At 12:07 PM 9/25/01 -0400, Ole Drews Jensen wrote:
>In regards to network design in the security area, I would like to start a
>discussion / get feedback from those of you who have dealt / are dealing
>with this.
>
>I know that I can most likely pull up some websites that have answers to
>this, but I would like feedback from "real people" who are working with
>this.
>
>I am only now in the process of finishing my last exam for the CCNP, and I
>am then planning on going towards the security specialization. Therefore, my
>knowledge of firewalls, VPNs, etc. is not that great.
>
>We have at the company I work for used Check Point, but that's a very
>expensive product, and needs to be relicensed over and over. We are
>currently using Gauntlet, but that will be discontinued on the Windows NT
>platform.
>
>Because of this, I am now trying to get some feeling for a good solution,
>and (of course) Cisco's PIX came to my mind. However, I have a couple of
>questions I would like to get some feedback on, and perhaps start a short
>discussion.
>
>How is the PIX compared to other products when looking at:
>
>1) Difficulty of administration?
>2) Price?
>3) Effectiveness of intruder protection?
>4) Speed (slowing down the communication)?
>
>and
>
>5) What would you recommend?
>
>Thank you very much for your time on this,
>
>Ole
Pixes are probably harder to work with than the other friendlier-looking
ones. I do not consider that a big minus though. If you understand
firewalling, any solution will suffice assuming basic primitives are
available (PIX included). There is a new GUI mode available, but I dismiss
the interface as a serious buying factor. However, since you do not
understand firewalls, or so you say, this might be fairly hard. In my
viewpoint, you can make the GUI as "friendly" as possible, but it will not
make you an expert. Look at Microsoft and GUI-based firewalls. If you do
not know what you are doing, no amount of fluff and point-and-click icons
is going to make you an expert in security.
Hm. In terms of a centralized manager, one might exist. I never worked
with a large enough number of pixes to need any management tools (just ssh
in), but I think one is available.
Pricing is probably fairly competitive with the others.
These are not intrusion detection systems. I would have to say, any
firewall is going to essentially do horribly in this category. An
intrusion detection system is simply a glorified sniffer that matches
against a heuristic database of alerts. A firewall does not do this,
especially not the PIX. I would not buy into Cisco's IDS system either if
you want a good intrusion detection system. Sorry Cisco fans, I like
their routers. Just not their IDS.
Speed? Excellent. Any decent firewall has a negligible performance
loss. Except for maybe firewalls on Microsoft NT. :)
I usually go with a commercial solution, but one thing that bugs me is that the
PIX has HORRIBLE logging capabilities. I mean absolutely horrible. I much
prefer my open source IPFilter firewall over the PIX for debugging
rulesets. I heard Check Point is a bit better at logging. I just think it
is ludicrous that it is difficult to figure out precisely what is being
blocked at times.
As for IDS, I prefer Snort+DEMARC combinations. IDS is a different
ballgame in my opinion. I personally would avoid any Cisco solution for
IDS. Their boxes are generally poor performers, and (last I checked) they
are not going to give up fully decoded packets like Snort will on a BSD box.
If you are really stuck, I can do commercial support. However, I think you
are looking for your own answers and are a self-starter.
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Ole Drews Jensen
> Systems Network Manager
> CCNA, MCSE, MCP+I
> RWR Enterprises, Inc.
> [EMAIL PROTECTED]
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> http://www.RouterChief.com
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> NEED A JOB ???
> http://www.oledrews.com/job
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Carroll Kong
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=21095&t=21012
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]