David teaches Cisco's PIX, Intrusion Detection and VPN courses to students across the country. David holds a number of industry certifications, including CISSP, CCSI, CSS-1, CCNP and CCDP. He is the co-editor of "Cisco Secure PIX Firewalls."
How long have you been working with Cisco PIX Firewalls, and how did you get interested in them?
I have been working with PIX firewalls since 1999. In early 2000, I was a Senior Network Engineer with a local Cisco Gold Partner. I was selected to lead several Cisco "Smart Start" programs that were aimed at providing secure infrastructure components for the still burgeoning dot-com market. Customers had their Cisco routers, PIX firewalls, Catalyst switches, and LocalDirector load balancers shipped to my lab. I assisted customers with successful prototyping of their remote co-location networks including design assistance, configuration and product training. I began teaching the Cisco Secure PIX Firewalls course in October of 2000.
What are your favourite security tools and why?
I have MANY favorite security tools, but if I had to pick two, they would be my Network Associates Sniffer and a Syslog server.
Not very sexy, I'll admit, but with these two tools, I can quickly troubleshoot most network problems that arise.
For baseline vulnerability scanning, I am partial to the open source program Nessus. Number one, it's free and easily compiles on most Linux flavors. Secondly, the open source community does a fantastic job of keeping it up to date with new vulnerabilities.
How long did it take you to co-write "Cisco Secure PIX Firewalls"? Any major difficulties?
First, Andy and I "Edited" CSPF. We were given the complete text of the "Cisco Secure PIX Firewall Advanced 1.01" course student guide and were assigned the task of re-working the content to organize ideas and topics so that they flowed logically from point A to point B. We did add a great deal of value in the way of author's notes and tips. I wrote all of the Appendices from scratch to include material that was not in the CSPFA course at the time but I felt was needed.
Our greatest challenge on the project was learning how to properly format the content for submission to the reviewers and the Cisco Press Production Team. Fortunately, Cisco Press provided four exceptional Technical Editors and a top-notch Development Editor. Andy and I would have turned out a much less complete book without their guidance and input.
Time and deadlines are also pretty stressful. Many nights in my hotel room, I would begrudge the two hours I demanded of myself working on the project. After a 12-hour day, the last thing I looked forward to was more work.
In your opinion, what can users do to choose a firewall that is right for their needs?
This is kind of a tough thing to answer in a short space. The first thing any organization (or individual) needs to consider is the value of the information assets they need to protect. It makes no sense to deploy a 50,000 firewall solution to protect a 10,000 asset. Can they get by with a stateful packet filter alone, or do they frequently deal with protocols such as HTTP, Java, and ActiveX that need an application-level proxy to protect from malicious active code? These decisions bear careful consideration.
Which personal firewalls would you recommend?