Slashdot Mirror
Build a Cisco PIX for 800 Australian Dollars
tallguy_wt writes: "Why fork out thousands of dollars to learn Cisco's PIX firewalling product when you can build your own for under 800 Australian Dollars, as shown in this article by Routermonkey."
← Back to Stories (view on slashdot.org)
and to think I just spent 84000$ for two pix535's. Your tax dollars at work!
Why fork out thousands of dollars to learn Cisco's PIX firewalling product when you can build your own for under 800 Australian Dollars?
Because it is illegal and you will go to jail for stealing CISCO's intellectual property.
Well, one reason why I buy Cisco is for the maintenance agreements, the support packs and the like you know all the expensive stuff that gives me peace of mind. When that firewall blows, who's neck is on the line?
Oh and the fact that the entire Cisco site runs on MySQL should be enough reason to give them all your employers hard earnt money
How much better is Cisco than the same system running Linux or *BSD?
According to the Universal Currency Convertor, AU$800 is about US$443.
"All art is quite useless." -- Oscar Wilde
...posting links to a story which encourages you sourcing stuff from a warez site ?
Gentlemen, start your penguins
800 AUS = 441.36 USD.
:)
Watson still has a few tricks on Sherlock.
I know I'm going to hell, I'm just trying to get good seats.
it'd be interesting to find out more information about the PIX card itself, like how it boots the OS, Is it like an IDE CF type card mounted onto that PCI Card, and if so, can you access it via another OS.. is it just a carrier for the IOS software, or does it perform other functions?
If you want to build your own one, you could as well do the same using things available under open source so that visitors from Cisco do not have to call Yevgeni and Boris to teach beat you up. ;)
Well, I can understand that learning the PIX in detail might be a good and interesting reason to build it up, instead of spending $15 000 or more in it.
ACTON, Mass.--August 30, 2002--OSDN today announced it has rethought it's company direction and expanded into the lucrative market of publically breaking the DMCA. "Cisco can't do shyat," cited Slashdot General Manager CmdrTaco, "We give props to our box0r hacking homeys" OSDN stock rose to a 2 cent high on the pinksheets following the announcement.
s200.org - visit it (me), love it (me).
Within 1 hour.
Microsoft - Where would you like to go today, Maybe Jail?
Or you could just buy an 806 with the SPI firewall package for around $500.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
From the article:
down the track, make the move over to a rack mount case, because rackmount cases get you chicks
Right... maybe big fat nasty hair grotesque chics.. no thanks...
yea you could call it a troll, but i have to say this isnt really like slashdot.
Posting a warez link on front pafe
A couple of days back you posted a zip file for crashing windows
What the routermonkey guy is suggestiong will definately land you up in jail no joking here.
Currently slashdot is kind justyfying priracy and stealing in names of rights and all bull shit.
This is not done. Free software and open source DO NOT EQUATE with piracy.
Slashdot is the domain of geeks, technologists who are sensible people and do not want warez and cracks.
If I wanted warez and cracks i would go to some warez site and get plenty.
And in case you are not really convinced, lemme tell ya.. getting hold of flash for cisco is illegal. "Difficult to procure" thats what the article says. Well its plain illegal. So atleast post a warning about this so that some poor dumb ass dosent really try this and land up in jail.
And could you please aviod such things in future?
My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
FB : https://www.facebook.com/TanveersPhotography
PIX is Cisco's firewall product. If you don't know, then you shouldn't try this at home ;-)
Well, I think it's good to do some hardware hacking, like TiVo modding and whatnot.
Using opensource software instead of using their expensive counterparts is also a nice thing to do.
But, excuse me, what is this fucking thing about?
This puts the whole community into a bad light.
This whole "hack" or "tutorial" or whatever you might call it is nothing but two things:
Take some standart hardware and install stolen software. Wow.
Would you call this an intelligent hack? Maybe the folks over at something like scriptslashkiddiedot.org would...
Go to www.freesco.org or any other single floppy OSS based distro, get an old pc and two NIC's and go. $100 max.
The reason to use CISCO is ultimate durability, stability, service, configurability, speed etc etc.
hacking this thing together is gonna give none of the above!
In what setting am i gonna need a cheap ripoff of a professional router?
Those places that need the real thing usualy also deserve the real thing !
Why are other peoples sig's always more witty ???
Linux iptables HOWTO
How to Build a FreeBSD-STABLE Firewall with IPFILTER
The OpenBSD Packet Filter HOWTO
Acts@core.mailboks.com Acrux@core.mailboks.com Adam@core.mailboks.com Adar@core.mailboks.com Ada@core.mailboks.com
Would it be fair use if you build these beast to store your backup of PIX OS on? It could be considered a very advanced backup medium, with a built-in functionality test ;)
karma capped
Thanks to this insightful article, I've realised the true money-saving potenial of stealing.
But all I have is U.S. dollars. Oh, well.
One of the arguments I have heard for choosing PIX is that it is a "hardware firewall" and therefore presumably more reliable, faster, and less likely to break. Perhaps this will make more people realize that the PIX is just a piece of software running on a PC -- just like almost all other firewalls in the market.
Finally! A year of moderation! Ready for 2019?
well Hulk Hogan is all your fault! ;P
...needs to be fired.
Everybody in the Cisco gig knows that the PIXs are nothing more than basic PCs, complete with floppy drive for software upgrades, this really is no revelation.
This guy just comes across as some network wanna be. Learning the commands is the simple bit, RTFM, (or just reverse normal IOS commands for a PIX) know when to use these commands and exactly what they do and how this will affect the enterprise is the bit that makes you CCIE material.
No doubt Cisco will get there own back when he does the CCIE lab.
A journey of a thousand miles starts with a brutal anal raping at airport security
"Today your slashdot moderators have been replaced with Frys employees...let's see if anybody notices..." First "How to test a T1" and now this...
What jackass would want to waste time and money recreating a POS firewall like a PIX? When's the article coming showing me how to clone a watchguard?
I predict Cisco won't claim DMCA against this, they'll see it, fall out of their chair at how completely stupid some people are, and continue their business.
For all the column inches devoted to how the DMCA/RIAA/whoever is immoral, you go and put a link to someone advocating theft. This isn't far from advertising warez... even if the server can handle the traffic, the slashdot effect still allows a lot of eyeballs to see that site.
I disagree with software piracy, and stealing music online; I occasionally do download MP3s, I won't deny it; just as I drank alcohol when I was under 18 (UK), but I would consider myself only a 'minor' user - these files are never on my HDD for too long (I think the record is about a week)
But this is qualitatively and quantatively very different from
How can any movement to safeguard our rights be taken seriously with this sort of lunacy? Valenti et al will be rubbing their hands in glee. This is another victory for them - if one of the most popular advocates of free software is advertising piracy, then that reflects very badly on the community as a whole.
And yes, I do consider my MP3 use to be wrong - I'll buy these songs if they release the single but I don't want an album of pricey crap because there's one song ion it I like - I can't wait for services where a comprehensive list of songs can be bought at a reasonable pprice, individually...
This idea was invented by Shampoo.
Try again at a later time.
Is the flash card he's talking about a PCI card?
BTW, I agree with the comments about building a linux FW. Kernel based firewalling and packet mangling is really at an amazing state right now...
On of the original principles established back when IBM was king is that if you built a workalike, they still must sell you the software. This is not Warez, Crackz or anything else, this getting fair use, as long as you legally source PIX.
...have any idea of how expensive 800 AUD is?
Translate amounts into some kind of real currency that doesn't involve kangaroos raping koalas. Something like: USD, CAD, GBP, EUR, or SFR.
I know what an AU$ is, I live here. I know how to convert to USD and EUR. Never heard of CAD, but guess Canadian, don't know how to convert. GBP? Great Britain Pounds? SFR? Star Formation Rate? What does that have to do with currency?
The last Cisco PIX I had to open to install a new NIC was a model 1500 IIRC, and it was just a low-end PC board (Intel BX) with a P166 and 32 or 64 Mb o Ram. And a PCMCIA card slot. This handled a T1 with about 1,000 users and had no downtime in over 5 years. The Cisco software was excellent.
There is nothing stopping anyone from downloading a image from Cisco's site if they so choose. Licencing is another matter. That would be against the law if I read the Cisco licence correctly.
This story does not link to a source for the files mentioned. That does not make this story OK. It is not OK that routermonkey has the filenames listed, as that makes it trivial to find using P2P networks.
That being said, you could just goto Cisco's web site and read up on their PIX products and read the docs to "learn how to configure it". But why, if the like Freesco, The LRP, and BSD are around. These will do anything the PIX can do and are quite simalar to the Cisco product. The reason the most businesses want a Cisco firewall is that the CFO/CIO don't want to get nailed by auditors for running a "freeware" firewall. They want a big name to cover their asses. The Freesco/BSD/IPtables combos will do just fine for your educational purposes.
I may be bad with names, but I'll never forget your IP address
I'm not sure if I understand what the point of this article is. Sure, it violates DMCA and the routermonkey broke many other laws (as many posters already mentioned), but what is the point. I understand, if not even agree, with the arguments for fighting RIAA, MPAA, Microsoft, and even RedHat (care to guess what tool posted that story?), but why are we against Cisco?
I didn't see where he mounted it in his pictures, and I haven't seen any motherboards that have the mounting socket for the flash like the PIX's I've taken apart. Is there a PCI card to do this, or is Cisco using something other than the pcmcia-like flash cards in the new PIX's?
Posting a warez link on front pafe
Was someone siffing on your fafe when you saif that, or do you juff talf thif way? =:>
Currently slashdot is kind justyfying priracy and stealing in names of rights and all bull shit.
This is not done. Free software and open source DO NOT EQUATE with piracy.
Get a sense of humor and logic please. No justification for the "theft" of Cisco's non-free technology is offered. This article simply states what can be done. It might make you wonder why big dumb companies shell out thousands of bucks for hardware that should cost about a hundred and hardware that has better free alternatives. It might also make you wonder why it's illegal to make a copy of machine only readable noise, especially code that's available off Cisco's tftp server. You might even research the mostly public University funded start up of Cisco. Naf, thaf woulf be insiful and infomatif.
A couple of days back you posted a zip file for crashing windows
You don't need a zip file to crash windows, silly troll, it does that all on it's own.
getting hold of flash for cisco is illegal. "Difficult to procure" thats what the article says. Well its plain illegal.
How about a link to that effect? Owning hardware illegal? Give me a break. What kind of silly laws do you live under?
Friends don't help friends install M$ junk.
That sounds really great, but then I visited their webstore. What exactly does the GPL license offer? Is it just the architecture source?
Clarify please ;)
$300 bucks (US) is all you need
Linux Router Project
--
If you moderate this, then your children will be next.
\Theft\, n. [OE. thefte, AS. [thorn]i['e]f[eth]e, [thorn][=y]f[eth]e, [thorn]e['o]f[eth]e. See Thief.]
1. (Law) The act of stealing; specifically, the felonious taking and removing of personal property, with an intent to deprive the rightful owner of the same; larceny.
Note: To constitute theft there must be a taking without the owner's consent, and it must be unlawful or felonious; every part of the property stolen must be removed, however slightly, from its former position ; and it must be, at least momentarily, in the complete possession of the thief. See Larceny, and the Note under Robbery.
-Dictionary.com
Drinking alcohol under 18 is not illegal in the UK. It is illegal to serve alcohol to under 18 year olds in licensed premises.
> these files are never on my HDD for too long (I think the record is about a week)
> But this is qualitatively and quantatively very different from /. virtually advocating pirating software worth several thousand pounds.
You are correct, /. isn't breaking the law but you are. You are stealing MP3s online, /. isn't doing anything illegal. Not only that but you've just fessed up to it in front of the millions (well a few dozen) /. readers. You need a better grip legal and illegal I think. Doh!
David
Seemed like a good idea at the time. Guess it wasn't.
Details on how to do this surfaced on some cisco study boards 12-18 months ago. Most of the people on the board were interested in this to be able to add a Pix to thier home study lab. Groupstudy had a very long thread on this. They were dubbed the 'FrankenPix'
Cisco is very well represented on the board, and they never said a word to anybody about not doing this, and sort of allowed it to happen.
On the other hand, when FrankenPix's started appearing on eBay, they cracked down, hard and quick. But, to this day, they still haven't said anything during the discussions o the cisco study boards.
My view on this is they really don't care if people build FrankenPix's for home study, after all, that's just going to help sell more Pix in the long run. (Checkpoint, afterall, will gladly give you 30-day trail licenses for FireWall-1 for home study) But, if you try to build and sell these, they WILL get you. (And honestly, if you want to use these boxes in a professional enviorment for day-to-day usage, you are asking for trouble.)
--dirt
I guess there is a lot of people who have been playing with ipfw, iptables, ipchains etc
And would realy, sincerely, like to know:
What can I do with a Cisco PIX that I can't do with Linux and IPTables ?
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
I recommend avoiding smoothwall (search usenet for "richard morrell smoothwall" for more info..).
Try IPCOP for a GPL fork of smoothwall that is not a hidden attempt at selling things and is GPL in spirit, not just name.
This article shouldnt have been how to make a pix it should be how to make a legal,cheap,open source alternative to one.
no sig.
The other way to learn the PIX OS for close to the same price is to pick up a PIX 501. These little boxes run for $400-$600 depending on where you find them and they run the full PIX OS. You're limited to 2 interfaces (no playing with a DMZ) but there really is a lot of stuff you can learn and do with these things.
I see a lot of "stealing" comments. So, instead, go the Open Source route and build your own firewall with the NetBSD/i386 Firewall Project
Yes, yes, I know, blatant plug
-John
Look, there's plenty of reasons why a company would want to purchase a PIX from Cisco. Many have been outlined in postings already
A student wishing to practice configuring a PIX would benefit greatly from this information. They obviously wouldn't be able to afford a full PIX, so putting together a test box is their only choice.
As far as I'm concerned, this info can only benefit Cisco, as they get a whole bunch of people that know their product inside out. That then tips over into increased sales, as these people recommend using a PIX to their boss.
DeeK
NetBSD/i386 Firewall Project
-John
I found one on ebay here .
Well yes, you can't indeed download a Porsche. The only resources you cost for downloading a file on the internet is some bandwidth from one of your warez peers (and granted, this bandwidth taken is also taken from other, legal users, but that's what Terms of Service exist for).
In the case of the Porsche however it cost resources paying the factory workers and the raw material entering the factory. The point is NOT the same.
Personally I only pay software that is reasonably priced - generally second hand games. Most of the software nowadays is 90 percent bloat, and after spending the most important part of my paycheck buying the hardware John Carmack and Bill Gates decided I had to have to run their software, I just can't afford their software anymore. Their fault. If they were to keep their software unbloated, I would have enough with a 486. Then I would be able to buy their software. Some time long gone, programming was an art, with limited resources so you really had to do your best to use the hardware properly. Now the software developers just write shitty code and waits for Intel to release the next stepping of their CPUs, leaving the low end users in the shit.
So the problem IMNSHO is between the hardware capitalists and the software capitalists. Either software is good, gets bought and hardware doesn't get upgraded, either hardware is good and software bloats.
And I can't afford both !
THe same %age of /. readers who REALLY understand how to use the web...
Conversion
I think you mean Francs. The last time I checked, the Swiss wern't paying for goods and services with sausages.
OLPC Australia
If AUD isn't real, what is it? Fake? Use the Web. No need to get a kangaroo to rape a koala (although that sight has gotta be worth a few bucks).
OLPC Australia
Okay, the first ten posts are crying about how illegal this is and how it shouldn't be on Slashdot. I'd just like to say STFU, it's interesting, compared to most of the crap that gets posted here. Most people can buy a cheap PIX from Ebay anyway, so the article is more interesting from a technical standpoint than anything else.
This has nothing to do with the DCMA or anything else, it's copyright infringement pure and simple. Cisco's code is NOT free, it is liscenced and the cost of that is included in the price of a firewall (in fact it is a lot more than the hardware). To download the software without a liscence is copyright infringiment no matter how you cut it.
Ok, so this is illegal, no question about it. It's copyright infringement, pure and simple. Now, as many have pointed out, there are plenty of free alternatives that are basically just as good. After all, you don't get any support for this, so why not keep it legal.
Now I looked at the links provided and I didn't see any firewall that has a feature I really want (the PIX doesn't ether yet): Layer-3 invisibility. Basically I want a firewall that appears invisible to devices on the network, and just filters traffic as it goes through.
Does anyone know of a GPL firewall that does this? I'm mainly interested because I can't use NAT (I have servers), but I don't have enough IP addressess to break apart my network into an inside/outside config.
"Why not write one then, mr genius?"
I didnt need to, I discussed and linked to a good open source one. Now... what was your contribution to the discussion again?
no sig.
I don't know much about PIX, but i've used a dozen of 1000,1500,1600, 2500, 2600 cisco routers and access servers.
Cisco's networking setup is MUCH better, logical and *documented* (show me GOOD iptables documentation, anyone?!) that linux or *bsd.
It took me several hours to implement very simple ip policy routing in linux, and it is still looks like more a hack..i did the same task on cisco router in 10 minutes.
Setting traffic shapers, queue priorities and so on just a matter of minutes. And you have more networking features which linux have not got yet even with the cheap 500$ used 1005 cisco router.
However, sometimes there are nasty bugs in cisco's IOS, but you can almost avoid it by using latest stable IOS release.
There are two low end PIX's now which only cost $400 and $900 US anyhow, so any justification for doing this has pretty much evaporated.
If you're just using one for study purposes I don't have a big problem with it, but agree with prevailing sentiment that only the insane would put one into production.
Think about it. You got a intel chipset mobo running Cisco software off of flash. I know some cisco guys....this isn't rocket science. Running openbsd or linux and following prudent concepts will get you the same thing.
Just because it says "Cisco PIX" doesn't mean it was hatched from a daemon's ass and is the best. At work, I use them. Great service and reliable performance. At home, openbsd.
That compact openbsd idea sound like a good start.
I can think of exactly 0 people who like working on them. They pump traffic, sure, but not well enough for the pain-in-the-ass factor.
To all the people finding this initial posting so terribly controversial, relax. This site is a glorified bbs, not an official newsletter for all the nerd community. The point is that the guts of the boxes are pretty simple. The huge price tag is for the proprietary IOS and support. If it's worth it to you, fine. But leave the little haxor monkey alone. 99% of the people--at least--on this page have done some pirating here and there. If you can't figure out that this is not legal and could land you in trouble if you throw it up somewhere visible, you should get at least 1-2 years for irretrievable stupidity.
Actually, the official, ISO-sanctioned acronym for our currency is CHF.
Karma: none (due to not believing in reincarnation)
As stated before, this "hack" is piracy and therefore illegal. Furthermore it is a stupid waste of money.
Why spend $800 for a amateurish, rigged up, pirated Pix when you can have the real thing for less. If what you really want is to learn about the Pix and its configuration simply hop on to eBay and buy the real thing. On eBay Pix 501s and 520s can be had for $400 and $500 respectively.
You should have made it clear that you wrote the article slashdot linked to (I only figured it out when I saw your URL is the same as the pix article). My post didnt mean your article, I mean Slashdots article.
Furthermore I was responding to the mention of smoothwall in my time honoured fashion of recommending IPCOP instead.
You can untwist your knickers now.
no sig.
I doubt there is any way for the editor to easily pull the story, and using raw SQL is so troublesome and so risky (for some /. editors) that they will try to avoid that if possible.
Legal arguments aside, this could be done with upgrade kits for Watchguard Fireboxes back in the day when you could hardware upgrade a Firebox. The upgrade kit was primarily a flash memory drive that plugged into the IDE port. Grab a like motherboard, same model ethernet cards, plug in the flash IDE and you had a firebox.
I haven't used the newer products (we moved to PIX), but I'd be real surprised if the new hardware didn't work the same way, although maybe they've decided to put some queer data in the BIOS flash that the firewall software checks.
I think there's money in it for a firewall companies to market a "firewall kit" of software and optional flash drives for use on whatever boxes are handy.
I'm sure they'd argue that it'd be too hard to support and would threaten the security by running on non-audited hardware (and it would kill off the high-margin hardware they sell, which would be the secret argument), but for a company willing to take a risk it might help them clean up in the low-end or large volume markets. It might be the perfect application for a purpose built BSD firewall distro. Yes, I know you can roll your own now, but there's significant advantages to buying pre-rolled kits.
Sure they are...
t em =2048707620? ViewItem&item =2048444062
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&i
http://cgi.ebay.com/ws/eBayISAPI.dll
Are there howto's on setting up BSD or Linux based firewall using some kind of a flash device (to eliminate hd)??? I realize you can use a CDROM drive, but that's still moving parts. You can get 128meg flash disks now, any way to use that like this pix card does?
This has been mentioned above, but not very clearly. As far as I know, the PIX software also requires an activation key, which costs money. You might be able to get one from a warez utility, but it is an extra step, and it is illegal. Also note that Cisco charges extra for the ability to just secure shell into your firewall(!). Unless you cough up a whole bunch of extra money, you have to use TELNET to configure a FIREWALL. This is really lame.
/proc filesystem. I searched and searched and could NOT find any way to do this on BSD. It may exist, but I couldn't find it.
Further, the PIX just isn't a very good firewall.
The hardware is well-built but incredibly underpowered. The one we have at work is only 200mhz. I don't know how far that will scale, but, personally, I don't think I'd want to be putting more than about 5 megabits through it. And Cisco charges about 12,000 dollars for the PIX.(!)
The command syntax is really hard to figure out. It just makes no sense at all. The documentation on Cisco's site is excellent, but I always have to resort to cookbook examples, because I don't use it every day.
The default configuration is 'allow all outbound traffic and all inbound replies'. It is very hard to change this. If you want a fairly secure network, you shouldn't allow direct outbound connections, but rather only through a proxy device of some kind. If your security policy requires outbound connection restrictions, this is really awkward to implement with the PIX.
The PIX isn't a very good router, either. It doesn't support most of the 'real' IOS commands. You can do some routing with it, but it's not very flexible.
I've worked with a lot of firewalls and have done a lot of firewalling, and in my opinion, Linux with iptables is about the best thing going. You will have to spend significant learning time to figure it out, as the documentation is not very good, but once you do, you can do pretty much anything with it. Linux has always been a great router, and with the introduction of iptables, became a great firewall too. If you don't want to build rules by hand, there's a program called 'fwbuilder' that gives you a Checkpoint-like GUI. FWBuilder also speaks OpenBSD's pf and I *think* Checkpoint's firewall language, but I'm not sure about that last.
OpenBSD has a good reputation as a firewall. I used it at home for a couple years, but I have moved to Linux since then. The PF language is very clean and easy to read, and if you're just starting with firewalling, it can be a good first opensource firewall. However, there were big performance problems with OpenBSD's bridging firewall code in 3.0; it choked hard over about 25K connections, and past about 30 megabits it just froze up for random periods of time. Very frustrating. Linux on the same hardware (with the iptables bridging patch) handles over 60 megabits flawlessly. And going over 30k connections is trivial; you simply echo a large number into a variable in the
They may have fixed the performance problems in more recent revs of OpenBSD. 3.0 was the first release of pf, and I threw it into a monster production environment based on the OpenBSD team's reputation. The later revs may be much better, but as of 3.0, Linux absolutely destroys OpenBSD as a firewall.
There's one cool thing the PIX does that I haven't figured out how to duplicate manually. It has an 'established' command, which allows you to say: "If I open a command on port X, allow a return connection on port Y for a short period of time." This is useful, for example, for IRC, where you connect on port 6667 and an ident connection comes back in on port 113.
I asked about this feature on the OpenBSD newsgroups, and got scoffed at... according to them, it's more secure to leave the port open all the time to everyone than just to allow return connections from a host to which you have connected and only for a short period of time. Frankly, I think that's just stupid. It's the typical apologist reaction... "that's a dumb feature to ask for because it's hard to do". They'll say it's stupid until someone takes the time to implement it, and then suddenly that's the only way to go and any system that doesn't do that is obviously broken.
I haven't found that capability in the Linux iptables stuff either, FWIW. As far as I know, only the PIX does this, and I consider it a very useful feature. (you can sort of simulate it with some of the kernel modules for different protocols, but I haven't found a way to do an arbitrary set of ports).
If you can live without the 'established' command, though, I'd probably, overall, recommend the Linux/FWBuilder combo. If you want to learn more about firewalling, OpenBSD's pf language is a nice simple way to start.
And if you really want to spend money on a firewall, Checkpoint is a much better solution than the PIX. It has many enterprise-class features that the free alternatives lack, like good VPN support and great support for managing clusters of firewalls. The Nokia Checkpoint boxes are *really* cool; they are based on a custom BSD-derived kernel. They cost more than the PIX, but in my opinion are wildly better and well worth the extra. (when I last looked, the prices on the Nokia boxes were in the 20K+ range. They may have dropped since the dotcom blowup.) The administration is easy, you get the power of BSD, and the hardware is really well-built. Very, very cool boxes.
Last I checked 3DES VPN capability was doable with Linux. Also, current versions of IPTables can be configured to use state information in making packet forwarding decisions--"stateful inspection".
I have been in network security for about 9 years now and I believe that PIX fails when you go over 2 or 3 networks. The problem is that you have to define security levels to each network. Though this may sound straight forward at first glance it does not work in the world of corporate security. You need to have a much more definable network security policy.
Pix would be best used as a border firewall with maybe 3 interfaces (Internet, internal, and Sync). Although this is still a packet filter and does not take state into considiration, but that's another story...
I would be interested in trying this with a Nokia box running Check Point. If you look at an IP440 it is clearly just a PC running IPSO (BSD diriv).
Nick Powers
Encryption: I may not agree with what you say, but I will defend your right to encrypt it...
Because it is illegal and you will go to jail for stealing CISCO's intellectual property.
More important than the legality are the ethical aspects of any given act. It's illegal to circumvent copy protection (according to the the DMCA) even if it is to make a copy for your own use. But doing so is not unethical.
In this case, we have an act that is both illegal and unethical.
This article never mentions pirating the Cisco IOS. Anyone who has ever purchased a Cisco product gets a login that gives them access to *any* piece of Cisco hardware's flash/boot software. Cisco makes it available. Granted, if you don't have the access then it becomes piracy.
Secondly, the article never actually mentions stealing a PIX flash card. Someone that legitimately owns an older PIX could, after the warranty/support/etc had expired, remove the flash card from their PIX and "upgrade" the hardware for a little nicer firewall. If you acquire the flash card through illegal means, however, then that would be stealing. Cisco might even sell them! (doubtful, but I don't have time to check it out)
As far as intellectual property goes...you aren't reverse engineering anything. Everyone knows the Cisco PIX is just a PC with a floppy drive and some flash memory. It even tells you that when you boot a real PIX.
All you are doing is constructing your own.
~.Evanrude
It was probably illegal and unethical for Compaq to of reverse engineered the IBM PC BIOS but they did and as a result it gave birth to industry we know today. Perhaps those dumb politicians creating all these anti this that and the other laws should remember that.
I guess I don't understand the ins-and-outs of this, but could you not buy the software and skip the hardware? That alone would save quite a bit of cash, and just might be legal (but almost certainly outside of your average EULA). Plus, you could install a replacement NIC for about $10, after a quick trip to Wal-Mart... I'd rather use a non-desktop OS as a security device wherever possible. There are risks to everything, but as Windows demonstrates, the more available you are the more you get hacked. Wouldn't Cisco have to be less 'hack-bait' than Linux? (I'm not even going to ask about Windows) I have a question about the story though, where the heck does the flash card go?
There is a little bit of theory behind it because the firewall has to work "backwards." You almost have to accept all packets in, and then enforce security as they are forwarded outbound. This is not a problem with most firewalls that can be coaxed into bridge mode as they allow you to either specify direction (pf, ipf) or enforce the policy on all interfaces in either and/or only in user specified direction anyway (firewall-1)
OpenBSD and whichever firewall you wish to run on it support it reasonably well. I am pretty sure you could follow an approximation of those instructions for Linux.
Try here at daemonnews.org for a link on how to do it with openbsd.
There are also commercial firewalls that support it, including Sun Sunscreen and Check Point Firewall-1 NG (only on their new Linux platform at the moment, but their other platforms may support it soon as well).
I work at Cisco, things are tough right now. The company is making money but did you know that they haven't given raises to their employees in two years? Did you know that plan on going at least one more before they give out a raise?
Did you know that they have cut promotions to 3% per year? I'll do that math for you. As a Cisco employee you can expect a promotion every 33 years. Not that it matters because if you do get promoted all you get are stock options with no raise.
Did you know that they have their "active management" guns blaring at full speed? This means that the managers are forced to cut 5% of their staff every quarter. (In fairness, they seem to actually cut less than that). However, they have certainly reduced their staff by over 20% in the past two years. There aren't any slackers left at the company.
Thank you for handing out information regarding how to steal our products.
Vanguard
--------------------
I understand that some of have it even worse. Some of you are not employed at all. I feel for you.
That which does not kill me only makes me whinier
Couln't we use a PCMCIA adapter and a 16mb compactflash card instead of the ISA flash thingie?
No, they are not deleted. just remove the space by the = sign. for the link challenged, use these
t em =2048444062
t em =2048707620
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&i
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&i
IBM published the source code, its inputs/outputs (functionality requirements) were documented by one group of developers, and new code to produce the same functionality written by people who had never seen the old code, and thus was legally reverse engineered.
Nothing about that article is remotely illegal, as he is simply describing how one would make a box using Cisco software.
:wq
I can publish a page on how to crack software, convert an AR-15 to an M-16, make meth, pick locks, launch dead babies out of catapults, and even have sex with dolphins, and none of that would be illegal, because I have the right to say pretty much anything I damn well please.
(Not that publishing some of those things is a good idea...unless you like feds showing up at your door.)
Talking about an illegal act isn't illegal (yet)...DOING it is.
There is absolutely no reason to pull this article...it's not as if the author is hosting IOS files.
One ring to rule them all. The (_O_) in Goatse.cx
It's hardly significant which side fired the first shot
To Greedo, tell that!
-- Yoda
I read the linked page as how to build a PIX-like firewall by slapping some PC parts together and adding a legally-acquired Cisco flash card containing the software. Am I confused about the nature of the flash card? I saw it as something like noticing you could buy Macintosh roms out of an Apple repair parts catalog, and then writing a page saying "Build your own Macintosh clone by putting some standard hardware together and adding Mac roms that you buy from Apple". Sure, you've possibly annoyed Apple by avoiding paying a lot more for a real Mac, but as long as you get the roms legally, where is the piracy? You're not copying the roms, you're getting legitimate ones. They're even still legitimate if you get them on a secondary market like from a trashed motherboard.
If all you want to do is run an OS from a flash disk on a PC, you can get a 16 MB CF card for under $20 and a CF to IDE adapter for another $20 or so. So I figured that the $400 for the PIX flash card has to mostly be going towards acquiring the software legally. Am I misreading the article?
Yeah, I'm in complete agreement with your accessment: Hacking together a Cisco PIX clone is going to offer you nothing.
Despite all the flaming of Slashdot for linking to this article, though, I think there's another reason for it besides the obvious. The point I got from it is "Cisco firewalls are really just 486DX computers in a pretty rack-mount case, with some proprietary firmware loaded in them."
Not that I didn't already know this. My work got a Cisco PIX, years ago, for free. (We initially purchased a Windows NT based software firewall product that was bought out by Cisco, and discontinued shortly afterwards. Since there were still 500 or so active users of the NT based product out there - Cisco just sent all of us free PIX's to get us switched over.) When I first examined it, I though "Man - no wonder they can afford to give these out for free! There's not much to it!" I was blown away when I saw their retail price for one.
I think many folks still view the Cisco firewalls as some sort of technologically superior product with costly parts inside. They're not - and the sooner people realize that, the sooner they can start feeling comfortable running a free Linux or BSD based firewall solution on a standard PC.
I own a PIX 506 box and have worked on the 515 and 525 as well.
Both the PIX 506 and 515 use an Intel socket 7 200Mhz MMX processor without a cooling fan, they just have a heat sink. The system board is just an Intel, nothing special there. PIX expansion slots are PCI slots. The Ethernet interfaces use Intel eepro i82557 (or was it i82559?) chips, just like your Intel NIC in your desktop. Everything is really standard, except for the software that runs on the box.
For people who know Cisco hardware, they seem to recognize that the PIX series of firewalls are far faster than say a 3600 series router, or any of the older Cisco hardware. The PIX firewalls were acquired by Cisco when they bought Network Translation. Reference;
http://www.cisco.com/warp/public/146/
So when you are buying that $4000 3640 with 128MB of RAM to handle the 100K or so of Internet BGP routes, you are buying something with the processing power of an Pentium computer or less.
Here are some facts on the Cisco 3600 series;
3620 64MB RAM maximum, 80Mhz RISC processor
3640 128MB RAM maximum, 100Mhz RISC processor
3660 256MB RAM maximum, 225Mhz RISC processor
One of the major considerations for Cisco is that their equipment has to be really stable and heat tolerant. People love to treat Cisco hardware like old telco hardware and keep it out in a barn and stuff, in the damp air, with a bunch of dust, whatever. We should all know how Intel processors are in regards to heat. But even an old 200Mhz Intel MMX processor can run without a cooling fan.
Cisco router hardware, in general, is really slow and sucks for processor speed. Juniper has mopped Cisco all over the floor in the core Internet market in the last few years because of port density, processing speed, and packet forwarding latency. In comparison, you look at a Juniper M40 versus a Cisco 12012, and the 12012 looks like a huge POS, and I don't mean packet over Sonet.
One of the things about the Juniper routers is that they use Intel processors and SDRAM -- not much special there. The hardware is all completely custom, but they choose to ditch the Motorola and IBM processors for Intel. Packet forwarding processors are totally different than the core processors that we are talking about here, so I will leave them out for the most part. Still, Cisco uses a lot of off the shelf stuff in their routers and companies like Juniper have manufactured their own or applied existing stuff better to get the wire speed forwarding rates on all interfaces, with a backplane speed that is greater than the sum of all possible interfaces on a router.
Cisco does not really see themselves as a hardware manufacture, but instead as a software company. However, if they do not shape up and start making some really good hardware, they are going to get kicked out by Juniper as they start to climb down the ladder and come out with smaller more affordable boxes and spread out from their core and big-box offerings (think M-5).
Lately Cisco has released a few good new hardware. The 10000 series aggregation boxes can mux Sonet down to fractional DS1s, which is pretty hot, but these boxes are really hard to use these days because of the serious downturn in the market and the fact that a lot of DS1 customers have gone away. Old 7513s that ISPs have in stock with fractional PA-2T3s work fine.
In switches, Cisco has come out with the 3500XL and 3550XL switches, which are really great.
But most people out there have 2600s and 3600s. There are a lot of 2500s still in use too. Some things are starting to hurt Cisco though. It can take a minute or two for all of those BGP routes to get filtered out when interfaces flap. Cisco does not even offer any kind of SSH2 capability with ANY of their routers (to my knowledge), they only support SSH1 on special IOS versions and platforms. I really wonder if these routers, with their slow processors, can handle new stuff.
I wonder how this will effect an IP6 roll out. I remember working on some 3600s and IP6 some time back. They had issues, but I understand that Cisco has worked a lot of those out.
Oh well.
The moral of the story is that Cisco hardware is kind of slow and it shows. On the other hand, it usually gets the job done.
I need to go back to finding myself a job. Posting on Slashdot ain't paying the rent.
Anyone out there have a Juniper Olive image? I would not mind having one of those in my lab.
I already mentioned it in another reply on this topic, but here's the deal:
You people assuming that the only purpose of linking to this story is to promote stealing Cisco's product are mistaken!
There are many folks out there who still believe a Cisco firewall product is somehow technically superior to most others. These are the same people who insist on blowing thousands of dollars on something like a PIX, and meanwhile, won't even consider a freeware solution running on an older PC.
The fact that someone has completely disassembled a PIX, shown you what's really inside one, and proceeded to build a "replica" the way he did proves a point. Hardware-wise, at least, you're likely better off (not *worse off*), using an old Pentium-based system to run something like FreeSCO, IP-Cop, Smoothwall GPL, or you-name-it.
It all comes down to this: Spend $12,000+ to legally run Cisco's proprietary firmware on a 486DX in a pretty rackmount case, or recycle your existing junk PCs with open-source alternatives at pretty much $0 cost. There's nothing else "magical" in the PIX box, folks.
And yes, I do consider my MP3 use to be wrong
Clearly you don't. Your handwringing relfects the mentality of a spousal abuser: "Yeah, I know I shouldn't beat my wife, but at least I feel like shit about it, so every now and then I might still get carried away."
Piracy is the Red Scare if the Information Age. If you really thought "pirating" MP3s was downloading Communism, and if you really thought it was wrong, you wouldn't do it.
The reason you do it is because your instincts haven't caught up with the propaganda of our media cartels. After all, if it were really stealing, would tens of millions of Americans openly download MP3s, burn overpriced (per FTC ruling) CDs for friends, and not think twice about it, even openly discussing it with their friends? When's the last time you heard someone openly discuss the last item he or she shoplifted in a store?
The sense of guilt doesn't carry over because people instinctively know that with CDs, like bottled water, they're paying for the media, not the content. They know without having to be told by the RIAA, and in spite of the RIAA, that digital content has no a priori value; and while some markup is permissible, $17.95 is a scandal. Or to put it another way:
I'll buy these songs if they release the single but I don't want an album of pricey crap because there's one song on it I like - I can't wait for services where a comprehensive list of songs can be bought at a reasonable price, individually.
In answer to the 'can't afford a full PIX' several people have already posted the answer to this:
PIX 501. 10 users max, sure. 2 interfaces max. But they're cheap and don't involve pirating the licence.
That's ok, they won't be for long. I've reported them to Cisco's legal department and eBays DCMA contact. This is clearly illegal activity pirating Cisco's life blood.
Yeh cry me a river... Your CEO just got the 7 VCR's on his boat swapped out of DVD players..... Yes thats right 7. So things may be leen for you, but don't run around crying and pointing fingers at everyone.
I X- FLASH-16MB=.html
Anyway, this whole article is BS. That cisco 16 MB flash card (and this is an empty flash card, thats where the whole piracy thing comes in) costs between $700 and 800 USD!
http://www.ibuyernet.com/prod~id~500939~CISCO_P
So the title of the article should be "Build a Cisco PIX for $1,000"... $400 to play with something like that... Maby... $1000 hummmm....
To clarify what the Private Link card does - it's basically Cisco's proprietary PIX-to-PIX VPN tunneling method, before IPSEC was out.
As others have said, why hack together this box when you can get a PIX 501 or 506 for less than or equal to the cost of the 16mb flash part, and you'd be legal. Plenty of eBay Buy-It-Nows for $439.
Second, I did a search on PIX-FLASH-16MB= (Cisco part number for the required 16mb flash), and couldn't find it for less than US$688 using Nextag.
I can understand where Cisco might have a market in really huge routers that are beyond what PC architecture can handle, but it seems the vast majority of their product line is equalled or even bested by a well built PC running Linux / netfilter. Why would anyone want to build an cheap knock-off of an inferior, proprietary design? And illegal to boot! (pun intended). If you want technilogical freedom, use free technology. Somebody should start marketing linux-based routers and firewalls and use a large percentage of the profits to further the iptables / netfilter project.
Cisco Software that he obtained and is using without a software license. If I go to your house, climb the pole outside, and start using your phone service to make long distance calls is that illegal? Peace out!
"I'll be better when I'm older"
Because you no longer want to rely on telnet?
And remember that "maintaining" Cisco devices means loading a new IOS image and rebooting - at least until they get module support in their NextGen IOS, or whatever they choose to call it.
Cisco may be the 800-pound gorilla of the networking world but, overall, they are behind the curve when it comes to both hardware and software technology.
Pain is merely failure leaving the body
What a bargain when you can by a genuine Cisco PIX 501 for less.
Not that I am blessing the practice of pirating firmware code from the Pix, but there is one issue. I looked into doing this a while ago just to play with the Pix. I've heard horrible stories about how bad it's logging is, and how it is a firewall to avoid. I wanted to check it out for myself. However, the card with the flash memory contains a serial number prom which is required to execute the Pix code. When you buy that card, you are buying a serial number 2nd hand that is required by the Pix code to execute (from my understanding). Obviously these cards are coming out of Pix firewalls. I realize that some might be from upgrades, and that could nullify the argument. But since these serial numbered flash cards are required and are most likely pulls from failed boxes, wouldn't that mean the number of "pirated" pix firewalls will never exceed the number of legit pix firewalls that were sold (until someone hacks the firmware to load from a standard IDE disk or IDE sandisk, it wouldn't boot when I rawrited it to a sandisk). Not something Cisco really needs to worry about as the number of flash cards with serial proms is probably limited.
Southeastern Virginia REPRESENT!
http://www.linuxjournal.com/article.php?sid=5846
The paper edition of that issue, August 2002,its 100th issue also discusses how to build a Linux router using PC parts and the LRP distribution.
While it gives numbers for the Linux configurations, it doesn't provide a head to head networking comparison with the Cisco 2620. On another note, I've been told that Cisco IOS could be headed for deep trouble if they don't change their development strategy - they mostly use microcode - VERY difficult to write and troubleshoot. ;)
That may be why their products are so expensive
Pain is merely failure leaving the body
If /. doesn't put stories like this up here (so people at Cisco can look at them and complain) then who would look at /.?
"I'll be better when I'm older"
I can't see anyone paying $400 for a 16 MB flash card unless it included some kind of software license. As for $400 being 1/3 the list price, that's unpersuasive. Paying 1/3 the list price for an older piece of equipment that was heavily discounted to begin with doesn't sound like that great a deal.
says you can only use it on cisco's hardware.
Everyone is freaking out too much... the only illegal thing in this process is if someone is selling copyrighted hardware.
Re-selling cisco flashcards is legal... first-sale doctrine and all that.
Just like Sun.. they act like they MUST know of all their big hardware in the world, where it is, who has it.. but in reality, you don't need sun's permission to buy a second hand server.
I work with Pix firewalls everyday. Infact I had recently upgraded a 520 from a 2 meg flash card to a 16 meg flash card. When installing the PixOS on your machine or Pix it was ask you if want to add another activation code (for the number of connections, URL filter, FA or other stuff.) This activation code is derived from the Serial number of your Pix (4XXXXXXXX), which is burned into the Pix ISA Flash card, or flash chip depending on your model. So you need this code to install and run your pix firewall. In reality you are really taking the only (identifiable/trackable) part of the pix within the flash card. I am sure Cisco isn't happy about it, but at least you gotta buy it from them. It's probaly the worst storage / price ratio on the planet too 16meg/~400bux. :)
:)
Anyhow thats serial and activation code are the most important part of that pix. Now if someone could clone that flash card, just about anyone could get a pix serial/activation code (easily obtainable from another real pix) and build their own free pix, without paying cisco a dime.
Disclaimer: I love cisco and think their equipment and service is worth every dime my employer pays for it
-ZiN-
"Thank you for handing out information regarding how to steal our products."
Steal your products? I think you need to relearn the meaning of "steal". Cisco sells network hardware. They compete with other companies that sell network hardware. Cisco's having a hard time in the market because their once all-encompassing monopoly and brand name recognition are slipping. People are finally realising that Router != Cisco, that there are other choices out there. One of these choices is to build your own hardware. Thanks to the linked article, its much easier.
Cisco's in trouble. They're facing tough competition, and a market that no longer automatically comes running to them as the only choice in networking. As a consequence (and judging form what you've said), things are starting to fall apart finance-wise. Now you're whinging that people have a cheaper option to implement hardware that your company sells for astronomical prices. To this I have three words for you - deal with it.
Believe it or not, we're not all here to help maintain Cisco's market share. If we can get the same functionality without actually forking out $X trillion dollars to do it, we will. If Cisco cant deal with that in any other way than crying that people are "stealing" its products, well tough f%$king shit dude.
Have the execs look at the company's strategies. Change the business plans, the products, whatever. Be proactive about keeping the marketshare - EARN it. Dont just whinge about losing it and ridicule people who help destroy the monopoly be showing people a *better alternative*
Janie took my gun...
But at least neither of us is responsible for the Spice Girls.
It is a slightly silly argument, but software really has very little comparable 'real-world' product as they all take resources to produce. Although it is annoying to see people taking extreme examples to make a point, on some occasions they can be useful to show something that otherwise cannot really be demonstrated.
Of course, your take on what I have written is slighty tangiential to my point - apart from the resources thing, which was not really the point of balls of the comment but more a side effect of the example. I think the point is still there.
Slashdot debates often have good points pulled apart because of minor flaws that don't really have any bearing on the overall argument - they are often just there to make people think slightly differently. I forgot this when I posted or I might have tried to find a more watertight example. In retrospect, maybe I should just have used Photoshop or something...
This idea was invented by Shampoo.