
What PIX to buy?

Status: Not open for further replies.

porress (IS-IT--Management, GB), Oct 2, 2003
What kind of PIX shall I buy?

We have a 10 Mbps dedicated internet connection.

We have 1 network with about 600 computers, all of them with access to the internet. Can you advise me on one model that can handle this traffic?

I would like to create a DMZ for our web server and probably Exchange OWA in the future, because we use Exchange 2003 at the moment.

And create a VPN for me to connect from home to the network so I can work from home.

Any ideas? Thank you!
 
I think the PIX 515E will do the job for you. See for yourself.

As standard it comes with 2 Fast Ethernet ports and a Restricted license. The Restricted license is the cheapest of all but does offer DMZ support.

If you need to add resilience (i.e. a failover PIX pair), you will probably have to consider an Unrestricted license.

Hope this helps
 
Thank you KiscoKid! Now I know where to start...
 
Don't buy a PIX, purchase a Cisco ASA5510. It won't be long before Cisco announces that the PIX will be EOS.

"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
 
I agree with IPKONFIG, the PIX is an appliance that is going by the wayside. The ASA appliances have better features for IPS, Anti-X, and content filtering. ASA55XX would be the way to go.
 
I have a hard time believing the PIX will be going away before at least 2010 or so. The ASA is pretty much the PIX with extra features. If you're looking for just a firewall and don't need the extra features, buy a PIX. With 7.0 on it, it rocks. It will definitely give you the few years until Cisco might discontinue the PIX.
 
Hate to act like I am pressing a point; however, gone are the days of needing just a firewall. The ASA device addresses the technology shift needed to help prevent threats to your network beyond that of just a firewall.
Investigate on your own before you buy, get with a Cisco Partner and lay out your needs and concerns to help match up the right appliance. Many will do so at no charge.
 
This is my 2c:

The reason you want to go with ASA instead of Cisco Pix is as follows:

1) ASA supports SSL VPN while Cisco Pix does not support SSL VPN. If you are only concerned with Cisco VPN Client VPN, both ASA and Pix can do that.

2) ASA has a faster processor and more memory/flash than a regular Pix 515. You may get better performance in ASA than you would with Cisco Pix 515E.

You can have multiple DMZs on a Cisco Pix 515 with a Restricted license. You can create logical interfaces to achieve this.

That being said, I tend to prefer Checkpoint running on SecurePlatform (aka SPLAT). You will like Checkpoint much better than Cisco Pix. Cisco, I don't care what they say, is NOT a security company. Checkpoint Firewall is a much better product, IMHO. No one can beat Checkpoint in terms of manageability and provisioning. In terms of troubleshooting, nothing beats "tcpdump" and "fw monitor". And please don't tell me about Cisco "capture". The tool is a piece of crap. It is not real-time. Talk to Checkpoint about Checkpoint NGx ExpressCI. It has IPS, web filtering and anti-virus integrated in CP.

my 2c
 
I'm not sure where you get that capture is not real-time. I would definitely argue a Pix vs Checkpoint any day, or ASA even. No doubt ASA will take over. My only point was that if you have the equipment in place for anti-spam etc., then you don't need the ASA. ASA is still relatively new and I would wait for a few good solid revs to come out before purchasing. I believe to get the "extras" you have to pay for an expansion card (anti-spam). I may be wrong. There have been no issues I haven't been able to solve with Pix logging and a good ole capture. I do like the Checkpoint interface and yes, tcpdump is nice, but Checkpoint does have its own issues, not to mention it requires an underlying OS, which has issues of its own.

Bottom line. ASA or Pix are both great buys.
 
1) Of course every vendor has its own issues/problems. Otherwise, none of us would have jobs and make the kind of money we're making now, so I am not complaining.

2) When I said "capture" is not real-time, what I mean is that you have to do a "show capture xxx" every time you want to see the debug. With tcpdump and "fw monitor", I can see everything in real-time flying across the screen. You can argue that you can do the same thing with "debug" in Pix but the output on Pix is very difficult to understand.

3) If you want to see which traffic (source/destination/service) hit which rule in the Pix, you have to do "show access-list xxx" to see the hit count. Imagine that you have 80,000 lines of ACLs (when all the object-group network and services are expanded); you can go blind with it. With CP SmartView Tracker, it makes the problem much easier to troubleshoot.

4) Cisco just released Cisco Security Manager (CSM), with which they try to compete with Checkpoint Provider-1. I tested CSM and I can tell you that the product just sucks big time. It is nothing but Cisco VMS on steroids.

5) With 7.x code, Cisco begins to introduce Active/Active configuration. Checkpoint has been doing it for years. Not only is Checkpoint doing Active/Active, you can even do Active/Active/Active/Active/Active on five different firewalls. Checkpoint is at least five years ahead of Cisco in clustering technology.

Bottom line, both CP and Pix/ASA each have advantages and disadvantages. Overall, IMHO, one would choose Checkpoint over Pix by a wide margin. It is no secret that Checkpoint is #1 in firewall market share. Cisco is NOT a security company, definitely not in the Firewall/VPN/IPS market. Cisco is at the bottom of the market. In the IDS/IPS market, real security people use either SourceFire (aka Snort) or ISS Proventia. No one in their right mind would want to use Cisco IDS appliances or IDSM.

That being said, I am glad they both have issues/problems so they keep me employed and make a very good living.

Cheers
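The hit-count complaint above is really about sifting through "show access-list" output by hand. Here is an added example, not code from any poster in this thread, that parses PIX 7.x-style hit counts and reports the busiest rules, rules that never matched, and the total hits on deny rules; the sample output is constructed and the function names are my own.

```python
import re

# Constructed sample of PIX 7.x "show access-list" output (not captured from a real device).
SAMPLE = """\
access-list outside_in; 4 elements
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=48213) 0x1a2b3c4d
access-list outside_in line 2 extended permit tcp any host 192.0.2.11 eq https (hitcnt=9920) 0x2b3c4d5e
access-list outside_in line 3 extended permit icmp any any echo (hitcnt=0) 0x3c4d5e6f
access-list outside_in line 4 extended deny ip any any log (hitcnt=1337) 0x4d5e6f70
"""

# One expanded ACE per line: "access-list <name> line <n> extended <rule> (hitcnt=<n>) <hash>"
ENTRY_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)"
)


def parse_show_access_list(text):
    """Return a list of dicts, one per ACE; summary lines ("...; N elements") are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "acl": m.group("acl"),
            "line": int(m.group("line")),
            "rule": m.group("rule"),
            "hits": int(m.group("hits")),
        })
    return entries


def top_hit_rules(entries, n=3):
    """The n most-hit ACEs: where your traffic actually lands."""
    return sorted(entries, key=lambda e: e["hits"], reverse=True)[:n]


def unused_rules(entries):
    """ACEs with zero hits: candidates for review or removal in a large rulebase."""
    return [e for e in entries if e["hits"] == 0]


def deny_hits(entries):
    """Total hits on deny ACEs, a quick measure of how much traffic the policy is dropping."""
    return sum(e["hits"] for e in entries if e["rule"].startswith("deny"))


if __name__ == "__main__":
    acl = parse_show_access_list(SAMPLE)
    for e in top_hit_rules(acl):
        print(f"line {e['line']:>4}  hits={e['hits']:>8}  {e['rule']}")
    print("never hit:", [e["line"] for e in unused_rules(acl)])
    print("hits on deny rules:", deny_hits(acl))
```

Feed it the captured output of "show access-list" on a real box (e.g. via a terminal log) instead of SAMPLE; an ACL that was never hit is not proof it is unneeded, but it tells you where to start asking.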
 
The real bottom line is Pix outperforms CP any day, all the way up to the FWSM, which Checkpoint has no product that can compare to. If you don't like pretty pictures to click on, go to the Checkpoint. If you like performance, go to the Pix.
 
Even FWSM can NOT outperform CP running in ClusterXL Active/Active/Active/Active/Active mode. You need to do additional research on this topic. Checkpoint is #1 in the firewall market space for a reason.

As I've said before, Cisco Pix and FWSM have their place in the security arena. If you are strictly looking at performance and your security policy is simple and static, then go with Cisco. However, if you have a complex security rulebase, Checkpoint is the answer.

When it comes to security products, Cisco is at the bottom of the list.
 
OK, you can also stack the FWSM, which WILL outperform ClusterXL. I have yet to hear anything Checkpoint can do that the Pix cannot, security-wise. Cisco beats Checkpoint hands down. Checkpoint is an appliance that will soon lose its place in the market. The big marketing they are doing with the Nokia appliance is a last gasp of air before they choke. There is nothing the Checkpoint can do, or do better than the Pix or FWSM, except perform poorly and crash occasionally due to hard drive issues or kernel panics or full disk space.
 
Here is something for you to think about:

1) Currently in Pix version 7.1(x) code, there is a nasty bug: if you use the ASDM to add/delete/modify a security rule, the Pix will block ALL traffic through the Pix firewall. How do you like that? Cisco is currently working on an interim release 7.1.(2).2 to address this problem but I am sure they will break something else along the way.

2) How do you use FWSM to block/allow traffic based on a domain name like microsoft.com or google.com if the IP addresses are constantly changing? That can be done with Checkpoint but NOT Cisco Pix or FWSM.

3) How do you stop Instant Messaging IMs such as Yahoo, Google, AOL, etc. when those IMs use port 80 instead of the standard ports? Again, you can NOT do it with Pix unless you have third-party applications such as Websense. With Checkpoint, this can be done via SmartDefense and/or Web Intelligence.

4) In Pix 6.3(x), how do you stop the Nachi worm attack without stopping ALL ICMP traffic? You can do that with CP but NOT Pix until version 7.x, and I am not sure if it will work either.

ALL Managed Security Services (MSS) prefer Checkpoint/Juniper NetScreen over Cisco Pix and FWSM. As I've said before, Cisco Pix and FWSM have their place in the security arena, but unless you have a simple and static configuration, the consensus is that most people will prefer Checkpoint and Juniper NetScreen over Cisco Pix/FWSM anytime.

You need to take off the Cisco blinders and see what else is available on the security market, besides Cisco.

On the other hand, your comments will carry great weight if you are certified both Cisco CCIE Security and Checkpoint Master CCSE-NG+. If you have both, then I will gladly acknowledge that you're a security guru and you know what you're talking about.

my 2c
 
Just to clarify my previous post, how do you do this in Cisco Pix or FWSM?

1) Stop Nachi worms
! IOS router configuration: ACL 100 selects ICMP echo and echo-reply
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
! Policy route: ICMP packets from ACL 100 that are exactly 92 bytes long go to null0 (dropped)
route-map nacchi permit 10
match ip address 100
match length 92 92
set interface null0
! Apply the policy route-map inbound on the interface facing the infected hosts
interface F0/0
no ip unreachables
ip route-cache policy
ip policy route-map nacchi

2) OSPF/GRE/IPSec. How do you achieve this on a Cisco Pix device? First of all, you can NOT create a GRE tunnel interface on the Pix or FWSM. Basically, I want to route OSPF via GRE and tunnel this via IPSec for security. How do you do this on a Pix?

3) How can you accomplish hair-pinning on Cisco Pix? Basically, your Pix has a site-to-site VPN and a remote access VPN. Remote access users VPN in and then use the site-to-site VPN tunnel to get to the other side.

By the way, these things can be accomplished via Cisco IOS routers and Checkpoint as well. How do you do this in Pix? You asked about things that can be done with Checkpoint, right? Well, these things can be done with Checkpoint and Cisco IOS. How do you plan on accomplishing this in Cisco Pix?

Before you start saying that Cisco Pix/FWSM beat Checkpoint hands down and Checkpoint is on its way out, do some research to back up your claims.

my 2c
 
One thing to remember: the Pix is not a router or proxy filter, it is a firewall. Those 3 should be kept separate.

1) Unless 7.0 has some features I don't know about, then I don't think you can stop packets by byte length. But what I do believe is that if you have a solid policy, the worm shouldn't be a threat.

2) OSPF via GRE over IPSec is perfectly performable. The Pix will pass this traffic without issue. No, the Pix will not route the traffic, but what are we trying to do, security or routing?

3) Hairpinning is achievable via the intra-interface command. (7.0)

4) Messaging can be stopped via the Tunneling Application Control inspect. (7.0)

I am not against Checkpoint at all. I think it is good for those that don't need to understand the architecture of network security to implement and manage. The underlying OS does give capabilities of running other services other than a firewall. You could run your web server, FTP server, proxy server, log server, and even sendmail. Sound like ISA?

I think a true security person would agree, you don't put all of your eggs in one basket.

I wouldn't say MSS would prefer Checkpoint more than the Pix. Checkpoint is easy to manage and even easier to get staff to run it, make changes, etc. For large ACL implementations/changes and granular policies, I would rather have the Pix running. For customers that want to view policies, "participate" in the firewall management and be able to view policies with pictures, I would prefer Checkpoint.

Checkpoint has had its fair share of bugs/"features" also. I am not claiming to be a Checkpoint or Pix GURU. I do have experience with both devices; it's my everyday job. I understand the architecture of both. I know the handoffs of using one vs the other. Honestly, I do have a preference for Cisco and the Pix, and my knowledge of the Pix has more depth than my knowledge of the Checkpoint.
 
NetworkGhost,

1) Pix can NOT stop packets by byte length, Checkpoint can. Checkpoint score = 1; Pix score = 0. It seems to me that the firewall is completely useless if it can not even stop a simple Nachi virus.

2) Pix can not do OSPF/GRE/IPSec, Checkpoint can. Another score for Checkpoint. In this case, I am trying to do both: routing OSPF or BGP via GRE and encapsulating it with IPSec. The last time I read, IPSec is part of Security, NOT Routing and Switching.

3) When I am talking about hair-pinning, I am referring to a remote access VPN terminating on the external interface, and that VPN can use another site-to-site VPN to get to the other side. Cisco VPN Concentrator and Cisco IOS/Firewall can do that but Pix can NOT. Are you saying that the VPN Concentrator is NOT a security device?

4) I've tried to use the Tunneling Application Control crap that you talked about. Not only did that shit not work, users can bypass that mechanism quite easily. I opened a TAC case with Cisco and the Cisco TAC admitted to me that their shit does not work until they can make it actually work in a later release of 7.2.x.

5) Are you saying that people who use Checkpoint have NO knowledge of network security architecture? I don't know how to interpret it another way from your previous post. That is a very aggorant statement to make.

6) Up until version 7.x, Cisco Pix and FWSM couldn't run the firewall in transparent mode (layer 2). In contrast, NetScreen and Checkpoint have been able to do it for years.

7) You don't think MSS prefer Checkpoint over Pix? Why don't you contact Sprint, MCI, Verio and most of the MSS providers and they will tell you what they use. Yours truly happens to work for two of the companies mentioned above.

8) Here is something new for you. With a Cisco Pix device, you can not have multiple secondary IP addresses on the same interface. Guess what, both Cisco IOS/Firewall and Checkpoint allow you to have multiple secondary IP addresses on the same physical interface. The only way you can do that on the Pix is through 802.1q (i.e. trunking). With trunking, you burn up more VLANs.

As I've said before, there are situations where you want to use Cisco Pix and/or FWSM when performance is the main concern. That being said, if you want "stateful" inspection, then you go with Checkpoint. Checkpoint is #1 in the firewall market share for a reason, because it is "good".

Personally, I think both Cisco Pix/FWSM and Checkpoint are a piece of crap, with Checkpoint being the lesser of two evils. If I had my own way, I would take an OpenBSD firewall over any commercial firewall vendor anytime. However, I am making a good living with both Cisco and Checkpoint so you will not see me complaining. Both of them have bugs/issues so that they keep us employed.

Next time, before you open your mouth and say that Cisco Pix is better than Checkpoint, do some research to back up your claims. I just gave you a list of limitations of what Pix can NOT do.

my 2c
 
GRE over IPSec the Pix can do.

Hairpinning the Pix can do. (7.0) One VPN can't access another VPN via the same terminated interface. Early OSs could not do this, I agree.

I never said that people who do Checkpoint know nothing. I work with (in my opinion) some very knowledgeable professionals who prefer Checkpoint over Pix. Makes a fun office.

I can't vouch either way on the Application Tunnel Control.

Up until I was 10 months old I couldn't stand without hanging on to something. Who cares who did transparent mode first.

Checkpoint is deployed by most MSS because of the ability to centrally manage, which Checkpoint has a good application for (Provider-1), and also the lack of Pix professionals. Pix/FWSM is getting there but not yet. (A lot of Pixes are coming into management by many major ISPs.)

Multiple IPs are nice, but is that really a feature for a FW, or a router, or an OS for that matter? I would rather trunk than have multiple IPs.

Checkpoint #1 in the market? I'd like to see the numbers.

aggorant what what ?

On a side note, where ya from?
 
1) I have a lot of customers who would like to migrate from Checkpoint to Pix; however, due to the limitation that Pix can NOT do multiple IPs on the same physical interface, they are backing off. The other solution is to use 802.1q, which means that they will have to pay for more additional VLANs, which they didn't before with Checkpoint. Tell that to customers and you will get a response from them that Pix is shit. Rule #1, do NO harm, but I guess Cisco didn't listen.

2) Are you telling me that Pix can do GRE/IPSec like this on the Pix:
! GRE tunnel interface as configured on an IOS router
interface Tunnel0
ip address 192.168.77.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 4.2.2.2
tunnel key 123456

! Physical interface the tunnel is sourced from; the worm policy route-map is applied here
interface FastEthernet0/0
description External Network
ip address 129.174.1.8
ip accounting output-packets
ip nat outside
ip route-cache flow
no ip mroute-cache
ip policy route-map block_worms
duplex auto
speed auto
no cdp enable

I am talking about terminating GRE traffic on the Pix interface itself. I am not talking about routing or encrypting GRE traffic through the Pix. How do you do this on the Pix?

3) "Up until I was 10 months old I couldnt stand without hanging on to something. Who cares who did transparent mode first."
If you need to have quadruple heart bypass surgery, are you going to prefer someone who has done this many times to operate on you, or do you place your faith in someone who has never done this before until recently? Do I need to say anything more?

4) "Application Tunnel Control" is more like vaporware than anything else. As I've mentioned, it couldn't stop MSN IM tunnelling through port 80.

5) Are you trying to compare Checkpoint Provider-1 with the new Cisco Security Manager (CSM)? What a joke. Think of it this way: Provider-1 is like someone who has a Ph.D. from MIT working for Goldman Sachs, while CSM is like someone with a high school degree working at McDonald's. I have been testing CSM for the past 3 months and I can tell you that I have a meeting with a Cisco Developer Engineer every week giving feedback about this piece of shit, and that is not really funny. You said Pix/FWSM is getting there. What a sick joke. Yeah, they will get there maybe in ten years.
Another thing, this piece of shit is running only on Windows. No F! MSS providers would be crazy to trust their most important piece of infrastructure running on Winblows.

As someone who has already failed the CCIE Security lab 4 times, my opinion does not carry much weight until I pass the CCIE Security lab. In my professional opinion, Cisco security products are at the bottom of the list, especially the Cisco IDS/IPS. By the time you configure a signature to stop an attack in your environment, the damage has already been done. That is how bad the product is.

my 2c
I am located in Maryland
 