First I should apologise for the appanrent miscommunications in my previous
message, I was tired and did not express my self adequetly it seems. This
isn't meant as a flame, rather an eboration on my posting which has been
>The PIX box doesn't use Centri 4.0 to run on it at all. It runs an IOS
>code and has no hard drive to break into. Centri is an NT firewall
>that runs on an NT machine.
This is true. But Cisco also purchased Centri for the specific purpose of
front-ending on the PIX. My point was that this shows that Cisco themselves
see the PIX box as being inadequte unto itself.
>Also, a router is stateless inspection while the
>PIX is stateful.
My main point it was it was "essentially glorified router." This is becuase
it does require another add-on for full functionality. I don't think it can
really be classified as a full fledge firewall.
>What do you mean by basic encryption technology? The
>encryption now available on the PIX is Triple DES with ISAKMP and IPsec
By basic i was referring to standard. This was no comment on the quality.
>It is true the logfile is written in the clear to a trusted inside host,
>that any worse than having it write to the hard drive of your Unix or NT
Actually it is much worse.
A lot of admins and architects seem to forget that once data is in their
"trusted network" it is in fact safe. The harsh reality is we need an "east
german border guard mentality" when doing secure systems. The people behind
the firewall can be just as malicious as those outside.
Writing across to another host machine, in the clear, and not even
bothering digitally sign the logs is inviting problems. If you are writing
to the resident machine, issues like data integrity aren't as prevalent.
I also hold issues with _all_ firewall products that don't sign logs, after
all - where is the attackers first target when the network is penetrated?
>Sounds like you have other issues.Jay
Not really - i'm just a die-hard sceptic. And i have also penetrated the
PIX box when last i talked to a cisco rep it had "never been penetrated."
That kind of statement is inappropriate imho.
Anyway, please direct any flames to me personally unless they are still
useful and relevant to the list.