From: tdt_cciesec (tdt_cciesec@yahoo.com)
Date: Mon Feb 26 2007 - 08:59:15 ART
you said:
"Your evidence is solely based on your own experiences, which BTW seems to
only entail managing 6 PIXs (how is that any real experience with them
anyway?). I've installed 50+ ASA's at various sized customer
sites, as well as worked with PIXs pretty much when Cisco bought it from
Network Translation and have never experienced the exact same problems you
have stated below. This is not to say I haven't experienced *any* problems"
Have you ever tried to use hairpinning with 7.x prior to 7.2(1)? Did it work? I am
not asking for much, just simple stuff, and the damn thing wouldn't even work.
I used 6 Pix firewalls as an example, but I've managed about 200+ Pix firewalls
since 1997, since the old Centri firewalls running on Windows NT. All I am saying
is that if you don't use a lot of features on the Pixes, then it is a good product,
giving you good performance, even better than Checkpoint, but the minute you
start turning on enhanced features on the Pix, you will have stability issues.
For example, even moderate URL filtering on Pix/ASA will result in high CPU.
you said:
"VRRP is supposed to be an open standard..."
When did that happen? Even if it is, different vendors decide how they want
to implement it. I guess at least I can use VRRP on the Nokia boxes. Can you
terminate VRRP on Pix/ASA? Furthermore, can you terminate GRE/IPSec
on Pix/ASA with version 7.x code? I can with the Nokia boxes.
you said:
"Both Checkpoint and Juniper can only provide point products at this time."
I agree with you on this. However, since you and I both took the security exam,
I have to ask you this: would you deploy Cisco IDS 4.1 appliances in your
production environment given the fact that when you make a change in the IDS, it
takes about 5 minutes to apply the changes and sometimes it will not accept
the changes at all? Just having an end-to-end solution product does not mean
that it is a good product. I'll take SourceFire and/or Juniper IDP over Cisco IDS
or IDM modules anytime.
Let me reiterate my point. I don't bash Cisco. I just wish Cisco would concentrate
on a more stable 7.x code before releasing the next generation 8.x.
tdt
"IE Rat (Formerly Lab Rat #109385382)" <techlist01@gmail.com> wrote:
I'm sorry TDT, but when you say:
"I am not bashing Cisco or any vendors."
After saying:
"By releasing 8.x (anytime soon I guess) before having a stable release of
7.x, telling me that cisco has no credibility.
I am a big Cisco fan but they really turn me off when they start doing
stuffs like this. It is no wonder why Checkpoint and Juniper have been kicking
cisco in the butt when it comes to security. Cisco Pix and ASA are already a
mediocre product and now cisco will make it worse."
...shows that you can't even make up your own mind on the subject. Which is
it? Bash Cisco based on your own experiences, which not everyone else has
experienced (namely me), or just say that you are not in fact bashing them
when you really are?
Your evidence is solely based on your own experiences, which BTW seems to
only entail managing 6 PIXs (how is that any real experience with them
anyway?). Personally, I've installed 50+ ASA's at various sized customer
sites, as well as worked with PIXs pretty much when Cisco bought it from
Network Translation and have never experienced the exact same problems you
have stated below. This is not to say I haven't experienced *any* problems,
but not enough to come close to concluding that the PIX is "mediocre at
best". Totally don't agree with that statement.
Also, not to say that v8.x will make Cisco's SSLVPN solution a clear leader,
but from being directly involved in a Cisco vs. Juniper SSLVPN contest for a
Fortune 500 company (with Juniper ultimately winning), I know for sure that
v8.x will make Cisco a much more attractive solution. I talked directly to
the Cisco ASA PSS a few months ago and he told me what's coming down the
pipe. Most people only know that Juniper is the SSLVPN market share leader
so they think they are the best. Well, I wonder if people know that Juniper
didn't have a CSD solution until they saw Cisco released it first in their
VPN-C? How does that make the all-powerful Juniper look now in that space?
"Laughable"? I wouldn't use that strong language for any of the security
leaders, let alone Cisco.
Just recently, I posted an email inquiring how to interoperate a Nokia box
and Cisco router using VRRP. VRRP is supposed to be an open
standard...well, to a company like Checkpoint, it still means "only Nokia
boxes." Needless to say, Checkpoint could not interoperate with Cisco due
to its own limitations. Am I supposed to say that Checkpoint sucks because
of this? If I were a true "security professional" I wouldn't dare say so
because Checkpoint has been a firewall leader for many years.
My point is, just b/c YOU have stated these as problems, doesn't mean (1)
that everyone considers them as bad as or worse than you thus labeling Cisco
illegitimate as a security company and (2) that your problems validate
tagging Cisco as a runner-up in the security realm.
So, before you continue to say anything else that's blatantly in error,
consider that Cisco sells the most security, as well as leads the overall
network security market share for '06--not Checkpoint and not Juniper.
That's not me saying it, that's Gartner, so I wonder where your information
comes from when you state that "Checkpoint and Juniper have been kicking
cisco in the butt when it comes to security?"
And although I may be involved in Cisco sales (from working for a Cisco
Security Partner), I do know the statistics as well as the fact that Cisco
is really the only company that can provide an end-to-end security solution.
Both Checkpoint and Juniper can only provide point products at this time.
My $.02.
Ed
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
tdt_cciesec
Sent: Sunday, February 25, 2007 10:24 AM
To: awoland@aim.com; ma4d@hotmail.com; calikali2006@gmail.com
Cc: ccielab@groupstudy.com; security@groupstudy.com
Subject: RE: ASA 8.0
Believe it. Pix is a mediocre product. I work for a large Managed Security
Service provider (MSS) and we manage over 600 Nokia/CP firewall
appliances, 10 Juniper/NetScreen and maybe 5 Pix firewalls.
With CP, we use Provider-1 to centrally manage these Checkpoint firewalls.
AFAIK, there is no such thing for Pix/ASA and FWSM. I recently tested the Solsoft
product to manage Pix/ASA products and the product is mediocre at best.
Checkpoint and Juniper have their share of bugs. I understand that software is
written by humans and bugs are part of them; however, bugs on Cisco Pix/ASA
are the worst. Have you ever tried version 7.2(2)-2? After applying the code,
if you try "show run + q" the box reboots. Is that an acceptable solution?
Worse, on 7.2(2) code, if you have about 10 snmp-server commands in the
configuration, you cannot perform "write mem". I guess what I am trying to say
is that CP and Juniper have bugs too but not stupid bugs like Cisco.
Up until version 7.2(1), you could not even do hairpinning with Cisco Pix for
clear-text traffic. Furthermore, you can't even do source-based routing on
these devices. These things can be done on Nokia and Juniper appliances.
You said that when you want to upgrade from 6.x to 7.x, there is no
chassis replacement. That is NOT entirely true. What happens if you have
a Pix520 or a Pix506 or 506E? Don't you have to replace the chassis as well?
The limitation regarding the Pix firewall, specifically the Pix535, is that in order
to upgrade from 6.x to 7.x, you must have some of the NICs in the 33MHz bus
or during monitor mode, the Pix will NOT see any interfaces at all. Well,
if you don't see any interfaces, then how are you supposed to upgrade from 6.x
to 7.x? By the way, before you challenge me on this one, you should check
with Cisco TAC because they agree with me on this one.
Have you ever tried to manage a Pix/ASA configuration with over 400,000 lines?
Furthermore, have you ever tried rearranging interfaces on a production Pix
firewall? For example, you have to move a gig interface from a 33MHz slot to a
66MHz slot while moving the quad card from a 66MHz slot to a 33MHz slot. It is
a freaking nightmare. I am talking about 6.x by the way, with logical
interfaces.
Need I say more?
The Pix firewall cannot block "active" FTP while allowing only "passive" FTP through
the firewall at the same time when there is static NAT in place. Before you
want to challenge me on this, you need to contact Cisco TAC and they will
confirm this for you. On Checkpoint and Juniper firewalls, I can do this in a
heartbeat.
What you said about version 8.0 making Cisco a leader in the SSL VPN
market is certainly laughable. Last time I checked, Juniper SSL VPN
is at the top followed by F5 FirePass and then Aventail SSL VPN.
Cisco and Checkpoint SSL VPN are at the bottom of the list. You must be
working in sales, I assume.
I am not bashing Cisco or any vendors. I like Cisco Pix firewalls when it is
ok to do so. Believe it or not, I like Cisco Pix more than Checkpoint when
it comes to performance. Cisco will blow it away when it comes to performance.
When it comes to manageability, Checkpoint centralized management is second
to none. Juniper is getting close with NetScreen Security Manager (NSM).
Cisco, on the other hand, has the pitiful Cisco Security Manager (CSM). This
product is pathetic, even to someone who likes Cisco products like myself.
I like Cisco products; however, I just wish that before Cisco releases version 8.0,
they would make version 7.x a stable version so that everyone can
benefit from it. BTW, the grass is NOT greener on the other side. CP and
Juniper are not making better software than Cisco, just a little more
stable.
tdt
awoland@aim.com wrote:
WOW... I personally cannot believe the mixed
amount of rumor floating around this list on the ASA 8.0... What I find
even harder to believe is that you feel the PIX/ASA were/are mediocre
products...
I come from a CheckPoint & NetScreen background; also a background of PIX,
Cisco Centri Firewall (dead) and many, many others... I can certainly say
that there isn't a SINGLE firewall that is better than the PIX/ASA... You
cannot tell me that CheckPoint didn't have its share of bugs, and you
CERTAINLY can't say that about NetScreen...
What you CAN credit Cisco for is always providing investment protection & a
WORLD class feature list in their products... When I wanted to upgrade my
NetScreen 5200's & 5400's to have Deep Packet inspection, I had to fork-lift
upgrade them to ISG's/SSG's... If I wanted deep packet inspection on my
PIX, I had to upgrade from 6.x to 7.x... No chassis replacement, and
CERTAINLY no re-wiring, etc...
8.0 was originally going to be 7.3 & includes bug fixes. However, Cisco
has advanced the code in 7.3 so much & added so much more FREE
functionality, that it warranted re-numbering to a whole new train! The ASA
8.0 includes over 30+ application inspection engines (industry termed deep
packet inspection)... There is no other single platform that can provide
that level of intelligence without adding in an IPS module, etc... And that
is available in the same 515 or 525 I have owned for 5.5 years...
8.0 also makes the Cisco ASA an industry LEADER in the SSL VPN market...
The features/functionality/usability of the product + the performance
enhancements it offers are unheard of in a single software release!
But, I guess you're right... Let's bash the company that continues to provide
us the best products with the most investment protection in the industry...
How dare they continue to provide value.
To all who didn't deserve this thread, I apologize... But I am frustrated
with people on this list bashing Cisco & making it seem like the grass is
not only more green on the other side, but also that it is BROWN on the
Cisco side of the fence...
-Aaron
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
tdt_cciesec
Sent: Sunday, February 25, 2007 11:15 AM
To: Kal Han; M A
Cc: ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: ASA 8.0
I find the idea that Cisco is going to release version 8.0 soon to be really
laughable. It must be a sick joke or something.
Instead of releasing version 8.0, why don't they just concentrate on fixing all the
bugs currently in 7.x and make it stable before going with 8.x? IMHO,
Cisco should have version 7.2(2) or whatever the flavor at the moment go from "ED"
to "GD" before releasing 8.x code. Releasing 8.x (anytime soon I guess)
before having a stable release of 7.x tells me that Cisco has no
credibility.
I am a big Cisco fan but they really turn me off when they start doing stuff like
this. It is no wonder why Checkpoint and Juniper have been kicking Cisco in the
butt when it comes to security. Cisco Pix and ASA are already a mediocre
product and now Cisco will make it worse.
my 2c
tdt
Kal Han wrote:
8.0 will run on both the platforms.
But it's going to have separate images for PIX and ASA.
Unlike 7.2.2 which has only one/same image for both the platforms.
8.0 is mainly going to be a web-VPN oriented release.
Might be releasing a software client for SSL VPNs.
Also you can expect to run more routing protocols on these boxes,
and some enhanced (rather, new) voice security features... etc.
Plus it will do everything VPN3K has been doing, as they announced
that ASA is a complete superset of VPN3K
(NAC, web VPN with lots of features, etc.).
Of course some of these features already exist in 7.2.
Thanks
Kal
On 2/22/07, M A wrote:
>
> I get the feeling that 8.0 will only run on the ASA, not the PIX. Does
> anyone know for sure?
>
> Thanks.
> ----- Original Message -----
> From: "Church, Chuck"
> To: "Larry Roberts" ; "Christopher M.
> Heffner"
> Cc: ;
> Sent: Wednesday, February 21, 2007 11:47 PM
> Subject: RE: ASA 8.0
>
>
> > How about support for traffic shaping, and NBAR (without needing a
> > separate IDS module)? Those would be nice for one customer I deal with
> > - Wireless ISP, limited bandwidth, has VoIP, and P2P traffic :(
> >
> >
> > Chuck Church
> > Network Engineer
> > CCIE #8776, MCNE, MCSE
> > Multimax, Inc.
> > Enterprise Network Engineering
> > Home Office - 864-335-9473
> > Cell - 864-266-3978
> > cchurch@multimax.com
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Larry Roberts
> > Sent: Wednesday, February 21, 2007 8:05 PM
> > To: Christopher M. Heffner
> > Cc: Kaleem Khawaja; Tim; ccielab@groupstudy.com; security@groupstudy.com
> > Subject: Re: ASA 8.0
> >
> > I will give you a teaser...
> >
> > Think proprietary enhanced best path indicator....
> >
> >
> > I'm running the beta code for 8.0 and ASDM 6.0 and it seems pretty
> > good. The changes made to ASDM make it more user friendly as well.
> > I have been focused on its certificate support for SSL and remote admin
> > but I plan to dig into it in more depth shortly.
> >
> > And before the question comes in, no I won't give it out....
> >
> > :)
> >
> >
> > Larry
> >
> > Christopher M. Heffner wrote:
> >> Tim,
> >>
> >> Cisco PIX/ASA 8.0 is still in beta testing so the only documentation
> >> available at this time is for the beta testers. I can tell you that
> >> there are some really "COOL A**" changes coming down the line that I
> >> have been testing in the beta program.
> >>
> >> Cisco is going all out with this release!
> >>
> >> Stay tuned for the official release in the near future.
> >>
> >> Regards,
> >>
> >> Christopher M. Heffner, CCIE 8211, CCSI 98760
> >> Strategic Network Solutions, Inc.
> >>
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >> Kaleem Khawaja
> >> Sent: Wednesday, February 21, 2007 2:53 PM
> >> To: Tim
> >> Cc: ccielab@groupstudy.com; security@groupstudy.com
> >> Subject: Re: ASA 8.0
> >>
> >> Tim,
> >>
> >> I think you are correct, it seems that someone jumped the gun on this.
> >>
> >> take a look
> >>
> >> http://www.breezy.ca/?q=node/116
> >> and
> >>
> >> http://www.linksysinfo.org/forums/showthread.php?t=51386
> >>
> >>
> >> On 2/21/07, Tim wrote:
> >>
> >>> Hey Kaleem,
> >>>
> >>> Yep, I had this. I was looking for technical details, not marketing
> >>> glitz.
> >>>
> >>> I think that maybe Cisco hasn't posted any real tech info on this
> >>> yet.
> >>>
> >>> But, I dunno for sure.
> >>>
> >>> Thanks, Tim
> >>>
> >>>
> >>> ------------------------------
> >>>
> >>> *From:* Kaleem Khawaja [mailto:kaleem.khawaja@gmail.com]
> >>> *Sent:* Wednesday, February 21, 2007 12:15 PM
> >>> *To:* Tim
> >>> *Cc:* security@groupstudy.com
> >>> *Subject:* Re: ASA 8.0
> >>>
> >>>
> >>>
> >>> Tim,
> >>>
> >>> I am not sure if you have looked at this already or not, but here is
> >>> one presentation
> >>>
> >>> http://www.cisco.com/application/pdf/en/us/guest/products/ps6120/c1161/cdccont_0900aecd805c768e.pdf
> >>
> >>>
> >>> On 2/21/07, *Tim* wrote:
> >>>
> >>> Hi Guys,
> >>>
> >>> I've spent hours trying to find detailed info on what's new with
> >>> version ASA 8.0
> >>>
> >>> So far, no luck.
> >>>
> >>> Is the info just not posted yet?
> >>>
> >>> If anyone knows where to find this info, can you post the links?
> >>>
> >>> TIA, Tim
This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:48 ART