The bsd box is more flexible in what can be done. The pix has many more bells and wistles. The pix is considerably easier for our techs to manage. It also protects them better from some types of errors.

Overall, I believe they both have their place. I like the bsd better but the learning curve was considerably steeper.

There are times to use a box you can be intimately familiar with, and times when an appliance is a better choice. I would hesitate to criticize choices made by someone else unless that choice resulted in a series of intractable problems that other solutions would easily avoid.

I would characterize that last sentence as what led to my initial question. We had a series of issues that the vendor had no fix for and this finally convinced us to change vendors. When the vendor of a network security device criticizes you for not having his device behind a NATting firewall to protect it, I believe something is wrong. (In case you are wondering, some of us do use public addresses internally because of policy decisions made well above us).

I believe the best choice for the issue in question in my current environment is an appliance. Personally, I would prefer an open box, but looking at the technical level of my team, their current load, and my status as a temp, I need to choose what they can manage after I am gone.
rt

For anyone reading this, the current version of the PIX IOS is 7.0(2), and you won’t find it published on the Internet. Sonyfreak is giving you old news.

Also the command is not run show, it is show run, and if you were as experienced with the PIX as you indicate, then you would most likely have used the old, write term command, not the well known show run.

Show run works with later versions of the IOS, but those engineers among us who have been configuring the PIX for 10 plus years or better hsve hard coded into our brains that old write terminal command. Show run was not available in the early versions of the PIX IOS and wri t was became part of our vocabulary.

Little tell tale signs like that and the unneeded reboot illuminate your lack of any long term, serious professional experience with the PIX.

You may have instslled or managed one or two, but you are clearly no expert with it, which is not a bad thing, unless of course you are bad mouthing it to the world.

P.S

It’s not the vulnerabilites that are not published and that few people are aware of, that you need to worry about.

Worry about the ones that are published. They are the ones that will end up being used against your network 99.9 percent of the time.

Chris Weber
Layer9corp.com

First your name is cute, but when you denounce products that thousands and thousands of businesses use throughout the world,products that have awards and praise from some of the best minds in the business, you might try using your real name and website, so people know who you are, instead of skulking behind a juvenile moniker.

In answer to you logging question (or insinuation)of course we monitor our logs, we are a security firm. We log at trap level 7 (hurry go look that one up) and we run concurrent IDS systems including, yes, Unix based IDS systems and of course being core engineers (many of us came from the big telecoms)we track at the packet level using protocol analyzers with custom filters. We even have licensed Private Investigators that physically investigate incidents we deem to be serious.

And as for the closed or open source issue, I won’t address that again.I already did, and you apparently don’t get it. Let me know when you publish your ATM pincode so people can let you know what vulnerabilities are in it.

Of course, anyone who thinks there are 28 known vulnerabilities for BSD, well, we?ll just keep that to ourselves. (hint, try getting your data from somewhere other than Bugtraq,).

It?s apparent you just don?t know how to build out a PIX correctly, you even said so yourself when you told us how you used to have to reboot it, and then sat there and said, bad PIX, bad PIX. No real Cisco engineer has ever had to do that with a PIX to make a simple configuration change. But you did, which clearly demonstrates your lack of experience with it as it is a common issue with Junior PIX Admins and well documented on Cisco’s website.

Oh and by the way, ACL?s in the PIX are only a part of it?s Stateful Inspection process. The PIX is NOT a router, or a gnat box, but to you it probably is.

I saw a chimpanzee once use a Violin as a bat. He beat the heck out of that Violin, but it did not mean the Violin was faulty. The Chimp simply did not have the proper technical skills to use it as it was designed to be used.

No we see engineers in the field all the time working on the PIX who should not be working on the PIX.

Of course we are fine with that. Cleaning up messes from admins who install equipment they are not trained on accounts for about 60 percent of our business.

In fact, we consider you guys our best friends.

Chris

Sorry about going off track, but I?m done with this one astronomer. I forgot what the original question was anyway.

FreeBSD 5.3 – 28 total vulnerabilities (not the latest version)
Number affecting a machine running as a firewall – potentially 9 if running an AMD64.

It may be less than this, but I did a quick perusal of what would be considered a bug in the minimal install for a firewall.

Pix Firewall 6.3.2 – 2.

This is not astronomical on the FreeBSD side of things considering it is open source code. No one in their right mind would install the libraries, ports, and the entire FreeBSD system on their firewall and consider it secure (which could contain all 28 vulnerabilities). All you need is the basic setup and man pages if you please.

SF

Then being closed source doesn’t protect it from exploits. They still exist. What happens when, say, Cisco gets their code spilled out (extranetted) on the Internet for anyone to peruse or buy and look for exploits (wait! that recently happened). How safe do you feel that only a handful of people were ensuring that it’s “secure” versus the Internet-wide community looking at it to find exploits? If the PIX code was put on the Internet, you know the list would be much larger (therefore meaning that it’s not as secure as you’d hoped it was). Now, maybe the code is…

The PIX is the hardest of these firewalls that I’ve had to configure and it’s insecure by default allowing connection from the inside to the the DMZ or outside interfaces if no ACL has been configured on the interface. Sorry, I think the access-list rules are a terrible way to implement security for a firewall. I’ve implemented plenty of them on routers and with the PIX and hate using them.

The only thing I like about the PIX is that you can save the configuration and run show commands from any mode and don’t have to go back to priviledged exec like most Cisco hardware. I use mine as an expensive NAT box… However, I think that creating extensive access lists is inefficient and prone to error. With other firewall implementations, you don’t have to wipe out your whole ruleset when you want to change it (yes, you can use a named access list and do the NO form of the command to delete a line, but its inefficient).

Have fun with your PIX. I use the others as doorstops.

SF

When I say inexperienced I mean of course inexperienced with the PIX. I am sure you have solid knowledge with BSD and whatever else you work with and I don’t mean any dispargement of your skills. We all have our specialties.

Chris Weber
Layer9corp.com

Not to be too picky with the last comment (nothing personal but I don’t respect it when admins want to down a product when it is clear they simply aren’t skilled with it)but a few more comments.

The PIX IOS is closed because in order to truly be secure, you need to restrict access to the IOS code. Opening the code invites exploits.

Just take a look at a Free BSD vulnerability listing on a website like SANS one time. They go on for pages and pages and pages. Then go look up the vulnerabilties on the PIX, there is only one or two weaknesses listed and ALL of them have been long been corrected in newer IOS versions.

Keeping the PIX code private has obviously helped to keep it secure.

And as for the rebooting issue? In 15 years I have NEVER seen a configuration issue when you needed to reboot a PIX.

I do recall however that this was a common issue with early PIX admins who did not understand that you needed to clear the NAT translations on the Interface you just configured when making certain changes.

Instead these inexperienced admins would “reboot” the PIX in order to make the changes they just made take effect, and then blame the PIX when their bosses asked them why the network went down. I know because I managed some of them.

Of course the rebooting “worked” for them because it cleared the NAT translations. But a simple “clear xlate” from a command prompt would have accomplished the same thing without downing anything.

Like I said, if you know the PIX, it is a 1st rate security appliance.

Chris Weber
Layer9corp.com

Chris Weber
Layer9corp.com

Most problems associated with the PIX I have found are due to the users lack of experience or understanding of the it and the underlying IOS.

Chris Weber
Layer9corp.com

I have loved every Cisco product I’ve ever used from their switches to their routers, layer 3 switches, even the old AGS+ systems were good. I just cannot get with the PIX, sorry.

SF

I would not buy an appliance for a client or recommend one that I new very little about. Given your expressed level of experience for you and your staff, I would go with something simple like the Symantec product. It’s ease of use and simple install make it a perfect fit. And being IMB compatible based, it builds upon knowledge you already posess.

But if you insist on trying another appliance, I would make the vendor put one in your environment for a month so you can test it out and make sure it’s what you need. Most appliance vendors like MailXtreme do this, so I am surprised you have not gone this route.

On another note, you mention that your orginization is 2000 users. I am not trying to be critical here but it is somewhat disconcerting, at least if I was your client, that you are in a tech room trying to figure out how to secure their email. Is there no senior staff at this place that can make these decisions? 2000 users is a significant orginization and you would think that they would not be trusting their infastructure security to anything other than a senior engineer who knows the industry inside and out.

Could this be an example of why so many US firms are constantly being hacked by the Chinese?

Chris Weber
Layer9corp.com