[isalist] Re: Nothing is secure like PIX

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 21 Jun 2006 10:51:08 -0700

http://www.ISAserver.org
-------------------------------------------------------

This is a completely specious argument, with absolutely no basis in historical 
fact. 
When you can demonstrate that a properly-configured ISA server has *EVER* been 
compromised due to a Windows vulnerability, this claim *may* warrant 
consideration.

Until then, it's nothing more or less than simple punditious regurgitation.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA
Sent: Wednesday, June 21, 2006 08:53
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Nothing is secure like PIX 

I completely agree that ISA is far more secure than PIX; the only part I would 
concede to PIX (and that is why it is still on the market) is the stability, and 
that is because it doesn't run on Windows as ISA does.

 

Regards

Diego R. Pietruszka

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Wednesday, June 21, 2006 11:05 AM
To: isalist@xxxxxxxxxxxxx
Cc: isapros-repost@xxxxxxxxxxxxx
Subject: [isalist] Re: Nothing is secure like PIX 

 

Hi EM,

 

You are right. PIX is not very secure. It's a router with some advanced ACLs 
and does neat routing tricks. But when it comes to security, you're very very 
wrong that it's more secure. Hardware doesn't fall from heaven, and all 
"hardware" is controlled by software, and Syphco's core competency is not 
application protection -- it's routing and switching. 

 

I agree that there is no comparison between PIX and ISA -- only a fool would be 
convinced that they get any real security from a PIX, because they never took 
the time to learn about network security and what the end game was. Check 
Point? That's another story. Like the ISA firewall, Check Point is a so-called 
"software firewall" (something the pothead "hardware" firewall guys often 
forget). Check Point is better than ISA and you pay a LOT for that. However, a 
PIX is a joke and I think the more thoughtful firewall admins out there realize 
they've been hyMOtized by the Syphco sales reps.

 

PIX is a puppy dog, a little terrier, a laptop or a pretty little Persian kitty 
cat -- the ISA firewall is the brobdingnagian that provides your real security. 
The PIX is an emotional blanket, a network Prozac, an expensive and illusory 
work of security fiction. The PIX is the emperor with no clothes and is in front 
of more hacked Web sites and networks than any other firewall.

 

You mention that the PIX software is "advanced" -- I'll give you the opposite 
perspective and proffer that it's a trisomy 13 baby compared to the robust and 
healthy child that is the ISA firewall. No one has ever broken into an ISA 
firewall and I consider the ISA firewall mandatory. A PIX is nothing more than 
a historical superstition, a carry over from the dawn days of the Internet. I 
never never never never never never NEVER recommend putting a PIX in front or 
behind or anywhere near the ISA firewall (a Check Point? Sometimes that's 
useful for defense in depth -- Check Point, unlike PIX, is a real network 
security solution). 

 

The PIX is worthless and weak. Who is it? What is it? What does it plan to do 
with its life? (name that tune!) On the other hand, the ISA firewall is built 
by people who understand software, understand security, and is much more than a 
stupid router with a "firewall" decal slapped on its bezel. 

 

The ISA firewall's VPN server is MUCH MORE SECURE than the simple PIX VPN. I've 
always wondered about the IQ of folks who have thought otherwise. It's probably 
not an intelligence issue, but just an ignorance issue, since they probably 
don't understand the weaknesses of the PIX VPN solution or the strengths of the 
ISA firewall's VPN solutions -- but that's par for the course for folks who've 
been hypmotized by the Syphco sales reps, and have had the implanted 
suggestions reinforced by the ABMer idiot echo chamber.

 

Faster is not more secure.

Repeat

Faster is NOT more secure

Repeat

Faster is NOT more secure

Repeat

Faster is  NOT NOT NOT more secure

 

Hardware is NOT more secure

Repeat

Hardware is NOT more secure

Repeat

Hardware is NOT more secure

Repeat

Hardware is NOT more secure

Repeat

Hardware is NOT more secure

Repeat

Hardware is NOT more secure

Repeat

Hardware is NOT more secure

Repeat

 

Remember, PIX has many security vulnerabilities that you can check out at 
Secunia. Strangely enough, the ISA firewall has NONE. And don't feed me that 
tired old drivel about "but it runs on Windows". If you can show me how this is 
an issue after reading this 
http://www.microsoft.com/isaserver/2006/prodinfo/Firewall_Corewp.mspx (which 
you won't do if you depend on your Syphco sales rep for tech info).

 

Finally, be careful about throwing Syphco PIX FUD around here. I've worked with 
the worthless PIX for a long time and studied it in depth. I know it's cr*p on 
a cracker and it survives because it's been grandfathered into the business. 
We're all now suffering badly because the "network guys" who are clueless 
lusers when it comes to understanding application security, have hijacked network 
security and companies get hacked far more often than they should because these 
dolts are "port openers" and "port closers". The current situation has the 
clowns running the circus. 

 

In conclusion, there are several neuroleptic medications I can recommend to 
anyone who seriously believes the worthless PIX is more secure than an ISA 
firewall.

 

IMNHO,

Tom

 

P.S. You're welcome to borrow any of the creative phrases I've included in this 
email. I only ask that you give the props :)

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Egyptian Mind
        Sent: Wednesday, June 21, 2006 9:01 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Nothing is secure like PIX 


         

        Dears,

        No doubt that ISA 2000 or 2004 or even 2006 have increased the
        possibility of controlling user access, by allowing or denying the
        browsing, or a tiny issue like downloading gif and not downloading
        jpg, as an example.

        This shows how much we can control user action.

        Moreover, features like firewall services, securing VPN connections,
        NATing, publishing web sites, etc. are very helpful features to make
        our network control much easier...

        But nothing is secure like PIX...

        I don't mean that PIX is more secure than ISA, or more capable of
        handling requests... I'm talking about features and design and even
        the hardware specification... There is no comparison between ISA and
        PIX.

        I'm here, in my network, using two failover PIX and two clustering ISA
        servers as well. Every device has its responsibilities...

        ISA is responsible for handling the requests from users and filtering
        them depending on customized rules, and the great thing is that the
        ISA server is a domain member, so I can customize the rules directly
        to a specific user.

        PIX is my huge bodyguard which stands in front of my out door, to
        filter any request coming in or out of my door... Yes (in or out), not
        just in... and it is built on a very advanced built-in program in the
        hardware itself; it is the adaptive security algorithm, which has a
        lot of tools to scan the incoming packet... like, if we said, the
        ultraviolet, infrared, and eye scanner and everything...

        It's a very adaptive algorithm and it's very hard to penetrate. Note
        that this algorithm is working on every packet that goes or comes,
        also depending on your own customized rules you make on PIX.

        And instead of how Windows operates, the adaptive security algorithm
        runs using the same processing speed as its processor, as it is
        already loaded in the PIX processor and RAM.

        How much faster do you think it will be !!!!!!?????

        It also has a complete secure process for VPN connection and PATing,
        NATing, etc.

        But PIX does not function as a layer 7 appliance, so we use ISA for
        this purpose, to control the application layer and presentation
        layer... nothing more, nothing less, and also because PIX does not
        integrate with Active Directory.

        Finally, PIX is mandatory for security, and ISA is mandatory for
        controlling... but if we talk about the ability to be hacked, I think
        you will agree with me that hacking a program running on the Windows
        platform is much easier than penetrating a program running on a
        security-dedicated appliance...
        (( you can ask Bill Jates about it ))

        
        
         

            Best Regards

           Mohamed Saleh
            

            Senior Network Administrator 
            College of Business Administration, CBA
            Jeddah, Saudi Arabia
            Tel: +966-02-6563199 ext 2521
            Cell: - +966-50-2953591
         

         

        !~` Yesterday is a History` ~!

        !~` Tomorrow is a Mystery` ~!

        !~` Today is a Gift` ~!

        !~` So we call it ...............` ~!

        !~` Present .......Simple` ~!

         

         

                
________________________________


                From: "Shane Mullins" <tsmullins@xxxxxxxxxxxxxx>
                Reply-To: isalist@xxxxxxxxxxxxx
                To: <isalist@xxxxxxxxxxxxx>
                Subject: [isalist] Re: Hardware.... (cringe) ...firewall ?
                Date: Tue, 20 Jun 2006 13:12:08 -0400
                > Good Deal,
                >
                > We have used ISA since Proxy 2.0. I really liked the upgrade
                >from 2.0 to ISA 2000. But, I really really like ISA 2004. Some of
                >the new features are great, esp in the VPN areas, stateful packet
                >inspection. Also, I like the way ISA integrates into AD, this is
                >huge if you are a Windows shop. Also, there are some third party
                >snap ins that are very helpful.
                >
                >Shane
                >
                >PS I also really enjoyed reading your ISA 2004 book.
                >
                >
                >
                >----- Original Message ----- From: "Thomas W Shinder" 
                ><tshinder@xxxxxxxxxxx>
                >To: <isalist@xxxxxxxxxxxxx>
                >Sent: Tuesday, June 20, 2006 10:33 AM
                >Subject: [isalist] Re: Hardware.... (cringe) ...firewall ?
                >
                >
                >
                >Hi Shane,
                >
                >No problems, that's how I took it! :)
                >
                >The PIX tax reminds me of when in the middle ages you could pay the church
                >to absolve you of your sins. The situation here is that they're paying
                >Cisco for their sin of slothfulness. Slothful in that they haven't
                >spent the time and effort to understand real network security and
                >blindly pay a router and switch company big money to protect corporate
                >data (does anyone see the paradox in this?)
                >
                >Thanks!
                >Tom
                >
                >Thomas W Shinder, M.D.
                >Site: www.isaserver.org
                >Blog: http://blogs.isaserver.org/shinder/
                >Book: http://tinyurl.com/3xqb7
                >MVP -- ISA Firewalls
                >
                >
                >
                >>-----Original Message-----
                >>From: isalist-bounce@xxxxxxxxxxxxx
                >>[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Shane Mullins
                >>Sent: Tuesday, June 20, 2006 7:56 AM
                >>To: isalist@xxxxxxxxxxxxx
                >>Subject: [isalist] Re: Hardware.... (cringe) ...firewall ?
                >>
                >>
                >>Hey Thomas,
                >>
                >> I meant that to be a plug for ISA 2004. I think ISA 2004 is great. We
                >>have two ISA 2004 boxes that firewall and provide internet access for 3,500
                >>machines. ISA 2004 has been rock solid for us. ISA 2004 provides advanced
                >>logging and caching functions that a "hardware" firewall cannot provide. I
                >>have nothing against unix, but ISA 2004 is great.
                >> We could have paid 50k for a single pix to provide firewall services.
                >>Then signed up for a 5k a year maintenance agreement (so we could rcv
                >>updates). And all machines need updates, even "hardware" firewalls have an
                >>OS. And ISA still does so much more.
                >>
                >>Shane
                >>
                >>
                >>
                >>
                >>
                >> > On 6/19/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
                >> >>
                >> >> Yes, it's that good. Go Daddy and the ISP are clueless. Have you ever
                >> >> talked to your ISP's "tech guys" who make these recommendations? Let's
                >> >> just say that the typical interaction leaves you with the feeling that
                >> >> they're not on the top of the firewall and networking food chains :)
                >> >>
                >> >> Thomas W Shinder, M.D.
                >> >> Site: www.isaserver.org
                >> >> Blog: http://blogs.isaserver.org/shinder/
                >> >> Book: http://tinyurl.com/3xqb7
                >> >> MVP -- ISA Firewalls
                >> >>
                >> >>
                >> >>
                >> >> > -----Original Message-----
                >> >> > From: isalist-bounce@xxxxxxxxxxxxx
                >> >> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Shane Mullins
                >> >> > Sent: Monday, June 19, 2006 1:10 PM
                >> >> > To: isalist@xxxxxxxxxxxxx
                >> >> > Subject: [isalist] Re: Hardware.... (cringe) ...firewall ?
                >> >> >
                >> >> >
                >> >> > ISA 2K4 is really good? There is an eval version. Maybe he
                >> >> > would let you try that.
                >> >> >
                >> >> >
                >> >> > Shane
                >> >> >
                >> >> > ----- Original Message -----
                >> >> > From: "G.Waleed Kavalec" <kavalec@xxxxxxxxx>
                >> >> > To: <isalist@xxxxxxxxxxxxx>
                >> >> > Sent: Monday, June 19, 2006 1:08 PM
                >> >> > Subject: [isalist] Hardware.... (cringe) ...firewall ?
                >> >> >
                >> >> >
                >> >> > > My boss has been talking to our ISP and also to some folks at GoDaddy.
                >> >> > >
                >> >> > > Both use - and recommend - hardware firewall solutions.
                >> >> > >
                >> >> > > What do I tell him? He is poised to make one of those classic PHB
                >> >> > > decisions.
                >> >> > >
                >> >> > > (currently on ISA 2K)
                >> >> > >
                >> >> > > --
                >> >> > >
                >> >> > > G. Waleed Kavalec
                >> >> > > -------------------------
                >> >> > > Why are we all in this handbasket
                >> >> > > and where is it going so fast?
                >> >> > > ------------------------------------------------------
                >> >> > > List Archives: //www.freelists.org/archives/isalist/
                >> >> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
                >> >> > > ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
                >> >> > > ISA Server Blogs: http://blogs.isaserver.org/
                >> >> > > ------------------------------------------------------
                >> >> > > Visit TechGenix.com for more information about our other sites:
                >> >> > > http://www.techgenix.com
                >> >> > > ------------------------------------------------------
                >> >> > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
                >> >> > > Report abuse to listadmin@xxxxxxxxxxxxx
                >> >> > >
                >> >> >
                >> >
                >> >
                >> > -- >
                >> > G. Waleed Kavalec
                >> > -------------------------
                >> > Why are we all in this handbasket
                >> > and where is it going so fast?
                >> >
                >> > http://www.kavalec.com/thisisislam.swf
