of product A version B.C versus product D vE.F - Many of our colleagues on the list know most of that better than I. That said, my thoughts:

o Bugs are bugs, and everyone has them. What's more important is the number of them, severity and time to fix. Cisco IOS has a particular problem in that it is a huge codebase, which a zillion different engineering groups write code for and with multiple functional trains designed for diverse uses all feeding into the same product. A lot of the problems apparent with that system could be fixed but are challenged by the fact that you have a gargantuan company still rife with "Wet Paint" signs.

- I don't see Juniper et al inherently better in this area - they just haven't gotten large enough to have the same set of problems. They are all trying as hard as possible to get there and suffer from those problems as soon as possible and will be happy to share them with you when they do.

- PIX was a counter-example, where we had a relatively small and independent code base and one dedicated (ass-kicking) team of engineers. We kept up a pace of improvements for a while there that was appropriately dynamic to fit the need of the market and evolve it to where it got boring (or at least where the Cisco machine made it so), and now you have ASA (aka: "how to kill viable branding for $100M or more"). Is that at net a bad thing? Hard to say as far as ASA goes outside of quarter-to-quarter detailed product comparisons, but as I mention in other posts, the market is maturing and overall I think that is good.

o My strong belief is that currently the nature of the individual components of an infosec solution is much less important than how you use them. Good firewalls managed badly suck; "weak" firewalls managed diligently and used with the right collateral don't.

- Despite my plethora of reasons to criticize Cisco (you have no idea...), I think they have a couple of particularly good bits and are emerging parts of a good management strategy (largely despite their own strenuous efforts to the contrary). While security management matures (many years), vendors who can ship an entire network will tend to have an edge over those who can't.

- NetScreen and CP are fine product lines in general terms (lots of savvy customers harassing experienced product eng teams over a long period of time). A viable management structure should allow you to use whatever type of gadget you choose and coordinate it with every other one despite which vendor makes which part (which is generally true today across the infosec management space, though often still requiring a lot of effort).

Hope that adds some value for you somewhere, though it kinda feels like a rant... ;~)
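Sushil's point about screen options that act on "the bits set in the TCP header" is the kind of thing a firewall does before any stateful or application-layer logic runs. The block below is an added illustration, not code from either poster nor from any NetScreen, Checkpoint or PIX product: it builds a few constructed 20-byte TCP headers, reads the flag byte, and classifies illegal flag combinations (SYN+FIN, no flags at all, FIN+PSH+URG) the way a header screen would. The screen names and the `build_tcp_header`/`screen` helpers are assumptions made for this example.

```python
import struct
from typing import Optional

# TCP flag bits as they sit in byte 13 of the TCP header (RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Construct a minimal 20-byte TCP header for the example (constructed sample data).

    Fields: src port, dst port, seq, ack, data offset (5 words) in the high nibble,
    flags byte, window, checksum (left 0 here), urgent pointer.
    """
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits from a raw TCP header (no IP header in front)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return segment[13] & 0x3F


# Header screens, checked in order: each maps a screen name to a predicate on the
# flag byte. These are hypothetical names chosen for the example; the combinations
# themselves never occur in a legitimate TCP exchange.
SCREENS = (
    ("null-flags", lambda f: f == 0),                               # no flags set
    ("syn-fin", lambda f: f & (SYN | FIN) == (SYN | FIN)),          # open and close at once
    ("fin-no-ack", lambda f: f & FIN and not f & ACK),              # FIN must carry ACK
    ("xmas", lambda f: f & (FIN | PSH | URG) == (FIN | PSH | URG)), # "lit up" header
)


def screen(segment: bytes) -> Optional[str]:
    """Return the name of the first screen the segment trips, or None if it looks normal."""
    flags = tcp_flags(segment)
    for name, matches in SCREENS:
        if matches(flags):
            return name
    return None


def screen_batch(segments) -> dict:
    """Count, per screen name, how many segments in a batch would be dropped."""
    counts: dict = {}
    for seg in segments:
        hit = screen(seg)
        if hit is not None:
            counts[hit] = counts.get(hit, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed mix: a normal handshake SYN and ACK, plus three malformed headers.
    batch = [
        build_tcp_header(SYN),
        build_tcp_header(ACK),
        build_tcp_header(SYN | FIN),
        build_tcp_header(0),
        build_tcp_header(FIN | PSH | URG),
    ]
    for seg in batch:
        print(f"flags=0x{tcp_flags(seg):02x} -> {screen(seg) or 'pass'}")
    print(screen_batch(batch))
```

Note that the check ordering matters: a FIN+PSH+URG header also satisfies the plain `fin-no-ack` rule, so the more specific screen has to be listed first if you want it reported by name; the example lists `xmas` last only to show how the batch counter attributes each drop to one rule.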
