( don't ) use CiscoVMS to configure PIX firewalls.

Discussion in 'Cisco' started by ciscoham, Nov 10, 2005.

  1. ciscoham

    ciscoham Guest

    I've played around a bit with CiscoVMS but find it very disappointing.
    The system is not only slow, it is also very time-consuming to modify
    the configuration of a PIX, also the software doesn't recognize several
    command lines from the pixes that I've tried uploading in it.
    I find it a weak attempt from Cisco to create a Checkpoint GUI like
    interface for users that don't know how to use the CLI. I cannot
    imagine that someone who knows the CLI would start using CiscoVMS to
    manage his PIXES. Does anyone disagree on this ?
     
    ciscoham, Nov 10, 2005
    #1
    1. Advertisements

  2. :I've played around a bit with CiscoVMS but find it very disappointing.

    :I cannot
    :imagine that someone who knows the CLI would start using CiscoVMS to
    :manage his PIXES. Does anyone disagree on this ?

    I do not disagree about the slowness, or the number of operations
    required to enter that which would be simple to do via the CLI.
    CiscoVMS does, however, have its uses.

    a) CiscoVMS is able (or so it claims) to push a new configuration
    out to a remote active firewall. If you have ever tried using the
    CLI to configure the very VPN that you are accessing a remote
    firewall through, you will know that the process is painful:
    the moment you touch the ACL (or any object-group referenced
    therein) that defines the VPN tunnel, you have inconsistancies
    in your Security Associations (SA's) and may lose the connection.

    There are some things you can do to mitigate the inconsistant-SA
    problem, but they require essentially duplicating all objects
    and ACLs and crypto maps, then activating the new version. But
    even then you run into the problem that as soon as you enable
    the new crypto map complex on the interface, you have to clear the
    SA's in order to put it fully into effect (*strange* things happen
    otherwise)... and when you do that, you lose the VPN connection
    you are configuring over. This makes it impossible to reliably
    push a new configuration out via 'config net' (tftp).

    b) If you are working with multiple firewalls in an impure mesh
    (only some accesses are allowed between some of the pairs), then
    what might seem a simple change can end up requiring a
    number of changes which is exponential in the number of firewalls.
    For example, adding a udp flow all around to 5 firewalls requires
    ((2*2) * (4+3+2+1)) = 40 ACL updates. [The udp port as source
    + as destination, times incoming + outgoing ACL, times each of the
    mesh pairs.] It doesn't take very long at all before you really
    start needing a configuration generator, in which you specify
    the flows in a more compact form and have the ACL entries
    automatically generated for each of the firewalls. CiscoVMS gives
    you that kind of configuration generation potential. It has
    notable limitations, and you have to be disciplined to use it
    to best effect, but it's a *lot* better to update only four entries
    and have that propogate appropriately.

    c) I did up a home-brew configuration generator before I found
    CiscoVMS. It turned out that using CiscoVMS best requires
    the same kind of structuring that I used in my home-brew, but
    my generator was text-based so it was a wee bit faster to stick with
    it than to go for CiscoVMS. But I'm the -only- person who knows how
    my home-brew generator works... it is logical and extensible, but
    it isn't something that would be obvious (especially to someone
    who hasn't run into the problems that drove me to write the
    generator!) If I had done the work in CiscoVMS, I could at least
    have handed it over to someone else and they could have read
    the documentation and played with the pretty little {slow} GUI,
    and placed support calls on it. Technical superiority is not
    the only measure of success; it is often not even the most
    important measure.
     
    Walter Roberson, Nov 10, 2005
    #2
    1. Advertisements

  3. ciscoham

    ciscoham Guest

    Walter,

    Thank you for your detailed comments. Looking at all pro's and con's I
    think we will not use it. We manage a bunch of pixes for customers, all
    these pixes have little in common and we don't have the VPN problems
    you talked about.
    We'll stick with the good old CLI.

    Thanks

     
    ciscoham, Nov 15, 2005
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.