At 09:01 AM 11/21/97 -0500, you wrote:
>I have a client who is thinking of installing a Cisco PIX firewall
>on their site. Their "business" is web development and hosting.
>What comments do y'all have about the Cisco PIX firewall? Some things
>about it bug me -- especially that it's a total "black box" approach, with
>no chance of say, writing your own proxies and such to run on the beast.

Yes, it's an embedded operating system, fully proprietary. The usual
argument is that with open disclosure of the algorithms, lots of eyes can
examine the code for weaknesses. I would argue that the pix is widely
deployed, and lots of eyes have looked at effects to find weaknesses (and
such bugs do exist). Cisco's TAC is pretty good about responding to bugs.

No, you don't run proxies on the box. It's a slimy approach, not an
application gateway. The advantage of stateful multilevel inspection is,
generally speaking, speed and simplicity. Its strengths are that it is easy
to configure and maintain, seems to be quite effective, and is generally
stable. I think its disadvantages are that the logging mechanism is
primitive, it is not especially flexible, and that it's only based on
stateful inspection. I generally recommend it for a customer who wants a
drop-in-place firewall that they can forget.

On the other hand, it would strike me that someone whose primary business
is hosting and web development would (1) have some network savvy, and would
have resources in house to support a more sophisticated device [and not
screw it up by having a little knowledge], (2) have very generic needs, so
existing proxy features would be sufficient, and (3) would benefit from
detailed transaction analysis that could conveniently be provided by an
accounting agent placed at a choke point, i.e. the firewall, which would
lend credence to the argument that the pix is not the best choice.

On the third hand, I also have fairly sophisticated clients who are
essentially using this as a high performance NAT box as a part of a
security policy that is using security in depth; I think it's an excellent
choice in that plan. You don't need proxies if your host itself is
hardened (arguable, but for a well watched public web server, I think
justified), and it goes well with access filters at all the routers, etc.

It's a good tool, technologically advanced and widely deployed. It's only a
tool, and might or might not be the right one for your environment. I've
got lots of places where it was the right tool, and I don't have anyone
that is unhappy with the box (once they fully understand the licensing
agreement, about which there is a good deal of confusion. But then the
*checkpoint* instructors teach false statements about their licensing
agreement, so I guess I shouldn't complain.)

>Gimme info... lots of info... ;)

Robert Wooddell Weaver email: woody .
Senior Systems Engineer voice: 510.358.3972
Wiltel NSI pager: 510.702.4334