worried about cisco pix

Discussion in 'Cisco' started by douglas w scott, Nov 6, 2004.

  1. I read this week that Cisco had an employee steal and sell the source
    code to the PIX firewalls on news.com dated Nov 2.

    I am worried that my firewall might be at risk now. I am hoping that
    someone would be kind enough to email me the latest OS for the PIX 501
    and the PIX 520, as mine are the 6 series but out of date.

    Thanks, my email address is
     
    douglas w scott, Nov 6, 2004
    #1

  2. On 06.11.2004 17:54 douglas w scott wrote


    > I read this week that Cisco had an employee steal and sell the source
    > code to the PIX firewalls on news.com dated Nov 2.
    >
    > I am worried that my firewall might be at risk now.


    Why do you think so?

    > I am hoping that someone would be kind enough to email me the latest
    > OS for the PIX 501 and the PIX 520, as mine are the 6 series but out
    > of date.
    >


    Visit CCO and download the latest image.


    Arnold
    --
    Arnold Nipper, AN45
     
    Arnold Nipper, Nov 6, 2004
    #2

  3. In article <>,
    douglas w scott <> wrote:
    :I read this week that Cisco had an employee steal and sell the source
    :code to the PIX firewalls on news.com dated Nov 2.

    :I am worried that my firewall might be at risk now.

    According to the press, the PIX is the best selling firewall
    in the world. I think it unlikely that Cisco would make the
    mistake of relying on "Security through obscurity". The risks,
    if any, would likely come from buffer overflows and potential
    misparsing of packets.


    :I am hoping that
    :someone would be kind enough to email me the latest OS for the PIX 501
    :and the PIX 520, as mine are the 6 series but out of date.

    If you examine the details of the security advisories on the
    PIX Security Advisories page,
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_security_advisories_list.html
    you will have to go back to 26/Sep/2001
    "Cisco Security Advisory: Cisco Secure PIX Firewall SMTP Filtering
    Vulnerability" in order to find any mechanism that is not
    a denial of service attack, and that is remotely exploitable by
    someone who does not have access to sniff packets from the PIX.

    The affected software versions for that were 5.2(4), 5.2(5), and
    6.0(1), along with some interim engineering releases that were
    usually available to customers. The PIX 501 was not introduced
    until 6.1(1), which has the fix.

    The PIX 520 is older, but it was introduced at 4.2(4),
    so if you [legitimately] have a 6 series release, you would have had
    to have had a support contract on the 520, and it seems quite
    unlikely to me that that contract just -happened- to run out
    in the small time between 6.0(1) and 6.0(2).

    Cisco's policy is to provide free upgrades within the same subrelease
    whenever a security vulnerability is repaired, even if the
    vulnerability is a denial of service that is difficult to launch.
    If you do not have the latest release within your subrelease, then
    visit the page I cited above and read the newest couple of notices
    there for information on how to get your free upgrade.


    Now, I'm going to be a bit rude: I don't believe you. I think you are
    trying to get a free major release upgrade that you are not entitled
    to. If you were really concerned about potential vulnerabilities in
    your PIXen, you would already be as up-to-date as is possible within
    your subrelease [by availing yourself of the free updates], and you
    would be paying for software support to allow you access to the newest
    releases at will and access to the TAC to raise any security questions
    with. If you have a high-security environment that cannot afford the
    risk of getting exploited between the discovery of a vulnerability and
    Cisco's public release of the appropriate fix, then the cost of
    software support would be trivial compared to the costs of not having it.

    It's only $US73 for 8x5x4 support for the 501 ten-user license
    http://www.z-buy.com/product.asp?item=ET-CONEPIX50110

    8x5xNBD support for the 520 is only $US1300
    http://www.advmicronet.com/products/product_info.cfm?Product_ID=6431
    That might sound like a lot at first glance, but if you really are in
    a situation where you must have all security fixes ASAP then it's
    probably a trivial cost. For example, we figure that if our PIX conked
    out and half our users were unable to do their work, that it'd cost us
    about $US8000 for one day in lost salaries, which makes a $US4000
    support contract cheap if it saves us more than 3 1/2 hours downtime
    in one year.
    --
    "Infinity is like a stuffed walrus I can hold in the palm of my hand.
    Don't do anything with infinity you wouldn't do with a stuffed walrus."
    -- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.
     
    Walter Roberson, Nov 6, 2004
    #3
