First I should apologise for the apparent miscommunications in my previous
message, I was tired and did not express myself adequately it seems. This
isn't meant as a flame, rather an elaboration on my posting which has been
corrected.
>The PIX box doesn't use Centri 4.0 to run on it at all. It runs an IOS like
>code and has no hard drive to break into. Centri is an NT firewall solution
>that runs on an NT machine.
This is true. But Cisco also purchased Centri for the specific purpose of
front-ending on the PIX. My point was that this shows that Cisco themselves
see the PIX box as being inadequate unto itself.
>Also, a router is stateless inspection while the
>PIX is stateful.
My main point was that it was an "essentially glorified router." This is because
it does require another add-on for full functionality. I don't think it can
really be classified as a full-fledged firewall.
>What do you mean by basic encryption technology? The
>encryption now available on the PIX is Triple DES with ISAKMP and IPsec
>standards.
>
By basic I was referring to standard. This was no comment on the quality.
My error.
>
>It is true the logfile is written in the clear to a trusted inside host, but is
>that any worse than having it write to the hard drive of your Unix or NT
>firewall?
>
Actually it is much worse.
A lot of admins and architects seem to forget that once data is in their
"trusted network" it is in fact safe. The harsh reality is we need an "east
german border guard mentality" when doing secure systems. The people behind
the firewall can be just as malicious as those outside.
Writing across to another host machine, in the clear, and not even
bothering to digitally sign the logs is inviting problems. If you are writing
to the resident machine, issues like data integrity aren't as prevalent.
I also hold issues with _all_ firewall products that don't sign logs, after
all - where is the attacker's first target when the network is penetrated?
The logfile.
>Sounds like you have other issues.
>Jay
Not really - I'm just a die-hard sceptic. And I have also penetrated the
PIX box; when last I talked to a Cisco rep it had "never been penetrated."
That kind of statement is inappropriate imho.
Anyway, please direct any flames to me personally unless they are still
useful and relevant to the list.
thanks
chris
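As an added illustration of the log-signing point raised above (example code, not from the original post or any Cisco product): each log entry gets an HMAC that chains to the previous entry's tag, and the key is evolved one-way after every entry, so a verifier holding the initial key can detect edited, deleted or reordered entries even if the receiving host is later compromised. The key and log lines are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key; in practice the verifier keeps it on a separate host
# and the logging host keeps only the current evolved key.
INITIAL_KEY = b"constructed-demo-key-not-for-production"
ZERO_TAG = b"\x00" * 32  # chain start for the first entry


def _next_key(key: bytes) -> bytes:
    # One-way key evolution: a host compromised after entry i cannot
    # recover the key used for entries < i, so it cannot re-tag them.
    return hashlib.sha256(b"evolve" + key).digest()


def sign_log(lines, key=INITIAL_KEY):
    """Return [(line, tag_hex)], each tag = HMAC(key_i, prev_tag || line)."""
    signed, prev_tag = [], ZERO_TAG
    for line in lines:
        tag = hmac.new(key, prev_tag + line.encode(), hashlib.sha256).digest()
        signed.append((line, tag.hex()))
        prev_tag, key = tag, _next_key(key)
    return signed


def verify_log(signed, key=INITIAL_KEY):
    """Return the index of the first bad entry, or None if the chain holds.

    Catches modification, deletion and reordering. Silent truncation of the
    *tail* is not caught by the chain alone; a periodic signed 'close'
    record or entry counter is needed for that.
    """
    prev_tag = ZERO_TAG
    for i, (line, tag_hex) in enumerate(signed):
        expected = hmac.new(key, prev_tag + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev_tag, key = bytes.fromhex(tag_hex), _next_key(key)
    return None


# Constructed sample entries, loosely shaped like firewall deny/accept lines.
SAMPLE = [
    "Deny tcp src outside:10.0.0.5/4021 dst inside:192.168.1.10/23",
    "Built inbound TCP connection for faddr 10.0.0.9/1040",
    "Teardown TCP connection duration 0:00:12 bytes 1210",
]

if __name__ == "__main__":
    log = sign_log(SAMPLE)
    print(verify_log(log))                 # None: chain intact
    edited = list(log)
    edited[1] = (log[1][0] + " (edited)", log[1][1])
    print(verify_log(edited))              # 1: first tampered entry
```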