[c-nsp] Telnet FROM a PIX Appliance?

Brandon Bennett bennetb at gmail.com
Mon Jul 7 16:17:55 EDT 2008


>
> >I have, actually.  With a lot of VPN tunnels terminated on a PIX 506.
> >Not that I blame the PIX though, as I had been telling the customer
> >almost a year earlier that they would need a 515.


And running a production webserver on a 486-DX2 is also not a good idea.  I
don't see your point here.


> >I was not aware of any Sun NAT implementation at that time period.  If
> >there was, what was it?  Checkpoint did run on Solaris, I admined one of
> >those as a matter of fact, but it was not NAT.  And it was annoying.
>
> >As for the NTI being better than BSD, that's just your opinion.

Well, the point that Brantley Coile made is that he could not get the
performance he wanted using traditional IP stacks on those platforms.  Not
so much my opinion, but his.


> >Please point out any "bake-off's" comparisons that were done at
> >that time.


Pointless and a waste of time.  If you want to argue PIX popularity 13 years
ago, be my guest.  I will not be subject to it however.



> >Most people didn't know what NAT was.  I never had
> >problems with the FreeBSD implementation of NAT and in fact, doing
> >it this way supported some applications that the Cisco IOS nat didn't.
> >(at the beginning) like PPTP client VPN's initiated from behind.  And
> >Netmeeting H.323 since you could also run a NM proxy on the system,
> >if you recall that was pretty common in the NT days for remote control
> >since it was free.


Again off-topic and pointless.  NAT didn't just get deployed on
nearly every enterprise network overnight.  It started somewhere; the
applications that ran over it don't matter.

>
>
> >I never used the NTI stuff at that time so I don't have an opinion
> >on which was better, but I'll bet money you never used the FreeBSD
> >NAT patches either, so I'll put your "fact of the matter is"
> >statement down to youthful eagerness and leave it at that. ;-)


I was arguing a technical point.  My grammar and choice of words may have
been poor.  I apologize.

>
>
> >If a PIX is so easy to setup and maintain then I would have not
> >had quite a lot of work over the years in administering them for
> >people.


It was a lot easier in 1995/1996 to unbox a PIX and enter some commands
to set up NAT than it was to apply a patch and compile a new FreeBSD kernel and
userland utilities.   Nowadays this just comes down to a matter of
preference.

>
>
> >I will say that the PIX command line is no worse to setup and
> >admin than IOS - once you know all of the idiosyncracies of the
> >PIXos - but that's no different than the idiosyncracies of IOS.
> >I do find the PIX GUI to be a big piece of crap, though.


There is at least something we agree on :)

>
>
> >But, the assertion that it's easy to setup is only the case when
> >your talking about real network admins.  For the general public,
> >that is frankly absurd.  What is easy to setup is a Linksys RV042.
> >(which will VPN into a PIX quite nicely, although you have to turn
> >off stateful packet inspection on it if your running Vista, per
> >http://support.microsoft.com/kb/934430/en-us)


Both of which are products of the 21st century.  I think you either really
misinterpreted my point or you are just grasping for anything.

---- clip ----------
>a bunch of crap of acquisitions
--- clip -----------

Who cares.



>
> >If Cisco hadn't maintained the PIX product line for as long
> >as they did, I would agree that Cisco just bought NTI because
> >they wanted it's technology.  But you are missing the obvious
> >here.  Your saying the ASA is a PIX, meaning Cisco isn't killing
> >the PIX after all.  If so, why?  I'll tell you, it's because
> >there's a customer base out there that is large!  It is NOT
> >because it's better or worse to do the same thing that the
> >PIX does on an IOS router, it's because this large customer
> >base THINKS it's better to do the stuff the PIX does on a
> >standalone box that isn't a router.  The baby wants his
> >bottle and Cisco isn't going to take it away.  Simple as that.


Interesting standpoint.  I view it more as a customer choice.  There are
some things I find easier on a PIX (troubleshooting, captures, packet-tracer)
and there are some things I find much better on IOS (LAN to LAN IPsec), and they
are both very capable products.   If you want to push your customers onto
IOS firewalls, knock yourself out.  I don't think anyone can argue that
point.

>If it only has slight modifications then it's definitely not
> >next-generation.  Make up your mind, please! :-)


Oh jesus christ.  If your only argument on why you think the ASA is not a
PIX is some grammatical semantics on my part then you have bigger problems.


>
> The reason -I- think the ASA is worse is because the ASA just
> perpetuates the nonsense that a router can't be a firewall.
> Sure it can, it just depends on what firmware is running on it.
> Cisco missed the boat here to educate the customer base.  I
> am just thankful Cisco jacked up the price so I can educate
> my customers without them just hearing "mo money mo money
> mo money mo money".
>
> >Don't you mean ASA5510-SEC-BUN-K9 with the 2GE ports?

>How are you going to get 300mbt through 2 FE ports?

Gigabit interfaces are not available on the 515.  Why is that a fair
comparison?



> >And where does Cisco get off charging an extra $3K for 50 miserable SSL
> VPN
> >licenses?


The same license is required on IOS to support the same functionality.

>The SSL protocol is OPEN for God's sake.


They aren't charging for the SSL protocol, they are charging for all the
additional features that come with it.  Do you even understand what the SSL
VPN product is?  It provides proxied connections for HTTP, Citrix, RDP and
Exchange, in addition to almost any application you throw at it.  In
addition it creates a full tunnel through TLS and TLS over UDP.

None of which is defined in the SSL standard!


> >Oh I get it, REMOVE support for PPTP VPN's (ie: out of the box Microsoft
> VPN client that's
> >FREE) and replace it with SSL VPN client that -costs money-  Yeah, give
> >me more, baby.  Harder, Harder!


The IPsec license is still free.  L2TP over IPsec is still free and works with
Microsoft out of the box (and is secure!).   PPTP was removed because it is
not a secure protocol!

>
> >And, I forgot about AIP, what is that, $7K a year for a subscription?
> >So if you don't pay the $7K a year, then when the latest AIM comes out
> >that is written to get around the current inspection and is wasting your
> >employees productivity in spades, you have to buy a new ASA.  Great one,
> >that!!


Say what?  There are cheaper Smartnet contracts out there.  Do some
research.

>
>
> The point was rather a comparison between IOS-based router and
> PIX or ASA, not between PIX and ASA.
>
> >In any case, how many companies have 300Mbit Internet connections?
> >How many companies have 190Mbit Internet connections?  And how exactly
> >do you get 190Mbts through a 515 which only had 2 10/100Mbt interfaces
> >on it? ;-)  These are BigCo comparisons your talking, and frankly,
> >BigCo's buy what they do because of their previously established
> >vendor relationships, they are not switching to ASA's because they
> >care about the price.


I said nothing about companies or the reason to buy an ASA.  It was merely
comparing the price of two similar firewalls.  You fabricated the rest.  Yes,
when buying a firewall, or any gear for that matter, you must take a lot
into consideration.  No one is arguing that.


> >And most BigCo's buy direct from Cisco anyhow, so the list prices are pure
> fiction.


They still get a discount off of list on most gear.  So list prices are a
good comparison standpoint.  Now I can't say take the list prices from
Juniper and compare them to Cisco as I get different discounts from each
company, but to compare Cisco to Cisco it is 100% valid.


>
>
> A much more realistic comparison with product that's sold to
> people who actually do care about the price is:
>
> >PIX-506E-BUN-K9  @  $1,395  vs ASA5505-UL-BUN-K9 @ $995.  So yes,
> >on the surface it LOOKS like a better deal - until you have to bend
> >over and take it in the shorts for that insane SSL VPN license.  Oh,
> >and of course, with the 5505, your screwed there since 50 SSL users
> >is the licensed limit, you have to go to the 5510 for more.  The old 506E
> >had no restriction on number of VPN clients.


A PIX cannot support SSL VPN.  SSL VPN is an additional feature available (via a
license) on the ASA platform.  The ASA still includes free IPsec VPN client
termination (and LAN to LAN).   Yes, there is a hard limit on the number of
_IPsec_ clients on the ASA platform, which some have complained about, but you
shouldn't be terminating that many clients on a PIX 506 in the first place.
It has no hardware crypto!

>CISCO1841-SEC/K9  1841 Security Bundle, Advanced Security, 64FL/256DR
> >$2495
>
> >ASA5505-SSL-10-K9  ASA 5505 VPN Edition w/ 10 SSL Users, 50FW Users,
> >3DES/AES
> >$2095
>
> >Let's see, with the former I can use all of my free Microsoft VPN clients,
> >PPTP, L2TP, whatever I want, as many as I want.  I can put in as many
> >server to server VPN's as I want.  I can drop in a T1 card if needed.  I
> >can have as much stuff as I want behind it.

>With the ASA I can have a max 10 SSL users, or I have to switch all my
>Microsoft VPN clients over to L2TP.  I'm limited to 50 users.

Yes, and those are some valid points for why you should use an IOS based router
as a firewall.  These reasons are definitely more apparent in SMB
situations.  Where you have separate hardware in a corporate environment most
of this is moot.

As far as PPTP goes, dude, it's 2008!   PPTP has not only proven to be insecure,
it also doesn't work through PAT, as it requires a GRE tunnel (GRE
doesn't have port numbers).   It's like saying I should run my network with
RIPv2 because my routers support it.  Sure it's there; that doesn't mean you
should use it.

The PIX forces a certain level of security onto the users.  I cannot enable telnet
on the outside interface, for example.  Argue this point if you must, but I
don't see it as a bad thing.   You can set up an IOS based PPTP server for
termination while you migrate your users to another platform.

As far as SSL VPN licenses go, Cisco is currently the cheapest per SSL VPN
user in the industry.  Seems to me that's not bad.  If that's still too
expensive for you, use IPsec, L2TP over IPsec, or an open source solution
like OpenVPN.

>
> >And on top of that IOS has had IPv6 for years, the ASA just finally
> >got a working implementation with version 8.0.3 or so I read.  (I
> >don't really know, maybe it still doesen't work right)


According to Feature Navigator, IPv6 IOS Firewall was added in IOS 12.3T.
Although that is ahead of the curve compared to the ASA, 12.3T is also ED code and
shouldn't be used.

>
> >I never said CURRENT code was Win 3.1 based, I said I had heard that the
> >original PIX code from pre-Cisco days was Win 3.1 based.
> >Surely you remember that Win 3.1 will run in real
> >mode, without the GUI, by just putting command.com as the last statement
> >in the winstart.bat file.  Win 3.0, don't forget,
> >would run on an XT, in real mode, with a GUI.  Back in
> >those days a lot of people who wrote embedded stuff would
> >use DOS or a stripped Windows merely as a program loader,
> >so it didn't seem that farfetched to me when I heard it.


Seriously?!?  I don't even know what to say to that....

>
>
>  In the end its your network.  That was the point.
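The PAT/GRE point made in the reply above (PPTP's data channel cannot be port-translated because GRE has no port field) can be shown concretely. The following is an added example and is not code from the original post or from either participant; it constructs IPv4/TCP and IPv4/GRE packets in memory and runs them through a toy port-address translator with one public address. The addresses, port numbers and the PAT class are all assumptions made for the illustration.

```python
import socket
import struct

PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47


def ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header in front of payload (checksum left zero;
    these packets are constructed in memory and never sent)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def tcp_syn(src, dst, sport, dport):
    """IPv4 + TCP SYN. The 16-bit source port is the field a PAT device rewrites."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ipv4(PROTO_TCP, src, dst, tcp)


def gre(src, dst, inner_proto=0x880B):
    """IPv4 + a basic 4-byte GRE header (flags/version, protocol type).
    0x880B is the PPP protocol type PPTP carries. There is no port field."""
    return ipv4(PROTO_GRE, src, dst, struct.pack("!HH", 0, inner_proto))


class PAT:
    """Toy port-address translation behind a single public address (assumed
    design for the illustration, not any vendor's implementation)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000       # first public port handed out
        self.inside = {}             # inside flow -> outside-visible key
        self.outside = {}            # outside-visible key -> inside flow

    def translate(self, pkt):
        """Return the flow key the outside world sees for this packet, or None
        if the packet cannot be given a distinct identity behind public_ip."""
        f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        ihl, proto = (f[0] & 0x0F) * 4, f[6]
        src, dst = socket.inet_ntoa(f[8]), socket.inet_ntoa(f[9])
        if proto in (PROTO_TCP, PROTO_UDP):
            # TCP/UDP: rewrite the source port so many inside hosts share one IP
            sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
            flow = (proto, src, sport, dst, dport)
            if flow not in self.inside:
                key = (proto, self.public_ip, self.next_port, dst, dport)
                self.next_port += 1
                self.inside[flow] = key
                self.outside[key] = flow
            return self.inside[flow]
        if proto == PROTO_GRE:
            # GRE: nothing to rewrite, so the only outside identity is
            # (47, public_ip, dst), shared by every inside host tunnelling to dst
            key = (proto, self.public_ip, None, dst, None)
            flow = (proto, src, None, dst, None)
            owner = self.outside.setdefault(key, flow)
            return key if owner == flow else None
        return None


def demo():
    """Two inside hosts behind one public address, both running PPTP to the
    same server: the TCP control channel (port 1723) translates fine, the GRE
    data channel collides for the second host."""
    pat = PAT("203.0.113.1")           # assumed public address
    server = "198.51.100.7"            # assumed PPTP server
    return {
        "tcp_a": pat.translate(tcp_syn("10.0.0.5", server, 49152, 1723)),
        "tcp_b": pat.translate(tcp_syn("10.0.0.6", server, 49152, 1723)),
        "gre_a": pat.translate(gre("10.0.0.5", server)),
        "gre_b": pat.translate(gre("10.0.0.6", server)),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(name, "->", key if key else "COLLISION: no field to rewrite")
```

The first inside host's GRE flow is accepted, the second host's is not, because the translator has no per-flow field to rewrite and cannot tell the two returning GRE streams apart. This goes slightly beyond the post: the SOHO boxes that do pass PPTP through PAT get around it with a PPTP-specific ALG that tracks the call ID in PPTP's enhanced GRE header (RFC 2637) rather than a port; plain GRE, as modelled here, has no such field.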

