Friday, November 23, 2007

firewall-wizards Digest, Vol 19, Issue 16

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewalls that generate new packets.. (Dave Piscitello)
2. Re: Active-Active Single-context Failover on an ASA 5550
(Post, Lenny)
3. Opinions wanted... (Kurt Buff)
4. Re: Firewalls that generate new packets.. (Paul Melson)


----------------------------------------------------------------------

Message: 1
Date: Wed, 21 Nov 2007 11:28:11 -0500
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <47445C9B.4070208@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"

What part of this makes you wonder?

What IOS, PIX, etc. have in common is The Brand.

One sales force. One marketing force. One field engineering/technical
support force. The force is strong in them. Even if Cisco products are
enormously different under the hood, this is a compelling feature for
Cisco, as it had been for IBM and DEC in the past.

ArkanoiD wrote:
> On Sat, Nov 17, 2007 at 11:14:14AM -0600, Timothy Shea wrote:
>
>> And organizations like the
>> familiarity of the Pix (ASA) because everything else they have are
>> Cisco devices.
>
> Which always made me wonder: Pix has almost nothing in common with IOS
> routers except the Cisco label on it. For ASA, things changed a bit, but the
> "firewall" part of the device is still the same.
>


------------------------------

Message: 2
Date: Mon, 19 Nov 2007 08:02:29 -0700
From: "Post, Lenny" <Lenny.Post@devoncanada.com>
Subject: Re: [fw-wiz] Active-Active Single-context Failover on an ASA
5550
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5EE9C1E5476ED1428B8ADAA565D1E62501E3099A@CGYVEX02.cdn.dvn.com>
Content-Type: text/plain; charset="us-ascii"

Successfully configuring Active/Active failover on 2 ASAs requires that you
run multiple contexts on each device. If you do not have multiple contexts,
the default is Active/Standby (which appears to be what you are seeing).

Cisco has a nice write-up of how to set up Active/Active on their website;
check out
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml

Lenny

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
Keith A. Glass
Sent: Friday, November 16, 2007 8:42 AM
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] Active-Active Single-context Failover on an ASA 5550

I'm attempting to create an Active-Active failover configuration on a
pair of ASA 5550s.

Problem is, when I try clustering them up, I see the unconfigured
secondary come up and take over the cluster, replacing the ruleset on
the primary with the basic clustering setup config of the secondary.

Basic config is 10.x.y.z /28 as internal, 10.x.y.a/240 as external, with
the State failovers on 192.168.10.10/.11 /24 and LAN Failovers as
192.168.20.10/.11 /24

Failovers are cabled with crossovers, and the int and ext addresses are
on the switch.

Any suggestions? Any idea what I'm doing wrong?

Keith


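To make Lenny's point concrete, the following is an editor-supplied example of the shape of a minimal Active/Active configuration; it is not from either poster and is not taken from the Cisco document Lenny links. It reuses Keith's LAN-failover and state-link subnets; the interface names, context names, config-url paths and the shared secret are assumptions. Two things worth noting for the symptom Keith describes: the unit that is active when the pair first forms pushes its configuration to the peer, so if the secondary comes up with failover enabled before the primary is running failover, the secondary's bootstrap config overwrites the primary's ruleset (bring the primary up first, then enable failover on the secondary); and the failover and state links carry configuration and session state in clear text unless the same `failover key` is set on both units.

```text
! ---- Primary unit, system execution space (added example, not from the
! ---- thread; interface/context names and paths are assumptions) ----
mode multiple
!
! Failover bootstrap: LAN failover link and stateful failover link on
! dedicated crossover-cabled interfaces, using Keith's addresses.
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 192.168.20.10 255.255.255.0 standby 192.168.20.11
failover link statelink GigabitEthernet0/3
failover interface ip statelink 192.168.10.10 255.255.255.0 standby 192.168.10.11
! Authenticate and encrypt failover-link traffic (same key on both units).
failover key <shared-secret>
!
! Active/Active needs at least two failover groups; each is normally active
! on a different unit. preempt lets a group return to its preferred unit.
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
!
! Contexts are what get split across the pair. With no contexts there is
! nothing to assign to group 2, and the units behave as Active/Standby.
admin-context admin
context admin
  config-url disk0:/admin.cfg
context ctx1
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  config-url disk0:/ctx1.cfg
  join-failover-group 1
context ctx2
  allocate-interface GigabitEthernet1/0
  allocate-interface GigabitEthernet1/1
  config-url disk0:/ctx2.cfg
  join-failover-group 2
!
! Enable failover on the primary FIRST so it becomes the active unit.
failover

! ---- Secondary unit, system execution space: bootstrap only ----
! Enter this after the primary is up with failover enabled; the primary's
! contexts, groups and rulesets then replicate to this unit.
mode multiple
failover lan unit secondary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 192.168.20.10 255.255.255.0 standby 192.168.20.11
failover link statelink GigabitEthernet0/3
failover interface ip statelink 192.168.10.10 255.255.255.0 standby 192.168.10.11
failover key <shared-secret>
failover
```

After both units are up, `show failover` in the system execution space should list both failover groups, each Active on one unit and Standby Ready on the other; if it reports only a single Active/Standby pair, no context has been joined to a second failover group.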


------------------------------

Message: 3
Date: Wed, 21 Nov 2007 08:40:51 -0800
From: "Kurt Buff" <kurt.buff@gmail.com>
Subject: [fw-wiz] Opinions wanted...
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<a9f4a3860711210840v3824fdc6wd4b2afc93550898b@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

All,

I've been working with Watchguards at my current employer for quite a
while, but we're looking to replace them.

We've received a recommendation from one firm for Sidewinders (a 410
and a couple of 110s for the branch offices).

We've received a recommendation against the Sidewinders from another
firm saying that they are too complex to manage easily, and require
extensive training to understand - they recommend Checkpoint instead.

Neither seems to be completely out of our price range, so it would
seem to come down to concerns regarding initial implementation and
ongoing management.

Are the Sidewinders that much more complex than Checkpoints?

Is one "better" (for whatever that might mean to you) than the other -
that is, if you have experience with both, which would you prefer, and
why?

I, of course, am excited to be learning a new platform, and want to
move away from some of the quirkiness of the ancient Fireboxes we
have, but want to make a reasonable recommendation to management.


Thanks,

Kurt


------------------------------

Message: 4
Date: Mon, 19 Nov 2007 14:06:23 -0500
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <00c901c82adf$47355410$4d00300a@ad.priorityhealth.com>
Content-Type: text/plain; charset="us-ascii"

> Let's say I am kind of disappointed. I figured that your question would
> kick off a "proxy" versus "everything else" type "discussion". It didn't.
> Ah, the 90s.... good times, good times...

OK, I'll bite. The discussion is over. You can't buy Gauntlet or
SEF/Raptor anymore. Sidewinder is still around, sure, but it's the only one
and has a minuscule share of the total firewall market. Of course, Cisco,
Check Point, and most of their competitors have proxies. Proxy firewalls
are dead. Long live proxy firewalls.


PaulM

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 19, Issue 16
************************************************
