LOL seems to be a common theme. Still, now kind of worrisome considering
your first question was about ASA vulnerability.
I just have to reiterate what many have said on the list before: make
sure those Mikrotiks have a decent firewall ruleset and are upgraded to
the latest version as well. They do have some unfixed security issues in
the most current release.
I have never had any troubles configuring ASAs even from command line;
it's just another syntax. Then again I pretty much work on command line
only on everything from Cisco/Mikrotiks/Juniper/Nokia and have worked
with ASAs since that 1995 time frame.
On 11/15/2018 9:41 PM, Jaime Solorza wrote:
He replaced it with a Mikrotik... thanks for input guys....
On Thu, Nov 15, 2018, 8:40 PM Ken Hohhof <[email protected]> wrote:
Yes, ASA is the successor to PIX which Cisco acquired around
1995. Cisco grew by acquisitions, e.g. the Catalyst switch
product line. PIX had its own OS, Catalyst had its own OS, over
time they made them look more like IOS, but just enough different
to be confusing.
I think another justification of VPN firewall products was that
you could only get decent IPSEC performance on a box with
encryption in hardware. But now CPU chips are fast enough and many
have hardware acceleration for encryption, so that you don’t need
a special Cisco box. Just like it used to be the only way to
build a router with high throughput and low latency was hardware
based with ASICs and CAM.
*From:* AF <[email protected]> *On Behalf Of *Josh Baird
*Sent:* Thursday, November 15, 2018 8:56 PM
*To:* AFMUG <[email protected]>
*Subject:* Re: [AFMUG] Router vulnerability
There is nothing more annoying than trying to match up a version
of Java with ASDM. I think you have a good strategy.
I mostly agree with everyone else here. The config is archaic,
and there are other options now that are easier and can be
just as robust. I don't care how "enterprise" you are.
On Thu, Nov 15, 2018 at 9:20 PM Larry Smith <[email protected]> wrote:
True on pretty much all counts,
but, when dealing with certain "audit" agencies
(especially for banks), if you have anything other than
a name brand (Cisco ASA) firewall then you have 3,987 more
pages of paperwork to fill out and justify your reasons/selection.
We maintain several, you just keep a virtual PC with each version
of ASDM and the appropriate JAVA (they only talk reliably to one
specific version for each version of ASDM) and there's nothing
to it.
--
Larry Smith
[email protected]
On Thu November 15 2018 18:58, Ken Hohhof wrote:
> If it’s company CEO, they should purchase Smartnet contract and keep the
> firmware updated. That’s about the only way you are going to fix
> vulnerabilities, hope Cisco fixes them, and keep up with the latest
> firmware.
>
> IMHO the only reason to have a Cisco ASA at home is he needs a
> site-to-site VPN to an ASA at the office. Meaning he has multiple devices
> at home that need to work across the VPN, otherwise he could probably use a
> software VPN client on his computer. Or maybe non computer devices like
> his phone needs to work across the VPN.
>
> Also IMHO if this is the case, he needs a Cisco security trained/certified
> IT person to manage it. I was OK dealing with IOS but the ASA series I
> always found very difficult to configure and maintain, I pretty much
> wouldn’t touch them. One of my customers who had ASAs at HQ and every
> branch office had a big IT company under contract to do all their ASA
> maintenance and even though they were supposedly Cisco experts, they would
> screw up and mess everything up trying to do a simple change and end up
> taking a whole day to get it working again.
>
> A common approach seems to be start with ASDM to get a basic working config
> because you’ll never get there from the command line, but then SSH in and
> do the rest of the config manually. Then be sure to save a copy of the
> config for when you inevitably break everything trying to make a change.
>
> If the CEO just needs a fancy router, there are probably better choices
> than an ASA. Just not a Sonicwall. Maybe a nice Netgear AX8, which will
> look like it’s about to take off and fly around the living room. Or maybe a
> nice Google WiFi, he can put one in every room.
>
> But you’re probably going to say it’s the VPN thing. Some people say it’s
> because they need a true firewall, not just a router. But then I ask them
> what custom firewall rules they defined. And who monitors the IDS logs and
> responds to the identified threats. If the answers are none and nobody,
> then it’s just an expensive router. And BTW, in my experience ASAs are
> like every other router, first troubleshooting step is to power cycle them
> and see if the VPN light comes back on.
>
> I have some customers now using firewall appliances at every site that they
> contract out to a big telco which I think is using firewall appliances
> based on pfSense. I don’t really know enough to have an opinion, but that
> seems a reasonable way to go. No Cisco maintenance contract to buy just to
> get firmware updates. Just finding someone to sell you Smartnet is a pain,
> I used to call up a place like CDW. I swear Cisco doesn’t really want your
> business unless you’re a Fortune 500 company, or government, or a big
> telco.
>
> From: AF <[email protected]> On Behalf Of Jaime Solorza
> Sent: Thursday, November 15, 2018 5:32 PM
> To: AnimalFarm Microwave Users Group <[email protected]>
> Subject: Re: [AFMUG] Router vulnerability
>
> Friend has one for ceo of his company...can you point me to sure for ideas?
>
> On Thu, Nov 15, 2018, 12:15 PM Josh Luthman <[email protected]> wrote:
>
> Who's using an ASA at home?
>
> ASA has a bunch of vulnerabilities - most fixed, some not...
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Thu, Nov 15, 2018 at 11:42 AM, Jaime Solorza <[email protected]> wrote:
>
> What is the latest on router vulnerability to hacks on ASA and home
> versions?
>
> --
> AF mailing list
> [email protected]
> http://af.afmug.com/mailman/listinfo/af_af.afmug.com
--
Trey Scarborough
VP Engineering
3DS Communications LLC
p:9729741539