He replaced it with a Mikrotik... thanks for input guys....

On Thu, Nov 15, 2018, 8:40 PM Ken Hohhof <[email protected]> wrote:
> Yes, ASA is the successor to PIX which Cisco acquired around 1995. Cisco grew by acquisitions, e.g. the Catalyst switch product line. PIX had its own OS, Catalyst had its own OS, over time they made them look more like IOS, but just enough different to be confusing.
>
> I think another justification of VPN firewall products was that you could only get decent IPSEC performance on a box with encryption in hardware. But now CPU chips are fast enough and many have hardware acceleration for encryption, so that you don’t need a special Cisco box. Just like it used to be the only way to build a router with high throughput and low latency was hardware based with ASICs and CAM.
>
> *From:* AF <[email protected]> *On Behalf Of* Josh Baird
> *Sent:* Thursday, November 15, 2018 8:56 PM
> *To:* AFMUG <[email protected]>
> *Subject:* Re: [AFMUG] Router vulnerability
>
> There is nothing more annoying than trying to match up a version of Java with ASDM. I think you have a good strategy.
>
> I mostly agree with everyone else here. The config is archaic, and there are other options now that are easier and can be just as robust. I don't care how "enterprise" you are.
>
> On Thu, Nov 15, 2018 at 9:20 PM Larry Smith <[email protected]> wrote:
>
> True on pretty much all counts, but, when dealing with certain "audit" agencies (especially for banks), if you have anything other than a name brand (Cisco ASA) firewall then you have 3,987 more pages of paperwork to fill out and justify your reasons/selection.
>
> We maintain several, you just keep a virtual PC with each version of ASDM and the appropriate JAVA (they only talk reliably to one specific version for each version of ASDM) and there's nothing to it.
>
> --
> Larry Smith
> [email protected]
>
> On Thu November 15 2018 18:58, Ken Hohhof wrote:
> > If it’s company CEO, they should purchase Smartnet contract and keep the firmware updated. That’s about the only way you are going to fix vulnerabilities, hope Cisco fixes them, and keep up with the latest firmware.
> >
> > IMHO the only reason to have a Cisco ASA at home is he needs a site-to-site VPN to an ASA at the office. Meaning he has multiple devices at home that need to work across the VPN, otherwise he could probably use a software VPN client on his computer. Or maybe non computer devices like his phone needs to work across the VPN.
> >
> > Also IMHO if this is the case, he needs a Cisco security trained/certified IT person to manage it. I was OK dealing with IOS but the ASA series I always found very difficult to configure and maintain, I pretty much wouldn’t touch them. One of my customers who had ASAs at HQ and every branch office had a big IT company under contract to do all their ASA maintenance and even though they were supposedly Cisco experts, they would screw up and mess everything up trying to do a simple change and end up taking a whole day to get it working again.
> >
> > A common approach seems to be start with ASDM to get a basic working config because you’ll never get there from the command line, but then SSH in and do the rest of the config manually. Then be sure to save a copy of the config for when you inevitably break everything trying to make a change.
> >
> > If the CEO just needs a fancy router, there are probably better choices than an ASA. Just not a Sonicwall. Maybe a nice Netgear AX8, which will look like it’s about to take off and fly around the living room. Or maybe a nice Google WiFi, he can put one in every room.
> >
> > But you’re probably going to say it’s the VPN thing. Some people say it’s because they need a true firewall, not just a router. But then I ask them what custom firewall rules they defined. And who monitors the IDS logs and responds to the identified threats. If the answers are none and nobody, then it’s just an expensive router. And BTW, in my experience ASAs are like every other router, first troubleshooting step is to power cycle them and see if the VPN light comes back on.
> >
> > I have some customers now using firewall appliances at every site that they contract out to a big telco which I think is using firewall appliances based on pfSense. I don’t really know enough to have an opinion, but that seems a reasonable way to go. No Cisco maintenance contract to buy just to get firmware updates. Just finding someone to sell you Smartnet is a pain, I used to call up a place like CDW. I swear Cisco doesn’t really want your business unless you’re a Fortune 500 company, or government, or a big telco.
> >
> > From: AF <[email protected]> On Behalf Of Jaime Solorza
> > Sent: Thursday, November 15, 2018 5:32 PM
> > To: AnimalFarm Microwave Users Group <[email protected]>
> > Subject: Re: [AFMUG] Router vulnerability
> >
> > Friend has one for ceo of his company...can you point me to sure for ideas?
> >
> > On Thu, Nov 15, 2018, 12:15 PM Josh Luthman <[email protected]> wrote:
> >
> > Who's using an ASA at home?
> >
> > ASA has a bunch of vulnerabilities - most fixed, some not...
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
> > On Thu, Nov 15, 2018 at 11:42 AM, Jaime Solorza <[email protected]> wrote:
> >
> > What is the latest on router vulnerability to hacks on ASA and home versions?
--
AF mailing list
[email protected]
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
