Educause Security Discussion mailing list archives

Re: PIX/AS Vs. Linux/IPtables


From: Joe Vieira <jvieira () CLARKU EDU>
Date: Wed, 30 Sep 2009 11:58:31 -0400

The thing to consider is that it's always good to have multiple layers.
So if you're securing hosts (probably a lot of Linux hosts) behind a
dedicated firewall (Linux or ASA) it's not a bad idea to have a
different OS / device in the mix.  So if there is some HUGE
misconfiguration in your 'standard' Linux firewall, or some HUGE bug in
IPTABLES, having a different device will reduce your risk.  While ASAs
run Linux, it's a different setup with a lot of different configurations
on it than a normal IPTABLES setup.

-Joe

Justin Azoff wrote:
> On Wed, Sep 30, 2009 at 10:33:55AM -0500, HALL, NATHANIEL D. wrote:
>
> > I would disagree with your statements.  PIX/ASA devices still have an OS so
> > they could be compromised just like a Netfilter host.  If the Netfilter
> > firewall is standalone, just as the PIX/ASA, then you could easily secure it.
>
> And the ASA is actually just a Linux box, so you're really comparing apples to.. apples :-)

