Firewall Wizards mailing list archives
RE: Firewall Throughput
From: "Mills, Craig" <CMills () netbridge com au>
Date: Tue, 12 Sep 2000 15:32:42 +1100
I think you have the PIX and Cisco's IOS firewall feature set confused. They are not one and the same product. Cisco don't push the PIX as a router/firewall. It has only the bare routing functionality needed to function as a firewall should. It sounds like the perimeter firewall you are discussing is a router running IOS FW, since you're discussing CBAC which is a IOS FW feature. I agree that the IOS firewall is not suitable for enterprise protection, which is why Cisco offer the PIX as a firewall appliance. Regards, Craig Mills
-----Original Message----- From: Darren Reed [mailto:darrenr () reed wattle id au] Sent: Monday, 11 September 2000 7:34 PM To: darren.mackay () uq net au Cc: firewall-wizards () nfr net Subject: Re: [fw-wiz] Firewall Throughput In some email I received from Darren Mackay, sie wrote:Darren, | What do you value more - throughput or security ? | | If you value security, the PIX isn't the answer, | IMHO. Are you saying PIX is not secure? Are you able to elaborate? I have never had any problem with pix, and it certainly has not failed any 'ethical attacks' that haven throwed against it (unlikeother vendors,which can be really esoteric in their configs to get around known vulnerabilities).My problem with PIX is as follows. Cisco push it along the lines of "you don't want unix/windows on your firewall because they're crashable" but at the same time try to sell it as a "router firewall". You damn well don't want a router as a firewall either! You can make a "firewall" out of any Cisco thing which will support the CBAC feature set so why does it need to be a PIX in particular ? Where I'm now working, we use the CBAC feature set on the "outside" and IP Filter on the inside. There have been packets which CBAC has let through that IP Filter won't (NOTE: I didn't build this firewall :). That rings alarm bells, to me. IMHO, they're putting too much into the IOS. I also don't fancy the idea of the "firewall" booting up and one day wanting to tftp a boot image from whoever will answer... For me, if you have the time & money (that's a BIG if) as well as the backing and expertise, there's nothing better than a roll-your-own made from xBSD (I *refuse* to believe that Linux is a reliable/secure platform until they learn what the term "release engineering" means - and that goes all the way to the top of the linux tree). You can strip them back, build completely static distributions, etc, and you can get 1U PC hardware now too. Darren _______________________________________________ Firewall-wizards mailing list Firewall-wizards () nfr net http://www.nfr.net/mailman/listinfo/firewall-wizards
********************************************************************** This email may be confidential and/or privileged. Only the intended recipient may access or use it. Any dissemination, distribution or copying of this email is strictly prohibited. If you are not the intended recipient please notify us immediately by return email and then erase the email. We use virus scanning software but exclude all liability for viruses or similar in any attachment ********************************************************************** _______________________________________________ Firewall-wizards mailing list Firewall-wizards () nfr net http://www.nfr.net/mailman/listinfo/firewall-wizards
Current thread:
- Re: Firewall Throughput, (continued)
- Re: Firewall Throughput Christopher Nielsen (Sep 13)
- Re: Firewall Throughput Patrick Darden (Sep 14)
- Plan9 (was Re: Firewall Throughput) Christopher Nielsen (Sep 16)
- Re: Firewall Throughput Carson Gaspar (Sep 12)
- Re: Firewall Throughput Andy Smith (Sep 12)
- Re: Firewall Throughput Patrick Darden (Sep 06)
- RE: Firewall Throughput Robert Purdy (Sep 08)