At 11:41 PM 11/21/97 -0600, Frank Knobbe wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>On 21 Nov 97 at 9:28, Woody Weaver wrote about: Re: Cisco PIX
>Firewall -- comments?
>> I think its disadvantages
>> are that the logging mechanism is primitive, it is not especially
>> flexible, and that it's only based on stateful inspection. I
>> generally recommend it for a customer who wants a drop in place
>> firewall that they can forget.
>Ouch...never FORGET a firewall. Logging and checking log files is one
>of the most substantial core principles of IT security.
I agree with the statement above; careful inspection of log files is
essential to security. However, there exist sites that don't *really* need
security in the sense that you and I are probably thinking of. What they
want is the equivalent to a simple door lock. Yes, it can be silently
defeated by a simple credit card swipe, but they have done something to
indicate where the velvet rope should be. One site in particular: I set up
a unix box to do various sorts of logging, and a perl script to parse the
logs and report back results to root (me and some local people). I had to
turn off the parser, because all it did was spread FUD to the local people
-- they didn't understand what the logs meant.
There are many sites that don't have the resources for security. But they
want *something*. The pix fills that niche pretty well, imho.
>I agree wholeheartedly, though, the logging sucks. Especially in a non
>Unix environment. Yeah, there is a Syslog for NT. But what about a
I don't think that is an adequate excuse. Syslog is an excellent tool for
maintaining log files, for a variety of environments. You can *drop* a
unix box in place for a couple of K, and not only will it provide you with
logs (which you can disperse to write only media if you care, or replicate
around the net) but it provides you with a platform that you can snoop
traffic that passes through your segment, a base to telnet to/from, a
platform to launch paging software, etc... If your office automation
network is a pure novell net, fine -- but your security tool should be the
best tool for the job, not dictated by the office environment.
Again, the caveat from above applies. For example, I don't think any
mission critical application should be NT based at this point in time,
especially security based applications. If I'm doing something like a
Checkpoint install, I will argue with my strongest force for them to put it
on a unix box, preferably a nice stable Ultra. However, some clients will
make as a non-arguable constraint that they will be using NT, and
ultimately, I have to allow them to refuse my counseling, and make the best
of the environment they give me. Such is the reality of security planning.
>> On the third hand [...]
What, do you only have two? I always have two hands full, so have been
forced to grow another... :)
>-----BEGIN PGP SIGNATURE-----
>-----END PGP SIGNATURE-----
>-----BEGIN SPAM WARNING-----
>WARNING: ANYONE SENDING UNREQUESTED ADVERTISEMENT
>VIA EMAIL WILL BE ADDED TO A FILTER LIST, WHICH WILL
>AUTOMATICALLY DELETE EVERY MAIL FROM THE SENDER.
>THIS WILL DISABLE FURTHER CORRESPONDENCE.
>PLEASE REFRAIN FROM SENDING JUNK E-MAIL (SPAM).
>THIS E-MAIL ADDRESS IS NOT TO BE ADDED TO A MASS
>-----END SPAM WARNING-----
Robert Wooddell Weaver email: woody .
Senior Systems Engineer voice: 510.358.3972
Wiltel NSI pager: 510.702.4334
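An added example, not part of the thread above: the sort of log parser Woody describes (a script that digests what the drop-in unix syslog box collects and reports back to root), written here in Python instead of perl. It assumes the classic BSD syslog line shape "<PRI>Mmm dd hh:mm:ss host tag: message" that a 1990s syslogd writes and that a remote syslog.conf entry such as "*.* @loghost" forwards; the sample lines, the hostnames and the PIX-style line are constructed for the example.

```python
import re
from collections import Counter

# Facility and severity tables from the BSD syslog PRI encoding (PRI = facility*8 + severity).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Classic BSD syslog line: <PRI>Mmm dd hh:mm:ss host message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Constructed sample lines (assumption: not real logs from anyone's site).
SAMPLE = [
    "<38>Nov 22 01:14:31 gw login: LOGIN ON ttyp0 BY woody FROM 10.1.2.3",
    "<37>Nov 22 01:14:59 gw su: BAD SU woody to root on /dev/ttyp0",
    "<35>Nov 22 01:15:20 gw login: REPEATED LOGIN FAILURES ON ttyp1 FROM 10.9.9.9, root",
    "<166>Nov 22 01:16:03 pixfw %PIX-6-302001: Built outbound TCP connection 12 (constructed)",
    "<2>Nov 22 01:17:45 gw kernel: /var: file system full",
    "this line has no PRI and should be counted as unparseable",
]


def parse_line(line):
    """Decode one syslog line into a dict, or None if it is not well-formed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:           # 23 facilities * 8 severities - 1 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": SEVERITIES[severity],
        "msg": m.group("msg"),
    }


def summarize(lines, worst_ignored="notice"):
    """Tally messages per (host, severity) and collect those more severe than worst_ignored.

    Returns (counts, notable, unparseable). Severity index 0 is emerg, so
    'more severe' means a smaller index than worst_ignored.
    """
    threshold = SEVERITIES.index(worst_ignored)
    counts = Counter()
    notable = []
    unparseable = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparseable += 1       # keep a count: a flood of garbage is itself worth a look
            continue
        counts[(rec["host"], rec["severity"])] += 1
        if SEVERITIES.index(rec["severity"]) < threshold:
            notable.append(rec)
    return counts, notable, unparseable


def report(lines):
    """Render the plain-text report the script would mail to root."""
    counts, notable, unparseable = summarize(lines)
    out = ["Messages by host and severity:"]
    for (host, sev), n in sorted(counts.items()):
        out.append("  %-10s %-8s %d" % (host, sev, n))
    out.append("Unparseable lines: %d" % unparseable)
    out.append("Messages at warning or worse:")
    for rec in notable:
        out.append("  %s %s [%s.%s] %s" % (rec["timestamp"], rec["host"],
                                            rec["facility"], rec["severity"], rec["msg"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE))
```

The threshold is the part to tune per site: the FUD problem Woody mentions comes from mailing every info-level line to people who cannot interpret it, so the report only lists messages at warning or worse and reduces the rest to counts.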