Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Why use old PIX OS?
- Thread starter baddos
- Start date
HI.
Some reasons:
* The upgrade is not free.
And Cisco does not seem to encourage customers to purchase it.
* Some organizations (primarly small buisnesses) do not have an administrator to take advantage of new features or even do not know that there is such option.
* Some administrators go by the rule - if it works, don't touch it.
You can argue with that, but only if they ask for your opinion...
* Until about a year ago, most pix devices were deployed to resellers (and from them to clients) with an old OS, for example version 4.4 for a pix 515 at the time when version 6.0 was already available, and not all resellers/dealers did upgrade it to current version before selling to end client.
Even nowdays you can see new devices deployed without the latest OS version. Not all resellers upgrade the box before field deployment.
Bye
Yizhar Hurwitz
Some reasons:
* The upgrade is not free.
And Cisco does not seem to encourage customers to purchase it.
* Some organizations (primarly small buisnesses) do not have an administrator to take advantage of new features or even do not know that there is such option.
* Some administrators go by the rule - if it works, don't touch it.
You can argue with that, but only if they ask for your opinion...
* Until about a year ago, most pix devices were deployed to resellers (and from them to clients) with an old OS, for example version 4.4 for a pix 515 at the time when version 6.0 was already available, and not all resellers/dealers did upgrade it to current version before selling to end client.
Even nowdays you can see new devices deployed without the latest OS version. Not all resellers upgrade the box before field deployment.
Bye
Yizhar Hurwitz
- Thread starter
- #3
Those reasons are all NULL. You buy an expensive firewall like a PIX, you should keep it up to date.
If you want to firewall without the added burden of a firewall, just make an access-list on your router.
I couldn't imagine buying a very expensive firewall, and running old vulnerable code on it.
If you want to firewall without the added burden of a firewall, just make an access-list on your router.
I couldn't imagine buying a very expensive firewall, and running old vulnerable code on it.
I went long time with 5.x for lack of PIX memory and additional NICs. Their stupid 16MB flash card and additional NICs are rediculously expensive.
I mean. come friggin on - they are darn ISA cards - $1500 (or whatever it was) is ridiculous.
Not to mention that I couldn't take the thing down for any extended period and did not have a spare PIX laying around to play with.
Some of us work in financially challenged smaller companies that really don't have $1500 laying around for upgrades and even less laying around for a formal testing lab and equipment.
I'll also echo yizhar with the "if it works dont mess with it." I don't know where you work and how many people you have to do infosec, but I am it for all 50 servers and 200+ workstations, 100+ websites, customer support and endless other resources.
It's not like I can just take a couple days and test my configs against a toy to make sure they work, putting it back up and standing around babysitting it to make sure everything works.
I'm on the floor crawling around installing workstations, printers, replacing hard drives, answering customer calls - the works. It's a big deal and considerable losses for my company to be down for even a day.
My work had to be done on the weekend, on my time, without overtime or comp time. That's the way smaller companies exist. And my operation IS 24 X 7 X 365 and they DID suffer losses for that downtime even though it was minimal.
Now think and really listen to people before you spew NULL or whatever moronic responses.
"If you lived here, you'd be home by now!"
George Carlin
I mean. come friggin on - they are darn ISA cards - $1500 (or whatever it was) is ridiculous.
Not to mention that I couldn't take the thing down for any extended period and did not have a spare PIX laying around to play with.
Some of us work in financially challenged smaller companies that really don't have $1500 laying around for upgrades and even less laying around for a formal testing lab and equipment.
I'll also echo yizhar with the "if it works dont mess with it." I don't know where you work and how many people you have to do infosec, but I am it for all 50 servers and 200+ workstations, 100+ websites, customer support and endless other resources.
It's not like I can just take a couple days and test my configs against a toy to make sure they work, putting it back up and standing around babysitting it to make sure everything works.
I'm on the floor crawling around installing workstations, printers, replacing hard drives, answering customer calls - the works. It's a big deal and considerable losses for my company to be down for even a day.
My work had to be done on the weekend, on my time, without overtime or comp time. That's the way smaller companies exist. And my operation IS 24 X 7 X 365 and they DID suffer losses for that downtime even though it was minimal.
Now think and really listen to people before you spew NULL or whatever moronic responses.
"If you lived here, you'd be home by now!"
George Carlin
- Thread starter
- #6
Ok... Let me get this straigt. You financially strapped company buys a CISCO firewall. They are so strapped for cash they can't upgrade it?
Why have your firewall vulnerable to attacks? It's like not patching a windows server, you just do it. Upgrade, upgrade, upgrade; it's the life of an IT guy. There are a lot of vulnerabilities in the PIX since version 5 and a lot more since 4. It's silly to through down $1500 - $20000 on a PIX, if in a year or so you'll let it be out of date since you were to cheap to through down for a $600 flash memory upgrade. Any CFO will tell you that doesn't make financial sense.
Ru55ell... I am using kiwi syslog on many devices including Cisco PIX. Did you have a question about that?
Why does version 6 need more than the two interfaces built into the PIX? I might be missing something here.
As far as the if it's not broke, don't fix it conern... Well if someone hacks a server that is "protected" by your 2 year PIX firewall, that would cause a lot of downtime and losses. And it would probably happen at night or on the weekend, and you would have to come in anyways w/o comp time.
I feel for you, and I am not trying to downgrade anyone's situation. I do plenty of side work for small companies, and I know the politcal and financial constraints for small companies. However, I don't know why a small company would be using an expensive cisco firewall when an offordable firewall would do. The best practices for security is to stay current, and that is all I am recommending. Code Red and SQL Slammer have proven to the IT industry that the "if it's not broke don't fix it" rule of thumb should never be taken seriously in a production environment.
-Bad Dos
Why have your firewall vulnerable to attacks? It's like not patching a windows server, you just do it. Upgrade, upgrade, upgrade; it's the life of an IT guy. There are a lot of vulnerabilities in the PIX since version 5 and a lot more since 4. It's silly to through down $1500 - $20000 on a PIX, if in a year or so you'll let it be out of date since you were to cheap to through down for a $600 flash memory upgrade. Any CFO will tell you that doesn't make financial sense.
Ru55ell... I am using kiwi syslog on many devices including Cisco PIX. Did you have a question about that?
Why does version 6 need more than the two interfaces built into the PIX? I might be missing something here.
As far as the if it's not broke, don't fix it conern... Well if someone hacks a server that is "protected" by your 2 year PIX firewall, that would cause a lot of downtime and losses. And it would probably happen at night or on the weekend, and you would have to come in anyways w/o comp time.
I feel for you, and I am not trying to downgrade anyone's situation. I do plenty of side work for small companies, and I know the politcal and financial constraints for small companies. However, I don't know why a small company would be using an expensive cisco firewall when an offordable firewall would do. The best practices for security is to stay current, and that is all I am recommending. Code Red and SQL Slammer have proven to the IT industry that the "if it's not broke don't fix it" rule of thumb should never be taken seriously in a production environment.
-Bad Dos
HI.
I just want to clear a point here, about " if it works, don't touch it".
I don't think that this approach is good.
As a general rule I'm in favor of "baddos" approach - do the needed maintanace including upgrades, and don't just sit and wait for the next crash.
I just tried to answer the initial question here, about why does people use old OS.
It is not that I recommend staying with old OS.
However, like "haknwak" and many other, I am also spending a lot of time crawling on the floor, and I don't think that he did wrong in his case.
Bye
Yizhar Hurwitz
I just want to clear a point here, about " if it works, don't touch it".
I don't think that this approach is good.
As a general rule I'm in favor of "baddos" approach - do the needed maintanace including upgrades, and don't just sit and wait for the next crash.
I just tried to answer the initial question here, about why does people use old OS.
It is not that I recommend staying with old OS.
However, like "haknwak" and many other, I am also spending a lot of time crawling on the floor, and I don't think that he did wrong in his case.
Bye
Yizhar Hurwitz
- Status
Similar threads
- Locked
- Question
- Locked
- Question