From: IE Rat (Formerly Lab Rat #109385382) (techlist01@gmail.com)
Date: Mon Feb 26 2007 - 15:06:04 ART
1. Yes I have run into the hairpin issue many times. However, know this, as
any "true" security professional would know: Hairpin routing is insecure and
inefficient! I'm glad you would have liked to be able to do it in earlier
releases, but having a packet arrive at a less secure interface from a more
secure interface only to arrive back at a less secure interface is not a
good practice. Just because Checkpoint has allowed it doesn't mean it's the
best practice. Also, for the packet to traverse all over the firewall and
eat up valuable CPU cycles is inefficient. That's why DNS Doctoring and
Alias was introduced...the packet destination is re-written using the FQDN.
Cisco could have included that feature long ago (and at the least, in v7.1)
and finally gave in due to the high number (of dummies, IMO) of requests for
the feature. This doesn't make the PIX a bad product--not at all. The PIX
has traditionally been a firewall and has been used as such. For routing,
use a router. This segments the processing and responsibilities and leaves
the devices to do what they were made to do.
2. Are you saying that you don't think VRRP is an open standard? Go
read up on: http://www.faqs.org/rfcs/rfc2338.html. "Different vendors
decide on how to implement it"? Doesn't that defeat the purpose? Then why
call it VRRP? Why not call it *HSRP*, which is what Cisco does? There are
elements of the protocol that should be interoperable and configurable,
especially related to the following:
7.2 Transmitting VRRP Packets
The following operations MUST be performed when transmitting a VRRP
packet.
- Fill in the VRRP packet fields with the appropriate virtual
router configuration state
- Compute the VRRP checksum
- Set the source MAC address to Virtual Router MAC Address
- Set the source IP address to interface primary IP address
- Set the IP protocol to VRRP
- Send the VRRP packet to the VRRP IP multicast group
It's really not a complicated protocol, and Checkpoint should figure it out.
Cisco's VRRP implementation is much more flexible, in that you can determine
the group number, virtual IP address and such...easy stuff!
3. In answer to your question, I would DEFINITELY use IPSs in my network,
but why would I use v4.1? That is antiquated CCIE Security Lab v.1
software. Did you know that v6.0 is out now? If you say that it takes 5
minutes to make a change, then you have a bad/faulty box, b/c it doesn't
take that long to make a change. It may take that long to update a large
signature file sometimes, but that doesn't bring down the functionality of
the box at all.
But forget the Security exam. Until v2, it has been grossly outdated and is
not as applicable. In fact, you asked this yourself: is there any advantage
to getting the CCSP? I would say so. Does the CCIE exam address CSA? Did
it address the ASA and IPS v.5 until just recently? No. The CCSP is much
more agile and flexible for today's Cisco efforts. That being said, it does
not prepare one to become an "expert" like the CCIE lab does, and that is
the drawback.
So let me further explain since it sounds like you're not involved in
pre-sales but work in a SOC. Cisco is the ONLY company in the world that
can offer integrated and end-to-end security. The SDN initiative is not a
hoax, it actually works when done right--I've seen it. The "shun" commands
alone are worth their weight in gold. The ability to filter further
upstream and automatically, based on network anomalies? That is something
only Cisco can do. Not only that, but now with v6, CSA can detect security
problems and talk directly to the IPS to update and apply signatures to
contain/filter the anomalous traffic. ICS pulls virus/worm information from
Trend Micro's database to keep the network protection up to date as well,
and will update routers and IPSs with signature information to prevent
against those latest outbreaks and apply filtering mechanisms automatically,
if desired.
You say you'll take SourceFire and/or Juniper over IDS any day? How
about when it comes to analysis, false positive tuning and threat response?
You will have to manually sift through--potentially--mounds of data or spend
months tuning the box just to understand what's going on and what to do.
Have you worked with MARS before? A Cisco IPS integrated with MARS provides
so much relevant and concise information you wouldn't believe it. Not only
will MARS thoroughly reduce the amount of "white noise" coming from the IPS
device, it will also integrate closely with other network, host and security
devices to notify you whenever any problem occurs on your network,
accurately and without drama. In addition, MARS gives you a filtering
recommendation and location to apply it, or it can shut a switch port down
with a click of a button. I could go on and on with what Cisco's SDNI
products can do, but hopefully you get the picture. It's never about one
product. It's about applying a best practice, multi-layered strategy to
network security. The IPS is just a portion of the picture. It works in
tandem with everything else. No other company can make the claim that they
have an end-to-end security product offering.
4. I'm really addressing your statement of Cisco not really being a
security company and other companies having an edge on them (paraphrasing).
This is SO not correct (at least, based on worldwide sales numbers) and
should even not be construed as such based on your own experiences. Saying
"Cisco's products have problems" or "Checkpoint does this or Juniper does
that better than Cisco" is totally fair game, but to say that they have been
blowing Cisco out of the security game? C'mon, that's silly to say. My
company partners with Cisco because we can provide our customers a holistic
and integrated solution with their products, rather than push boxes from
another vendor. It's really as simple as that.
Ed
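The hairpin-versus-DNS-doctoring point in item 1 above, carried through as an added example that is not part of this thread and is not Cisco code: a small Python model of what the `dns` keyword on a PIX/ASA `static` translation does to an A record that passes through the firewall. A reply coming from an outside DNS server toward an inside client has the mapped (public) address rewritten to the real (inside) address, so the client connects to the server on the inside segment and the packet never has to hairpin through the firewall; a reply leaving the inside gets the opposite rewrite. The static mapping, the hostname and the reply bytes are constructed for the example.

```python
"""DNS doctoring model: rewrite A-record RDATA in a DNS reply according to a
static NAT table. Added example; not from the original thread or any vendor."""
import struct
import socket

# Constructed static translation: real (inside) address <-> mapped (outside) address.
STATIC_NAT = {"10.1.1.10": "203.0.113.10"}
MAPPED_TO_REAL = {v: k for k, v in STATIC_NAT.items()}


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name starting at off.
    Handles label sequences and RFC 1035 compression pointers (0xC0xx)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # pointer: 2 bytes, terminates the name
            return off + 2
        off += 1 + length


def doctor_dns_reply(msg: bytes, direction: str) -> bytes:
    """Rewrite A records the way a 'static ... dns' translation does.
    direction 'out->in': mapped -> real (reply from outside DNS to inside client)
    direction 'in->out': real -> mapped (reply from inside DNS to outside client)
    Anything that is not a response, or not a matching A record, is untouched."""
    table = MAPPED_TO_REAL if direction == "out->in" else STATIC_NAT
    out = bytearray(msg)
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:              # QR bit clear: a query, not a reply
        return msg
    off = 12
    for _ in range(qd):                 # skip the question section
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):       # walk every resource record
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            ip = socket.inet_ntoa(msg[off:off + 4])
            if ip in table:
                out[off:off + 4] = socket.inet_aton(table[ip])
        off += rdlen
    return bytes(out)


def build_reply(qname: str, ip: str, ident: int = 0x1234) -> bytes:
    """Constructed minimal DNS response: one question, one A answer (TTL 300)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", ident, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = labels + struct.pack("!HH", 1, 1)                 # A, IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer


def answers(msg: bytes) -> list:
    """Addresses of the A records in the answer section (used to check the rewrite)."""
    _ident, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    result = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            result.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return result


if __name__ == "__main__":
    reply = build_reply("www.example.com", "203.0.113.10")
    print(answers(reply), "->", answers(doctor_dns_reply(reply, "out->in")))
```

The rewrite only ever touches addresses that appear in the static table; a reply for a host the firewall does not translate passes through byte-for-byte, which is the check to keep in mind when doctoring seems to "not work" for a given name.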
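The RFC 2338 section 7.2 transmit steps quoted in item 2 above, carried through in code as an added example (Python; not from the thread and not any vendor's implementation): fill the VRRPv2 fields, compute the checksum over the whole message, set the virtual router MAC and the primary interface address as source, protocol 112, destination 224.0.0.18, and then run the receiver-side checks (TTL 255, checksum, our VRID) that the other side of an interoperability test has to perform. The VRID, priority and addresses are constructed for the example.

```python
"""VRRPv2 (RFC 2338) advertisement build/parse. Added example, not from the
original thread or from any vendor's code."""
import struct
import socket

VRRP_PROTO = 112              # IP protocol number assigned to VRRP
VRRP_MCAST = "224.0.0.18"     # VRRP IPv4 multicast group
VRRP_TTL = 255                # RFC 2338 s7.1: TTL MUST be 255, else discard
VRRP_VERSION = 2
VRRP_ADVERTISEMENT = 1


def vrrp_virtual_mac(vrid: int) -> str:
    """IANA virtual router MAC 00-00-5E-00-01-{VRID}; this is the source MAC."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00:00:5e:00:01:%02x" % vrid


def inet_checksum(data: bytes) -> int:
    """One's-complement sum (RFC 1071) as used by IP and VRRP.
    Over a message with a correct checksum in place it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid, priority, addresses, adver_int=1,
                        auth_type=0, auth_data=b"") -> bytes:
    """Serialise a VRRPv2 ADVERTISEMENT: ver/type, VRID, priority, count,
    auth type, advertisement interval, checksum, IPv4 addresses, 8-byte auth."""
    if not addresses:
        raise ValueError("at least one virtual IP address is required")
    auth = auth_data.ljust(8, b"\x00")[:8]
    header = struct.pack("!BBBBBBH",
                         (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                         vrid, priority, len(addresses), auth_type, adver_int, 0)
    body = b"".join(socket.inet_aton(a) for a in addresses) + auth
    csum = inet_checksum(header + body)          # computed with checksum field = 0
    return header[:6] + struct.pack("!H", csum) + body


def parse_advertisement(pkt: bytes) -> dict:
    """Parse and validate a VRRPv2 message; raises ValueError on a bad packet."""
    if len(pkt) < 16:
        raise ValueError("too short")
    if inet_checksum(pkt) != 0:
        raise ValueError("bad checksum")
    vt, vrid, prio, count, auth_type, adver_int, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != VRRP_ADVERTISEMENT:
        raise ValueError("unsupported version/type")
    need = 8 + 4 * count + 8
    if len(pkt) != need:
        raise ValueError("length does not match Count IP Addrs")
    addrs = [socket.inet_ntoa(pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver_int,
            "auth_type": auth_type, "addresses": addrs,
            "auth_data": pkt[8 + 4 * count:need]}


def frame_for_transmit(vrid: int, primary_ip: str, payload: bytes) -> dict:
    """The outer addressing s7.2 mandates, as a dict a raw-socket sender would
    copy into the Ethernet/IP headers: virtual MAC, primary IP, proto 112,
    multicast destination, TTL 255."""
    return {"src_mac": vrrp_virtual_mac(vrid), "src_ip": primary_ip,
            "dst_ip": VRRP_MCAST, "ip_proto": VRRP_PROTO, "ttl": VRRP_TTL,
            "payload": payload}


def accept_from_wire(frame: dict, local_vrid: int):
    """Receiver checks (s7.1): TTL 255, valid checksum/length, our VRID.
    Returns the parsed advertisement or None if it must be discarded."""
    if frame["ttl"] != VRRP_TTL or frame["ip_proto"] != VRRP_PROTO:
        return None
    adv = parse_advertisement(frame["payload"])
    if adv["vrid"] != local_vrid:
        return None
    return adv


if __name__ == "__main__":
    pkt = build_advertisement(vrid=1, priority=100, addresses=["192.0.2.1"])
    frame = frame_for_transmit(1, "192.0.2.2", pkt)
    print(frame["src_mac"], frame["dst_ip"], accept_from_wire(frame, 1))
```

Every field a second vendor has to agree on is visible here: the group number (VRID) fixes both the virtual MAC and which advertisements a router accepts, the priority decides the master, and the checksum is over the whole message with the field zeroed. Those are the knobs that have to match on both boxes before the protocol has any chance of interoperating.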
From: tdt_cciesec [mailto:tdt_cciesec@yahoo.com]
Sent: Monday, February 26, 2007 3:59 AM
To: IE Rat (Formerly Lab Rat #109385382); awoland@aim.com; ma4d@hotmail.com;
calikali2006@gmail.com
Cc: ccielab@groupstudy.com; security@groupstudy.com
Subject: RE: ASA 8.0
you said:
"Your evidence is solely based on your own experiences, which BTW seems to
only entail managing 6 PIXs (how is that any real experience with them
anyway?). I've installed 50+ ASA's at various sized customer
sites, as well as worked with PIXs pretty much when Cisco bought it from
Network Translation and have never experienced the exact same problems you
have stated below. This is not to say I haven't experienced *any* problems"
have you ever tried to use hairpin with 7.x prior to 7.2(1)? Did it work? I
am not asking for much, just simple stuff, and the damn thing wouldn't even
work. I use 6 Pix firewalls as an example, but I've managed about 200+ Pix
firewalls since 1997, since the old Centri firewalls running on Windows NT.
All I am saying is that if you don't use a lot of features on the Pixes, then
it is a good product, giving you good performance, even better than
Checkpoint, but the minute you start turning on enhanced features on the Pix,
you will have stability issues.
For example, even moderate URL filtering on Pix/ASA will result in high CPU.
you said:
"VRRP is supposed to be an open standard..."
When did that happen? Even if it is, different vendors decide how they
want to implement it. I guess at least I can use VRRP on the Nokia boxes. Can
you terminate VRRP on Pix/ASA? Furthermore, can you terminate GRE/IPSec
on Pix/ASA with version 7.x code? I can with the Nokia boxes.
you said:
"Both Checkpoint and Juniper can only provide point products at this time."
I agree with you on this. However, as you and I both took the security exam,
I have to ask you this: would you deploy Cisco IDS 4.1 appliances in your
production environment given the fact that when you make a change in the IDS,
it takes about 5 minutes to apply the changes and sometimes it will not accept
the changes at all? Just having an end-to-end solution product does not mean
that it is a good product. I'll take SourceFire and/or Juniper IDP over
Cisco IDS or IDM modules anytime.
Let me reiterate my point. I don't bash Cisco. I just wish Cisco would
concentrate on a more stable 7.x code before releasing the next generation 8.x.
tdt
"IE Rat (Formerly Lab Rat #109385382)" <techlist01@gmail.com> wrote:
I'm sorry TDT, but when you say:
"I am not bashing Cisco or any vendors."
After saying:
"By releasing 8.x (anytime soon I guess) before having a stable release of
7.x, tells me that Cisco has no credibility. I am a big Cisco fan but they
really turn me off when they start doing stuff like this. It is no wonder why
Checkpoint and Juniper have been kicking Cisco in the butt when it comes to
security. Cisco Pix and ASA are already a mediocre product and now Cisco will
make it worse."
...shows that you can't even make up your own mind on the subject. Which is
it? Bash Cisco based on your own experiences, which not everyone else has
experienced (namely me), or just say that you are not in fact bashing them
when you really are?
Your evidence is solely based on your own experiences, which BTW seems to
only entail managing 6 PIXs (how is that any real experience with them
anyway?). Personally, I've installed 50+ ASA's at various sized customer
sites, as well as worked with PIXs pretty much when Cisco bought it from
Network Translation and have never experienced the exact same problems you
have stated below. This is not to say I haven't experienced *any* problems,
but not enough to come close to concluding that the PIX is "mediocre at
best". Totally don't agree with that statement.
Also, not to say that v8.x will make Cisco's SSLVPN solution a clear leader,
but from being directly involved in a Cisco vs. Juniper SSLVPN contest for a
Fortune 500 company (with Juniper ultimately winning), I know for sure that
v8.x will make Cisco a much more attractive solution. I talked directly to
the Cisco ASA PSS a few months ago and he told me what's coming down the
pipe. Most people only know that Juniper is the SSLVPN market share leader
so they think they are the best. Well, I wonder if people know that Juniper
didn't have a CSD solution until they saw Cisco released it first in their
VPN-C? How does that make the all-powerful Juniper look now in that space?
"Laughable"? I wouldn't use that strong language for any of the security
leaders, let alone Cisco.
Just recently, I posted an email inquiring how to interoperate a Nokia box
and Cisco router using VRRP. VRRP is supposed to be an open
standard...well, to a company like Checkpoint, it still means "only Nokia
boxes." Needless to say, Checkpoint could not interoperate with Cisco due
to its own limitations. Am I supposed to say that Checkpoint sucks because
of this? If I were a true "security professional" I wouldn't dare say so
because Checkpoint has been a firewall leader for many years.
My point is, just b/c YOU have stated these as problems, doesn't mean (1)
that everyone considers them as bad as or worse than you thus labeling Cisco
illegitimate as a security company and (2) that your problems validate
tagging Cisco as a runner-up in the security realm.
So, before you continue to say anything else that's blatantly in error,
consider that Cisco sells the most security, as well as leads the overall
network security market share for '06--not Checkpoint and not Juniper.
That's not me saying it, that's Gartner, so I wonder where your information
comes from when you state that "Checkpoint and Juniper have been kicking
cisco in the butt when it comes to security?"
And although, I may be involved in Cisco sales (from working for a Cisco
Security Partner), I do know the statistics as well as the fact that Cisco
is really the only company that can provide an end-to-end security solution.
Both Checkpoint and Juniper can only provide point products at this time.
My $.02.
Ed
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
tdt_cciesec
Sent: Sunday, February 25, 2007 10:24 AM
To: awoland@aim.com; ma4d@hotmail.com; calikali2006@gmail.com
Cc: ccielab@groupstudy.com; security@groupstudy.com
Subject: RE: ASA 8.0
Believe it. Pix is a mediocre product. I work for a large Managed Security
Service provider (MSS) and we manage over 600 Nokia/CP firewall
appliances, 10 Juniper/NetScreen and maybe 5 Pix firewalls.
With CP, we use Provider-1 to centrally manage these Checkpoint firewalls.
AFAIK, there is no such thing for Pix/ASA and FWSM. I recently tested the
Solsoft product to manage Pix/ASA products and the product is mediocre at best.
Checkpoint and Juniper have their share of bugs. I understand that software
is written by humans and bugs are part of it; however, bugs on Cisco Pix/ASA
are the worst. Have you ever tried version 7.2(2)-2? After applying the
code, if you try "show run + q" the box reboots. Is that an acceptable
solution?
Worse, on 7.2(2) code, if you have about 10 snmp-server commands in the
configuration, you can not perform "write mem". I guess what I am trying to
say is that CP and Juniper have bugs too but not stupid bugs like Cisco.
Up until version 7.2(1), you could not even do hairpinning with Cisco Pix for
clear-text traffic. Furthermore, you can't even do source-based routing on
these devices. These things can be done on Nokia and Juniper appliances.
When you said that when you want to upgrade from 6.x to 7.x, there is no
chassis replacement, that is NOT entirely true. What happens if you have
a Pix520 or a Pix506 or 506E? Don't you have to replace the chassis as well?
The limitation regarding the Pix firewall, specifically the Pix535, is that
in order to upgrade from 6.x to 7.x, you must have some of the NICs in the
33MHz bus or during monitor mode, the Pix will NOT see any interfaces at all.
Well, if you don't see any interfaces, then how are you supposed to upgrade
from 6.x to 7.x? By the way, before you challenge me on this one, you should
check with Cisco TAC because they agree with me on this one.
Have you ever tried to manage a Pix/ASA configuration with over 400,000
lines? Furthermore, have you ever tried rearranging interfaces on production
Pix firewalls? For example, you have to move a gig interface from a 33MHz slot
to a 66MHz slot while moving the quad card from a 66MHz slot to a 33MHz slot.
It is a freaking nightmare. I am talking about 6.x by the way, with logical
interfaces.
Need I say more?
The Pix firewall can not block "active" FTP while allowing only "passive" FTP
through the firewall at the same time when there is static NAT in place.
Before you want to challenge me on this, you need to contact Cisco TAC and
they will confirm this for you. On Checkpoint and Juniper firewalls, I can do
this in a heartbeat.
What you said about version 8.0 making Cisco a leader in the SSL VPN
market is certainly laughable. Last time I checked, Juniper SSL VPN
is at the top, followed by F5 FirePass and then Aventail SSL VPN.
Cisco and Checkpoint SSL VPN are at the bottom of the list. You must be
working in sales, I assume.
I am not bashing Cisco or any vendors. I like Cisco Pix firewalls when it
is ok to do so. Believe it or not, I like Cisco Pix more than Checkpoint when
it comes to performance. Cisco blows them away when it comes to performance.
When it comes to manageability, Checkpoint's centralized management is second
to none. Juniper is getting close with NetScreen Security Manager (NSM).
Cisco, on the other hand, has the pitiful Cisco Security Manager (CSM). This
product is pathetic, even to someone who likes Cisco products like myself.
I like Cisco products; however, I just wish that before Cisco releases
version 8.0, they would make version 7.x a stable version so that everyone
can benefit from it. BTW, the grass is NOT greener on the other side. CP and
Juniper are not making better software than Cisco, just a little more
stable.
tdt
awoland@aim.com wrote: WOW... I personally cannot believe the mixed
amount of rumor floating around this list on the ASA 8.0... What I find
even harder to believe is that you feel the PIX/ASA were/are mediocre
products...
I come from a CheckPoint & NetScreen background; also a background of PIX,
Cisco Centri Firewall (dead) and many, many others... I can certainly say
that there isn't a SINGLE firewall that is better than the PIX/ASA... You
cannot tell me that CheckPoint didn't have its share of bugs, and you
CERTAINLY can't say that about NetScreen...
What you CAN credit Cisco for is always providing investment protection & a
WORLD class feature list in their products... When I wanted to upgrade my
NetScreen 5200's & 5400's to have Deep Packet inspection, I had to fork-lift
upgrade them to ISG's/SSG's... If I wanted deep packet inspection on my
PIX, I had to upgrade from 6.x to 7.x... No chassis replacement, and
CERTAINLY no re-wiring, etc...
8.0 was originally going to be 7.3 & includes bug fixes. However, Cisco
has advanced the code in 7.3 so much & added so much more FREE
functionality, that it warranted re-numbering to a whole new train! The ASA
8.0 includes over 30+ application inspection engines (industry termed deep
packet inspection)... There is no other single platform that can provide
that level of intelligence without adding in an IPS module, etc... And that
is available in the same 515 or 525 I have owned for 5.5 years...
8.0 also makes the Cisco ASA an industry LEADER in the SSL VPN market...
The features/functionality/usability of the product + the performance
enhancements it offers are unheard of in a single software release!
But, I guess you're right... Let's bash the company that continues to provide
us the best products with the most investment protection in the industry...
How dare they continue to provide value.
To all who didn't deserve this thread, I apologize... But I am frustrated
with people on this list bashing Cisco & making it seem like the grass is
not only more green on the other side, but also that it is BROWN on the
Cisco side of the fence...
-Aaron
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
tdt_cciesec
Sent: Sunday, February 25, 2007 11:15 AM
To: Kal Han; M A
Cc: ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: ASA 8.0
I found the idea that Cisco is going to release version 8.0 soon to be
really laughable. It must be a sick joke or something.
Instead of releasing version 8.0, why don't they just concentrate on
fixing all the bugs currently in 7.x and make it stable before going with
8.x? IMHO, Cisco should have version 7.2(2) or whatever the flavor at the
moment from "ED" to "GD" before releasing 8.x code. By releasing 8.x (anytime
soon I guess) before having a stable release of 7.x, tells me that Cisco
has no credibility.
I am a big Cisco fan but they really turn me off when they start doing
stuff like this. It is no wonder why Checkpoint and Juniper have been kicking
Cisco in the butt when it comes to security. Cisco Pix and ASA are already a
mediocre product and now Cisco will make it worse.
my 2c
tdt
Kal Han wrote: 8.0 will run on both the platforms.
But it's going to have separate images for PIX and ASA.
Unlike 7.2.2 which has only one/same image for both the platforms.
8.0 is mainly going to be a web-VPN oriented release.
Might be releasing a software client for SSL VPNs.
Also you can expect to run more routing protocols on these boxes,
and some enhanced (rather new) voice security features.... etc.
Plus it will do everything VPN3K has been doing as they announced
that ASA is a complete superset of VPN3K
(NAC, web VPN with lots of features etc.).
Of course some of these features already exist in 7.2.
Thanks
Kal
On 2/22/07, M A wrote:
>
> I get the feeling that 8.0 will only run on the ASA, not the PIX. Does
> anyone know for sure?
>
> Thanks.
> ----- Original Message -----
> From: "Church, Chuck"
> To: "Larry Roberts" ; "Christopher M. Heffner"
> Cc: ;
> Sent: Wednesday, February 21, 2007 11:47 PM
> Subject: RE: ASA 8.0
>
> > How about support for traffic shaping, and NBAR (without needing a
> > separate IDS module)? Those would be nice for one customer I deal with
> > - Wireless ISP, limited bandwidth, has VoIP, and P2P traffic :(
> >
> > Chuck Church
> > Network Engineer
> > CCIE #8776, MCNE, MCSE
> > Multimax, Inc.
> > Enterprise Network Engineering
> > Home Office - 864-335-9473
> > Cell - 864-266-3978
> > cchurch@multimax.com
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Larry Roberts
> > Sent: Wednesday, February 21, 2007 8:05 PM
> > To: Christopher M. Heffner
> > Cc: Kaleem Khawaja; Tim; ccielab@groupstudy.com; security@groupstudy.com
> > Subject: Re: ASA 8.0
> >
> > I will give you a teaser...
> >
> > Think proprietary enhanced best path indicator....
> >
> > I'm running the beta code for 8.0 and ASDM 6.0 and it seems pretty
> > good. The changes made to ASDM make it more user friendly as well.
> > I have been focused on its certificate support for SSL and remote admin
> > but I plan to dig into it in more depth shortly.
> >
> > And before the question comes in, no I won't give it out....
> >
> > :)
> >
> > Larry
> >
> > Christopher M. Heffner wrote:
> >> Tim,
> >>
> >> Cisco PIX/ASA 8.0 is still in beta testing so the only documentation
> >> available at this time is for the beta testers. I can tell you that
> >> there are some really "COOL A**" changes coming down the line that I
> >> have been testing in the beta program.
> >>
> >> Cisco is going all out with this release!
> >>
> >> Stay tuned for the official release in the near future.
> >>
> >> Regards,
> >>
> >> Christopher M. Heffner, CCIE 8211, CCSI 98760
> >> Strategic Network Solutions, Inc.
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >> Kaleem Khawaja
> >> Sent: Wednesday, February 21, 2007 2:53 PM
> >> To: Tim
> >> Cc: ccielab@groupstudy.com; security@groupstudy.com
> >> Subject: Re: ASA 8.0
> >>
> >> Tim,
> >>
> >> I think you are correct, it seems that someone jumped the gun on this.
> >>
> >> Take a look:
> >>
> >> http://www.breezy.ca/?q=node/116
> >> and
> >> http://www.linksysinfo.org/forums/showthread.php?t=51386
> >>
> >> On 2/21/07, Tim wrote:
> >>
> >>> Hey Kaleem,
> >>>
> >>> Yep, I had this. I was looking for technical details, not marketing
> >>> glitz.
> >>>
> >>> I think that maybe Cisco hasn't posted any real tech info on this yet.
> >>>
> >>> But, I dunno for sure.
> >>>
> >>> Thanks, Tim
> >>>
> >>> ------------------------------
> >>>
> >>> *From:* Kaleem Khawaja [mailto:kaleem.khawaja@gmail.com]
> >>> *Sent:* Wednesday, February 21, 2007 12:15 PM
> >>> *To:* Tim
> >>> *Cc:* security@groupstudy.com
> >>> *Subject:* Re: ASA 8.0
> >>>
> >>> Tim,
> >>>
> >>> I am not sure if you have looked at this already or not, but here is
> >>> one presentation:
> >>>
> >>> http://www.cisco.com/application/pdf/en/us/guest/products/ps6120/c1161/cdccont_0900aecd805c768e.pdf
> >>>
> >>> On 2/21/07, *Tim* wrote:
> >>>
> >>> Hi Guys,
> >>>
> >>> I've spent hours trying to find detailed info on what's new with
> >>> version ASA 8.0
> >>>
> >>> So far, no luck.
> >>>
> >>> Is the info just not posted yet?
> >>>
> >>> If anyone knows where to find this info, can you post the links?
> >>>
> >>> TIA, Tim
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:49 ART