Not sure if anyone else will find this interesting but here is a good link 
on these:

http://www.computerworld.com/cwi/story/0,1199,NAV47-74-212-466_STO61233,00.html

At 10:27 AM 4/17/2002 -0500, Noonan, Wesley wrote:
>The guy I have talked to about this is not answering his phone, and I can't
>find the email discussion we had on this, but here are some things I have
>found in looking:
>
>QNX is used by Cisco for a number of products for the realtime OS.
>
>Just found the other. VxWorks (guess I wasn't even slightly close in my
>original thought for the name <g>) is also used by Cisco for a lot of their
>stuff.
>
>I agree with you partially, but think the hang-up is more religious than
>anything else.
>
>Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
>Senior QA Rep.
>BMC Software, Inc.
>(713) 918-2412
>[EMAIL PROTECTED]
>http://www.bmc.com
>
>
> > -----Original Message-----
> > From: Clifford Thurber [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, April 17, 2002 09:15
> > To: Noonan Wesley; 'Mikael Olsson'
> > Cc: '[EMAIL PROTECTED]'
> > Subject: RE: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
> >
> > I would be curious to know which UNIX if anyone knows. If I remember
> > correctly Xenix was owned by Microsoft at one point in the 80's correct? I
> > think where people get hung up is that anything that's ASIC-based or has no
> > hard drive that spins up they believe somehow does not contain an OS.
> >
> > At 09:12 AM 4/17/2002 -0500, Noonan, Wesley wrote:
> > >A sizable chunk of Cisco (don't know for sure on the PIX, but I know on
> > >their routers) runs an OS behind the scenes that is called Xenix, XNS, ZNS,
> > >or something along those lines (I really don't recall the actual name). IOS
> > >runs on top of that (is my understanding, kind of like how Banyan ran on top
> > >of Unix). My point was simply, if one is going to cast the "a firewall is
> > >only as strong as the underlying OS" stone, they need to be prepared to cast
> > >that stone at virtually every firewall out there. It is hardly an ISA
> > >specific issue (heck, FW1 runs on MS doesn't it?).
> > >
> > >Wes Noonan
> > >[EMAIL PROTECTED]
> > >281-208-8993
> > >
> > >
> > > > -----Original Message-----
> > > > From: Clifford Thurber [mailto:[EMAIL PROTECTED]]
> > > > Sent: Wednesday, April 17, 2002 08:48
> > > > To: Noonan Wesley; 'Mikael Olsson'
> > > > Cc: '[EMAIL PROTECTED]'
> > > > Subject: RE: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
> > > >
> > > > What is the connection between Xenix and Cisco here:
> > > >
> > > > ...Xenix (or whatever it is called that runs
> > > > Cisco under the covers), Windows, etc. In
> > > >
> > > >
> > > > At 08:17 PM 4/16/2002 -0500, Noonan, Wesley wrote:
> > > > > > -----Original Message-----
> > > > > > From: Mikael Olsson [mailto:[EMAIL PROTECTED]]
> > > > > > Sent: Tuesday, April 16, 2002 17:56
> > > > > > To: Noonan, Wesley
> > > > > > Cc: '[EMAIL PROTECTED]'
> > > > > > > Subject: Re: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
> > > > > > >
> > > > > > > - It's a pretty decent caching server, reducing bandwidth needs.
> > > > > > > - It integrates tightly with existing windows networks
> > > > > > > - Tiered management that can be delegated at different levels to
> > > > > > >   different users/groups
> > > > > >
> > > > > > > Yes. In a mail that has yet to reach the list (?!?), I listed these
> > > > > >
> > > > > >That has happened to me a few times of late...
> > > > >
> > > > > > On the second point: I'm not sure I want my firewall integrating
> > > > > > that tightly with windows boxes driven by ordinary lusers.
> > > > >
> > > > > >Let me clarify, by that I meant things like using user security and not
> > > > > >needing to maintain a separate database, etc.
> > > > >
> > > > > >
> > > > > > > > It scales something fierce, both up and out. I've read reports of
> > > > > > > > it scaling out to 32 nodes and over 1Gbps in bandwidth.
> > > > > > >
> > > > > > > I thought you were listing "pro"s here?
> > > > > > I know of several firewalls that give you that performance with
> > > > > > a single box. And don't even get me started on the TCO for those
> > > > > > 32 boxes.
> > > > >
> > > > > >What kind of box? The numbers I saw were on PIII 700's with 512MB of RAM.
> > > > > >Point taken on the TCO (but then again, Solaris boxes don't always come
> > > > > >cheap in a server form either... and we won't even get into what I have read
> > > > > >about Checkpoint's incredible licensing fees... may be the only thing
> > > > > >worse than ISA's per proc licensing agreement...)
> > > > >
> > > > > > > > It is generally easier to manage for shops that already have an investment
> > > > > > > > in MS technologies and skillsets.
> > > > > > >
> > > > > > > I disagree. Substitute "generally" with "sometimes", and I'll agree.
> > > > >
> > > > >OK, consider it substituted.
> > > > >
> > > > > > Any "OS-less" firewall will be easier to get to point A than a
> > > > > > windows box, even for an experienced windows administrator. And
> > > > >
> > > > > >I dunno, I have seen more than one place boot PIX for ISA because of
> > > > > >specifically that. Now frankly, that perplexes me because I find the PIX to
> > > > > >be infinitely easier to deal with than ISA (hell, I went and bought it even
> > > > > >though I have the license and the hardware for ISA).
> > > > >
> > > > > > if said firewall has a management software running under windows,
> > > > > > the difference there is nil: in both cases, the admin needs to
> > > > > > learn a new management interface.
> > > > >
> > > > >Fair enough. I can see that.
> > > > >
> > > > > > > Built in VPN capabilities.
> > > > > > > Stateful packet inspection and application level proxying
> > > > > > > Native support for multiple interfaces
> > > > > >
> > > > > > While these are good points, I hardly think it is much of a
> > > > > > pro for ISA server, given the number of other firewalls that
> > > > > > also have these features.
> > > > >
> > > > > >No, not pro's as much as "these are the things that 'real' firewalls are
> > > > > >supposed to do, and it does". When people make the flawed comparison to
> > > > > >Proxy, I think the illumination they provide is relevant.
> > > > >
> > > > > > > > Going on third party info here (may be wrong), but as of today it has
> > > > > > > > experienced fewer vulnerabilities from the date it was shipped till now than
> > > > > > > > either the PIX or FW1, and no vulnerabilities have caused a security
> > > > > > > > compromise (when it fails, it fails closed).
> > > > > >
> > > > > > You forgot to count the OS vulnerabilities.
> > > > >
> > > > > >Actually, again to my knowledge ISA's exploits haven't allowed that. If you
> > > > > >want to bring that point in though, it becomes true for *every* OS that is
> > > > > >out there, BSD, Linux, Solaris, Xenix (or whatever it is called that runs
> > > > > >Cisco under the covers), Windows, etc. In short, that point being
> > > > > >"universal", it isn't really fair to attach it strictly to an ISA scenario.
> > > > > >
> > > > > >Besides, a good admin can and will kill a whole lot of those services,
> > > > > >processes and bindings that are responsible for many of those
> > > > > >vulnerabilities.
> > > > >
> > > > > > > It is highly extensible with a slew of third party add-ons for
> > > > > > > everything from access control to IDS to monitoring to hardening
> > > > > > > to logging and reporting.
> > > > > >
> > > > > > Hrm, I'm very tempted to say something acid-dripping about
> > > > > > the general security quality of even "top notch" windows-
> > > > > > based software. Not to mention a slew of it.
> > > > >
> > > > >I could do the same thing about the wealth of un-usable Unix apps.
> > > > >
> > > > > > I think you would have a somewhat different opinion of this
> > > > > > if you just knew how many windows drivers actually protect
> > > > > > their driver interfaces. (About one TOTAL in a normal install.)
> > > > >
> > > > >You assume somehow that I don't know this?
> > > > >
> > > > > > Not to mention the (IMHO) insane complexity of even setting
> > > > > > an ACL on a shared object.
> > > > > >
> > > > > > Even assuming that Microsoft got ISA server right, I'm not sure
> > > > > > that I'd want to be installing all those gadgets that actually
> > > > > > > make it do what a firewall should do (i.e. log stuff that gets
> > > > > > dropped somewhere useful).
> > > > >
> > > > > >You lose base here. Install what gadgets that actually make it do what a
> > > > > >firewall should do? I feel like we are right back at where we started
> > > > > >here...
> > > > >
> > > > >Wes
> > > > >_______________________________________________
> > > > >Firewalls mailing list
> > > > >[EMAIL PROTECTED]
> > > > >http://lists.gnac.net/mailman/listinfo/firewalls