(eBay)   Anyone need a firewall/IPS? How about Fark's old one? Guaranteed free of beer/bourbon stains   (cgi.ebay.com)
    More: Plug, des, serial numbers, University of Coimbra  

8654 clicks; posted to Main » on 09 Aug 2013 at 11:52 PM (2 years ago)



137 Comments   (+0 »)
   

Archived thread

 
gja
2013-08-10 08:55:20 AM  
Pfffft. No WONDER Fark.com loads slow sometime.
C'mon Mike old boy.
Get some real-deal throughput.

[a248.e.akamai.net image 500x255]
 
2013-08-10 09:16:25 AM  

Fista-Phobia: ...


^ this.
 
2013-08-10 09:30:21 AM  

gja: Pfffft. No WONDER Fark.com loads slow sometime.
C'mon Mike old boy.
Get some real-deal throughput.

[a248.e.akamai.net image 500x255]


Does Fark actually need that kind of throughput though?  Sure every once in a while its traffic goes through the roof (9/11, some other disaster) but doesn't seem worth going out of your way to cater to a statistical anomaly in your usage.
 
2013-08-10 09:34:18 AM  
So, vodak stains then?
 
2013-08-10 09:38:31 AM  

SpaceBison: [img.fark.net image 640x480]


That's why I'm only offering a month's TF subscription and a cat-ass picture.  When Fark goes down we get a text that says quite clearly "We spilt beer on the server again" the important word here is AGAIN, when you combine that knowledge with this picture of one of the Fark staff clearly passed out on a floor (it doesn't look like the flooring of any data centre I've been in, more like a kitchen) surrounded by booze AND the imminent liquid ingress into the machine's chassis... well...

I think I'll reduce my offer to just the slightly soiled cat ass picture as frankly we can already tell for certain that the item in question:

1) Hasn't been kept in a climate controlled environment.
2) Hasn't been properly maintained.
3) Potentially has liquid damage.
4) Is being sold by an obvious alcoholic which means it's unlikely to ever arrive as all the money will be spent on booze not shipping.

I honestly don't think he's going to get a better deal than the cat ass picture when you consider how beaten up this piece of kit may be.
 
2013-08-10 09:44:03 AM  
So what did you bump up to?  ASA5520?  the 5540 or 5580?  If it's the 5580 it's pretty overkill, but if you're willing to verify a few parts inside, you can possibly beef that farker up beyond reason.
 
gja
2013-08-10 09:48:18 AM  

Vaneshi: gja: Pfffft. No WONDER Fark.com loads slow sometime.
C'mon Mike old boy.
Get some real-deal throughput.

[a248.e.akamai.net image 500x255]

Does Fark actually need that kind of throughput though?  Sure every once in a while its traffic goes through the roof (9/11, some other disaster) but doesn't seem worth going out of your way to cater to a statistical anomaly in your usage.


Web farm with mirrors, FTW.
Also, you don't buy the ISG series for just the throughput, it's for the reliability and ability to deal with single component failures w/o going offline.
 
2013-08-10 10:50:46 AM  

Cubansaltyballs: Landis: Vlad_the_Inaner: minimum bid $1,250.00?

$900 used on amazon.com

I suppose someone might consider the historical value

The Security Plus license adds a good $250 to it at least.  Not sure if you'd need 20+ vLANs, let alone the ability to route among them, but there you go.

\Set up a lot of 5505s and 5510s in my day.
\\Mostly deal with Cisco and Fortinet.
\\\Now, if that was a 2960s or a 39xx I'd probably buy it...

The VLANs come in handy if you're:

A) Using VRFs or VRF-Lite on a small network and want your inter-VRF routing to be filtered or done on a firewall instead of screwing around with route-leaking across VRFs. If you set up 5 VLANs on your ASA and map each of those VLANs on your switch to an SVI bound to a VRF, you configure OSPF/EIGRP for each address family to connect to your ASA. The ASA has all the route tables from all your VRFs, and thusly can route between them.

B) You are using your ASA in multicontext mode and/or combined with scenario A. You can burn through VLANs really fast with bridge groups for transparent contexts, or if you're adding lots of sub-interfaces to a routed context.

C) You have a single physical DMZ, but want to create logical zones to separate different types of servers and have their inter-zone traffic arbitrated by a stateful firewall.

D) You have no need for any of the above secure separations and you're using it as a router-on-a-stick... In which case you should be dragged into the town square and publicly executed in front of all the villagers to shame your family for not murdering you in your sleep when you first showed signs of retardation, as well as sacrificing you to the gods of good networking so your death may be: a) used as a warning to others to not be stupid, and b) to have the world's networking sins washed away with the blood of a retard.


This is all very true, and 'D' made my morning.  Most of my clients aren't large enough to need more than 5 vLANs, though I've had a couple in the 11-12 range.  Even then, some of those are for NFS and iSCSI traffic, so they never reach the firewall; they just kind of stop at the switch.  Which then brings us to the question of why wouldn't you just let the firewall be a firewall and move your routing to a nice, hefty layer 3 switch instead?

CSB time:
We once (about three years ago) had a client who managed to use 20 vLANs internally.  Some were for VPLs, some were storage, most were regular old traffic segmented by functional group and/or department, and, of course, the 1 public-facing vLAN.  It was all very secure at first; different security levels, limited routing between the vLANs, and strict ACLs.  The customer then gets acquired one day and proceeds to demand that we set the security level on all of the vLANs (except public) to 75 and configure them to cross-talk freely.  I looked at him in a meeting and asked why he even bothered with vLANs and multiple subnets when it was obvious what he wanted was a /16 in a single broadcast domain.
/CSB

\Off to research F5 firewalls...  I thought they mostly made load-balancers.
 
2013-08-10 11:08:32 AM  
gja:
Web farm with mirrors, FTW.
Also, you don't buy the ISG series for just the throughput, it's for the reliability and ability to deal with single component failures w/o going offline.


All things being equal I think a hot standby for the database machine would serve them better.
 
2013-08-10 11:28:53 AM  
Guaranteed free of beer/bourbon stains

No beer or bourbon, but smells like farts.

/they kept the one that smelled like pussy.
 
2013-08-10 11:35:53 AM  

Cubansaltyballs: eCurmudgeon: .../work for a network-security reseller...

You sound like a firewall noob: Someone that thinks a pretty UI means it's a better firewall.


Youse kids!  In MY day we wrote our firewall rules by hand at the command line and got all of our latest technical information from the firewalls majordomo email list.

//Get offa my LAN!
 
2013-08-10 11:57:27 AM  

sharphead: So uh.... how do I connect it to my computer?

Does it come with a remote and free lifetime technical support?


Is it PC compatible?

Does it have HDMI?
 
2013-08-10 12:39:44 PM  
I think there's a network person in this thread that has an over-inflated sense of importance.

I have the F5 LTMs and several 5500 series Cisco appliances. They both work well. Don't know much about the F5 FW offering. The Juniper gear seems solid too, though I must admit my knowledge of the NetScreen and the MX series switches is rather limited.

The CheckPoint FWs I was exposed to 15 or so years ago, they were not very good. They tended to have some very ugly exploits that would spit back quite a bit of juicy information. Since then I've never looked at them again.

I use the Cisco stuff primarily because of two reasons. 1) I'm extremely familiar with the CLI and can be very productive with it and 2) because there is an arse-ton of information about the devices out there if I need help. Which is good because Cisco's TAC can be spotty (that's being nice) at times.
 
gja
2013-08-10 12:51:08 PM  

Thorazine: Cisco's TAC can be spotty (that's being nice) at times


NICE? You are a frikking diplomat of global proportions. TAC is a portal-O-pain in many instances.
My only reason for putting up the ISG pic is its ability to have critical stuff hot-swapped w/o going offline or into 'limp-along' mode.
Also, the IDS/IDP proc's are awesome and very easy to back-end to 3rd party s/w products.
 
2013-08-10 01:01:01 PM  
Anyone who goes for an SRX needs their head examining. We're Juniper partners and have been selling them since they came out. Our sales guys sold them on the throughput/price combo, and customers lapped them up, then returned them in droves. There's a reason why Juniper stopped selling them as firewalls for a period and was selling them as secure routers. Awful pieces of crap. I'm Checkpoint and F5 all the way, though I'm not a fan of this new "do everything in one box". Let firewalls firewall, proxies proxy and IPS's IPS. I've done a lot of projects lately where I've had to convert Bluecoat proxy policies to Checkpoint URL filtering, then having to explain to clients why it won't do exactly the same as a device designed as a proxy.

/don't even get me started on McAfee Sidewinder
//multi vendor, multi skin is the way to go (and not just because it means more consultancy for me)
 
2013-08-10 01:07:30 PM  
If it works as well as your moderators, can you tell me what the difference is between it and a cat5 bridge cable?
 
2013-08-10 01:20:55 PM  

Day_Old_Dutchie: Geez. We have a geek-dick-waving contest.


Well yeah, but I kinda expected that.
 
2013-08-10 01:32:10 PM  

Day_Old_Dutchie: Geez. We have a geek-dick-waving contest.

:My FW's better than your FW.


Waving?

/showing, maybe
 
2013-08-10 01:54:57 PM  
Meh.  I've always hated the ASA line of products.  They're way too complicated to set up.  I'm not a Cisco guy, but I have taken a couple CCNA classes and can fumble around the command line.  The ASA has a GUI that works for about 1/2 of the stuff.  The other 1/2 just doesn't work like it's supposed to.  A call to Cisco support usually ended in "oh, that doesn't work in the GUI.  you gotta do the command line".  Um, how about if you fix your GUI?  Seemingly simple stuff I could never get working.  Stuff that would take about 10 seconds to do on a cheap crappy Linksys router.  I have had support calls last 6+ hours, and got transferred to techs in other time zones to keep the call going.  We also had to reboot that crappy ASA at least once a week when random shiat stopped working.  I have had extremely good luck with the Checkpoint Safe@Office line.  It's a web-based GUI that actually works.  It does everything most places would ever want to do, and does have a command line if you need to get really crazy with a workaround.  It also never ever ever ever needs a reboot.  As easy as a Linksys to configure.  Easier than Sonicwall by far.
 
2013-08-10 03:01:59 PM  

Thorazine: I think there's a network person in this thread that has an over-inflated sense of importance.


Think maybe he's hanging out here because he got tired of people kicking sand in his face over at Slashdot?
 
2013-08-10 03:02:39 PM  

Mr. Eugenides: Folks should read this before bidding.


Is that a technical requirement (product will not function without it) in addition to a licensing requirement or just a licensing requirement?
 
2013-08-10 03:11:42 PM  
Does it have slats?
 
2013-08-10 03:19:50 PM  

HoratioGates: Does it have slats?


Dozens along the front edge.  With very thin gaps between. Do not use an ASA as a chair, you will need help soonish.
 
2013-08-10 03:33:05 PM  
I also guarantee I've never sat on it or had anything stuck in it, or mistaken it for a street light.
 
2013-08-10 03:38:52 PM  
(I can also guarantee it handled IPv6 quite well for years.  Like it or not, that does matter.)
 
2013-08-10 04:03:50 PM  

Mike: (I can also guarantee it handled IPv6 quite well for years.  Like it or not, that does matter.)


Did you add more memory to make it ASA v.9.x capable?
 
2013-08-10 04:22:10 PM  

Cubansaltyballs: Did you add more memory to make it ASA v.9.x capable?


Yeah, "show version" output is in the auction listing.
 
2013-08-10 04:33:36 PM  

Mike: Cubansaltyballs: Did you add more memory to make it ASA v.9.x capable?

Yeah, "show version" output is in the auction listing.


TLDR
 
2013-08-10 05:05:03 PM  

tenpoundsofcheese: honestly disclose the operating environment this thing was in


Here ya go
 
2013-08-10 05:58:25 PM  

deeeznutz: Cisco>Juniper>Checkpoint....Anything else is non enterprise crap that is only good for basic functions like NAT and Access-lists


Snort
 
2013-08-10 06:02:09 PM  
0 bidders?

You'll get over it.
 
2013-08-10 07:50:56 PM  

dirtyeffinhippie: Meh.  I've always hated the ASA line of products.  They're way too complicated to set up.  I'm not a Cisco guy, but I have taken a couple CCNA classes and can fumble around the command line.  The ASA has a GUI that works for about 1/2 of the stuff.  The other 1/2 just doesn't work like it's supposed to.  A call to Cisco support usually ended in "oh, that doesn't work in the GUI.  you gotta do the command line".  Um, how about if you fix your GUI?  Seemingly simple stuff I could never get working.  Stuff that would take about 10 seconds to do on a cheap crappy Linksys router.  I have had support calls last 6+ hours, and got transferred to techs in other time zones to keep the call going.  We also had to reboot that crappy ASA at least once a week when random shiat stopped working.  I have had extremely good luck with the Checkpoint Safe@Office line.  It's a web-based GUI that actually works.  It does everything most places would ever want to do, and does have a command line if you need to get really crazy with a workaround.  It also never ever ever ever needs a reboot.  As easy as a Linksys to configure.  Easier than Sonicwall by far.


The ASA GUI was developed by the marketing dept. to cater to IT directors who don't understand technology.

As you said, not everything works via the GUI, and once you start adding stuff via the CLI, you run the risk of having the GUI not understand and ignore it, or worse, overwrite it.

Learn the CLI for configuration, and if you have the uncontrollable urge to use the GUI, only do so to view the performance stats.
 
2013-08-10 08:00:41 PM  

Landis: Cubansaltyballs: Landis: Vlad_the_Inaner: minimum bid $1,250.00?

$900 used on amazon.com

I suppose someone might consider the historical value

The Security Plus license adds a good $250 to it at least.  Not sure if you'd need 20+ vLANs, let alone the ability to route among them, but there you go.

\Set up a lot of 5505s and 5510s in my day.
\\Mostly deal with Cisco and Fortinet.
\\\Now, if that was a 2960s or a 39xx I'd probably buy it...

The VLANs come in handy if you're:

A) Using VRFs or VRF-Lite on a small network and want your inter-VRF routing to be filtered or done on a firewall instead of screwing around with route-leaking across VRFs. If you set up 5 VLANs on your ASA and map each of those VLANs on your switch to an SVI bound to a VRF, you configure OSPF/EIGRP for each address family to connect to your ASA. The ASA has all the route tables from all your VRFs, and thusly can route between them.

B) You are using your ASA in multicontext mode and/or combined with scenario A. You can burn through VLANs really fast with bridge groups for transparent contexts, or if you're adding lots of sub-interfaces to a routed context.

C) You have a single physical DMZ, but want to create logical zones to separate different types of servers and have their inter-zone traffic arbitrated by a stateful firewall.

D) You have no need for any of the above secure separations and you're using it as a router-on-a-stick... In which case you should be dragged into the town square and publicly executed in front of all the villagers to shame your family for not murdering you in your sleep when you first showed signs of retardation, as well as sacrificing you to the gods of good networking so your death may be: a) used as a warning to others to not be stupid, and b) to have the world's networking sins washed away with the blood of a retard.

This is all very true, and 'D' made my morning.  Most of my clients aren't large enough to need more than 5 vLANs, though I've had a couple in the 11-12 range.  Even then, some of those are for NFS and iSCSI traffic, so they never reach the firewall; they just kind of stop at the switch.  Which then brings us to the question of why wouldn't you just let the firewall be a firewall and move your routing to a nice, hefty layer 3 switch instead?

CSB time:
We once (about three years ago) had a client who managed to use 20 vLANs internally.  Some were for VPLs, some were storage, most were regular old traffic segmented by functional group and/or department, and, of course, the 1 public-facing vLAN.  It was all very secure at first; different security levels, limited routing between the vLANs, and strict ACLs.  The customer then gets acquired one day and proceeds to demand that we set the security level on all of the vLANs (except public) to 75 and configure them to cross-talk freely.  I looked at him in a meeting and asked why he even bothered with vLANs and multiple subnets when it was obvious what he wanted was a /16 in a single broadcast domain.
/CSB

\Off to research F5 firewalls...  I thought they mostly made load-balancers.


Mobile Fark sucks as far as quoting goes, so I'm really answering this:

"Which then brings us to the question of why wouldn't you just let the firewall be a firewall and move your routing to a nice, hefty layer 3 switch instead?"

Because he needs to filter between the various vlans. For example, various 3rd party networks that you want to isolate from each other.
 
2013-08-10 11:45:33 PM  
I am no eBay expert, but if you have the kind of exposure that other sellers would kill for, why not start low and let the market do its magic? The risk of it selling for substantially less than market value should have been very manageable.
 
2013-08-11 01:12:43 AM  

deeeznutz: Cisco>Juniper>Checkpoint


Junos > CiscoIOS.

/ftfy
 
2013-08-11 01:15:04 AM  

Myria: Wow, the Plug tag used for its original purpose =)


Literally AND figuratively!
 
2013-08-11 02:02:24 AM  

etherknot: Myria: Wow, the Plug tag used for its original purpose =)

Literally AND figuratively!


That's just how I roll, mang.
 
Displayed 37 of 137 comments
