firewall

Are there mole tunnels under the Great Firewall of China?

CurtMonash — Fri, 31 Oct 2008 10:50:33 -0400

I think there are mole tunnels under the Great Firewall of China. Here's the story as to why.

Read more

ChalkTalk - ASA Firewall – Packet Classification in Multiple Contexts Mode

yusuff — Thu, 28 Aug 2008 04:03:26 -0400

I recently posted a chalktalk article about ASA Firewall – Packet Classification in Multiple Contexts Mode... thought it might be useful to NW readers. http://www.cisco.com/public/news_training/itsnews/tech/chalktalk/200804.html Security Contexts Overview

Read more

Securing the Line Part 3 - Access Control

Matthew Nickasch — Tue, 26 Aug 2008 13:51:16 -0400
Yesterday we discussed the use of Virtual LANs (VLANs) to segment and separate voice and data networks. This level of separation significantly increases security across both the data and voice networks, and also provides yet another of complication for any would-be hacker. While Voice VLANs sound like a good idea (and they are), they're practically useless without the proper inter-VLAN routing configuration and safeguards. LAN segmentation means virtually nothing without access control lists, firewalls, and policies to route and protect data on both VLANs.

Read more

Is Vyatta as fast, cheap and wonderful as it claims to be?

Cisco Subnet — Fri, 02 May 2008 17:54:25 -0400

Vyatta says forget about thinking of it as just an open-source router. The company wants to do the whole networking enchilada. "Think of us not just as a pure routing play but also firewall, VPN, WAN load balancing," says Vyatta's Dave Roberts in this video interview with Network World's Jim Duffy at Interop.

Read more

More MPF and a Quick Survey

brandon — Fri, 11 Apr 2008 00:45:47 -0400

So in my last post I talked about the Modular Policy Framework and we too a very short look at how a class-map, policy-map, and service-policy all fit together. I also said that today I would discuss how to add application layer functionality. Where I will, as promised but before I do that I want to take a quick survey. Please use the survey below to answer the following questions:

When it comes to studying for the CCSP, what do you do for lab access?

Does it make sense to build your own lab or does it make more sense to just run though to books?

If you are buying your own gear are you also planning on attempting the CCIE Security?

Read more

Knock, Knock...Who's there? Port Knock!

Noah Schiffman — Wed, 12 Mar 2008 02:34:05 -0400

In our society, it often takes tragedy, to bring about change; unfortunate, but true. I am no exception. Over the weekend, I may have accidently left a few ports open. With 65,535 of them, it's hard to remember if they're all closed and stealthed, or if 1241 is still open from my Nessus session, if my Slingbox is still slinging shows over 5001, or if one of those ports in the 27000 range was left open by my alter-ego, half-life addict.

Read more

Cyber Warfare: Frontline combat power gets a boost with the new Cisco ASR 1000 Router Series

jheary — Wed, 05 Mar 2008 15:51:12 -0500
Yesterday, Cisco officially announced its next generation, frontline, cyber superiority Battlestar, known as the Cisco ASR 1000 series routers. This new edge router series offers a 10 fold+ increase in routing, IPSEC, and Firewall performance versus previous midrange aggregation routers with these services enabled. Much has already been reported on it, but I wanted to focus on security. Is the new Cisco ASR 1000 Series unmatched in the raw combat power it is capable of unleashing on its enemies in cyberspace? Let’s dig into the performance characteristics and combat power of this next-gen edge router to see. And keeping in mind that raw combat power per se cannot guarantee cyber combat success, we’ll also look into the technological advances that it offers.

Read more

Cisco releases new Firewalls, the ASA 5580

jheary — Thu, 14 Feb 2008 23:26:24 -0500
Following closely on the heals of the release of the 4Gbps IPS appliance, Cisco released the ASA5580 Firewall. It comes in two models, a 5Gbps (ASA5580-20) and a 10 Gbps model (ASA5580-40). Now those aren't backplane speeds or pie in the sky, UDP 1500 byte packet throughput numbers with protection turned off either. Vendors marketing teams love to quote us numbers that are meaningless in the real world. The performance numbers Cisco is quoting are real world performance numbers based on a mix of various rich media traffic samples with recommended firewall protection features turned on. More performance numbers:
It can process up to 4Mpps!

It can sustain up to 2 Million concurrent connections

Read more

Dual-WAN Firewalls

mark8464 — Thu, 17 Jan 2008 20:56:36 -0500
The next time your shopping for a firewall, why not make it a dual-wan firewall? Now you may ask yourself, why would I need a dual-wan firewall? The anwser is 1) more bandwidth, and 2) more reliability. For the most part, these new dual-wan firewalls are close to the same price as traditional firewalls, but with a host of additional features. But what about the cost? Don't think you have to double your current monthly Internet link costs. If you have a T1 today, having a dual-wan does not mean you have to have another T1 line. The advantage of having a dual-wan router is that you can use any broadband connection, including a $39/mo DSL link as a backup or even to route non-critical traffic over.

Read more

Cisco points to security flaw in its firewall module

Cisco Subnet — Wed, 19 Dec 2007 20:29:31 -0500

A hole in Cisco's Firewall Services Module could result in a reload of the module, or if exploited repeatedly, could cause a sustained denial-of-service attack, warns the vendor. FWSM is an integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers.

Read more

IPv6 more secure? Forget it...

michael — Mon, 26 Nov 2007 16:03:01 -0500

So you heard as well that IPv6 is going to make the Internet more secure? Well, think again... In my opinion IPv6 is going to add a lot of complexity to our networks, and generally security goes DOWN when complexity increases.

Let me expand on this a bit. First of all, IPv6 doesn't change anything fundamental for security. IPv6 follows exactly the same paradigms as IPv4; you won't be able to trust the source address for example either. IPsec was meant to be a differentiator, but by now IPsec is equally deployed for IPv4. Equally? Actually, much more than for IPv6.

Read more

Hiring Network Security Professionals for Rackspace Managed Hosting

amanda.papp — Mon, 29 Oct 2007 09:14:47 -0400

Rackspace Managed Hosting currently has several Network Security openings for our San Antonio (headquarter) office. If you are interested, please email

Responsibilities:

* Perform ticket queue monitoring and prioritization.
* Perform required maintenance for installation, configuration, updates to firewalls and VPN connections.
* Candidate will regularly troubleshoot customer IPSEC client and site-to-site VPN connections.
* Candidate will also deploy and tune Cisco and Alert Logic IDS sensors, and configure monitor sessions on the access switch.
* Setup, configuration, troubleshooting and consultation of Cisco CSS content switches and Webmux load balancers.

Read more

Highlighting 5 NEW lesser known PIX/ASA Firewall Features

jheary — Tue, 28 Aug 2007 20:13:19 -0400
The 8.0.2 software release for the PIX and ASA platforms was a big one! My guess is you haven’t had the time, or the inspiration, to read through the release notes and drill into the configuration guide to find all of the new features you now get with the 8.0.2 code release. Fret not, I am here to help! (A little anyway) I won’t cover the major SSLVPN features in 8.0 since you’re probably already somewhat familiar with the huge updates to PIX/ASA SSLVPN features. Instead, here are 5 NEW 8.0.2 features that are less well known but that you’ll probably be interested in:

Read more

How to create an IPsec VPN between a Cisco router and Juniper NetScreen SSG5 appliance

Cisco Subnet — Tue, 17 Jul 2007 19:44:08 -0400

mrz's noise, a blog described as noise from a Mozilla network engineer, has posted up a guide to creating an IPsec VPN between a Cisco IOS router and a Juniper NetScreen SSG5.
The blogger posted the how-to after finding little help online.
Read on.
Go to Cisco Subnet for more Cisco news, blogs, discussion forums, security alerts, book giveaways, and more.

Cisco adds IronPort's content filtering to ASA firewall

Cisco Subnet — Fri, 22 Jun 2007 19:12:23 -0400

Cisco will begin offering IronPort's e-mail and Web filtering capabilities to its firewall customers after the network giant's purchase of the security vendor closes on June 25, reports InfoWorld. The malware distribution data gathered by IronPort's SenderBase IP address reputation service will be blended into Cisco's Adapative Security Appliance firewall.
Cisco announced plans to acquire IronPort for $830 million in January.

Read more

Adaptive Security Appliance key to Cisco turnaround success in firewall market

Brad Reese — Sun, 11 Mar 2007 04:57:35 -0400
By the end of 2005, Cisco was getting its butt kicked in the firewall market, even though the Cisco PIX firewall had long been a familiar name. According to The NPD Group/Distributor Track, which monitors the U.S. dollar volume sales of high-tech products through certain major distributors, Symantec held a 55.6 percent share of the firewall segment at the end of 2005, compared with Cisco's 17.8 percent. Dark Reading Risky Business reports that solution providers point to two key events as the impetus for what amounted to a dramatic turnaround in 2006. First, in June 2006 Symantec said it would decrease its investment in security appliances, including the Symantec Gateway Security appliance line, which includes firewall capabilities. Second, in July 2006 Cisco added two new models to its Adaptive Security Appliance unified threat management series, which also includes a firewall. In the wake of these events, Cisco's U.S. dollar volume share for firewalls leapt nearly 20 percentage points in 2006 to 37.7 percent, overtaking Symantec's results, which slipped 21 percentages points to 34.6 percent, the NPD data shows. Check Point Software Technologies is the third best-seller with a 15.2 percent share. "Cisco's SMARTnet support is another reason behind Cisco's recent firewall market gains because customers like having an entire organization that works with them to support complex solutions," said Gary Berzack, CTO of Cisco partner eTribeca, New York. Steve Pettit, president of Blue Spruce Technologies, Greenland, N.H., is seeing "a lot of customers" upgrading from Cisco's PIX firewall to the ASA, and he thinks the ASA series is also taking market share away from Cisco competitors including Symantec and Check Point. Migration Guide from Cisco PIX 500 to Cisco ASA 5500 Series "A big reason for Cisco's firewall market leadership is the trend toward companies looking to consolidate multiple functions within a single appliance, which has helped fuel sales of the ASA line," said Steven Reese, security practice manager at Nexus Integration Services, a Valencia, Calif., solution provider.

Firewalls
Top 3 Best-Sellers*

2006
MARKET SHARE MARKET-SHARE
CHANGE OVER 2005

Cisco Systems 37.7% +19.9

Symantec 34.6% -21

Check Point 15.2% +5.7

* RANKING BASED ON 2006 REVENUE SHARE; HIGHLIGHTED VENDOR GAINED GREATEST SHARE FROM 2005 TO 2006
SOURCE: THE NPD GROUP/DISTRIBUTOR TRACK (INCLUDES GTDC DATA)

You may find of interest the Miercom Lab Test comparing the Cisco ASA 5520 Adaptive Security Appliance against the following Unified Threat Management (UTM) security appliance competitors: Check Point VPN-1 Pro, Fortinet FortiGate 1000 and Juniper Networks NetScreen-208. Do you have an interesting story about how the Cisco ASA has had a dramatic impact on Cisco's fortunes in the firewall market? http://www.BradReese.Com

Read more

Hot Seat: Drillng down on application firewalls

Jason Meserve — Mon, 01 May 2006 17:32:18 -0400
You already have firewalls so why would you need an application-specific firewall? Tim Liesman of BorderWare takes the Network World Hot Seat to tell you what you're missing and how it may hurt you. Watch it now