Sean,

Do you also allow telnet (or SSH) to your edge routers? If not, then how do you do remote admin? If so.. well, never mind.

In the case of not being able to connect to the PIX from the outside, well.... I have been doing remote admin on networks with a PIX, which by the way did not allow any connections to it from the outside till SSH came along, for many years. There are things like VPNs and remote access dial-ups to the private side.

You guys are going over some stupid and non-valid points to prove your point...

Bottom line, if you know how to properly set up a Linux firewall, great. You have a very powerful tool at a very low price (almost free!)

If you are an enterprise which makes money (and I mean real money, and not your typical mom and pop) with their infrastructure, one would be a fool to implement a Linux firewall. Something that is standards based and you can call many firms for support and is backed by a company with its balls on the line for their products is the way to go. Let's forget the technical "is this better or that" and look at the business logic (technical issues seem to never be solved!)

I would rather implement Cisco because I know when the person who set it up leaves there are MANY people out there, a phone call away, that can hop in and make the needed changes. They don't have to ask what ver of Linux I'm running, they don't have to look and see which of many firewall (and router) apps are being used... There is one common language which the PIX is configured in.

Also, your Linux box is only as good as the hardware you run it on... There aren't many cheap boxes with the same MTBF as the PIXs (or Nokias or any enterprise class FW.)

Moe.
--- Allen May <[EMAIL PROTECTED]> wrote:
> One more thing I forgot to mention. If compromised (& it has to be from inside because outside interface cannot be used to connect), all they can do to a PIX is mess up your config or add some lines. However, with TACACS+ & AAA authentication you can even limit what commands they can execute. If the config is messed up, just dial in and copy the config from the tftp server again.
>
> ----- Original Message -----
> From: "Sean Young" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Monday, March 26, 2001 2:42 PM
> Subject: Re: Performance Comparison between Linux OS Firewall and Cisco PIX 525
>
> > Allen,
> > If SSH service is not open on the outside interface, how do you expect to troubleshoot the problem when there is a problem with the Firewall? Tell me this, how can you troubleshoot a PIX remotely when there is a problem? My employer is certainly not going to fly me out-of-state to fix a minor problem. Furthermore, can you absolutely guarantee me, in writing, that the Cisco PIX can never be compromised? Another thing, what makes you think that I am also running other services besides Firewall features on Linux? If you read my email carefully, you also notice that I only run SSH and netfilter (aka iptables) on the Firewall. Your reason is based purely on FUD (Fear, Uncertainty and Doubt).
> >
> > Sean
> >
> > > From: "Allen May" <[EMAIL PROTECTED]>
> > > To: "Sean Young" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> > > Subject: Re: Performance Comparison between Linux OS Firewall and Cisco PIX 525
> > > Date: Mon, 26 Mar 2001 14:29:34 -0600
> > >
> > > Is the outside interface still open to SSH connections? If so & it's compromised, Linux is a full blown operating system that, when compromised, can have ANY program designed for Linux installed. Can you imagine something like a packet analyzer grabbing all your passwords and sending them out over the net to someone else? Ewww. That's my #1 reason for going with something like a PIX. Just make sure your IDS is set to notify even in the event of a SUCCESSFUL connection. I've seen people who set it up for unsuccessful attempts only.
> > >
> > > I hope that guy wasn't fired BECAUSE he recommended the Cisco solution. That's totally a matter of point of view on that decision & his wasn't wrong..neither was the Linux choice. Some situations call for one while others call for the other.
> > >
> > > Oh and keep a copy of the correctly configured drive with all settings on hand. A hard drive is much more prone to failure than RAM/ROM just due to the moving parts involved.
> > >
> > > Allen
> > > ----- Original Message -----
> > > From: "Sean Young" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > > Sent: Sunday, March 25, 2001 3:05 PM
> > > Subject: Re: Performance Comparison between Linux OS Firewall and Cisco PIX 525
> > >
> > > > Ken,
> > > > Thank you very much for the advice. This past Friday, my company decided to use Linux as our company Firewall. Furthermore, we've decided that this Firewall will be running kernel 2.4.2 with only two services running on it, SSH and netfilter (aka iptables). I've tested kernel 2.4.2 in the lab and noticed it performs better than kernel 2.2.x. I've also performed various intrusion detection tests on the box using Cisco NetSonar, Cybercop, ISS, Axent Netrecon but was unable to break it. The linux box is rock-solid. I am also running portsentry (IDS) on the Firewall itself.
> > > >
> > > > Also, we decided to run our squid proxy server on another linux box to provide transparent caching for our internal users. As far as VPN is concerned, we are going to implement FreeS/WAN on another box. I think in the long run, it is going to save the company a lot of money. We end up not buying the PIX and web-caching engine from Cisco. Oh, the networking guy in our group who recommended Cisco PIX and Cisco web-caching engine as a solution has been fired. Go figure.
> > > >
> > > > Regards,
> > > > Sean
> > > > P.S. Priscilla, why not implement TRANSPARENT caching by using squid to speed up internet connection for your users? Squid is free and very secure and easy to use.
> > > >
> > > > > From: [EMAIL PROTECTED]
> > > > > Reply-To: [EMAIL PROTECTED]
> > > > > To: [EMAIL PROTECTED], "Stuart Brockwell" <[EMAIL PROTECTED]>
> > > > > Subject: Re: Performance Comparison between Linux OS Firewall and Cisco PIX 525
> > > > > Date: Sat, 24 Mar 2001 20:02:26 -0800
> > > > >
> > > > > Sean,
> > > > >
> > > > > Comments embedded:
> > > > >
> > > > > On 23 Mar 2001, at 16:12, Stuart Brockwell wrote:
> > > > >
> > > > > > Hi Sean,
> > > > > > I am a Linux head myself, and one of our firewalls is in fact running on a Linux box. The only problem with this type of firewall is that you inherit all of the known bugs that the software has. Given that the source code to Linux is widely available, you have a lot of very talented people out there who know these holes and are able to exploit them very easily.
> > > > >
> > > > > It also means that there are a lot of talented people who are looking at the code to make sure that any holes are patched. In fact, when new exploits are found, Linux is usually the fastest platform to have a patch available. Compare this to having to wait weeks for vendor patches or having to prove to a vendor that a problem exists.
> > > > >
> > > > > Also, a service can only be exploited if it is running. A properly configured firewall doesn't run unnecessary services; this makes it very difficult to exploit. Essentially, it would come down to trying to DoS it or running a password guessing program against it to get remote access.
> > > > >
> > > > > > If you maintain your own Linux firewall, you will need to continuously look for the latest bug fixes to install on your Linux box to address the latest round of holes that have been released.
> > > > >
> > > > > If the Linux firewall is properly set up, the only services running on it are ipchains and SSH. This means that you have to be aware of 2 services. While there could always be a local exploit, if only trusted admins have access, the trouble with keeping up patches is minimal. It is certainly no more trouble than keeping up with bugs on a vendor platform.
> > > > >
> > > > > > Cisco and companies such as Watch Guard closely guard their source code, often you can elect to take on a maintenance contract with the firewall where you receive all the latest fixes for a 12 month period (this is what we did). As this is their bread and butter, they spend a lot of time looking for holes and fixes to known bugs.
> > > > >
> > > > > While true, this doesn't mean that their code will have fewer bugs or that the bugs will be patched quicker. There is a very large support community for Linux that is very technical. Most bugs are patched in a matter of days, sometimes hours.
> > > > >
> > > > > > the main plus for each of the commercial packages is that there is large support base, whereas skilled Linux admin staff who can lock down a firewall are very few and far between.
> > > > >
> > > > > This is simply not true. There is a very large community of Linux developers and admins, and most of them are very knowledgeable. There are good mailing lists and _plenty_ of good Linux security/firewall books, articles, web sites, etc. available.
> > > > >
> > > > > Locking down a Linux box is not rocket science. That is FUD that is propagated by vendors who want to sell product. It's not hard to configure a Linux box to be secure; the difficulty comes in running lots of services and providing access to users. If you have a box that runs web, ftp, smtp, nfs, etc., then it becomes much harder to secure, but none of these services should be running on a firewall.
> > > > >
> > > > > The bottom line is that there are several good commercial firewalls, but that doesn't mean that a Linux box cannot serve as a good, low-end alternative. Especially if cost is one of the main decision factors.
> > > > >
> > > > > -Kent
> > > > >
> > > > > _________________________________
> > > > > FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> > > > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
=====
_____________________________________________
Moe Tavakoli
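The thread keeps returning to one design: a Linux firewall that runs nothing but SSH and netfilter, with management reachable only from the inside (Kent's "a properly configured firewall doesn't run unnecessary services", Sean's "only two services running on it", and Allen's point that the outside interface cannot be used to connect). The script below is an added example, written here and not posted by anyone in the thread, of what that ruleset looks like for a two-interface box. The interface names (eth0 outside, eth1 inside), the private subnet and the admin workstation address are assumed placeholders; the ruleset uses the kernel 2.4-era `-m state` match that Sean's setup would have had.

```shell
#!/bin/sh
# Added example (not from any post in this thread): a minimal netfilter
# ruleset for a two-interface Linux firewall, with SSH management reachable
# only from the inside interface and only from one admin host.
# Interface names, subnet and admin host are assumed placeholders.
WAN_IF="${WAN_IF:-eth0}"                  # assumed outside interface
LAN_IF="${LAN_IF:-eth1}"                  # assumed inside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # constructed private subnet
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}"  # constructed inside admin workstation

# Emit the ruleset in iptables-restore format. Default policy on INPUT and
# FORWARD is DROP, so only the listed exceptions pass; anything else that
# starts a new connection is logged once and then falls through to the policy.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always local
-A INPUT -i lo -j ACCEPT
# anti-spoofing: inside addresses never legitimately arrive on the outside interface
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# replies to connections the firewall itself opened (e.g. fetching patches)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the only service the box offers: SSH, inside interface, one admin host
-A INPUT -i $LAN_IF -s $ADMIN_HOST -p tcp --dport 22 -m state --state NEW -j ACCEPT
# log new connection attempts to the box itself from outside; the DROP policy then discards them
-A INPUT -i $WAN_IF -m state --state NEW -j LOG --log-prefix "FW-INPUT-DROP: " --log-level 4
# inside hosts may go out; only replies to their connections come back in
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -m state --state NEW -j LOG --log-prefix "FW-FWD-DROP: " --log-level 4
COMMIT
EOF
}

# Sanity-check the generated ruleset before loading it: both inbound chains
# must default to DROP and no rule may accept port 22 on the outside
# interface. Returns 0 when the checks pass, 1 otherwise.
check_rules() {
    rules=$(gen_rules)
    echo "$rules" | grep -q '^:INPUT DROP' || return 1
    echo "$rules" | grep -q '^:FORWARD DROP' || return 1
    if echo "$rules" | grep -- '--dport 22' | grep -q -- "-i $WAN_IF"; then
        return 1
    fi
    return 0
}

# "apply" loads the ruleset atomically (needs root); otherwise print it for review.
if [ "${1:-}" = "apply" ]; then
    check_rules && gen_rules | iptables-restore
else
    gen_rules
fi
```

Run it without arguments to review the ruleset, and with `apply` (as root) to load it. The two LOG rules are what make Allen's "notify even on a successful connection" advice actionable on the Linux side: any new connection attempt to the box from the outside interface shows up in the kernel log with the `FW-INPUT-DROP:` prefix, so an attempt to reach SSH from outside is visible even though it is dropped. On a current kernel the same rules are written with `-m conntrack --ctstate` in place of `-m state --state`; the structure is unchanged.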