Educause Security Discussion mailing list archives

Re: PIX/AS Vs. Linux/IPtables


From: "HALL, NATHANIEL D." <halln () OTC EDU>
Date: Wed, 30 Sep 2009 10:33:55 -0500

I would disagree with your statements.  PIX/ASA devices still have an OS so they could be compromised just like a 
Netfilter host.  If the Netfilter firewall is standalone, just as the PIX/ASA, then you could easily secure it.

As for mistakes being made by the admin, that can happen with any system.  It is not limited to Netfilter.  It all 
depends on how you configure it.

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary 
Dobbins
Sent: Wednesday, September 30, 2009 5:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PIX/AS Vs. Linux/IPtables

Not offhand, but I can offer this advantage over iptables (presuming you mean in-host filtration, versus using Linux as 
a standalone external filter system):  The ASA being separate reduces the chances of a mistake by a sysadmin in 
adjusting the filter, or a compromised machine being able to adjust its own filter rules.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of ron 
behrang
Sent: Tuesday, September 29, 2009 10:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PIX/AS Vs. Linux/IPtables

Hello,

Does anyone know of a good paper on the merits of using PIX/ASA
instead of using Linux/iptables?

Thanks
Ron
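Both replies above come down to configuration: Gary's concern is a sysadmin mistake or a compromised host loosening its own rules, and Nathaniel's answer is that a standalone Netfilter box is as securable as an appliance if it is configured carefully. The audit script below is an added example for this thread, not code from the list or from any vendor: it parses a dump in `iptables-save` format and flags the two mistakes most often made on a Linux firewall, a non-DROP default policy on INPUT/FORWARD and a management port accepted from any source. The two dumps inside it are constructed samples, not captured rulesets; `MANAGEMENT_PORTS` and the `audit`/`parse_filter_table` names are my own choices.

```python
"""Audit an iptables-save dump for a permissive default policy and for
management ports reachable from anywhere.  Added example for this
discussion; the sample dumps are constructed, not taken from a real host."""
import re
from ipaddress import ip_network

# Constructed sample (not a real host's ruleset): INPUT defaults to ACCEPT
# and SSH is accepted from any source, two findings a reviewer should catch.
WEAK_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

# Constructed hardened version of the same ruleset: DROP by default on
# INPUT and FORWARD, management only from an assumed admin network 10.0.0.0/8.
HARDENED_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

# Assumed set of ports that should only be reachable from an admin network.
MANAGEMENT_PORTS = {22, 23, 443, 3389}


def parse_filter_table(dump):
    """Return (chain policies, append rules) from the *filter table of a dump."""
    policies, rules = {}, []
    in_filter = False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *filter or *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or line == "COMMIT" or line.startswith("#") or not line:
            continue
        if line.startswith(":"):          # ":CHAIN POLICY [packets:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):      # a rule appended to a chain
            rules.append(line)
    return policies, rules


def audit(dump):
    """Return a list of human-readable findings; an empty list means clean."""
    policies, rules = parse_filter_table(dump)
    findings = []
    # Finding 1: a firewall host should default-deny on INPUT and FORWARD.
    for chain in ("INPUT", "FORWARD"):
        policy = policies.get(chain, "missing")
        if policy != "DROP":
            findings.append(f"{chain} policy is {policy}, expected DROP")
    # Finding 2: an ACCEPT for a management port without a source restriction.
    for rule in rules:
        if not rule.startswith("-A INPUT ") or "-j ACCEPT" not in rule:
            continue
        port = re.search(r"--dport (\d+)", rule)
        if port is None or int(port.group(1)) not in MANAGEMENT_PORTS:
            continue
        src = re.search(r"-s (\S+)", rule)
        if src is None or ip_network(src.group(1), strict=False).prefixlen == 0:
            findings.append(f"management port {port.group(1)} accepted from any source: {rule}")
    return findings


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        print(f"{name}: {audit(dump) or 'no findings'}")
```

On a real system the input would be the output of `iptables-save` (which writes `-m tcp --dport N`, a form the regex also matches); running a check like this from a change-control step, or from a separate box that pulls the ruleset over a read-only channel, addresses the admin-mistake concern without moving the filter off the host.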


