Re: [fw-wiz] Firewalls that generate new packets..
> So what you're really comparing is the default configuration
> of packet based firewalls with proxy based firewalls.
When engaged in selling Secure Computing gear, I always
put an emphasis on the "more reasonable default configuration"
and the fact that it's more complicated if not impossible to do
something stupid by accident.
I also take my time to carefully explain the concept of egress
E.g. does PIX still have these implied rules that say: if I
configure port X from here to there, this automatically implies
the same access to all interfaces with a lower security level than
'there'? This is the case in 6.x - now, whoever at Cisco came
up with this concept should be shot.
I have not looked at 7.x or ASA, yet.
Patrick M. Hausen
Head of Networks and Security
P.S. I know that PIX access lists do not implement stupid things like
the above, but PIX Device Manager does. Now, which is a customer
with limited time and knowledge more likely to use?
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
Gf: Jürgen Egeling AG Mannheim 108285
firewall-wizards mailing list
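As an added illustration (not part of the mail above), a small audit helper that models the implied-rule behaviour Patrick describes for PIX 6.x PDM: one rule from interface A to interface B on a port also opens the same port from A to every interface with a lower security level than B. Interface names, levels and the rule are constructed assumptions for the example; the point is to enumerate the flows a single GUI rule actually opens, so an administrator can review them before deployment.

```python
from dataclasses import dataclass

# Constructed interface map for the example: name -> PIX-style security level (0..100).
INTERFACES = {"outside": 0, "partner": 30, "dmz": 50, "inside": 100}


@dataclass(frozen=True)
class Rule:
    """One PDM-style access rule: allow traffic from src_if to dst_if on tcp port."""
    src_if: str
    dst_if: str
    port: int


def implied_flows(rule, interfaces):
    """Expand a rule the way the post says PDM 6.x does.

    Returns the set of (src_if, dst_if, port) flows permitted once the rule is
    applied: the requested flow plus the same port towards every interface whose
    security level is lower than that of rule.dst_if (the source itself excluded).
    """
    dst_level = interfaces[rule.dst_if]
    flows = {(rule.src_if, rule.dst_if, rule.port)}
    for name, level in interfaces.items():
        if name != rule.src_if and level < dst_level:
            flows.add((rule.src_if, name, rule.port))
    return flows


def unintended_flows(rule, interfaces):
    """Flows opened by the implied-rule logic that the administrator never asked for."""
    return implied_flows(rule, interfaces) - {(rule.src_if, rule.dst_if, rule.port)}


if __name__ == "__main__":
    # Example review: the admin wants inside -> dmz on 80; see what else is opened.
    r = Rule("inside", "dmz", 80)
    for flow in sorted(unintended_flows(r, INTERFACES)):
        print("WARNING: implied, not requested:", flow)
```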