Firewall Wizards mailing list archives
Re: Firewall Throughput
From: Patrick Darden <darden () armc org>
Date: Mon, 11 Sep 2000 15:07:57 -0400 (EDT)
Darren, "they're putting too much into the IOS... CBAC feature set...." The PIX does not run IOS, nor is it associated with CBAC in any way other than they are both Cisco products. Completely different product lines. "Cisco push it along the lines of 'you don't want unix/windows on your firewall because they're crashable'" I would like to know where they state that. It would be pretty hypocritical as the PIX has a Unix based OS (Plan 9). "You damn well don't want a router as a firewall" I don't know of many firewalls that aren't routers as well, that includes the IP Filter you seem to like so much and even the BSD-based NOKIA running Checkpoint FW1. Application-layer proxy based firewalls usually aren't routers, but otherwise... "I *refuse* to believe that Linux is a reliable/secure platform" No offense, but I have Solaris, BSD, AIX, and Linux running here--and all of them are stable and reliable. I had one hard-used Linux server running for almost 2 years before I recently took it down for some upgrades. -- --Patrick Darden Internetworking Manager -- 706.354.3312 darden () armc org -- Athens Regional Medical Center On Mon, 11 Sep 2000, Darren Reed wrote:
In some email I received from Darren Mackay, sie wrote:Darren, | What do you value more - throughput or security ? | | If you value security, the PIX isn't the answer, | IMHO. Are you saying PIX is not secure? Are you able to elaborate? I have never had any problem with pix, and it certainly has not failed any 'ethical attacks' that haven throwed against it (unlike other vendors, which can be really esoteric in their configs to get around known vulnerabilities).My problem with PIX is as follows. Cisco push it along the lines of "you don't want unix/windows on your firewall because they're crashable" but at the same time try to sell it as a "router firewall". You damn well don't want a router as a firewall either! You can make a "firewall" out of any Cisco thing which will support the CBAC feature set so why does it need to be a PIX in particular ? Where I'm now working, we use the CBAC feature set on the "outside" and IP Filter on the inside. There have been packets which CBAC has let through that IP Filter won't (NOTE: I didn't build this firewall :). That rings alarm bells, to me. IMHO, they're putting too much into the IOS. I also don't fancy the idea of the "firewall" booting up and one day wanting to tftp a boot image from whoever will answer... For me, if you have the time & money (that's a BIG if) as well as the backing and expertise, there's nothing better than a roll-your-own made from xBSD (I *refuse* to believe that Linux is a reliable/secure platform until they learn what the term "release engineering" means - and that goes all the way to the top of the linux tree). You can strip them back, build completely static distributions, etc, and you can get 1U PC hardware now too. Darren _______________________________________________ Firewall-wizards mailing list Firewall-wizards () nfr net http://www.nfr.net/mailman/listinfo/firewall-wizards
_______________________________________________ Firewall-wizards mailing list Firewall-wizards () nfr net http://www.nfr.net/mailman/listinfo/firewall-wizards
Current thread:
- Firewall Throughput Benson Hill (Sep 05)
- Re: Firewall Throughput Darren Reed (Sep 06)
- Lucent Managed Firewall Surapong Singshinsuk (Sep 07)
- Re: Lucent Managed Firewall Graham Allan (Sep 07)
- RE: Firewall Throughput Darren Mackay (Sep 12)
- Re: Firewall Throughput Darren Reed (Sep 12)
- RE: Firewall Throughput Darren Mackay (Sep 12)
- Re: Firewall Throughput Patrick Darden (Sep 12)
- Re: Firewall Throughput Darren Reed (Sep 12)
- Re: Firewall Throughput Patrick Darden (Sep 12)
- Re: Firewall Throughput Darren Reed (Sep 13)
- Vague Negative Blah Patrick Darden (Sep 14)
- Re: Firewall Throughput Ryan Russell (Sep 14)
- RE: Firewall Throughput JVBrown (Sep 13)
- Lucent Managed Firewall Surapong Singshinsuk (Sep 07)
- RE: Firewall Throughput Robert Purdy (Sep 13)
- Re: Firewall Throughput Darren Reed (Sep 13)
- RE: Firewall Throughput Aaron Turner (Sep 14)
- RE: Firewall Throughput Robert Purdy (Sep 16)
- Re: Firewall Throughput Darren Reed (Sep 06)