[c-nsp] Telnet FROM a PIX Appliance?

Brandon Bennett bennetb at gmail.com
Sun Jul 6 13:49:25 EDT 2008


On Sun, Jul 6, 2008 at 12:26 AM, Ted Mittelstaedt <tedm at toybox.placo.com>
wrote:

>
> > What!?  The original PIX code was < 500k as the first versions from
> > Network Translations only had 512k flash modules in them.  There is no
> > way that it was based on Windows, not even 3.1.
>

Straight from the horse's mouth.  It was written from the ground up.

http://www.control.auc.dk/~magnus/Mailboxe/firewall-archive/0000.html

also another good read:

http://home.cfl.rr.com/dealgroup/pix/pix_page_history.htm

Apparently they used a Plan9 computer to develop it as well, with the rumor that
PIX is a dedication to Plan9, IX being the Roman numerals for 9.


> > I disagree.  The reason they use them is they are cheap.  Cisco
> > did not require a separate IOS license the way that they do with
> > a router running IOS-Firewall Feature set.
>

I have found that PIX/ASA does a much better job at stateful firewalling
than CBAC can, even though they share 95% of the same inspect engines.  I
have never had an issue with scaling the CPU/memory on a PIX, or with resource
limitations.  I have had this on IOS from time to time.


> Yes, and Cisco could have used the freely available NAT code
> that was BSD-licensed (ie: free, NOT GPL, really free).  They
> did not have to pay off the NTI guys for something already
> available for free.  And they didn't.  They wanted the NTI
> customer brainshare, and likely, to put a potential competitor out
> of business.

The fact of the matter is that NTI was doing it better and faster than the
Sun and BSD implementations out there at the time.  Combine this with the fact
that it was easy to set up, maintain, and monitor, similar to the rest of the
network gear, and it just makes sense.   I don't think this is an example of
Cisco trying to dominate the market by "buying out" competitors.  If that
was the case Cisco would not have continued the product line for 13 years
(and running).

> Let's just say Cisco's not discontinuing a PIX-like firewall.  But
> calling the ASA a PIX?  No, not at all.  The ASA is even worse
> to deal with than the PIX

Dude, the ASA is a PIX with some slight modifications.  The code was shared
until 8.x (you could boot ASA code on a PIX and PIX code on an ASA).  As of 8.x
the ASA runs a Linux kernel, but most of the actual firewall code is
the same.  For all intents and purposes the ASA is the next-generation PIX.


Furthermore, the price difference between the PIX and the ASA is not much.
There is still free 3DES/AES licensing, there is still free IPSec VPN
termination.  The only difference would be the additional licensing and
modules that the ASA can do (SSLVPN, IPS, etc).

Let's compare: the PIX 515E can handle 190 Mbit/s clear text.  The ASA 5510 can
handle 300 Mbit/s clear text.

List price of a PIX-515E-UR-BUN, PIX 515E-UR Bundle (Chassis, Unrestricted SW,
128MB, 2 FE, VAC+): USD 6,995.00
List price of an ASA5510-BUN-K9, ASA 5510 Appliance with SW, 5 FE, 3DES/AES:
USD 3,495.00

So the ASA is actually FAR cheaper.   Even the ASA 5520 (which may be a bit
better of a comparison) is still cheaper than the PIX 515E.

The config is the same, the code is the same.  I am not sure why you say
they are far different.  I've been using PIX for nearly 8 years now and the
ASA is nothing different.


As far as the rest of your conversation, it's kinda getting far off topic. :)

Although I am not sure how much information I can take from a guy who thought
PIX code was Windows 3.1 based.  (Not to mention Windows 3.1 didn't even
include a kernel!)

The wrap-up: the PIX/ASA is a very capable firewall, and you quickly learn ways
around not being able to telnet from the box itself.  IOS also shares a
lot with the PIX/ASA (and vice versa) and can make a good firewall as well.
With the ASR1000 it can make a very, very quick firewall :)   Also there are
other options from other vendors (blasphemy... I know) like a NetScreen
(which ironically ALSO doesn't allow you to telnet from the box :) )

-Brandon Bennett
CCIE No 19406.
