RE: Firewall Throughput

["Mills, Craig" <CMills () netbridge com au>]

I think you have the PIX and Cisco's IOS firewall feature set confused.
They are not one and the same product. Cisco don't push the PIX as a
router/firewall. It has only the bare routing functionality needed to
function as a firewall should.

It sounds like the perimeter firewall you are discussing is a router
running IOS FW, since you're discussing CBAC which is a IOS FW feature.

I agree that the IOS firewall is not suitable for enterprise protection,
which is why Cisco offer the PIX as a firewall appliance.

Regards,
Craig Mills

> -----Original Message-----
> From: Darren Reed [mailto:darrenr () reed wattle id au]
> Sent: Monday, 11 September 2000 7:34 PM
> To: darren.mackay () uq net au
> Cc: firewall-wizards () nfr net
> Subject: Re: [fw-wiz] Firewall Throughput
>
>
> In some email I received from Darren Mackay, sie wrote:
> > Darren,
> >
> > | What do you value more - throughput or security ?
> > |
> > | If you value security, the PIX isn't the answer,
> > | IMHO.
> >
> > Are you saying PIX is not secure? Are you able to elaborate? I have
> > never had any problem with pix, and it certainly has not failed any
> > 'ethical attacks' that haven throwed against it (unlike 
> other vendors,
> > which can be really esoteric in their configs to get around known
> > vulnerabilities).
>
> My problem with PIX is as follows.  Cisco push it along the lines of
> "you don't want unix/windows on your firewall because they're 
> crashable"
> but at the same time try to sell it as a "router firewall".  You damn
> well don't want a router as a firewall either!  You can make 
> a "firewall"
> out of any Cisco thing which will support the CBAC feature set so why
> does it need to be a PIX in particular ?  Where I'm now 
> working, we use
> the CBAC feature set on the "outside" and IP Filter on the 
> inside.  There
> have been packets which CBAC has let through that IP Filter 
> won't (NOTE:
> I didn't build this firewall :).  That rings alarm bells, to 
> me.  IMHO,
> they're putting too much into the IOS.  I also don't fancy the idea of
> the "firewall" booting up and one day wanting to tftp a boot 
> image from
> whoever will answer...
>
> For me, if you have the time & money (that's a BIG if) as well as the
> backing and expertise, there's nothing better than a 
> roll-your-own made
> from xBSD (I *refuse* to believe that Linux is a 
> reliable/secure platform
> until they learn what the term "release engineering" means - and that
> goes all the way to the top of the linux tree).  You can 
> strip them back,
> build completely static distributions, etc, and you can get 
> 1U PC hardware
> now too.
>
> Darren
>
> _______________________________________________
> Firewall-wizards mailing list
> Firewall-wizards () nfr net
> http://www.nfr.net/mailman/listinfo/firewall-wizards


**********************************************************************
This email may be confidential and/or privileged. Only the intended recipient
may access or use it. Any dissemination, distribution or copying of this email
is strictly prohibited. If you are not the intended recipient please notify us 
immediately by return email and then erase the email.

We use virus scanning software but exclude all liability for viruses 
or similar in any attachment
**********************************************************************

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards