Firewall Wizards mailing list archives
Re: Firewall Throughput
From: Carson Gaspar <carson () tla org>
Date: Mon, 11 Sep 2000 12:20:47 -0700
--On 09/11/00 08:33:36 PM +1100 Darren Reed <darrenr () reed wattle id au> wrote:
> My problem with PIX is as follows. Cisco push it along the lines of "you don't want unix/windows on your firewall because they're crashable" but at the same time try to sell it as a "router firewall". You damn well don't want a router as a firewall either! You can make a "firewall" out of any Cisco thing which will support the CBAC feature set so why does it need to be a PIX in particular? Where I'm now working, we use the CBAC feature set on the "outside" and IP Filter on the inside. There have been packets which CBAC has let through that IP Filter won't (NOTE: I didn't build this firewall :). That rings alarm bells, to me. IMHO, they're putting too much into the IOS. I also don't fancy the idea of the "firewall" booting up and one day wanting to tftp a boot image from whoever will answer...
Ummm... where are you getting your information from? PIX does _not_ run IOS. It is a "router" as opposed to a "bridge" (but then, so is ip-filter on most platforms :). Its main limitation right now is that it _doesn't_ act as a real router - it only listens to RIP v1 or v2, and can't even forward that properly. Static routes are about the only thing you can do with the things.
You're correct that CBAC isn't as restrictive as ip-filter. However, the PIX does not use the CBAC code, and ip-filter still, sadly, rejects valid traffic as it does not understand the advanced IP options used for "Long Fat Pipes". As I use ip-filter at home, I hope someone manages to fix that code Real Soon Now :)
--
Carson Gaspar
Security Architect
Certainty Solutions

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards