[c-nsp] Telnet FROM a PIX Appliance?

Ted Mittelstaedt tedm at toybox.placo.com
Sun Jul 6 02:06:45 EDT 2008


Yes.  I heard this from the president/owner of Imagestream.
Considering what that company makes there's no question in
my mind that they reverse-engineered one of the very early
version PIXes.  There are vestiges of this even in current
code - notice for example that access-list subnet masks are
not IOS-style, they are DOS/Windows style - although I'm 
sure with the number of PIXes that Cisco sold once they
bought the product, any licensable Windows code was long
since removed.

Ted

> -----Original Message-----
> From: Tony Varriale [mailto:tvarriale at comcast.net]
> Sent: Thursday, July 03, 2008 9:50 PM
> To: Ted Mittelstaedt
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
> 
> 
> Holy crap.  Did you say Windows?
> 
> tv
> ----- Original Message ----- 
> From: "Ted Mittelstaedt" <tedm at toybox.placo.com>
> To: "Ziv Leyes" <zivl at gilat.net>; "Joerg Mayer" <jmayer at loplof.de>; "Aaron R" <aaronis at people.net.au>
> Cc: <cisco-nsp at puck.nether.net>
> Sent: Thursday, July 03, 2008 10:21 PM
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
> 
> 
> >
> > Rubbish.
> >
> > The reason the PIX doesn't allow Telnet is that the original
> > PIX devices were built on a Windows core, Windows 3.1 as I
> > believe, with the GUI and most of the command line utilities
> > stripped away.  Because the PIX was an early out-of-the-hole
> > firewall, it captured a customer base of customers who needed
> > a firewall but frankly didn't understand much about what they
> > needed.  ie: dumb bunnies in cash-rich organizations willing
> > to buy sub-par technology that was hyped up to ridiculous
> > amounts.  It's an old story in technology.
> >
> > This was a very valuable customer base which is why Cisco
> > purchased the PIX product line.  Cisco had little interest
> > in the lame firewalling technology of the PIX and has
> > spent at least a decade of careful work grooming the PIX
> > customers off PIXes and on to Cisco router platforms.  To
> > accomplish this they were -extraordinarily- careful to
> > preserve the PIX interface and limitations over the years.
> > But as anyone who works with PIXes knows, Cisco has really
> > not improved the basic technology of the PIX over the years.
> >
> > That is why the current Cisco IOS-based firewalls have
> > a firewalling feature set that knocks a PIX into a cocked
> > hat.
> >
> > It is also why Cisco has finally felt comfortable enough
> > that they have migrated the PIX customers worth keeping
> > over to their own product line, to announce that they were
> > discontinuing the PIX product line.  As they did recently.
> >
> > Ted
> >
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net
> >> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Ziv Leyes
> >> Sent: Monday, June 30, 2008 5:31 AM
> >> To: Joerg Mayer; Aaron R
> >> Cc: cisco-nsp at puck.nether.net
> >> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
> >>
> >>
> >> I guess it's more as a "working right" educational purpose, so
> >> you won't use your firewall as a debugging client.
> >> In newer versions there's the packet tracker that can help you
> >> debug connectivity problems.
> >> Ziv
> >>
> >>
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net
> >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer
> >> Sent: Monday, June 30, 2008 2:21 PM
> >> To: Aaron R
> >> Cc: cisco-nsp at puck.nether.net
> >> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
> >>
> >> On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote:
> >> > It is disabled as a security feature. I have also wanted to do the same for
> >> > troubleshooting purposes.
> >>
> >> And why exactly is this a security feature? What is the *gain* in
> >> security?
> >>
> >>  Ciao
> >>   Joerg
> >> --
> >> Joerg Mayer                                           <jmayer at loplof.de>
> >> We are stuck with technology when what we really want is just stuff that
> >> works. Some say that should read Microsoft instead of technology.
> >>
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>
> >> ******************************************************************
> >> ******************
> >> This footnote confirms that this email message has been scanned by
> >> PineApp Mail-SeCure for the presence of malicious code, vandals &
> >> computer viruses.
> >> ******************************************************************
> >> ******************