How long have you been working with Cisco PIX Firewalls, and how did you get interested in them?
I have been working with PIX firewalls since 1999. In early 2000, I was a Senior Network Engineer with a local Cisco Gold Partner. I was selected to lead several Cisco "Smart Start" programs that were aimed at providing secure infrastructure components for the still burgeoning dot-com market. Customers had their Cisco routers, PIX firewall's, Catalyst switches, and LocalDirector load balancers shipped to my lab. I assisted customers with successful prototyping of their remote co-location networks including design assistance, configuration and product training. I began teaching the Cisco Secure PIX Firewalls course in October of 2000.
What are your favorite security tools and why?
I have MANY favorite security tools, but if I had to pick two, they would be my Network Associates Sniffer and a Syslog server.
Not very sexy, I'll admit, but with these two tools, I can quickly troubleshoot most network problems that arise.
For baseline vulnerability scanning, I am partial to the open source program Nessus. Number one, it's free and easily compiles on most Linux flavors. Secondly, the open source community does a fantastic job of keeping it up to date with new vulnerabilities.
How long did it take you to co-write Cisco Secure PIX Firewalls? Any major difficulties?
First, Andy and I "edited" CSPF. We were given the complete text of the "Cisco Secure PIX Firewall Advanced 1.01" course student guide and were assigned the task of re-working the content to organize ideas and topics so that they flowed logically from point A to point B. We did add a great deal of value in the way of author's notes and tips. I wrote all of the Appendices from scratch to include material that was not in the CSPFA course at the time but I felt was needed.
Our greatest challenge on the project was learning how to properly format the content for submission to the reviewers and the Cisco Press Production Team. Fortunately, Cisco Press provided four exceptional Technical Editors and a top notch Development Editor. Andy and I would have turned out a much less complete book without their guidance and input.
Time and deadlines are also pretty stressful. Many nights in my hotel room, I would begrudge the two hours I demanded of myself working on the project. After a 12-hour day, the last thing I looked forward to was more work.
In your opinion, what can users do to choose a firewall that is right for their needs?
This is kind of a tough thing to answer in a short space. The first thing any organization (or individual) needs to consider is the value of the information assets they need to protect. It makes no sense to deploy a 50,000 firewall solution to protect a 10,000 asset. Can they get by with a stateful packet filter alone, or do they frequently deal with protocols such as http, Java, Active-X that need application level proxy to protect from malicious active code? These decisions bear careful consideration.
Which personal firewalls would you recommend?
I own both ISS BlackICE and Zone Lab's Zone Alarm Pro. While I believe they both provide great protection, I tend to run just BlackICE. Zone Alarm Pro interrupts me too often asking permission for this or that connection. BlackICE is less demanding of my attention. I scan my machines regularly for "pest" applications and potential covert channel apps such as SubSeven and Back Orifice, so I don't have the same level of need many other users have to alert them for potentially dangerous outbound traffic.
What are your future plans? Any exciting new projects?
In my immediate future, I am working towards spending more time consulting and less time waiting in airports on teaching assignments. 30 months of constant travel is wearing a tad thin.
On the project side, I am happy to announce that I have begun co-authoring Cisco Press' CCSP Practical Series: PIX Firewall title with fellow instructor and consultant Dave Garneau. Whereas the previous PIX title is geared towards engineers with little PIX experience, the new title is aimed at readers who want to learn by doing. The new CCSP book will be 15% tutorial and 85% hands-on lab exercises.
What is your vision for firewalls in the future?
I think of all of the firewall vendors, Cisco Systems vision of integrating firewalling right into the switching fabric of the network is going to mark the most significant development in firewall technology for the next few years to come. Their new Firewall Services Module for the Catalyst 6500 switch boasts 5Gb throughput. None of their competitors are even close to this level of integration and performance. Therefore, I have adopted Cisco's vision as my own in this regard.