RE: ASA 8.0

From: tdt_cciesec (tdt_cciesec@yahoo.com)
Date: Sun Feb 25 2007 - 15:23:38 ART


Believe it. Pix is a mediocre product. I work for a large Managed Security Service provider (MSS) and we managed over 600 Nokia/CP firewall appliances, 10 Juniper/NetScreen and maybe 5 Pix firewalls.
 With CP, we use Provider-1 to centrally manage these Checkpoint firewalls. AFAIK, there is no such thing for Pix/ASA and FWSM. I recently tested the Solsoft product to manage Pix/ASA products and the product is mediocre at best.

Checkpoint and Juniper have their share of bugs. I understand that software is
written by humans and bugs are part of it; however, bugs on Cisco Pix/ASA
are the worst. Have you ever tried version 7.2(2)-2? After applying the code,
if you try "show run + q" the box is rebooted. Is that an acceptable solution?
Worse, on 7.2(2) code, if you have about 10 snmp-server commands in the
configuration, you cannot perform "write mem". I guess what I am trying to say
is that CP and Juniper have bugs too, but not stupid bugs like Cisco's.

Up until version 7.2(1), you cannot even do hairpinning with Cisco Pix for
clear-text traffic. Furthermore, you can't even do source-based routing on
these devices. These things can be done on Nokia and Juniper appliances.

When you said that when you want to upgrade from 6.x to 7.x, there is no
chassis replacement, that is NOT entirely true. What happens if you have
a Pix520 or a Pix506 or 506E? Don't you have to replace the chassis as well?

The limitations regarding the pix firewall, specifically Pix535, is that in order
to upgrade from 6.x to 7.x, you must have some of the NICs in the 33 MHz bus
or during the monitor mode, the pix will NOT see any interfaces at all. Well,
if you don't see any interfaces, then how are you supposed to upgrade from 6.x
to 7.x? By the way, before you challenge me on this one, you should check
with Cisco TAC because they agree with me on this one.

Have you ever tried to manage a Pix/ASA configuration with over 400,000 lines?
Furthermore, have you ever tried rearranging interfaces on a production Pix
firewall? For example, you have to move a gig interface from a 33 MHz slot to a
66 MHz slot while moving the quad card from a 66 MHz slot to a 33 MHz slot. It is
a freaking nightmare. I am talking about 6.x by the way, with logical interfaces.
Need I say more?

The Pix firewall cannot block "active" ftp while allowing only "passive" ftp through
the firewall at the same time when there is static NAT in place. Before you
want to challenge me on this, you need to contact Cisco TAC and they will
confirm this for you. On Checkpoint and Juniper firewalls, I can do this in a
heartbeat.

What you said about version 8.0 making Cisco a leader in the SSL VPN
market is certainly laughable. Last time I checked, Juniper SSL VPN
is at the top, followed by F5 FirePass and then Aventail SSL VPN.
Cisco and Checkpoint SSL VPN are at the bottom of the list. You must be
working in sales, I assume.

I am not bashing Cisco or any vendors. I like Cisco Pix firewalls when it is
ok to do so. Believe it or not, I like Cisco Pix more than Checkpoint when
it comes to performance. Cisco will blow them away when it comes to performance.
When it comes to manageability, Checkpoint centralized management is second
to none. Juniper is getting close with NetScreen Security Manager (NSM).
Cisco, on the other hand, has the pitiful Cisco Security Manager (CSM). This
product is pathetic, even to someone who likes Cisco products like myself.

I like Cisco products; however, I just wish before Cisco releases version 8.0,
they should just make version 7.x a stable version so that everyone can
benefit from it. BTW, the grass is NOT greener on the other side. CP and
Juniper are not making better software than Cisco, just a little more stable.

tdt
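The active-versus-passive FTP point above comes down to what an inspection engine has to see in the control channel: an active-mode client announces its own address and port in a PORT or EPRT command, so a firewall doing static NAT must rewrite that payload and open an inbound pinhole, whereas a passive-mode client only ever connects outbound. The following Python is an added illustration of that classification and of a "passive only" policy decision; it is not PIX/ASA code and does not model any vendor's inspection engine. The client addresses 10.1.2.3 (inside) and 203.0.113.5 (static-NAT mapped, from the documentation range) and the session transcript are constructed sample values.

```python
"""Classify FTP control-channel commands as active or passive data-channel
requests, and show what a firewall with static NAT has to do for each.
Added illustration; not PIX/ASA code. Addresses and session are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): client announces its IPv4 address and port
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# EPRT |1|ip|port| (RFC 2428): extended form, protocol 1 = IPv4
EPRT_RE = re.compile(r"^EPRT\s+\|1\|([0-9.]+)\|(\d+)\|\s*$", re.I)
PASSIVE_RE = re.compile(r"^(PASV|EPSV)\b", re.I)


@dataclass
class DataChannel:
    mode: str                                   # "active" or "passive"
    command: str                                # control-channel verb
    client_endpoint: Optional[Tuple[str, int]]  # where the server must connect (active only)
    needs_payload_rewrite: bool                 # announced address is the inside (pre-NAT) one


def classify_ftp_command(line: str, client_inside_ip: str) -> Optional[DataChannel]:
    """Return the data-channel request carried by one control line, or None
    if the line does not open a data channel (USER, PASS, RETR, ...)."""
    m = PORT_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        ip = f"{h1}.{h2}.{h3}.{h4}"
        port = p1 * 256 + p2
        return DataChannel("active", "PORT", (ip, port), ip == client_inside_ip)
    m = EPRT_RE.match(line)
    if m:
        ip, port = m.group(1), int(m.group(2))
        return DataChannel("active", "EPRT", (ip, port), ip == client_inside_ip)
    m = PASSIVE_RE.match(line)
    if m:
        # Passive: the client opens the data connection outbound to the server,
        # so no inbound pinhole towards the client is needed.
        return DataChannel("passive", m.group(1).upper(), None, False)
    return None


def apply_policy(lines: List[str], client_inside_ip: str, client_mapped_ip: str,
                 allow_active: bool) -> List[Tuple[str, str, str]]:
    """Walk a control-channel transcript and decide, per line, what a firewall
    enforcing 'passive only' (allow_active=False) would do:
      allow   - forward unchanged
      rewrite - forward, but replace the announced inside address with the
                static-NAT mapped address and open a pinhole server->mapped:port
      deny    - drop the command (active mode not permitted by policy)"""
    verdicts = []
    for line in lines:
        dc = classify_ftp_command(line, client_inside_ip)
        if dc is None or dc.mode == "passive":
            verdicts.append((line, "allow", ""))
        elif not allow_active:
            verdicts.append((line, "deny", "active FTP blocked by policy"))
        elif dc.needs_payload_rewrite:
            ip, port = dc.client_endpoint
            verdicts.append((line, "rewrite",
                             f"pinhole server->{client_mapped_ip}:{port}, "
                             f"payload {ip}->{client_mapped_ip}"))
        else:
            verdicts.append((line, "allow", ""))
    return verdicts


# Constructed sample session: inside client 10.1.2.3 statically NATed to 203.0.113.5
SAMPLE_LINES = [
    "USER anonymous",
    "PASS guest@example.net",
    "PORT 10,1,2,3,4,1",        # active: 10.1.2.3, port 4*256+1 = 1025
    "RETR file.txt",
    "PASV",                     # passive: client will connect outbound
    "EPRT |1|10.1.2.3|1026|",   # active, extended syntax
    "EPSV",
]

if __name__ == "__main__":
    for line, verdict, note in apply_policy(SAMPLE_LINES, "10.1.2.3",
                                            "203.0.113.5", allow_active=False):
        print(f"{verdict:8} {line:28} {note}")
```

With allow_active=False both PORT and EPRT lines are denied while PASV/EPSV pass untouched; with allow_active=True the same lines come back as "rewrite", carrying the mapped address and port the firewall would have to substitute and pinhole. Either way the decision depends on the firewall seeing and parsing the control channel, which is why encrypting it (FTPS) removes this option entirely.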

awoland@aim.com wrote: WOW... I personally cannot believe the mixed amount of rumor floating around this list on the ASA 8.0... What I find even harder to believe is that you feel the PIX/ASA were/are mediocre products...

I come from a CheckPoint & NetScreen Background; also a background of PIX, Cisco Centri Firewall (dead) and many, many others... I can certainly say that there isn't a SINGLE firewall that is better than the PIX/ASA... You cannot tell me that CheckPoint didn't have its share of bugs, and you CERTAINLY can't say that about NetScreen...
 
 What you CAN credit Cisco for is always providing investment protection & a WORLD class feature list in their products... When I wanted to upgrade my NetScreen 5200's & 5400's to have Deep Packet inspection, I had to fork-lift upgrade them to ISG's/SSG's... If I wanted deep packet inspection on my PIX, I had to upgrade from 6.x to 7.x... No chassis replacement, and CERTAINLY no re-wiring, etc...
 
 8.0 was originally going to be 7.3 & includes bug fixes. However, Cisco has advanced the code in 7.3 so much & added so much more FREE functionality, that it warranted re-numbering to a whole new train! The ASA 8.0 includes over 30+ application inspection engines (industry termed deep packet inspection)... There is no other single platform that can provide that level of intelligence without adding in an IPS module, etc... And that is available in the same 515 or 525 I have owned for 5.5 years...
 
 8.0 also makes the Cisco ASA an industry LEADER in the SSL VPN market... The features/functionality/usability of the product + the performance enhancements it offers are unheard of in a single software release!
 
 But, I guess you're right... Let's bash the company that continues to provide us the best products with the most investment protection in the industry... How dare they continue to provide value.
 
 To all who didn't deserve this thread, I apologize... But I am frustrated with people on this list bashing Cisco & making it seem like the grass is not only more green on the other side, but also that it is BROWN on the Cisco side of the fence...
 
 -Aaron
 
 
 
   -----Original Message-----
  From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of tdt_cciesec
  Sent: Sunday, February 25, 2007 11:15 AM
  To: Kal Han; M A
  Cc: ccielab@groupstudy.com; security@groupstudy.com
  Subject: Re: ASA 8.0
     
    I found the idea that Cisco is going to release version 8.0 soon to be really
    laughable. It must be a sick joke or something.
     
    Instead of releasing version 8.0, why don't they just concentrate on fixing all the
    bugs currently in 7.x and make it stable before going with 8.x? IMHO,
    cisco should have version 7.2(2) or whatever the flavor at the moment from "ED"
    to "GD" before releasing 8.x code. By releasing 8.x (anytime soon I guess)
    before having a stable release of 7.x, cisco tells me that it has no credibility.
     
    I am a big Cisco fan but they really turn me off when they start doing stuff like
    this. It is no wonder why Checkpoint and Juniper have been kicking cisco in the
    butt when it comes to security. Cisco Pix and ASA are already a mediocre
    product and now cisco will make it worse.
     
    my 2c
     
    tdt
     
    Kal Han <calikali2006@gmail.com> wrote: 8.0 will run on both the platforms.
    But it's going to have separate images for pix and asa.
    Unlike 7.2.2 which has only one/same image for both the platforms.
     
    8.0 is mainly going to be a web-vpn oriented release.
    Might be releasing a software client for SSL VPNs.
    Also you can expect to run more routing protocols on these boxes.
    and some enhanced (rather new) voice security features.... etc
    Plus it will do everything VPN3K has been doing as they announced
    that ASA is a complete super set of VPN3K.
    (nac, web vpn with lots of features etc )
    Of course some of these features already exist in 7.2
     
    Thanks
    Kal
     
     
    On 2/22/07, M A wrote:
>
> I get the feeling that 8.0 will only run on the ASA, not the PIX. Does
> anyone know for sure?
>
> Thanks.
> ----- Original Message -----
> From: "Church, Chuck"
> To: "Larry Roberts" ; "Christopher M.
> Heffner"
> Cc: ;
> Sent: Wednesday, February 21, 2007 11:47 PM
> Subject: RE: ASA 8.0
>
>
> > How about support for traffic shaping, and NBAR (without needing a
> > separate IDS module)? Those would be nice for one customer I deal with
> > - Wireless ISP, limited bandwidth, has VoIP, and P2P traffic :(
> >
> >
> > Chuck Church
> > Network Engineer
> > CCIE #8776, MCNE, MCSE
> > Multimax, Inc.
> > Enterprise Network Engineering
> > Home Office - 864-335-9473
> > Cell - 864-266-3978
> > cchurch@multimax.com
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Larry Roberts
> > Sent: Wednesday, February 21, 2007 8:05 PM
> > To: Christopher M. Heffner
> > Cc: Kaleem Khawaja; Tim; ccielab@groupstudy.com; security@groupstudy.com
> > Subject: Re: ASA 8.0
> >
> > I will give you a teaser...
> >
> > Think proprietary enhanced best path indicator....
> >
> >
> > I'm running the beta code for 8.0 and ASDM 6.0 and it seems pretty
> > good. The changes made to ASDM make it more user friendly as well.
> > I have been focused on its certificate support for SSL and remote admin
> > but I plan to dig into it in more depth shortly.
> >
> > And before the question comes in, no I won't give it out....
> >
> > :)
> >
> >
> > Larry
> >
> > Christopher M. Heffner wrote:
> >> Tim,
> >>
> >> Cisco PIX/ASA 8.0 is still in beta testing so the only documentation
> >> available at this time is for the beta testers. I can tell you that
> >> there are some really "COOL A**" changes coming down the line that I
> >> have been testing in the beta program.
> >>
> >> Cisco is going all out with this release!
> >>
> >> Stay tuned for the official release in the near future.
> >>
> >> Regards,
> >>
> >> Christopher M. Heffner, CCIE 8211, CCSI 98760
> >> Strategic Network Solutions, Inc.
> >>
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of
> >> Kaleem Khawaja
> >> Sent: Wednesday, February 21, 2007 2:53 PM
> >> To: Tim
> >> Cc: ccielab@groupstudy.com; security@groupstudy.com
> >> Subject: Re: ASA 8.0
> >>
> >> Tim,
> >>
> >> I think you are correct, it seems that some one jumped the gun on this
> >>
> >> take a look
> >>
> >> http://www.breezy.ca/?q=node/116
> >> and
> >>
> >> http://www.linksysinfo.org/forums/showthread.php?t=51386
> >>
> >>
> >> On 2/21/07, Tim wrote:
> >>
> >>> Hey Kaleem,
> >>>
> >>>
> >>>
> >>> Yep, I had this. I was looking for technical details, not marketing
> >>> glitz.
> >>>
> >>>
> >>>
> >>> I think that maybe Cisco hasn't posted any real tech info on this
> > yet.
> >>>
> >>>
> >>>
> >>> But, I donno for sure.
> >>>
> >>>
> >>>
> >>> Thanks, Tim
> >>>
> >>>
> >>> ------------------------------
> >>>
> >>> *From:* Kaleem Khawaja [mailto:kaleem.khawaja@gmail.com]
> >>> *Sent:* Wednesday, February 21, 2007 12:15 PM
> >>> *To:* Tim
> >>> *Cc:* security@groupstudy.com
> >>> *Subject:* Re: ASA 8.0
> >>>
> >>>
> >>>
> >>> Tim,
> >>>
> >>> I am not sure if you have looked at this already or not, but here is
> >>>
> >> one
> >>
> >>> presentation
> >>>
> >>>
> >>
> > http://www.cisco.com/application/pdf/en/us/guest/products/ps6120/c1161/c
> >> dccont_0900aecd805c768e.pdf
> >>
> >>>
> >>> On 2/21/07, *Tim* wrote:
> >>>
> >>> Hi Guys,
> >>>
> >>>
> >>>
> >>> I've spent hours trying to find detailed info on what's new with
> >>>
> >> version
> >>
> >>> ASA
> >>> 8.0
> >>>
> >>>
> >>>
> >>> So far, no luck.
> >>>
> >>>
> >>>
> >>> Is the info just not posted yet?
> >>>
> >>>
> >>>
> >>> If anyone knows where to find this info, can you post the links?
> >>>
> >>>
> >>>
> >>> TIA, Tim
This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:48 ART