http://www.windowsnetworking.com/news/WindowsNetwo...7.html

Cheers,

Stefan

This thread is getting really interesting ….. let’s keep the objective of this thread in focus…facts and opinions.

Well Tom it seems that again you’re posting an opinion “PIX and even an ASA would not meet the specifications of regulatory requirements given the security and functionality issues with these “firewalls”

Which I would like to answer with a fact:

1. Your statement regarding EAL certification:

http://blogs.isaserver.org/shinder/2006/03/26/isa-...teria/ clearly states that the EAL certification ensures secure and reliable products

2. The list of Cisco EAL certified firewalls: http://www.commoncriteriaportal.org/public/consume...ex.php
Not only are the ASA and PIX certified EAL4+ but guess what…heaps of other Cisco firewall products…now that is a fact !

Well I would like to give you my opinion…about your postings that is…biased and not really fact driven…but hey ….. just my opinion….might become a fact is others agree….

BTW Beefcake thanks for your support…defense in depth all the way…trust no one…

Cheers,
stefan

Thanks! I’m glad you agree with me that a PIX and even an ASA would not meet the specifications of regulatory requirements given the security and functionality issues with these “firewalls”. At least the ISA Firewall can be used to shore up the security and fucntionality problems with those devices.

Thanks!
Tom

The latest version of the products in question are worlds ahead of their previous versions. Both of these products with (ASA w/Cisco IPS and 3rd party add ons to ISA) work great together. But then again, just my opinion. If you are in this market you also know these two products are only a small portion of the overall scheme.

Using the statement PIX, specifically 6.2 and less is like comparing to isa 2000 or Checkpoint on the white box running NT4 back in the day. Don’t waste our reading time!

Cheers!

Thanks for taking the time to reflect on my thoughts. As you state accurately, it’s all about opinions. And if I wasn’t clear in my first post I would like to apologize, since I do believe that that the compliance tester will find the possibilities of the ISA firewall to be of good quality.

As you stated also, presenting evidence is what it is all about. So i just want to make sure that I didn’t misunderstood you:

- If the PIX used would be outdated, you would call the company using it out of compliance (= opinion). Well I totally agree on that one. If the company would be using an ISA 2000 version, I would also call them out of compliance (my opinion). If the company would however be using an updated version of the PIX/ASA let’s say version ASA 7.X and above, I would call them within compliance (but hey that’s my opinion, and the opinion of DoD, NIST, etc).

- It’s also your opinion that the PIX/ASA passes exploits faster than an ISA firewall. Well it does pass it faster (if you allow it), but it even can filter and stop it faster then the ISA (and that is not an opinion but rather a fact).

- Your bug and exploit opinion might be a little bit fuzzed in the same way as some people have the “it’s Microsoft so it’s unsafe” vision. If you compare the bugtraq list of the ISA 2000 with the PIX..slight advantage for the ISA but very narrow margin…ISA 2004 compared to the ASA is a draw…so you see opinions and facts are sometimes better to be stated clearly to avoid confusion……

Cheers,

stefan

Also, just because the PIX/ASA passes expliots much faster than an ISA Firewall is not a good thing — in fact, it would be better that the PIX/ASA be much slower, then the exploits would get in and more slowly! Personally, I could never recommend a PIX for security reason and never recommend an ASA because of it’s bugs and large number of reported exploits

The most important issue here, I think, is that it’s all a matter of opinion. You can present your evidence and I can present mine — if either of us can’t or won’t present evidence, then the opinion with the most supportive evidence wins!

Thanks!
Tom

Having been a fan of ISA server from the early stages (proxy 2.0 certified ) and always following your site and comments with much interest, I find it kinda sad that you keep fudging the (what you call) hardware firewalls.

I do understand your angle of critique but calling the PIX outdated and not compliant with the above is simply not true.

You should compare apples with apples and keep your readers informed in a neutral way. The PIX/ASA product portfolio complies to all above requirements (and more) and does outperform the ISA server in many area’s.

So just keep your information up to date and objective to serve your audience right.

Cheers,

stefan