Wednesday 25 May 2011

Cisco - the business model

Some time ago I bought two SG560 firewalls from SecureComputing/SnapGear. These two inexpensive boxes could do almost everything: VPN, NAT, routing, DNS proxy, multiple IP addresses, etc., etc. But alas - SecureComputing was acquired by their competitor McAfee. After one firmware upgrade they announced that the products would be discontinued.

Now, I still had two boxes - but one of them turned bad and started dropping packets and freezing every now and then. The other box was traded away for a good coffee machine a few years back, so I had to invest in a new firewall for the office.

Everyone at the office was getting more and more used to having a VPN connection, and the semi-defective SG560 had over a period made it very clear that stability was very important. For this reason the choice was rather easy - I would do something I never do... I would go for the "Cover my ass solution". If you buy something from Cisco - no one can blame you if the damn thing doesn't work. I decided that the ASA5500 was a good choice.

The price was around 3500DKK - it was the one with a limit of 10 VPN users, which was sufficient for now. And if the business should grow beyond that we could just give Cisco an additional 3000DKK and the box would suddenly be able to handle 10 more VPN users. Coming from an open source world this license lock-down was a strange encounter - but ... I had a "Cover my ass" decision to focus on, so I disregarded that for now.

The box arrived and it did not look like much - but it carried a nice logo representing the cover of my ass: "Cisco". Now everything would work out and everyone in the office would nod politely - indicating that they knew I "saved their day".

Now, I have set up more than 20 different routers, firewalls, etc. to give local networks access to the Internet, get redundant connections, VPNs, port forwarding, routing, etc. etc. So when I saw the box I thought "no problem, this was a very expensive unit - it must be even better than anything I have ever seen".

But alas, this was not the case. Rather than getting a great firewall with all the configurations we needed including VPN etc., I found the missing piece for a puzzle I have not been able to solve for a very long time: Why the hell have I seen so many "Cisco" certifications in potential employees' CVs?

Now, having been able to configure almost all the routers, firewalls, etc. I have ever encountered, I simply could not figure out why a certification from Cisco would ever be necessary. But struggling with this ASA5500 it all became clear; here are my findings:

1) Instead of having an HTML based interface to configure the ASA5500 it had a Java Web Start based configuration client called ASDM. This in itself is not a bad thing, but it does seem like overkill considering that this box can only do networking related things. It also takes away the option of using tabs to have multiple configuration pages open at the same time, which often proves valuable when some part of the configuration depends on another.

2) Whenever I wanted to do something simple (like add a port forwarding rule) I was met with a dialog where nothing was named the way I expected. First of all they have some strange concepts about everything being reversed. Who would have thought that the "source" and "destination" of a NAT rule would be reversed? It took me well over an hour before the office could access the Internet again.

3) We also have a guest network - this is normally very simple: you just create another LAN on some of the switch ports and set up some security parameters. No, no, no, it does not work this way with Cisco. First of all, getting the switch ports free was done in some other place. And when I finally got them released I found out that even though 10 VPN users was enough - the damn thing came with 8 switch ports, but could only create one WAN, one DMZ, and one LAN. Actually I was able to create another LAN, but then it was not allowed any traffic in or out, which would make our guest network quite a joke.

4) The box is capable of doing 3 kinds of VPN: IPSec, Clientless SSL, and Easy VPN. The only one which would satisfy our needs was the IPSec, and even though there was a nice wizard it was not possible to set up a working IPSec. After spending lots of hours spanning multiple days I gave up. I managed to get the connection established between client and ASA5500 but could not grasp the concepts of how the security was to be set up such that I could get access to the LAN. Now, I understand I have limitations, so maybe it was just me. I appointed our systems administrator, who has quite a lot of experience in setting up all kinds of strange and exotic network structures, and teamed him up with our technical supporter. Those two wasted a few hours struggling with all 3 kinds of VPN and were not even able to get a working connection to the box.

5) So, why did we not just read the documentation! Let me tell you why: on almost all of the dialogs and wizards we could find within this ASDM software there was a help button. When I first pressed one of those I thought "Excellent, now I just need to read a little and I will understand", but here is how the documentation is structured. First of all: the pages correspond to the configuration structure one-to-one, so if I can't find a particular configuration in the ASDM I cannot find it in the documentation. Second: each page of the documentation contains from top to bottom explanations of the dialog that it describes in this form: "Put the source IP in the source IP input field", "Put the source service in the source service input field", and so on. WTF! Now I can never write RTFM to anyone.

6) Okay, I did manage to get Internet access working, so I could just search and find! But no, no one so much as mentions this ASDM application anywhere. All the help I could find was commands that I should fire at the damn thing from a command line. Now I don't mind that at all, but almost all of these examples did not work because they were for the ASAXXXX where XXXX != 5500. And when I finally found some examples they were deprecated because the firmware had been updated.

7) And then in my quiet evening time writing this I found that my CPU was under 100% load... writing on my blog? No, the ASDM had found a way of turning on the fan in my laptop. It was resting quietly on a configuration page but using 100% CPU.

You might already have guessed it. By having a "Cover your ass" brand you can persuade CIOs and CTOs all over the world to buy your stupid products. But that is not enough: you can also make those products so impossible to work with that the poor employees of the ass-covering C(I|T)O will need some very extensive education - and Cisco can help them with that, for a small monetary contribution. Now, not only will the poor employee have his brains twisted to cope with the oddities of those ridiculous products, he will also get a certificate that he can put in his CV. And without knowing it he is marketing the damn thing to all the potential employers (ass-covering C(I|T)Os), so when they need new hardware they cannot help themselves - their choice will be Cisco.

Here is the model that most other vendors use: Make an inexpensive, good product and keep it self-explanatory for the most part.

Now the latter just isn't very cunning - but one of these products is being packed and shipped to our office while I am writing this. And even though the ASA5500 was twice as expensive, I am going to remove it from my ass, place it with the rest of the garbage, and get my office back on track.
