Old 21st October 2008, 22:11   #46
BHPian
 
Join Date: Jan 2007
Location: Goa
Posts: 417
Thanked: 5 Times

Quote:
Originally Posted by Samurai View Post
Lady: Oh, Adam quit two years back, this admin is his replacement.
Me: That means this Server was untouched for two years.
Lady: Yeah...
Imagine a win2k server with operating system patches not installed for 2 years, especially the way MS churns them out and the amount of vulnerabilities that get identified every month. A major security risk!
autoenthusiast is offline  
Old 22nd October 2008, 00:17   #47
BHPian
Join Date: Jun 2007
Location: Melbourne
Posts: 980
Thanked: 11 Times

samurai - I am assuming this win2k server running medical transactions was in a closed environment and not exposed to the internet. There is a difference between stability and being vulnerable. Expose such a server to the internet and you will be lucky if it lasts a few hours. Of course, I have known of some pretty old web servers running unpatched win2k on the internet for 5 years and they have never been attacked, but that's because they run a true behaviour-based personal firewall (no signatures, no updates, no patches, no antivirus needed).

I agree with autoenthusiast - we need to differentiate between stability and vulnerability (or risk of being attacked). A firewall which sits facing the internet has to be both. Imagine installing a Microsoft hotfix every month on your so-called win2k3 firewall just to keep it safe (hotfixes don't add any enhancements; they are purely for closing holes in the software).
jassi is offline  
Old 22nd October 2008, 00:35   #48
Team-BHP Support
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,826
Thanked: 45,513 Times

I am still awaiting price quote for Cisco ASA 55xx firewalls.
Samurai is offline  
Old 22nd October 2008, 00:43   #49
BHPian
Join Date: Jun 2007
Location: Melbourne
Posts: 980
Thanked: 11 Times

Quote:
Originally Posted by Samurai View Post
I am still awaiting price quote for Cisco ASA 55xx firewalls.
It takes not more than a few hours for most vendors to get a quote out
jassi is offline  
Old 22nd October 2008, 00:50   #50
Team-BHP Support
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,826
Thanked: 45,513 Times

Quote:
Originally Posted by jassi View Post
It takes not more than a few hours for most vendors to get a quote out
I live in a village 425Kms away from Bangalore. It is different here.
Samurai is offline  
Old 22nd October 2008, 00:52   #51
BHPian
Join Date: Mar 2006
Location: http://www.wandering-online.com
Posts: 499
Thanked: 6 Times

Quote:
Originally Posted by given2fly View Post
However, the bottomline is any firewall or UTM device is as good as its configurator.
I just read the title and this is exactly what I was gonna post. Moreover, you can never be 100% secure unless you unplug yourself from the WWW. A belt-and-suspenders approach always works better than just having one level of protection.
whatcanthisbe is offline  
Old 22nd October 2008, 01:02   #52
BHPian
Join Date: Jun 2007
Location: Melbourne
Posts: 980
Thanked: 11 Times

Quote:
Originally Posted by whatcanthisbe View Post
I just read the title and this is exactly what I was gonna post. Moreover, you can never be 100% secure unless you unplug yourself from the WWW. A belt-and-suspenders approach always works better than just having one level of protection.
Any security device is as good as its configuration, and the principle of defense in depth is an important aspect of any security design. In a chain the weakest link breaks first, and in a security design the smallest misconfiguration or software vulnerability brings the whole network down.

I don't think 100% secure and risk free environments exist - one of the facts I learnt when I was involved in information security/risk auditing

Last edited by jassi : 22nd October 2008 at 01:05.
jassi is offline  
Old 22nd October 2008, 03:18   #53
Distinguished - BHPian
Join Date: Jun 2007
Location: Chennai
Posts: 10,998
Thanked: 26,416 Times

I am years out of date for any real advice, but this was my then experience. Hmm... five or six years ago. No... six or seven... don't think we'd been using W2K for long.

It was our company's first real networked connection to the internet, and we took a fibre leased line connection. I think we started at 256 or 512Kb, but remember that was mostly the mail server. It took a while for browsing and stuff to happen, and we never ran our own web server.

We took the line from Pipex, and they had, all along, been selling us Checkpoint running on Windows for the firewall and to offer VPN services to remote offices. After a couple of visits from the marketing types, they brought a techie along and I asked him why I should buy a security tool based on an inherently insecure platform. He glared at the salesman and Checkpoint on Solaris got substituted, upgraded shortly after to Checkpoint/Nokia.

Of course, if there hadn't been a Unix bod (me) on the team, that question might not have been asked!

Oh, we ended up with a Gb fibre to another office and all sorts of stuff...

Last edited by Thad E Ginathom : 22nd October 2008 at 03:20.
Thad E Ginathom is online now  
Old 22nd October 2008, 08:33   #54
BHPian
Join Date: Jun 2007
Location: Melbourne
Posts: 980
Thanked: 11 Times

Well yeah - Checkpoint on Nokia is a third of all Checkpoint firewall installs. Nokia runs a variant of BSD (now Linux) called IPSO which they acquired many years ago. Given that I once worked for these guys, I would say: a very stable and potent combination. However, Nokia's firewall appliances division is now up for sale, and in these recession-bound times Checkpoint, given their ultra-high pricing, would be bracing for a few competitive takedowns in all their accounts by low-cost, more reliable long-term players like Cisco and Juniper.

Last edited by jassi : 22nd October 2008 at 08:34.
jassi is offline  
Old 22nd October 2008, 22:11   #55
Newbie
 
Join Date: Jan 2008
Location: Madras
Posts: 17
Thanked: 0 Times

Quote:
Originally Posted by jassi View Post
But then again who has a 200mbps ISP link. Besides for anyone hosting webservers, throughput hardly matters, the performance is measured in connections and connections/sec, as each http request is a new connection.
In a multi-layered secure environment, throughput of the firewall matters while designing internal firewalls as well. A low throughput may create a bottleneck otherwise. We have architected solutions for a couple of major banks here in Europe and I can share some practical experiences in this.

I'm out of core technology roles for last couple of years and now part of a Big-4 consulting firm. However I thought I need to share the following experiences with Pix. (Things might have changed with ASA).

@Samurai:
I'm not sure about the existing architecture of the network where you are planning to incorporate Pix/ASA. Considering that you don't have a full-time network engineer, I suggest you get a demo box and try it before actually buying/deploying the same.

We did a migration from Checkpoint NG to 515E back in 2002. Had to do a lot of debugging to resolve unforeseen issues.

Issue #1
We had an Oracle 8i server sitting behind the Checkpoint firewall with ODBC/JDBC clients or app servers connecting to it from other parts of the world over VPN links. This just stopped working after the PIX implementation. While Cisco TAC was unable to find the exact issue, our Oracle support partner confirmed that it was due to a compatibility issue between SQL*Net and Cisco NAT. We had to change the design of database connectivity - we used Oracle Connection Manager just to get compatible with Pix and had to roll out this change in all locations. You can still find the threads related to this issue - just search Pix+NAT+Oracle in Google.

Issue #2

The IP-based video conferencing equipment (Polycom) stopped functioning. This was working without any issue earlier with Checkpoint NG. Cisco TAC confirmed that it was due to the way Pix handles H.323 traffic. Finally they advised removing the "fixup" for that protocol and that resolved it - this means firewall intelligence over this traffic is disabled.

I strongly suggest keeping the Vonage device outside the firewall to avoid such issues. I don't think there are many security issues in doing so.

Issue#3

We had a web server kept in India and client applications (developed in VC++) deployed across the US connecting to it using a SOAP service. Pix's way of handling HTTP traffic created a bottleneck here and nobody could "POST" any data. This was again resolved at the cost of disabling fixup http, i.e. turning off the intelligent feature. To me, once it is turned off what we get is mere port-level security.

Hope this helps!
Wind_mill is offline  
Old 23rd October 2008, 09:15   #56
BHPian
Join Date: Jun 2007
Location: Melbourne
Posts: 980
Thanked: 11 Times

Quote:
Originally Posted by Wind_mill View Post
In a multi-layered secure environment, throughput of the firewall matters while designing internal firewalls as well. A low throughput may create a bottleneck otherwise. We have architected solutions for a couple of major banks here in Europe and I can share some practical experiences in this.
@windmill - let me clarify

1) We are talking of a perimeter firewall here in the case of samurai - not an internal firewall. Any outsider accessing his webservers behind the firewall will not go faster than his ISP link, which I don't think is more than 150mbps (samurai please correct me). Now I am sure he will have insiders (read LAN users) accessing the webservers on the firewall DMZ, and that is where, if and only if they are accessing at gigabit speeds (loads of users streaming video), there will be a bottleneck. I am assuming this is not the case.

2) Things have changed a lot with both the PIXes and the ASAs. For one, the PIXes when running fixups were on code 6.x. This was replaced with 7.x with the application inspection feature, which included support for over 30 protocols (including http, voice, video, sip, skinny, rtp, h.323, h.243 etc) and this was certified as part of CC EAL4+ testing. This was further improved in the 8.x release, and both 7.x and 8.x run on PIX and ASA. PIX is now EOLed and ASA is the default offering.

3) Checkpoint was the first to introduce h.323, but as of today it cannot be compared to Cisco ASA's voice/video support (which is derived from Cisco's experience in the VoIP and video industry - something that Checkpoint will never have). Checkpoint's voice/video inspection (nor any other vendor's) is not part of the security evaluation target on their CC EAL4+ cert, whereas Cisco's is (links posted earlier). Supported protocols for voice/video are sip, skinny, h.323 v1-4, gtp (3g mobile wireless), mgcp, rtp, rtcp, rtsp, tapi, jtapi.

4) I am aware of the Oracle issue; I believe this was faced with 6.x code. This may have been resolved in the 7.x release when app inspection support for databases was introduced to dynamically inspect and open up ports for ils/ldap, oracle sql*net (v1/2), ms rpc/dce rpc, ms n/wing, nfs, rsh, sunrpc, nis+, xwindows (xdmcp).

5) There are currently no known issues with video conferencing over IP as long as it runs over standards-based (read RFC, non-proprietary) protocols. A lot of other solutions, including Cisco's own video conferencing over IP and Telepresence solutions (featured in ads these days), work with ASAs. ASAs are tested thoroughly in voice/video environments by Cisco's own voice technology business group.

6) Among the other protocols in app inspection there is a very detailed http inspection map, which I have used successfully in many implementations to handle everything from basic URI request handling and http command filtering to dropping cross-site scripting (XSS) attacks. I am not an expert at SOAP, but I am sure from release 7.x onwards it can be easily handled.

7) The overall point I am trying to make here: yes, PIX fixups were a mess, I hated them and I was always a fan of Checkpoint's app inspection. However, Cisco in the last few years has vastly progressed past those fixup days and is now comparable to or better than (in some cases like VoIP or video over IP) other vendors in app inspection.

8) Did I just make another long post!!

9) Phew

Last edited by jassi : 23rd October 2008 at 09:18.
jassi is offline  
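The two posts above describe the same trade-off from both sides: Wind_mill had to turn the PIX 6.x HTTP and H.323 fixups off to get SOAP POSTs and Polycom calls working, leaving only port-level ACLs, and jassi says the 7.x/8.x Modular Policy Framework lets you keep inspection but tune it (URI handling, command filtering, XSS dropping). The configuration below is an added illustration of that contrast, not taken from either poster or from Cisco documentation. The interface names, hostnames, the 192.0.2.10 address, and all regex/class/policy names (xss_script, http_xss, web_http_policy, dmz_web_acl) are assumptions; the XSS pattern is deliberately simple and only meant to show where a pattern plugs in, not to be a complete filter.

```cisco
! ======== PIX 6.x: the only knobs were per-port fixups ========
! Turning the fixup off fixes the broken SOAP POSTs and H.323 calls,
! but the ACL below is then the *only* control on tcp/80 traffic
! (port-level filtering, as Wind_mill describes).
no fixup protocol http 80
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-group outside_in in interface outside

! ======== ASA 7.x/8.x: Modular Policy Framework equivalent ========
! (assumed names throughout; 192.0.2.10 is the assumed DMZ web server)

! Patterns used by the HTTP inspection map.  ASA regex has no \s or
! case-insensitive flag, so each letter is given as a character class.
regex xss_script "<[sS][cC][rR][iI][pP][tT]"

! Layer-7 class: requests whose URI or query arguments carry the pattern
class-map type inspect http match-any http_xss
 match request uri regex xss_script
 match request args regex xss_script

! HTTP inspection map: malformed requests and XSS attempts are dropped
! and logged; ordinary GET/POST (including the SOAP POSTs) pass untouched,
! which is the selective behaviour the 6.x fixup could not give.
policy-map type inspect http web_http_policy
 parameters
  protocol-violation action drop-connection log
 class http_xss
  drop-connection log

! Layer-3/4 class: apply the HTTP map only to the public web server,
! not to every tcp/80 flow crossing the box.
access-list dmz_web_acl extended permit tcp any host 192.0.2.10 eq 80
class-map dmz_web_traffic
 match access-list dmz_web_acl

! Default inspection class covers the well-known ports for the rest.
class-map inspection_default
 match default-inspection-traffic

! Bind inspections to traffic.  H.323 and SQL*Net inspection here are
! the 7.x replacements for the fixups Wind_mill had to disable.
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect sqlnet
 class dmz_web_traffic
  inspect http web_http_policy
service-policy global_policy global
```

After applying this, `show service-policy inspect http` gives per-class drop counters, which is the quickest way to confirm whether a broken application is being caught by the inspection map or by something else before reaching for `no inspect`.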
Old 23rd October 2008, 09:41   #57
Team-BHP Support
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,826
Thanked: 45,513 Times

Quote:
Originally Posted by jassi View Post
1) we are talking of a perimeter firewall here in the case of samurai - not an internal firewall. Any outsider accessing his webservers behind the firewall will not go faster than his isp link which I don't think is more than 150mbps (samurai please correct me).
Yes, let me clarify this immediately, I have a 1000kbps (1:1) leased line from Reliance.

PS: 150mbps ISP link? I would die at that speed...
Samurai is offline  
Old 23rd October 2008, 13:06   #58
BHPian
 
Join Date: Jan 2007
Location: Goa
Posts: 417
Thanked: 5 Times

Quote:
Originally Posted by jassi View Post
I don't think 100% secure and risk free environments exist - one of the facts I learnt when I was involved in information security/risk auditing
Yes, but you do have "very, very secure networks". At least that's the way I look at it. And secondly, a lot would depend on the network security infrastructure and the network administrator/implementor/security admin, company security policies etc. It's an entire circular chain; one weak link and you have had it.
We do have a lot of capabilities today (compared to the yesteryears) where we can actually put active defence capabilities on the network (it has its pros and cons), unlike the earlier reaction-based security mechanisms.
autoenthusiast is offline  
Old 23rd October 2008, 13:09   #59
BHPian
 
Join Date: Jan 2007
Location: Goa
Posts: 417
Thanked: 5 Times

Quote:
Originally Posted by Samurai View Post
Yes, let me clarify this immediately, I have a 1000kbps (1:1) leased line from Reliance.

PS: 150mbps ISP link? I would die at that speed...
Before that you'd die of the cost of paying for that fast an Internet link.
autoenthusiast is offline  
Old 23rd October 2008, 15:41   #60
Team-BHP Support
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,826
Thanked: 45,513 Times

Ok, I have to pick between these:

ASA5505-BUN-K9 ASA 5505 Appliance with SW, 10 Users, 8 ports, 3DES/AES
ASA5505-50-BUN-K9 ASA 5505 Appliance with SW, 50 Users, 8 ports, 3DES/AES
ASA5505-UL-BUN-K9 ASA 5505 Appliance with SW, UL Users, 8 ports, 3DES/AES

Since I don't understand how these user licenses apply, I don't know how many licenses I would need.

Say I am putting 100 devices on the internal LAN and about 10 devices on the public network. How many user licences do I need?
Samurai is offline  