I use Debian when I'm on a workstation, or some servers. Primarily for when I'm feeling lazy, want packages (LAMP boxen spring to mind) and similar. It has many of the simplicities that I adore about OpenBSD.
But for a mail server, or a firewall box, or a primary UNIX file/print server? OpenBSD all the way (for me, at least). pf has an almost intuitive interface (though it processes the list backwards to someone who's a router/PIX jock). The box is inherently secure. And if I'm not using a lot of newer packages (forgive me. I'm no coder. I don't port stuff) it's rock solid.
And, I guess, some of the quirkiness is more natural to me than some of the Linux stuff.
So. I guess it's a matter of best fit, and not having a hammer and assuming everything is a nail. Again, for me, at least.
I had one of the early Sony NR70s, without the camera (the low res just didn't seem worth it). For me, at least, it wasn't the /weight/ that did it, but the size. The thing was just too tall to fit into a pocket comfortably so I stopped carrying it around.
(That and I never, ever got used to the keyboard. Go go gadget graffiti.)
When in the course of things I filled it with water and it was going to cost over $300 to repair, I started looking around and decided I needed a smaller form factor. This ruled out Pocket PC, etc, and I went back to a Tungsten. It might not have ALL the features, but it has the ones I need, and I carry it.
The large, thick, form factor is an absolute killer for me in these PDAs. (Though that small iPaq mentioned in the parent... that looks interesting.)
I had LASIK done last December. I was, previously, -5.5 in both eyes, with a very minor astigmatism. (Note: Not a developer, but a network engineer. Still a lot of screen time.)
The results were /amazing/. I'm 20/20 in one eye, 20/15 in the other. Night vision is /improved/ over when I had contact lenses -- I have less haloing.
Now. I'm not saying I'm a typical case. But I'm also not the most finicky about drops, etc, and I'm way impressed with the results. Being able to see in the middle of the night, etc...
OK... I have a few beefs with this. (And. For reference. I do work for a Cisco reseller and have a couple of Cisco certs; I've installed a fair number of PIXEN)
1) Throughput
Yes. The PIX runs on relatively low powered hardware. Sounds like you have a PIX 515, which is a PPro 200. And which will firewall well over a T3. (Cisco quoted spec is 190Mbps throughput. I've not tested this, but I'd treat it as a marketing number.)
The Finesse OS Kernel is small (latest rev shrank to just over 1.5 MB). And fast. It doesn't need raw horsepower to punch traffic.
2) Price
The 515 is both significantly cheaper now /and/ significantly more powerful (515E). It's still not cheap by any stretch of the imagination, but it's not $12k for the low end any more. (See other posts on the 501, 506, etc)
3) Outbound connections
Erm. This is just another ACL with the latest versions (anything since 5.0) of the PIX. Not exactly rocket science.
The old outbound/conduit syntax was, yes, complex and confusing. It's also been replaced with a standard ACL. (Almost. Regular masks, not wildcards.) ACLs are absolutely fundamental to Cisco, so if you have router familiarity you'd better understand them.
4) Not a good router
No. It's not. But then again -- it's NOT a router. It's a firewall. Why would I want my firewall to do all the general purpose commands?
5) Extra charge for SSH
Can you source this? All PIXen are now shipped with 56bit DES keys for free, and SSH support for free. (Yes. 56bit DES, not 128bit. Yes. This is less secure. Yes, it'd be nice to get 128bit for free, but that's also the level supported in the IPSec tunnels. It's $1k more for most PIXen for a 3DES key, much less on a 501)
I will agree that there are some limitations and flaws in PIX. That they only NOW added groups and NTP support was stupid. But those have been replaced.
As a counter argument: most homebuilt firewalls still have a full OS under them. Why do I want this? (And I realise this isn't universal, so please don't reply with links to all the stripped distros.) I believe in a box doing what it's tasked to, not everything, and simplifying administration -- capital investment is depreciated, staffing isn't, so have each box easily understandable, know what it does and know everything it does, especially in a security environment.
In answer to the 'can't afford a full PIX' several people have already posted the answer to this:
PIX 501. 10 users max, sure. 2 interfaces max. But they're cheap and don't involve pirating the licence.
Again, taken direct from the vuln-dev list:
From BestBuy:
> Thank you for contacting Best Buy's corporate headquarters with your
> concerns. Regarding this issue, Best Buy has deactivated our temporary
> wireless cash registers that transmit information via LAN connections.
> These registers are not Best Buy's main register terminals and represent a
> small percentage of the transactions processed within our stores. Please be
> assured that customer privacy is of the utmost importance to Best Buy and we
> will further investigate this matter.
>
> We do appreciate your taking the time to share your concerns with us.
>
> Respectfully,
> Alex Reynolds
> Contact Center Escalations
> Best Buy Enterprise Customer Care
The issue here (from the vuln-dev story, where this broke) is that they're not even using WEP.
It also appears there is SQL database access, etc, etc.
Leads to a lot of scary options.