[c-nsp] Telnet FROM a PIX Appliance?

Ted Mittelstaedt tedm at toybox.placo.com
Mon Jul 7 03:49:12 EDT 2008


-----Original Message-----
From: Brandon Bennett [mailto:bennetb at gmail.com]
Sent: Sunday, July 06, 2008 10:49 AM
To: Ted Mittelstaedt
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?


On Sun, Jul 6, 2008 at 12:26 AM, Ted Mittelstaedt <tedm at toybox.placo.com>
wrote:


>>I disagree.  The reason they use them is they are cheap.  Cisco
>>did not require a separate IOS license the way that they do with
>>a router running IOS-Firewall Feature set.

>I have found that PIX/ASA does a much better job at stateful firewalling
>than CBAC can even though they share 95% of the same inspect engines.  I
>have never had an issue with scaling the CPU/memory on a PIX or resource
>limitations.   I have had this on IOS from time to time.

I have, actually.  With a lot of VPN tunnels terminated on a PIX 506.
Not that I blame the PIX though, as I had been telling the customer
almost a year earlier that they would need a 515.

I've also had trouble with stateful inspection on IOS on a router
with insufficient RAM in it.  Once again, I predicted to the customer
in advance it would happen, the customer didn't want to spend
money in advance on ram, and sure enough it did happen at an
inconvenient time for them.

Both times I savored saying "I told you so", believe me.

>> Yes, and Cisco could have used the freely available NAT code
>>that was BSD-licensed (ie: free, NOT GPL, really free).  They
>>did not have to pay off the NTI guys for something already
>>available for free.  And they didn't.  They wanted the NTI
>>customer brainshare, and likely, to put a potential competitor out
>>of business.

>The fact of the matter is that NTI was doing it better and faster than
>the Sun and BSD implementations out there at the time.

I was not aware of any Sun NAT implementation at that time period.  If
there was, what was it?  Checkpoint did run on Solaris, I admined one of
those as a matter of fact, but it was not NAT.  And it was annoying.

As for the NTI being better than BSD, that's just your opinion.
First of all the NAT stuff was only on FreeBSD, NOT on any of the
other BSD's, and it definitely wasn't on Solaris.  When it was
released it was a set of kernel patches and an application, and
it wasn't applicable to any other UNIX.

Please point out any "bake-off" comparisons that were done at
that time.  Most people didn't know what NAT was.  I never had
problems with the FreeBSD implementation of NAT and in fact, doing
it this way supported some applications that the Cisco IOS nat didn't.
(at the beginning) like PPTP client VPN's initiated from behind.  And
Netmeeting H.323 since you could also run a NM proxy on the system,
if you recall that was pretty common in the NT days for remote control
since it was free.

I never used the NTI stuff at that time so I don't have an opinion
on which was better, but I'll bet money you never used the FreeBSD
NAT patches either, so I'll put your "fact of the matter is"
statement down to youthful eagerness and leave it at that. ;-)

>Combine this with
>the fact that it was easy to setup, maintain, and monitor similar to the
>rest of the network gear

If a PIX is so easy to setup and maintain then I would have not
had quite a lot of work over the years in administering them for
people.

I will say that the PIX command line is no worse to set up and
admin than IOS - once you know all of the idiosyncrasies of the
PIX OS - but that's no different than the idiosyncrasies of IOS.
I do find the PIX GUI to be a big piece of crap, though.

But, the assertion that it's easy to set up is only the case when
you're talking about real network admins.  For the general public,
that is frankly absurd.  What is easy to set up is a Linksys RV042.
(which will VPN into a PIX quite nicely, although you have to turn
off stateful packet inspection on it if you're running Vista, per
http://support.microsoft.com/kb/934430/en-us)

>and it just makes sense.   I don't think this
>is an example of Cisco trying to dominate the market by "buying-out"
>competitors.  If that was the case Cisco would not have continued the
>product line for 13 years (and running).

Continuing the product line for 13 years is definitely not a
symptom of a company trying to buy out a competitor, you're right
there.  What it IS a symptom of, is a company trying to keep
a captured customer base from bolting.  If there had been no
brainshare and no customer base for the NTI stuff then Cisco
would have done the same thing they did when they picked up
the ISDN technology they wanted from Combinet, they would have
almost immediately renamed the product line and moved all
the decent technology into IOS as quick as they could.

I'm sure you have been in the business long enough to understand
that companies only buy other companies to make money.  That
money comes from - drumroll - customers, does it not?  Thus
to put it simply, companies only buy other companies so they
can get more money out of customers.  They don't do it to
make prices cheaper for you, they do it so they can lock you
into them further, or because they pitched their products to
you and you didn't like them and so went with someone else, now
they bought that someone else, so they own you even though
you never liked them.

The stated reasons of "helping customers" are almost always
utter hogwash.  For the most part acquisitions essentially
reduce competition and thus allow
the acquiring company to maintain high prices or jack up their
prices.  This doesn't help customers.  The very FEW times
that an acquisition helps is when the acquired company was
going bankrupt - and you're a customer who bought in to the
failing company's product line.  But boy, you're gonna pay through
the nose to the acquiring company to maintain your service
agreements, and the fact of the matter is you made a decision
to buy into a loser's products - it's a regrettable decision
no matter how you slice it, and the acquiring company is
merely less unpleasant than scrapping and replacing the
product.

If Cisco hadn't maintained the PIX product line for as long
as they did, I would agree that Cisco just bought NTI because
they wanted its technology.  But you are missing the obvious
here.  You're saying the ASA is a PIX, meaning Cisco isn't killing
the PIX after all.  If so, why?  I'll tell you, it's because
there's a customer base out there that is large!  It is NOT
because it's better or worse to do the same thing that the
PIX does on an IOS router, it's because this large customer
base THINKS it's better to do the stuff the PIX does on a
standalone box that isn't a router.  The baby wants his
bottle and Cisco isn't going to take it away.  Simple as that.

>>Let's just say Cisco's not discontinuing a PIX-like firewall.  But
>>calling the ASA a PIX?  No, not at all.  The ASA is ever worse
>>to deal with than the PIX

>Dude, the ASA is a PIX with some slight modifications.  The code was shared
>until 8.x (you could boot ASA code on a PIX and PIX code on an ASA).  In 8.x
>the ASA now runs a Linux kernel, but most of the actual firewall code is
>the same.  For all intents and purposes the ASA is the next-generation PIX.

If it only has slight modifications then it's definitely not
next-generation.  Make up your mind, please! :-)

The reason -I- think the ASA is worse is because the ASA just
perpetuates the nonsense that a router can't be a firewall.
Sure it can, it just depends on what firmware is running on it.
Cisco missed the boat here to educate the customer base.  I
am just thankful Cisco jacked up the price so I can educate
my customers without them just hearing "mo money mo money
mo money mo money".

>Furthermore the price difference between the PIX and the ASA is not much.
>There is still free 3DES/AES licensing, there is still free IPSec VPN
>termination.  The only difference would be the additional licensing and
>modules that the ASA can do (SSLVPN, IPS, etc)

>Let's compare.  PIX 515E could handle 190 Mbit clear text.  The ASA 5510 can
>handle 300 Mbit clear text.

>List price of a PIX-515E-UR-BUN. PIX 515E-UR Bundle (Chas, Unrestricted SW,
> 128MB, 2 FE,VAC+), USD 6,995.00
>List price of a ASA5510-BUN-K9, ASA 5510 Appliance with SW, 5FE,3DES/AES,
>  USD 3,495.00

>So the ASA is actually FAR cheaper.

Don't you mean ASA5510-SEC-BUN-K9 with the 2 GE ports?  How are you going to get
300 Mbit through 2 FE ports?  Let's tack on an extra $1K, shall we?  And
where does Cisco get off charging an extra $3K for 50 miserable SSL VPN
licenses?  The SSL protocol is OPEN for God's sake.  Oh I get it, REMOVE
support for PPTP VPN's (ie: out of the box Microsoft VPN client that's
FREE) and replace it with SSL VPN client that -costs money-  Yeah, give
me more, baby.  Harder, Harder!

And, I forgot about AIP, what is that, $7K a year for a subscription?
So if you don't pay the $7K a year, then when the latest AIM comes out
that is written to get around the current inspection and is wasting your
employees productivity in spades, you have to buy a new ASA.  Great one,
that!!

> Even the ASA5520 (which may be bit more
> of a better comparison) is still cheaper than the PIX515e.

The point was rather a comparison between IOS-based router and
PIX or ASA, not between PIX and ASA.

In any case, how many companies have 300 Mbit Internet connections?
How many companies have 190 Mbit Internet connections?  And how exactly
do you get 190 Mbit through a 515 which only had 2 10/100 Mbit interfaces
on it? ;-)  These are BigCo comparisons you're talking, and frankly,
BigCo's buy what they do because of their previously established
vendor relationships, they are not switching to ASA's because they
care about the price.  And most BigCo's buy direct from Cisco
anyhow, so the list prices are pure fiction.

A much more realistic comparison with product that's sold to
people who actually do care about the price is:

PIX-506E-BUN-K9  @  $1,395  vs ASA5505-UL-BUN-K9 @ $995.  So yes,
on the surface it LOOKS like a better deal - until you have to bend
over and take it in the shorts for that insane SSL VPN license.  Oh,
and of course, with the 5505, you're screwed there since 50 SSL users
is the licensed limit, you have to go to the 5510 for more.  The old 506E
had no restriction on number of VPN clients.

In a router vs ASA comparison:

CISCO1841-SEC/K9  1841 Security Bundle, Advanced Security, 64FL/256DR
$2495

ASA5505-SSL-10-K9  ASA 5505 VPN Edition w/ 10 SSL Users, 50FW Users,
3DES/AES
$2095

Let's see, with the former I can use all of my free Microsoft VPN clients,
PPTP, L2TP, whatever I want, as many as I want.  I can put in as many
server to server VPN's as I want.  I can drop in a T1 card if needed.  I
can have as much stuff as I want behind it.

With the ASA I can have a max 10 SSL users, or I have to switch all my
Microsoft VPN clients over to L2TP.  I'm limited to 50 users.

For the extra $400 it's not worth dealing with the ASA when you can
have a real router.  And 5 years from now when some competitor has
come out with an ethernet-to-ethernet firewall that is better than
the ASA, well I can still use the router to feed the T1.

And on top of that IOS has had IPv6 for years, the ASA just finally
got a working implementation with version 8.0.3 or so I read.  (I
don't really know, maybe it still doesn't work right)

>>As far as the rest of your conversation, it's kinda getting far off topic.
:)

>Although I am not sure how much information I can take from a guy who
>thought PIX code was Windows 3.1 based.  (Not to mention Windows 3.1 didn't
>even include a kernel!).

I never said CURRENT code was Win 3.1 based, I said I had heard that
the original PIX code from pre-Cisco days was Win 3.1 based.
Surely you remember that Win 3.1 will run in real
mode, without the GUI, by just putting command.com as the last statement
in the winstart.bat file.  Win 3.0, don't forget,
would run on an XT, in real mode, with a GUI.  Back in
those days a lot of people who wrote embedded stuff would
use DOS or a stripped Windows merely as a program loader,
so it didn't seem that farfetched to me when I heard it.

>The wrap up: The PIX/ASA is a very capable firewall, you quickly learn
>ways around not being able to telnet from the box itself.  IOS as well
>shares a lot from the PIX/ASA (and vice versa) and also can make a good
>firewall.  With the ASR1000 it can make a very very quick firewall :)
>Also there are other options from other vendors (blasphemy... I know)
>like a netscreen (which ironically ALSO doesn't allow you to telnet
>from the box :) )

Or, a Linux box with squid as a transparent proxy, etc.

Ted