Chapter 3X of Dr. T’s Rant on PIX “Firewalls”

A good and patient fellow on the ISAserver.org mailing list made a comment indicating that the PIX was more secure and provided better network level security than the ISA firewall. That takes a lot of guts given that most of the ISA firewall experts in the world participate on the ISAserver.org mailing list and know that this is categorically untrue. For some reason, I’ve felt my creative writing gene activate since returning from this year’s Tech Ed, and it came out in my response today. I think ISA firewall admins will enjoy it and maybe it will provide them some ammo in their never ending war with the forces of ignorance (the networking guys educated by Cisco sales reps).

Here’s my witty riposte:

You are right. PIX is not very secure. It’s a router with some advanced ACLs and does neat routing tricks. But when it comes to security, you’re very very wrong that it’s more secure. Hardware doesn’t fall from heaven, and all “hardware” is controlled by software, and Syphco’s core competency is not application protection — it’s routing and switching.

I agree that there is no comparison between PIX and ISA — only a fool would be convinced that they get any real security from a PIX, because they never took the time to learn about network security and what the end game was. Check Point? That’s another story. Like the ISA firewall, Check Point is a so-called “software firewall” (something that pothead “hardware” firewall guys often forget). Check Point is better than ISA and you pay a LOT for that. However, a PIX is a joke and I think the more thoughtful firewall admins out there realize they’ve been hyMOtized by the Syphco sales reps.

PIX is a puppy dog, a little terrier, a lap dog or a pretty little Persian kitty cat — the ISA firewall is the brobdingnagian that provides your real security. The PIX is an emotional blanket, a network Prozac, an expensive and illusory work of security fiction. The PIX is the emperor with no clothes and is in front of more hacked Web sites and networks than any other firewall.

[Image: PIX Puppy Dog scaring away “port attackers”]

You mention that the PIX software is “advanced” — I’ll give you the opposite perspective and proffer that it’s a trisomy 13 baby compared to the robust and healthy child that is the ISA firewall. No one has ever broken into an ISA firewall and I consider the ISA firewall mandatory. A PIX is nothing more than a historical superstition, a carry over from the dawn days of the Internet. I never never never never never never NEVER recommend putting a PIX in front or behind or anywhere near the ISA firewall (a Check Point? Sometimes that’s useful for defense in depth — Check Point, unlike PIX, is a real network security solution).

The PIX is worthless and weak. Who is it? What is it? What does it plan to do with its life? (name that tune!) On the other hand, the ISA firewall is built by people who understand software, understand security, and is much more than a stupid router with a “firewall” decal slapped on its bezel.

The ISA firewall’s VPN server is MUCH MORE SECURE than the simple PIX VPN. I’ve always wondered about the IQ of folks who have thought otherwise. It’s probably not an intelligence issue, but just an ignorance issue, since they probably don’t understand the weaknesses of the PIX VPN solution or the strengths of the ISA firewall’s VPN solutions — but that’s par for the course for folks who’ve been hypmotized by the Syphco sales reps, and have had the implanted suggestions reinforced by the ABMer idiot echo chamber.

Faster is not more secure.

Repeat

Faster is NOT more secure

Repeat

Faster is NOT more secure

Repeat

Faster is NOT NOT NOT more secure

Hardware is NOT more secure

Repeat

Hardware is NOT more secure

Repeat

Hardware is NOT more secure

Repeat

Hardware is NOT more secure

Repeat

Hardware is NOT more secure

Repeat

Hardware is NOT more secure

Repeat

Hardware is NOT more secure

Remember, PIX has many security vulnerabilities that you can check out at Secunia. Strangely enough, the ISA firewall has NONE. And don’t feed me that tired old drivel about “but it runs on Windows”. If you can show me how this is an issue after reading this http://www.microsoft.com/isaserver/2006/prodinfo/Firewall_Corewp.mspx (which you won’t do if you depend on your Syphco sales rep for tech info).

Finally, be careful about throwing Syphco PIX FUD around here. I’ve worked with the worthless PIX for a long time and studied it in depth. I know it’s cr*p on a cracker and it survives because it’s been grandfathered into the business. We’re all now suffering badly because the “network guys”, who are clueless lusers when it comes to understanding application security, have hijacked network security, and companies get hacked far more often than they should because these dolts are “port openers” and “port closers”. The current situation has the clowns running the circus.

In conclusion, there are several neuroleptic medications I can recommend to anyone who seriously believes the worthless PIX is more secure than an ISA firewall.

IMNHO,

Tom

P.S. You’re welcome to borrow any of the creative phrases I’ve included in this email. I only ask that you give the props 🙂

HTH,

Tom

Thomas W Shinder, M.D.

Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/

Book: http://tinyurl.com/3xqb7

MVP — ISA Firewalls
