Much of my time is spent researching data sheets and release notes to determine the capabilities of a product, and you can learn a lot about a product's capabilities by reading these documents. However, the most important thing I've learned is how to read a document in such a way that you can determine what the product does not support. The vendors, of course, never tell you what isn't supported; they tell you what is supported.
This, I have found, is the most challenging task in product research, and without the skill you can find yourself in a difficult position after the product has already been sold and the promises have been made. I don't think this is something you can teach, but it is something you learn over time after being burned. Who pays for these mistakes? It is certainly not the vendors, and it's not the customer; it is the person responsible for the implementation.
Recently, after discussing requirements with a new customer for a combined firewall, VPN, URL filtering and IPS device (an "all-in-one" box), I did a little research and came up with a solution utilizing a Cisco IOS ISR router. I thought I had done all my research, but during deployment we ran into some real snags!
First issue: not enough flash to run SSL VPN and IPS concurrently.
Second issue: URL filtering is not supported using CBAC (Context-Based Access Control); you must use a zone-based firewall configuration.
In reading through the data sheets for this router, I read nothing about the flash limitations on a router that is sold to support SSL VPN and IPS concurrently. A flash upgrade was obviously required, but this could not be determined until we had already run into the issue. For the second issue, I have no one to blame but myself, for I simply assumed that URL filtering was supported using Cisco's original IOS firewall technology (CBAC). Had I done just a little more research, I would have found the document that talks about URL filtering and how it's configured in a zone-based firewall deployment. Nowhere does it say that URL filtering is not available using CBAC.
Live and learn, as they say. I won't be making that mistake again, but at the rate that technology changes I probably wouldn't have the opportunity to make that mistake again anyway. I'm sure a new one is on the horizon, but I'll be sure to read all the documents so that I can determine what they have not told me.