[c-nsp] Telnet FROM a PIX Appliance?
jason.plank at comcast.net
Mon Jul 7 16:29:14 EDT 2008
Brandon,
Much respect.
--
Regards,
Jason Plank
CCIE #16560
e: jason.plank at comcast.net
-------------- Original message ----------------------
From: "Brandon Bennett" <bennetb at gmail.com>
> >
> > >I have, actually. With a lot of VPN tunnels terminated on a PIX 506.
> > >Not that I blame the PIX though, as I had been telling the customer
> > >almost a year earlier that they would need a 515.
>
>
> And running a production webserver on a 486-DX2 is also not a good idea. I
> don't see your point here.
>
>
> > >I was not aware of any Sun NAT implementation at that time period. If
> > >there was, what was it? Checkpoint did run on Solaris, I admined one of
> > >those as a matter of fact, but it was not NAT. And it was annoying.
> >
> > >As for the NTI being better than BSD, that's just your opinion.
>
> Well the point that Bradly Coile made is that he could not get the
> performance he wanted using traditional IP stacks on those platforms. Not
> so much my opinion, but his.
>
>
> > >Please point out any "bake-offs" or comparisons that were done at
> > >that time.
>
>
> Pointless and a waste of time. If you want to argue PIX popularity 13 years
> ago, be my guest. I will not be subject to it however.
>
>
>
> > >Most people didn't know what NAT was. I never had
> > >problems with the FreeBSD implementation of NAT and in fact, doing
> > >it this way supported some applications that the Cisco IOS nat didn't.
> > >(at the beginning) like PPTP client VPN's initiated from behind. And
> > >Netmeeting H.323 since you could also run a NM proxy on the system,
> > >if you recall that was pretty common in the NT days for remote control
> > >since it was free.
>
>
> Again off-topic and pointless. NAT didn't just one day get deployed on
> nearly every enterprise network overnight. It started somewhere; the
> applications that ran over them don't matter.
>
> >
> >
> > >I never used the NTI stuff at that time so I don't have an opinion
> > >on which was better, but I'll bet money you never used the FreeBSD
> > >NAT patches either, so I'll put your "fact of the matter is"
> > >statement down to youthful eagerness and leave it at that. ;-)
>
>
> I was arguing a technical point. My grammar and choice of words may have
> been poor. I apologize.
>
> >
> >
> > >If a PIX is so easy to setup and maintain then I would have not
> > >had quite a lot of work over the years in administering them for
> > >people.
>
>
> It was a lot easier in 1995/1996 to unbox a PIX and enter in some commands
> to set up NAT than it was to apply a patch and compile a new FreeBSD kernel
> and userland utilities. Nowadays this just comes down to a matter of
> preference.
>
> >
> >
> > >I will say that the PIX command line is no worse to set up and
> > >admin than IOS - once you know all of the idiosyncrasies of the
> > >PIXos - but that's no different than the idiosyncrasies of IOS.
> > >I do find the PIX GUI to be a big piece of crap, though.
>
>
> There is at least something we agree on :)
>
> >
> >
> > >But, the assertion that it's easy to set up is only the case when
> > >you're talking about real network admins. For the general public,
> > >that is frankly absurd. What is easy to set up is a Linksys RV042.
> > >(which will VPN into a PIX quite nicely, although you have to turn
> > >off stateful packet inspection on it if you're running Vista, per
> > >http://support.microsoft.com/kb/934430/en-us )
>
>
> Both of which are products of the 21st century. I think you either really
> misinterpreted my point or you are just grasping for anything.
>
> ---- clip----------
> >a bunch of crap of acquisitions
> >--- clip-----------
>
> Who cares.
>
>
>
> >
> > >If Cisco hadn't maintained the PIX product line for as long
> > >as they did, I would agree that Cisco just bought NTI because
> > >they wanted its technology. But you are missing the obvious
> > >here. You're saying the ASA is a PIX, meaning Cisco isn't killing
> > >the PIX after all. If so, why? I'll tell you, it's because
> > >there's a customer base out there that is large! It is NOT
> > >because it's better or worse to do the same thing that the
> > >PIX does on an IOS router, it's because this large customer
> > >base THINKS it's better to do the stuff the PIX does on a
> > >standalone box that isn't a router. The baby wants his
> > >bottle and Cisco isn't going to take it away. Simple as that.
>
>
> Interesting standpoint. I view it more as a customer choice. There are
> some things I find easier on a PIX (troubleshooting, captures, packet-tracer)
> and there are some things I find much better on IOS (LAN to LAN IPsec), and
> they are both very capable products. If you want to push your customers onto
> IOS firewalls, knock yourself out. I don't think anyone can argue that
> point.
>
> >If it only has slight modifications then it's definitely not
> > >next-generation. Make up your mind, please! :-)
>
>
> Oh jesus christ. If your only argument on why you think the ASA is not a
> PIX is some grammatical semantics on my part then you have bigger problems.
>
>
> >
> > The reason -I- think the ASA is worse is because the ASA just
> > perpetuates the nonsense that a router can't be a firewall.
> > Sure it can, it just depends on what firmware is running on it.
> > Cisco missed the boat here to educate the customer base. I
> > am just thankful Cisco jacked up the price so I can educate
> > my customers without them just hearing "mo money mo money
> > mo money mo money".
> >
> > >Don't you mean ASA5510-SEC-BUN-K9 with the 2GE ports?
>
> >How you going to get 300mbt through 2 FE ports?
>
> Gigabit interfaces are not available on the 515. Why is that a fair
> comparison?
>
>
>
> > >And where does Cisco get off charging an extra $3K for 50 miserable SSL
> > VPN
> > >licenses?
>
>
> The same license is required on IOS to support the same functionality.
>
> >The SSL protocol is OPEN for God's sake.
>
>
> They aren't charging for the SSL protocol, they are charging for all the
> additional features that come with it. Do you even understand what the SSL
> VPN product is? It provides proxied connections for http, citrix, rdp,
> exchange, in addition to almost any application you throw at it. In
> addition it creates a full tunnel through TLS and TLS over UDP.
>
> All of which are not defined in the SSL standard!
>
>
> > >Oh I get it, REMOVE support for PPTP VPN's (ie: out of the box Microsoft
> > VPN client that's
> > >FREE) and replace it with SSL VPN client that -costs money- Yeah, give
> > >me more, baby. Harder, Harder!
>
>
> IPsec license is still free. L2TP over IPsec is still free and works with
> Microsoft out of the box (and is secure!). PPTP was removed because it is
> not a secure protocol!
>
> >
> > >And, I forgot about AIP, what is that, $7K a year for a subscription?
> > >So if you don't pay the $7K a year, then when the latest AIM comes out
> > >that is written to get around the current inspection and is wasting your
> > >employees productivity in spades, you have to buy a new ASA. Great one,
> > >that!!
>
>
> Say what? There are cheaper Smartnet contracts out there. Do some
> research.
>
> >
> >
> > The point was rather a comparison between IOS-based router and
> > PIX or ASA, not between PIX and ASA.
> >
> > >In any case, how many companies have 300Mbit Internet connections?
> > >How many companies have 190Mbit Internet connections? And how exactly
> > >do you get 190Mbts through a 515 which only had 2 10/100Mbt interfaces
> > >on it? ;-) These are BigCo comparisons you're talking, and frankly,
> > >BigCo's buy what they do because of their previously established
> > >vendor relationships, they are not switching to ASA's because they
> > >care about the price.
>
>
> I said nothing about companies or the reason to buy ASA. It was merely
> comparing the price of two similar firewalls. You fabricated the rest. Yes,
> when buying a firewall, or any gear for that matter, you must take a lot
> into consideration. No one is arguing that.
>
>
> > >And most BigCo's buy direct from Cisco anyhow, so the list prices are pure
> > fiction.
>
>
> They still get a discount off of list on most gear. So list prices are a
> good comparison standpoint. Now I can't say take the list prices from
> Juniper and compare them to Cisco as I get different discounts from each
> company, but to compare Cisco to Cisco it is 100% valid.
>
>
> >
> >
> > A much more realistic comparison with product that's sold to
> > people who actually do care about the price is:
> >
> > >PIX-506E-BUN-K9 @ $1,395 vs ASA5505-UL-BUN-K9 @ $995. So yes,
> > >on the surface it LOOKS like a better deal - until you have to bend
> > >over and take it in the shorts for that insane SSL VPN license. Oh,
> > >and of course, with the 5505, you're screwed there since 50 SSL users
> > >is the licensed limit, you have to go to the 5510 for more. The old 506E
> > >had no restriction on number of VPN clients.
>
>
> A PIX cannot support SSL VPN. SSL VPN is an additional feature available
> (via a license) on the ASA platform. ASA still includes free IPsec VPN
> client termination (and LAN to LAN). Yes, there is a hard limit on the
> number of _IPsec_ on the ASA platform which some have complained about, but
> you shouldn't be terminating that many clients on a PIX 506 in the first
> place. It has no hardware crypto!
>
> >CISCO1841-SEC/K9 1841 Security Bundle, Advanced Security, 64FL/256DR
> > >$2495
> >
> > >ASA5505-SSL-10-K9 ASA 5505 VPN Edition w/ 10 SSL Users, 50FW Users,
> > >3DES/AES
> > >$2095
> >
> > >Let's see, with the former I can use all of my free Microsoft VPN clients,
> > >PPTP, L2TP, whatever I want, as many as I want. I can put in as many
> > >server to server VPN's as I want. I can drop in a T1 card if needed. I
> > >can have as much stuff as I want behind it.
>
> >With the ASA I can have a max 10 SSL users, or I have to switch all my
> >Microsoft VPN clients over to L2TP. I'm limited to 50 users.
>
> Yes, and those are some valid points on why you should use an IOS based
> router as a firewall. These reasons are definitely more apparent in SMB
> situations. Where you have separate hardware in a corporate environment,
> most of this is moot.
>
> As far as PPTP goes, Dude, it's 2008! PPTP has not only proven to be
> insecure but it also doesn't work through PAT as it requires a GRE tunnel
> (GRE doesn't have port numbers). It's like saying I should run my network
> with RIPv2 cause my routers support it. Sure it's there, that doesn't mean
> you should use it.
>
> PIX forces a certain level of security onto the users. I cannot enable
> telnet on the outside interface, for example. Argue this point if you must,
> but I don't see it as a bad thing. You can set up an IOS based PPTP server
> for termination while you migrate your users to another platform.
>
> As far as SSL VPN licenses go, Cisco is currently the cheapest per SSL VPN
> user in the industry. Seems to me that's not bad. If that's still too
> expensive for you, use IPsec, L2TP over IPsec, or an open source solution
> like OpenVPN.
>
> >
> > >And on top of that IOS has had IPv6 for years, the ASA just finally
> > >got a working implementation with version 8.0.3 or so I read. (I
> > >don't really know, maybe it still doesn't work right)
>
>
> According to Feature Navigator, IPv6 IOS Firewall was added in IOS 12.3T;
> although ahead of the curve compared to the ASA, 12.3T is also ED code and
> shouldn't be used.
>
> >
> > >I never said CURRENT code was Win 3.1 based, I said I had heard that the
> > >original PIX code from pre-Cisco days was Win 3.1 based.
> > >Surely you remember that Win 3.1 will run in real
> > >mode, without the GUI, by just putting command.com as the last statement
> > >in the winstart.bat file. Win 3.0, don't forget,
> > >would run on an XT, in real mode, with a GUI. Back in
> > >those days a lot of people who wrote embedded stuff would
> > >use DOS or a stripped Windows merely as a program loader,
> > >so it didn't seem that farfetched to me when I heard it.
>
>
> Seriously?!? I don't even know what to say to that....
>
> >
> >
> > In the end it's your network. That was the point.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/