Rens Troost <rens @ imsi . com> writes:
#
# >>>>> On Tue, 31 May 1994 18:56:10 -0700, Brent Chapman <brent @ GreatCircle . COM> said:
#
#
# brent> The point is, this is a feature Cisco's customers want.
# brent> Instead of figuring out excuses why we shouldn't want it,
# brent> Cisco should simply provide the feature. Cisco's
#
# There are lots of features cisco's customers want. I'm glad, both as a
# user and a shareholder, that cisco devotes its development, testing,
# and support resources on things like improved frame-relay
# support, EIGRP, and multiprotocol tunneling instead of source-port
# filtering, which really does little or nothing to improve your actual
# security.

I have no quarrel with this. Cisco has to make a business decision
whether or not to devote resources to improving their packet filtering
offerings. If they feel they can get a better return on investment by
devoting their resources to other features, like frame relay, EIGRP,
and multi-protocol tunneling, so be it; _I_ don't need any of those
features for my application, though, so _I'm_ going to use another
product (like a BSDI box running screend, or one of the new Livingston
boxes, for instance) that _does_ provide the features I need.

It would be fantastic if Cisco routers had all the features I feel are
needed for a firewall router, because many of my customers already
have Ciscos, and would like to use what they already have (or get one
more of what they already have) for their firewall. A customer has to
carefully weigh those factors against capability, though, and I think
the Cisco comes up short for this particular application.

If someone thinks that a Cisco provides the features _they_ need in
order to build a firewall that they understand and are comfortable
with, then by all means they should use a Cisco. I don't feel that a
Cisco meets _my_ needs, though. Cisco asked, in a public forum, why
not; I answered, hoping to stir discussion so that, if Cisco wants to
expand and improve their product in this direction, they'd have some
valuable input.

By the way, while we're talking about shortcomings of Cisco routers as
firewall routers, let me add one more that I forgot about last night:
logging. They don't do adequate logging of their packet filtering
activities.

-Brent
--
Brent Chapman             | Great Circle Associates | Call or email for info about
Brent @ GreatCircle . COM | 1057 West Dana Street   | upcoming Internet Security
+1 415 962 0841           | Mountain View, CA 94041 | Firewalls Tutorial dates