Hardware

Build a Cisco PIX for 800 Australian Dollars

tallguy_wt writes: "Why fork out thousands of dollars to learn Cisco's PIX firewalling product when you can build your own for under 800 Australian Dollars, as shown in this article by Routermonkey."
  • by leoaloha ( 90485 )
    and to think I just spent 84000$ for two pix535's. Your tax dollars at work!
    • Yes but you did it the legal way. This device is no way, no how legal. You are pirating Cisco's software to make it, that is illegal. Not to mention it's not supported, if something happens Cisco will not come to your aid.

      Now with real 535s you are both legal and fully supported.
      • Re:lo cost pix?? (Score:2, Interesting)

        by Dogcow ( 7944 )
        What got pirated, and where?

        People with CCO access can test any of the software there.

        Routermonkey provided no link to download any of the binaries mentioned (with the exception of the highly illegal rawrite.exe).

        Mod yourself up a clue, slashflunky.
          I'll give you the benefit of the doubt and assume you don't have CCO access. If you ever get software access you'll have to agree to the license each time you download anything. The license reads in applicable part:

          Unless otherwise expressly provided in the documentation, Customer shall use the Software solely as embedded in, for execution on, or (where the applicable documentation permits installation on non-Cisco equipment) for communication with Cisco equipment owned or leased by Customer;


          NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT: (1) CUSTOMER HAS NO LICENSE OR RIGHT TO USE ANY SUCH ADDITIONAL COPIES OR UPGRADES UNLESS CUSTOMER, AT THE TIME OF ACQUIRING SUCH COPY OR UPGRADE, ALREADY HOLDS A VALID LICENSE TO THE ORIGINAL SOFTWARE AND HAS PAID THE APPLICABLE FEE FOR THE UPGRADE; (2) USE OF UPGRADES IS LIMITED TO CISCO EQUIPMENT FOR WHICH CUSTOMER IS THE ORIGINAL END USER PURCHASER OR LESSEE OR WHO OTHERWISE HOLDS A VALID LICENSE TO USE THE SOFTWARE WHICH IS BEING UPGRADED; AND (3) USE OF ADDITIONAL COPIES IS LIMITED TO BACKUP PURPOSES ONLY.



          In other words you can only install PIX software on PIX hardware. And you can only install the version of PIX software you have a license for. No free upgrades, and the license is non-transferable, so if you sell the hardware the new owner needs to get a new license.

          Don't argue with me about whether or not this license is legal because I don't care. That's just the way it is.

  • It is illegal (Score:5, Insightful)

    by af_robot ( 553885 ) on Friday August 30, 2002 @03:53AM (#4168594)
    Why fork out thousands of dollars to learn Cisco's PIX firewalling product when you can build your own for under 800 Australian Dollars?

    Because it is illegal and you will go to jail for stealing CISCO's intellectual property.
    • Re:It is illegal (Score:3, Informative)

      by Des Herriott ( 6508 )
      Indeed.

      If you've ever ordered a PIX from Cisco (or a reseller), you'll notice that the software license costs considerably more than the hardware. While building a hardware clone of a PIX is perfectly legal, taking a free copy of the software to run on your clone most certainly isn't.
    • Theft. (Score:2, Redundant)

      by nyet ( 19118 )
      \Theft\, n. [OE. thefte, AS. þiéfðe, þȳfðe, þeófðe. See Thief.]

      1. (Law) The act of stealing; specifically, the felonious taking and removing of personal property, with an intent to deprive the rightful owner of the same; larceny.

      Note: To constitute theft there must be a taking without the owner's consent, and it must be unlawful or felonious; every part of the property stolen must be removed, however slightly, from its former position; and it must be, at least momentarily, in the complete possession of the thief. See Larceny, and the Note under Robbery.

      -Dictionary.com [dictionary.com]
      • Re:Theft. (Score:2, Funny)

        by edhall ( 10025 )

        Dictionaries don't have legal force. The common-law definition of "theft" (which the dictionary describes) was superseded long, long ago, first by espionage laws and later by trade secret laws. The principles involved were well established before computer programs even existed.

        -Ed
    • Because it is illegal and you will go to jail for stealing CISCO's intellectual property.
      And what if I already own a real CISCO router? I can copy the software onto my hacked-up workalike, legally. Sure the "licence agreement" might tell me that it's illegal, but I don't accept that. Unless I signed a contract with CISCO, I can copy the software for personal use. IMO.
      • Comment removed based on user account deletion
        • By your logic, if I have not agreed to a Microsoft license and have not signed a contract with them, I would have a legal right to pirate their software.
          If by "pirate" you mean "download from a warez site", then no. If you have legally acquired a copy, then you have the right to use it yourself in whatever manner you see fit. This is not piracy. If I buy a book, I can make personal copies of any pages within that book, even up to the extent of copying the entire book for personal use. I can even read the original, and refer to the copied pages simultaneously. The same law applies to software - unless you live in a UCITA state in the US, that is.

          BTW:

          Copyright
          n. Abbr. c. or cop.
          The legal right granted to an author, composer, playwright, publisher, or distributor to exclusive publication, production, sale, or distribution of a literary, musical, dramatic, or artistic work.
          I think "production" is used in the context of "production of a musical".
      • Re:It is illegal (Score:4, Insightful)

        by Pii ( 1955 ) <jedi AT lightsaber DOT org> on Friday August 30, 2002 @10:14AM (#4169965) Journal
        If you have ever downloaded Cisco code from CCO, then you know that once you select the software that you want, you are presented with a page detailing the licensing agreement. At the bottom of the page, there are two hyperlinks.

        The first hyperlink says "ACCEPT," and clicking through will present you with the download page for the software that you want.

        The second hyperlink says "DECLINE," and clicking through will send you back to the previous page.

        The agreement states:

        • Unless otherwise expressly provided in the documentation, Customer shall use the Software solely as embedded in, for execution on, or (where the applicable documentation permits installation on non-Cisco equipment) for communication with Cisco equipment owned or leased by Customer

        That's pretty clear.

        It's also pretty clear that because you need a CCO account to even get to the Software Download page, your having clicked on the "ACCEPT" link means that you are indeed accepting the terms of the license.

        I don't care what you do, but if you're stealing, or failing to adhere to an agreement that you made, don't take offense when someone calls you a criminal because that is in fact what you are.

    • I clicked on the link expecting to find a list of
      • off-the-shelf components and
      • mix of Open Source (or perhaps cheap to legally license) software,
      • instructions on building and configuring and
      • benchmarks against a Cisco-branded product.
      Instead I found what you decried: an article which basically says only CISCO can develop this firewall, you'll have to "score" the pieces. "Props", indeed.

      A worthless, insulting article this one is.

    • '/. News for Nerds. Stuff that matters'

      Timmy posts an interesting _technical_ article and all the pseudo lawyers and politicians jump in with the illegal angle. The second post, for Christ's sake, points out it's illegal.

      How about some insight into the tech? I know this is becoming a real novelty for /.
  • by youngerpants ( 255314 ) on Friday August 30, 2002 @03:54AM (#4168595)
    Well, one reason why I buy Cisco is for the maintenance agreements, the support packs and the like, you know, all the expensive stuff that gives me peace of mind. When that firewall blows, whose neck is on the line?

    Oh, and the fact that the entire Cisco site runs on MySQL should be enough reason to give them all your employer's hard-earned money.
  • So? (Score:3, Interesting)

    by leviramsey ( 248057 ) on Friday August 30, 2002 @03:55AM (#4168596) Journal

    How much better is Cisco than the same system running Linux or *BSD?

    • Re:So? (Score:3, Insightful)

      by LWolenczak ( 10527 )
      If comparing ipchains vs. PIX, PIX wins, no problem. But comparing iptables vs. PIX, PIX loses and runs away.

      Iptables is much more kick-ass than PIX in my experience. Most of the time, people just buy it because of the brand name... Cisco PIX.
    • I don't know much about PIX, but i've used a dozen of 1000,1500,1600, 2500, 2600 cisco routers and access servers.

      Cisco's networking setup is MUCH better, more logical and *documented* (show me GOOD iptables documentation, anyone?!) than Linux or *BSD.

      It took me several hours to implement very simple IP policy routing in Linux, and it still looks more like a hack. I did the same task on a Cisco router in 10 minutes.
      Setting traffic shapers, queue priorities and so on is just a matter of minutes. And you have more networking features, which Linux has not got yet, even with the cheap $500 used 1005 Cisco router.

      However, sometimes there are nasty bugs in cisco's IOS, but you can almost avoid it by using latest stable IOS release.
      • Unfortunately, PIX is very dissimilar to IOS. I personally detest the PIX syntax and the philosophy of "interface security levels".

        I must admit though, that I've never setup policy routing or other QoS features on a Pix.
  • by GodEater ( 7709 ) on Friday August 30, 2002 @04:00AM (#4168607) Homepage
    ...posting links to a story which encourages you sourcing stuff from a warez site ?
  • 800 AUS (Score:2, Informative)

    by red5 ( 51324 )
    800 AUS = 441.36 USD.

    Watson still has a few tricks on Sherlock. :)
  • by jukal ( 523582 ) on Friday August 30, 2002 @04:03AM (#4168617) Journal
    I guess those who want to buy a Cisco PIX have already made the decision not to make the judgement based on price.

    If you want to build your own one, you could as well do the same using things available under open source, so that visitors from Cisco do not have to call Yevgeni and Boris to beat you up. ;)

    Well, I can understand that learning the PIX in detail might be a good and interesting reason to build it up, instead of spending $15 000 or more in it.

    • > Well, I can understand that learning the PIX in detail might be a good and
      > interesting reason to build it up, instead of spending $15 000 or more in it.

      I forgot to say that kids should think twice before deciding to use this learning method. AFAIK, it is heavily criminal, and using a pirate version of PIX OS is a crime whose money value is high enough to get you prosecuted and heavily punished. Playing a pirate GTA is bad, but this is seriously bad and can get you in serious trouble. I just hope everyone understands it; many teen-h4x0rs probably don't.

      Or am I missing something? Has someone published a mimic PIX OS under open source or something?

  • by Komrade S. ( 604620 ) on Friday August 30, 2002 @04:03AM (#4168618) Homepage
    ACTON, Mass.--August 30, 2002--OSDN today announced it has rethought its company direction and expanded into the lucrative market of publicly breaking the DMCA. "Cisco can't do shyat," cited Slashdot General Manager CmdrTaco, "We give props to our box0r hacking homeys." OSDN stock rose to a 2 cent high on the pink sheets following the announcement.
  • by (outer-limits) ( 309835 ) on Friday August 30, 2002 @04:06AM (#4168621)
    Within 1 hour.
  • Cisco 806 (Score:2, Informative)

    by JPriest ( 547211 )
    Or you could just buy an 806 with the SPI firewall package for around $500.
  • whats up /. (Score:3, Insightful)

    by tanveer1979 ( 530624 ) on Friday August 30, 2002 @04:13AM (#4168642) Homepage Journal
    Yeah, you could call it a troll, but I have to say this isn't really like Slashdot.
    Posting a warez link on the front page.
    A couple of days back you posted a zip file for crashing Windows.
    What the routermonkey guy is suggesting will definitely land you in jail, no joking here.
    Currently Slashdot is kind of justifying piracy and stealing in the name of rights and all that bullshit.
    This is not done. Free software and open source DO NOT EQUATE with piracy.
    Slashdot is the domain of geeks, technologists who are sensible people and do not want warez and cracks.
    If I wanted warez and cracks I would go to some warez site and get plenty.

    And in case you are not really convinced, lemme tell ya... getting hold of flash for Cisco is illegal. "Difficult to procure", that's what the article says. Well, it's plain illegal. So at least post a warning about this so that some poor dumb ass doesn't really try this and land in jail.
    And could you please avoid such things in future?
    • The page doesn't have anything about IOS/boot helper downloads. Well, if you manage to get hold of the code legally, running the code on a non-Cisco platform is kind of interesting as an academic exercise.

      One of the original principles established back when IBM was king is that if you built a workalike, they still must sell you the software. This is not Warez, Crackz or anything else; this is fair use, as long as you legally source PIX.

    • This guy will likely NOT end up in jail.

      Reason being, it appears to me that he built a PIX, for the purpose of studying the Cisco PIX IOS. Not mass reproduction and sales. I know several other people who have done the same thing for the purpose of having a Cisco lab at home to design and test a work related project, or to study for Cisco certification exams.

      I do NOT know anyone who has built one of these and deployed it for production use. It doesn't make sense. You would be unable to get support for either software or hardware faults.

      So maybe you should lighten up and consider that this guy is probably studying to get the Cisco security cert.

  • enough... (Score:5, Insightful)

    by sluggie ( 85265 ) on Friday August 30, 2002 @04:20AM (#4168655)
    Well, I think it's good to do some hardware hacking, like TiVo modding and whatnot.
    Using opensource software instead of using their expensive counterparts is also a nice thing to do.

    But, excuse me, what is this fucking thing about?

    This puts the whole community into a bad light.
    This whole "hack" or "tutorial" or whatever you might call it is nothing but two things:

    Take some standard hardware and install stolen software. Wow.

    Would you call this an intelligent hack? Maybe the folks over at something like scriptslashkiddiedot.org would...

  • by dr.Flake ( 601029 ) on Friday August 30, 2002 @04:22AM (#4168659)
    Go to www.freesco.org or any other single floppy OSS based distro, get an old pc and two NIC's and go. $100 max.

    The reason to use CISCO is ultimate durability, stability, service, configurability, speed etc etc.

    hacking this thing together is gonna give none of the above!

    In what setting am i gonna need a cheap ripoff of a professional router?
    Those places that need the real thing usually also deserve the real thing!
    • I did it with an old Pentium 75 (free from an aunt who'd upgraded and wanted rid of the old box), a couple $5 bargain bin ISA NICs and a copy of IPCop [ipcop.org]. So, including the cd I burned the ISO onto, less than $11 Canadian. It worked so well I built another one with an old P100 at work to share out a DSL line. So, yeah...no need to illegally obtain software when, for what 99.9% of us need it for, the free stuff is perfect. And if you actually *need* a router worth that kind of coin, you should have no problem getting the money. So what else, besides freesco and ipcop is everyone using for routers? (free/legal options only ;)
    • Hmm... well, as long as we're on a tirade against hacking, let's translate "Cisco" to "Unix":

      Go to the local consumer electronics store or any other computer place, get a copy of MS-DOS. $100 max.

      The reason to use UNIX is ultimate durability, stability, service, configurability, speed etc etc.

      hacking this thing together is gonna give none of the above!

      In what setting am i gonna need a cheap ripoff of a professional Unix distribution?
      Those places that need the real thing usually also deserve the real thing!
    • The reason to use CISCO is ultimate durability, stability, service, configurability, speed etc etc.

      I don't think that PIX is the king of all firewalls. Sure, the Cisco logo will be sufficient reason for some people to buy them, but I don't think that PIX is the most secure or reputable commercial firewall product out there.
  • Fair use? (Score:3, Funny)

    by snake_dad ( 311844 ) on Friday August 30, 2002 @04:32AM (#4168671) Homepage Journal
    Would it be fair use if you build these beasts to store your backup of PIX OS on? It could be considered a very advanced backup medium, with a built-in functionality test ;)
    • No one would buy that argument. You don't NEED to back up your PIX OS because you can get it from Cisco. If you buy lots of Cisco hardware (like the university I work for does), you get a CCO login and you can just go download the software as needed. They trust that you are using it for licensed purposes.

      This is just illegal unless you own a license for the software, but if you did you'd own the hardware too. In the case of firewalls and the like it isn't the hardware that's expensive, it's probably $1000-$1500 at most for the big-daddy stuff; it's the software. When you buy one of their firewalls the price includes both.

      Even on their switches and blades a fair amount of the cost is software. There is more hardware cost as it is specialised ASICs and such, but you still pay a fair bit for software rights.

      Welcome to the world of high-end networking, cheap-skates need not apply.
  • by MjDascombe ( 549226 ) on Friday August 30, 2002 @04:32AM (#4168672) Journal
    Thanks to this insightful article, I've realised the true money-saving potential of stealing.
  • by amorsen ( 7485 ) <benny+slashdot@amorsen.dk> on Friday August 30, 2002 @04:56AM (#4168703)
    One of the arguments I have heard for choosing PIX is that it is a "hardware firewall" and therefore presumably more reliable, faster, and less likely to break. Perhaps this will make more people realize that the PIX is just a piece of software running on a PC -- just like almost all other firewalls in the market.
  • by _ganja_ ( 179968 ) on Friday August 30, 2002 @05:02AM (#4168711) Homepage
    Everybody in the Cisco gig knows that the PIXs are nothing more than basic PCs, complete with floppy drive for software upgrades, this really is no revelation.

    This guy just comes across as some network wannabe. Learning the commands is the simple bit (RTFM, or just reverse normal IOS commands for a PIX); knowing when to use these commands, exactly what they do and how this will affect the enterprise is the bit that makes you CCIE material.

    No doubt Cisco will get their own back when he does the CCIE lab.

  • "Today your slashdot moderators have been replaced with Frys employees...let's see if anybody notices..." First "How to test a T1" and now this...

    What jackass would want to waste time and money recreating a POS firewall like a PIX? When's the article coming showing me how to clone a watchguard?

    I predict Cisco won't claim DMCA against this, they'll see it, fall out of their chair at how completely stupid some people are, and continue their business.
  • Pull the story (Score:5, Insightful)

    by balloonhead ( 589759 ) on Friday August 30, 2002 @05:08AM (#4168722)
    Having this story on the front page (or indeed, at all) is an insult to most of the people who read it.


    For all the column inches devoted to how the DMCA/RIAA/whoever is immoral, you go and put a link to someone advocating theft. This isn't far from advertising warez... even if the server can handle the traffic, the slashdot effect still allows a lot of eyeballs to see that site.


    I disagree with software piracy, and stealing music online; I occasionally do download MP3s, I won't deny it; just as I drank alcohol when I was under 18 (UK), but I would consider myself only a 'minor' user - these files are never on my HDD for too long (I think the record is about a week)


    But this is qualitatively and quantitatively very different from /. virtually advocating pirating software worth several thousand pounds. In the same way that my underage drinking (which almost everyone does) is very different from advertising and promoting underage drinking.


    How can any movement to safeguard our rights be taken seriously with this sort of lunacy? Valenti et al will be rubbing their hands in glee. This is another victory for them - if one of the most popular advocates of free software is advertising piracy, then that reflects very badly on the community as a whole.


    And yes, I do consider my MP3 use to be wrong - I'll buy these songs if they release the single, but I don't want an album of pricey crap because there's one song on it I like - I can't wait for services where a comprehensive list of songs can be bought at a reasonable price, individually...

    • This has nothing to do with the DMCA or anything else; it's copyright infringement pure and simple. Cisco's code is NOT free, it is licensed, and the cost of that is included in the price of a firewall (in fact it is a lot more than the hardware). To download the software without a license is copyright infringement no matter how you cut it.
  • The last Cisco PIX I had to open to install a new NIC was a model 1500 IIRC, and it was just a low-end PC board (Intel BX) with a P166 and 32 or 64 MB of RAM. And a PCMCIA card slot. This handled a T1 with about 1,000 users and had no downtime in over 5 years. The Cisco software was excellent.

    There is nothing stopping anyone from downloading an image from Cisco's site if they so choose. Licensing is another matter. That would be against the law if I read the Cisco licence correctly.

    This story does not link to a source for the files mentioned. That does not make this story OK. It is not OK that routermonkey has the filenames listed, as that makes it trivial to find using P2P networks.

    That being said, you could just go to Cisco's web site and read up on their PIX products and read the docs to "learn how to configure it". But why, if the likes of Freesco, the LRP and BSD are around? These will do anything the PIX can do and are quite similar to the Cisco product. The reason most businesses want a Cisco firewall is that the CFO/CIO don't want to get nailed by auditors for running a "freeware" firewall. They want a big name to cover their asses. The Freesco/BSD/iptables combos will do just fine for your educational purposes.

    • Legal arguments aside, this could be done with upgrade kits for Watchguard Fireboxes back in the day when you could hardware upgrade a Firebox. The upgrade kit was primarily a flash memory drive that plugged into the IDE port. Grab a like motherboard, same model ethernet cards, plug in the flash IDE and you had a firebox.

      I haven't used the newer products (we moved to PIX), but I'd be real surprised if the new hardware didn't work the same way, although maybe they've decided to put some queer data in the BIOS flash that the firewall software checks.

      I think there's money in it for firewall companies to market a "firewall kit" of software and optional flash drives for use on whatever boxes are handy.

      I'm sure they'd argue that it'd be too hard to support and would threaten the security by running on non-audited hardware (and it would kill off the high-margin hardware they sell, which would be the secret argument), but for a company willing to take a risk it might help them clean up in the low-end or large volume markets. It might be the perfect application for a purpose built BSD firewall distro. Yes, I know you can roll your own now, but there's significant advantages to buying pre-rolled kits.
  • by knick ( 19201 ) on Friday August 30, 2002 @05:58AM (#4168818) Homepage
    Details on how to do this surfaced on some Cisco study boards 12-18 months ago. Most of the people on the board were interested in this to be able to add a PIX to their home study lab. Groupstudy had a very long thread on this. They were dubbed the 'FrankenPix'.

    Cisco is very well represented on the board, and they never said a word to anybody about not doing this, and sort of allowed it to happen.

    On the other hand, when FrankenPixes started appearing on eBay, they cracked down, hard and quick. But, to this day, they still haven't said anything during the discussions on the Cisco study boards.

    My view on this is they really don't care if people build FrankenPixes for home study; after all, that's just going to help sell more PIX in the long run. (Checkpoint, after all, will gladly give you 30-day trial licenses for FireWall-1 for home study.) But, if you try to build and sell these, they WILL get you. (And honestly, if you want to use these boxes in a professional environment for day-to-day usage, you are asking for trouble.)

    --dirt
  • Stupid question ... (Score:5, Interesting)

    by AftanGustur ( 7715 ) on Friday August 30, 2002 @06:00AM (#4168820) Homepage


    I guess there are a lot of people who have been playing with ipfw, iptables, ipchains etc...
    And would really, sincerely, like to know:

    What can I do with a Cisco PIX that I can't do with Linux and IPTables ?

    • by rob_from_ca ( 118788 ) on Friday August 30, 2002 @09:35AM (#4169701)
      1. You can't get familiar with a PIX by using a free firewall, so it has some educational benefit (although if you "get" what firewalls do, the rest is mostly just syntax).

      2. Stateful failover. I don't think any of the free options support this. With the PIX, you can plug two in via a serial cable in a master/slave configuration, and the master constantly sends its state to the slave. If the master dies, the slave takes over and no TCP sessions are dropped. Only you can decide if this feature is important to you.
    • What can I do with a Cisco PIX that I can't do with Linux and IPTables ?
      Brag?
  • The other way to learn the PIX OS for close to the same price is to pick up a PIX 501. These little boxes run for $400-$600 depending on where you find them and they run the full PIX OS. You're limited to 2 interfaces (no playing with a DMZ) but there really is a lot of stuff you can learn and do with these things.
  • Open Source variant (Score:3, Informative)

    by DreamerFi ( 78710 ) on Friday August 30, 2002 @06:22AM (#4168867) Homepage
    I see a lot of "stealing" comments. So, instead, go the Open Source route and build your own firewall with the NetBSD/i386 Firewall Project [dubbele.com]

    Yes, yes, I know, blatant plug

    -John
  • by deek ( 22697 ) on Friday August 30, 2002 @06:22AM (#4168868) Homepage Journal

    Look, there are plenty of reasons why a company would want to purchase a PIX from Cisco. Many have been outlined in postings already... support, service, quality guarantee, etc. Cisco have the best support of any company I know, bar none!

    A student wishing to practice configuring a PIX would benefit greatly from this information. They obviously wouldn't be able to afford a full PIX, so putting together a test box is their only choice.

    As far as I'm concerned, this info can only benefit Cisco, as they get a whole bunch of people that know their product inside out. That then tips over into increased sales, as these people recommend using a PIX to their boss.

    DeeK
  • found one (Score:2, Informative)

    by djweis ( 4792 )
    I found one on ebay here [ebay.com] .
  • Okay, the first ten posts are crying about how illegal this is and how it shouldn't be on Slashdot. I'd just like to say STFU, it's interesting, compared to most of the crap that gets posted here. Most people can buy a cheap PIX from Ebay anyway, so the article is more interesting from a technical standpoint than anything else.
  • Ok, so this is illegal, no question about it. It's copyright infringement, pure and simple. Now, as many have pointed out, there are plenty of free alternatives that are basically just as good. After all, you don't get any support for this, so why not keep it legal.

    Now I looked at the links provided and I didn't see any firewall that has a feature I really want (the PIX doesn't either, yet): Layer-3 invisibility. Basically I want a firewall that appears invisible to devices on the network, and just filters traffic as it goes through.

    Does anyone know of a GPL firewall that does this? I'm mainly interested because I can't use NAT (I have servers), but I don't have enough IP addresses to break apart my network into an inside/outside config.
  • Stupid!!!! (Score:5, Informative)

    by FreeLinux ( 555387 ) on Friday August 30, 2002 @08:18AM (#4169241)
    As stated before, this "hack" is piracy and therefore illegal. Furthermore it is a stupid waste of money.

    Why spend $800 for an amateurish, rigged-up, pirated PIX when you can have the real thing for less? If what you really want is to learn about the PIX and its configuration, simply hop on to eBay and buy the real thing. On eBay PIX 501s and 520s can be had for $400 and $500 respectively.

  • by Malor ( 3658 ) on Friday August 30, 2002 @09:24AM (#4169622) Journal
    This has been mentioned above, but not very clearly. As far as I know, the PIX software also requires an activation key, which costs money. You might be able to get one from a warez utility, but it is an extra step, and it is illegal. Also note that Cisco charges extra for the ability to just secure shell into your firewall(!). Unless you cough up a whole bunch of extra money, you have to use TELNET to configure a FIREWALL. This is really lame.

    Further, the PIX just isn't a very good firewall.

    The hardware is well-built but incredibly underpowered. The one we have at work is only 200 MHz. I don't know how far that will scale, but, personally, I don't think I'd want to be putting more than about 5 megabits through it. And Cisco charges about 12,000 dollars for the PIX.(!)

    The command syntax is really hard to figure out. It just makes no sense at all. The documentation on Cisco's site is excellent, but I always have to resort to cookbook examples, because I don't use it every day.

    The default configuration is 'allow all outbound traffic and all inbound replies'. It is very hard to change this. If you want a fairly secure network, you shouldn't allow direct outbound connections, but rather only through a proxy device of some kind. If your security policy requires outbound connection restrictions, this is really awkward to implement with the PIX.

    The PIX isn't a very good router, either. It doesn't support most of the 'real' IOS commands. You can do some routing with it, but it's not very flexible.

    I've worked with a lot of firewalls and have done a lot of firewalling, and in my opinion, Linux with iptables is about the best thing going. You will have to spend significant learning time to figure it out, as the documentation is not very good, but once you do, you can do pretty much anything with it. Linux has always been a great router, and with the introduction of iptables, became a great firewall too. If you don't want to build rules by hand, there's a program called 'fwbuilder' that gives you a Checkpoint-like GUI. FWBuilder also speaks OpenBSD's pf and I *think* Checkpoint's firewall language, but I'm not sure about that last.

    OpenBSD has a good reputation as a firewall. I used it at home for a couple years, but I have moved to Linux since then. The PF language is very clean and easy to read, and if you're just starting with firewalling, it can be a good first opensource firewall. However, there were big performance problems with OpenBSD's bridging firewall code in 3.0; it choked hard over about 25K connections, and past about 30 megabits it just froze up for random periods of time. Very frustrating. Linux on the same hardware (with the iptables bridging patch) handles over 60 megabits flawlessly. And going over 30k connections is trivial; you simply echo a large number into a variable in the /proc filesystem. I searched and searched and could NOT find any way to do this on BSD. It may exist, but I couldn't find it.

    They may have fixed the performance problems in more recent revs of OpenBSD. 3.0 was the first release of pf, and I threw it into a monster production environment based on the OpenBSD team's reputation. The later revs may be much better, but as of 3.0, Linux absolutely destroys OpenBSD as a firewall.

    There's one cool thing the PIX does that I haven't figured out how to duplicate manually. It has an 'established' command, which allows you to say: "If I open a command on port X, allow a return connection on port Y for a short period of time." This is useful, for example, for IRC, where you connect on port 6667 and an ident connection comes back in on port 113.

    I asked about this feature on the OpenBSD newsgroups, and got scoffed at... according to them, it's more secure to leave the port open all the time to everyone than just to allow return connections from a host to which you have connected and only for a short period of time. Frankly, I think that's just stupid. It's the typical apologist reaction... "that's a dumb feature to ask for because it's hard to do". They'll say it's stupid until someone takes the time to implement it, and then suddenly that's the only way to go and any system that doesn't do that is obviously broken.

    I haven't found that capability in the Linux iptables stuff either, FWIW. As far as I know, only the PIX does this, and I consider it a very useful feature. (you can sort of simulate it with some of the kernel modules for different protocols, but I haven't found a way to do an arbitrary set of ports).

    If you can live without the 'established' command, though, I'd probably, overall, recommend the Linux/FWBuilder combo. If you want to learn more about firewalling, OpenBSD's pf language is a nice simple way to start.

    And if you really want to spend money on a firewall, Checkpoint is a much better solution than the PIX. It has many enterprise-class features that the free alternatives lack, like good VPN support and great support for managing clusters of firewalls. The Nokia Checkpoint boxes are *really* cool; they are based on a custom BSD-derived kernel. They cost more than the PIX, but in my opinion are wildly better and well worth the extra. (when I last looked, the prices on the Nokia boxes were in the 20K+ range. They may have dropped since the dotcom blowup.) The administration is easy, you get the power of BSD, and the hardware is really well-built. Very, very cool boxes.
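    The time-limited return-connection behaviour the post above attributes to the PIX 'established' command (connect out to port X, briefly allow a return connection on port Y from that host) can be modelled in a few lines. The following is an added illustration, not PIX code and not anything from the linked article; the class names, the IRC/ident ports used as the sample rule, the 30-second window and the event sequence are all assumptions constructed for this example.

```python
"""Model of a time-limited return-connection permit, in the spirit of the
PIX 'established' feature described in the post. Added example: not Cisco
code; rule ports, window length and sample events are constructed here."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class EstablishedRule:
    """'If I connect out to dst_port, allow a return connection on
    return_port from that same host for ttl seconds.'"""
    dst_port: int
    return_port: int
    ttl: float


@dataclass
class ReturnPermitTracker:
    rules: Tuple[EstablishedRule, ...]
    # (remote_host, return_port) -> absolute expiry time (seconds)
    permits: Dict[Tuple[str, int], float] = field(default_factory=dict)

    def outbound(self, remote_host: str, dst_port: int, now: float) -> None:
        """Record an outbound connection and open any matching return permits.
        A repeated outbound connection refreshes the expiry."""
        for rule in self.rules:
            if rule.dst_port == dst_port:
                self.permits[(remote_host, rule.return_port)] = now + rule.ttl

    def inbound_allowed(self, remote_host: str, dst_port: int, now: float) -> bool:
        """Allow an inbound connection attempt only while a live permit exists
        for exactly this host and port; everything else stays closed."""
        self._expire(now)
        return (remote_host, dst_port) in self.permits

    def _expire(self, now: float) -> None:
        """Drop permits whose window has elapsed, so a port does not stay open."""
        for key in [k for k, exp in self.permits.items() if exp <= now]:
            del self.permits[key]


def demo() -> List[bool]:
    """Walk a constructed event sequence for the IRC (6667) / ident (113) case
    and return the inbound decisions in order."""
    tracker = ReturnPermitTracker(rules=(EstablishedRule(6667, 113, 30.0),))
    tracker.outbound("10.0.0.5", 6667, now=0.0)   # we connect out to an IRC server
    return [
        tracker.inbound_allowed("10.0.0.5", 113, now=1.0),   # ident from that host: allowed
        tracker.inbound_allowed("10.0.0.9", 113, now=1.0),   # ident from another host: blocked
        tracker.inbound_allowed("10.0.0.5", 22, now=1.0),    # unrelated port from same host: blocked
        tracker.inbound_allowed("10.0.0.5", 113, now=31.0),  # window elapsed: blocked again
    ]


if __name__ == "__main__":
    print(demo())
```

The point of the model is the contrast the poster draws: the permit is scoped to one remote host and one port and expires on its own, whereas a static rule leaves port 113 reachable from everyone all the time.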

    • The PIX OS requires no activation key. You do need to purchase a key to enable 3DES for VPN. The DES functionality is free.

      You're right. It does allow direct connections. Why? Because it's a packet filter firewall, not a proxy server. Want a proxy server? Buy one. Don't buy the PIX.

      Correct again. The PIX is not a router. It's a firewall. I don't want my firewall to be a real smart router. It shouldn't. It should block packets like a good little firewall.

      As for speed, the different PIX models have different speeds. They have also rev'd up the speed. Sure, you bought a 200MHz model a while back, but my 515E is a 433MHz model. One of them does not cost $12K, I think we paid close to that for both of them to set up a failover cluster with the 3DES VPN accelerator and full 24x7x4 3-year warranty.

      The PIX is actually a very good firewall. It's not exactly like IOS, but it's close enough. It handles our site-to-site VPNs very well and the cluster support is VERY good.
      • "The PIX OS requires no activation key. You do need to purchase a key to enable 3DES for VPN. The DES functionality is free."

        You are partially correct. PIX firewalls, however, do require activation keys for all their functionality.

        The activation key (non-DES/3DES) comes preset in the 16Mb Flash card that you need to build this clone.

        Incidentally, you may be able to get some support as a purchase of a replacement flash card gives you a new Cisco S/N for your PIX (when purchased as an upgrade to an old 520 for instance).

        And last time I checked Cisco were issuing DES activation keys for free as long as you gave them a Cisco S/N, which you have on your 16Mb Flash Card.

  • This article never mentions pirating the Cisco IOS. Anyone who has ever purchased a Cisco product gets a login that gives them access to *any* piece of Cisco hardware's flash/boot software. Cisco makes it available. Granted, if you don't have the access then it becomes piracy.

    Secondly, the article never actually mentions stealing a PIX flash card. Someone that legitimately owns an older PIX could, after the warranty/support/etc had expired, remove the flash card from their PIX and "upgrade" the hardware for a little nicer firewall. If you acquire the flash card through illegal means, however, then that would be stealing. Cisco might even sell them! (doubtful, but I don't have time to check it out)

    As far as intellectual property goes...you aren't reverse engineering anything. Everyone knows the Cisco PIX is just a PC with a floppy drive and some flash memory. It even tells you that when you boot a real PIX.
    All you are doing is constructing your own.
    • I work at cisco, I promise you they don't want you to download software that you haven't paid for. I'll admit that our systems let you do that. That's because they care more about customer satisfaction than the money they lost from downloads. (Besides, companies don't pirate as badly as individuals.)

      Anyway, the information you're spreading is incorrect. Just because you can download it doesn't mean you're entitled to it.

      Vanguard
  • by vanguard ( 102038 ) on Friday August 30, 2002 @10:55AM (#4170245)
    I work at Cisco, things are tough right now. The company is making money but did you know that they haven't given raises to their employees in two years? Did you know that they plan on going at least one more before they give out a raise?

    Did you know that they have cut promotions to 3% per year? I'll do that math for you. As a Cisco employee you can expect a promotion every 33 years. Not that it matters because if you do get promoted all you get are stock options with no raise.

    Did you know that they have their "active management" guns blaring at full speed? This means that the managers are forced to cut 5% of their staff every quarter. (In fairness, they seem to actually cut less than that). However, they have certainly reduced their staff by over 20% in the past two years. There aren't any slackers left at the company.

    Thank you for handing out information regarding how to steal our products.

    Vanguard
    --------------------

    I understand that some of you have it even worse. Some of you are not employed at all. I feel for you.
  • Maybe I'm missing something but I don't understand what all the ranting about piracy is about. Could someone explain, nice and simple for those of us who are slow on the uptake, exactly what is getting pirated here? If the answer is "Cisco software", exactly where is it coming from and precisely where does the infringement take place?

    I read the linked page as how to build a PIX-like firewall by slapping some PC parts together and adding a legally-acquired Cisco flash card containing the software. Am I confused about the nature of the flash card? I saw it as something like noticing you could buy Macintosh roms out of an Apple repair parts catalog, and then writing a page saying "Build your own Macintosh clone by putting some standard hardware together and adding Mac roms that you buy from Apple". Sure, you've possibly annoyed Apple by avoiding paying a lot more for a real Mac, but as long as you get the roms legally, where is the piracy? You're not copying the roms, you're getting legitimate ones. They're even still legitimate if you get them on a secondary market like from a trashed motherboard.

    If all you want to do is run an OS from a flash disk on a PC, you can get a 16 MB CF card for under $20 and a CF to IDE adapter for another $20 or so. So I figured that the $400 for the PIX flash card has to mostly be going towards acquiring the software legally. Am I misreading the article?

  • by lanner ( 107308 ) on Friday August 30, 2002 @11:43AM (#4170657)

    I own a PIX 506 box and have worked on the 515 and 525 as well.

    Both the PIX 506 and 515 use an Intel socket 7 200MHz MMX processor without a cooling fan, they just have a heat sink. The system board is just an Intel, nothing special there. PIX expansion slots are PCI slots. The Ethernet interfaces use Intel eepro i82557 (or was it i82559?) chips, just like your Intel NIC in your desktop. Everything is really standard, except for the software that runs on the box.

    For people who know Cisco hardware, they seem to recognize that the PIX series of firewalls are far faster than say a 3600 series router, or any of the older Cisco hardware. The PIX firewalls were acquired by Cisco when they bought Network Translation. Reference;
    http://www.cisco.com/warp/public/146/pressroom/1995/oct95/242.html

    So when you are buying that $4000 3640 with 128MB of RAM to handle the 100K or so of Internet BGP routes, you are buying something with the processing power of a Pentium computer or less.

    Here are some facts on the Cisco 3600 series;

    3620 64MB RAM maximum, 80MHz RISC processor
    3640 128MB RAM maximum, 100MHz RISC processor
    3660 256MB RAM maximum, 225MHz RISC processor

    One of the major considerations for Cisco is that their equipment has to be really stable and heat tolerant. People love to treat Cisco hardware like old telco hardware and keep it out in a barn and stuff, in the damp air, with a bunch of dust, whatever. We should all know how Intel processors are in regards to heat. But even an old 200MHz Intel MMX processor can run without a cooling fan.

    Cisco router hardware, in general, is really slow and sucks for processor speed. Juniper has mopped Cisco all over the floor in the core Internet market in the last few years because of port density, processing speed, and packet forwarding latency. In comparison, you look at a Juniper M40 versus a Cisco 12012, and the 12012 looks like a huge POS, and I don't mean packet over Sonet.

    One of the things about the Juniper routers is that they use Intel processors and SDRAM -- not much special there. The hardware is all completely custom, but they choose to ditch the Motorola and IBM processors for Intel. Packet forwarding processors are totally different than the core processors that we are talking about here, so I will leave them out for the most part. Still, Cisco uses a lot of off the shelf stuff in their routers and companies like Juniper have manufactured their own or applied existing stuff better to get the wire speed forwarding rates on all interfaces, with a backplane speed that is greater than the sum of all possible interfaces on a router.

    Cisco does not really see themselves as a hardware manufacturer, but instead as a software company. However, if they do not shape up and start making some really good hardware, they are going to get kicked out by Juniper as they start to climb down the ladder and come out with smaller more affordable boxes and spread out from their core and big-box offerings (think M-5).

    Lately Cisco has released a few good new pieces of hardware. The 10000 series aggregation boxes can mux Sonet down to fractional DS1s, which is pretty hot, but these boxes are really hard to use these days because of the serious downturn in the market and the fact that a lot of DS1 customers have gone away. Old 7513s that ISPs have in stock with fractional PA-2T3s work fine.

    In switches, Cisco has come out with the 3500XL and 3550XL switches, which are really great.

    But most people out there have 2600s and 3600s. There are a lot of 2500s still in use too. Some things are starting to hurt Cisco though. It can take a minute or two for all of those BGP routes to get filtered out when interfaces flap. Cisco does not even offer any kind of SSH2 capability with ANY of their routers (to my knowledge), they only support SSH1 on special IOS versions and platforms. I really wonder if these routers, with their slow processors, can handle new stuff.

    I wonder how this will affect an IP6 roll out. I remember working on some 3600s and IP6 some time back. They had issues, but I understand that Cisco has worked a lot of those out.

    Oh well.

    The moral of the story is that Cisco hardware is kind of slow and it shows. On the other hand, it usually gets the job done.

    I need to go back to finding myself a job. Posting on Slashdot ain't paying the rent.

    Anyone out there have a Juniper Olive image? I would not mind having one of those in my lab.
