Miles, I have had the pleasure / misfortune to have used the Pix 515 Firewalls and there are several pros and cons. There was some discussion on the Security Focus mailing lists a few months ago about Cisco Pix firewalls which I followed with a keen eye. After much debating the general consensus of opinion was that the only reason to buy a PIX was for throughput only.

My opinion is that the Pix is very uninformative or forgiving 'out of the box'. The examples provided in the manuals or on-line did not work correctly because there was a config line missing (I don't have the details as a colleague solved this problem while I was on a plane, but it did take 8 days to pass one ICMP packet!!!!). The Cisco PIX does its job well, but without training or experienced personnel the administrative burden can outweigh the cost of purchasing another product with a more intuitive user interface.

As for advice - take some quality time to read the manual and become comfortable with the concept of security levels and conduits. When you understand these new concepts (they were new for me at the time) then spend some quality time getting comfortable with the command syntax. Lastly, do not assume that because it's Cisco it will be as easy to configure as a router. The little quirks like the 'TAB' key do not work as it is a completely different kettle of fish. Treat it as a product from another vendor and this will help a lot in picking up the basics.

Dave Stout
Internet Security Engineer

[EMAIL PROTECTED]
14/11/01 20:34
To: [EMAIL PROTECTED]
cc:
Subject: Cisco PIX 515 Firewall

Anyone out there have some experience using the Cisco PIX firewalls for Corporate/Production networks? I'd like to try one of these little buggers out, but I'd like to get some do's and don'ts from other admins with Cisco PIX experiences. As I understand, these things don't just filter packets based on addresses/ports but actually look at packet content like a proxy or IDS. Is this true? I've also heard that it will only scan content of the first packet when a new connection/session begins, and then it uses keep-state tables to auto-pass the rest of the packets in the session. I remember the ipf package taking that approach as well and having security problems with that because you can confuse the state table cache. Any comments would be helpful.
Miles Stevenson
QuickHire Network Support Specialist
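The first-packet-then-state-table behaviour the original question describes, modelled as a toy stateful filter. This is an added illustration, not PIX code or anything from the thread; the inside prefix, policy and all packets are constructed sample data.

```python
"""Toy stateful packet filter (added illustration, not Cisco PIX code).

Models the behaviour described in the thread: the first packet of a new
session is checked against the policy; later packets are matched against a
state table and passed without re-evaluating the policy. Packets that claim
to be mid-session but have no matching state entry are dropped, which is the
property a state-table implementation must preserve.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    # Assumed policy: hosts on the inside (10.0.0.0/8 here) may open TCP
    # sessions outbound; nothing may originate a session from outside.
    def __init__(self, inside_prefix="10."):
        self.inside_prefix = inside_prefix
        self.state = set()  # (src, sport, dst, dport) of sessions already admitted

    def _policy_allows(self, pkt):
        # Only the opening packet (SYN without ACK) from inside is admitted.
        return pkt.src.startswith(self.inside_prefix) and pkt.syn and not pkt.ack

    def handle(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return "PASS (state match)"      # policy not re-evaluated
        if self._policy_allows(pkt):
            self.state.add(fwd)
            return "PASS (new session)"      # policy checked once, state created
        return "DROP"


def demo():
    fw = StatefulFilter()
    return [
        # Inside host opens a web session: policy check, state entry created.
        fw.handle(Packet("10.0.0.5", 40000, "192.0.2.10", 80, syn=True)),
        # Server reply matches the reverse tuple: passes on state alone.
        fw.handle(Packet("192.0.2.10", 80, "10.0.0.5", 40000, syn=True, ack=True)),
        # Outside packet posing as mid-stream traffic, no state entry: dropped.
        fw.handle(Packet("192.0.2.10", 80, "10.0.0.5", 40001, ack=True)),
        # Outside host trying to originate a session: dropped by policy.
        fw.handle(Packet("198.51.100.7", 5555, "10.0.0.5", 22, syn=True)),
    ]
```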