[c-nsp] Telnet FROM a PIX Appliance?

Ted Mittelstaedt tedm at toybox.placo.com
Tue Jul 8 11:17:14 EDT 2008


-----Original Message-----
From: Brandon Bennett [mailto:bennetb at gmail.com]
Sent: Monday, July 07, 2008 1:18 PM
To: Ted Mittelstaedt
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?

>And running a production webserver on a 486-DX2 is also not a good
>idea.  I don't see your point here.

I was under the impression you were attempting to argue that
IOS-based firewalls were inherently not as good as a PIX.  I
guess your comment here is acknowledging that's not the case.

>Well the point that Bradly Coile made is that he could not get the
>performance he wanted using traditional IP stacks on those platforms.
>Not so much my opinion, but his.

But of course, I would not expect anyone making and selling something
to diss their own product over something available for free.

>>Please point out any "bake-off's" comparisons that were done at
>>that time.

>Pointless and a waste of time.  If you want to argue PIX popularity
>13 years ago, be my guest.  I will not be subject to it however.

I'll take that as a retraction of your statement that the
NTI stuff was technically superior at that time, then. 'Nuff said.

>>If a PIX is so easy to setup and maintain then I would have not
>>had quite a lot of work over the years in administering them for
>>people.

>It was a lot easier in 1995/1996 to unbox a PIX and enter in some
>commands to setup NAT than it was to apply a patch and compile new
>FreeBSD kernel and userland utilities.   Nowadays this just comes down
>to a matter of preference.

That is true.  After all that is one thing you're paying
for in most commercial products, isn't it?  Not functionality,
merely ease of use.

Once you learn how to use either of them, there's no advantage
to the commercial product in that respect.

There's only a handful of commercial products out there where
the commercial stuff is superior to what you could put together
yourself - given enough time, of course.

>>I will say that the PIX command line is no worse to setup and
>>admin than IOS - once you know all of the idiosyncrasies of the
>>PIXos - but that's no different than the idiosyncrasies of IOS.
>>I do find the PIX GUI to be a big piece of crap, though.

>There is at least something we agree on :)

:-)

>>---- clip----------
>>a bunch of crap of acquisitions
>>--- clip-----------

>Who cares.

Anyone who buys and uses products.  Besides ease of use,
support is one of the other big selling points of any
product.  If the company selling such a product is poorly
managed and acquired as a result, it very often affects
support, thus reducing the value of the product.
Naturally anyone owning an orphaned product is very much
interested in this.  In the case of the PIX, Cisco took
it and ran with it, thus NTI's customer base undoubtedly
breathed a sigh of relief.  That doesn't always happen
with all of Cisco's acquisitions.

>standalone box that isn't a router.  The baby wants his
>bottle and Cisco isn't going to take it away.  Simple as that.

>Interesting standpoint.  I view it more as a customer choice.

Customer choice only from what the vendor offers.  Some vendors
don't offer a lot.

>There are some things I find easier on a pix (troubleshooting,
>captures, packet-tracer) and there are some things I find much
>better on IOS (Lan to Lan IPSec) and they are both very capable
>products.   If you want to push your customers onto IOS firewalls
>knock yourself out.  I don't think anyone can argue that point.

You were before.

>They aren't charging for the SSL protocol, they are charging for all the
>additional features that come with it.  Do you even understand what the
>SSL VPN product is?  It provides proxied connections for http, citrix,
>rdp, exchange, in addition to almost any application you throw at it.  In
>addition it creates a full tunnel through TLS and TLS over UDP.

Great, then unbundle the SSL VPN stuff and include it with the ASA
and leave the proxy stuff in the $3K add-on.  Most people don't
need it.  Old story of putting one feature a lot of people want
into a separate bundle of a big pile of stuff and making you pay
a lot for the big pile.  Then you feel compelled to at least look
at using some of the stuff in the big pile.  Embrace and extend.

> In the end its your network.  That was the point.

No, in the end it's our customers' network, and what they want
and what they have to pay, that's the point.  The PIX was cheaper
than the equivalent IOS-based solutions when it was sold, now
the ASA is not.  I will grant that yes, you can get a lot more
features in the ASA than you used to in the PIX.  But you pay more.
You also get those features in IOS for the same price as what
a hopped-up ASA costs.

As for PPTP being worse or better, that's not Cisco's call to
make.  As you said earlier, it's customer choice.  I'll agree
PPTP has more problems than a newer protocol.  But a customer
that has 200 remotes deployed with PPTP already isn't too
interested in paying the labor to switch them all over just
because they upgraded their firewall.

My main argument was that the IOS solution was better than
the PIX, and I'm just glad that now the ASA (configured with
adequate licensing) costs the same as the equivalent IOS
based solution because now my customers can't knee-jerk
choose the ASA over the IOS based stuff just because it is
significantly cheaper.  Which some used to do with the PIX.
I see nothing in your rebuttal that disproves
that.  The comparisons between PIX and current product were
just for fun, even from you, as that product isn't for sale
any longer.  No need to get so defensive over them.  But the
ASA vs IOS comparisons don't argue for the ASA being more
inexpensive unless you accept a very stripped-down unit.

Ted


