Firewall Wizards mailing list archives
RE: Firewall Throughput
From: Ben Nagy <bnagy () sa volante com au>
Date: Tue, 12 Sep 2000 15:18:08 +0930
-----Original Message-----
From: Darren Reed [mailto:darrenr () reed wattle id au]
Sent: Monday, 11 September 2000 7:04 PM
To: darren.mackay () uq net au
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Firewall Throughput
> [snip]
> > Are you saying PIX is not secure?
> [snip]
> My problem with PIX is as follows. Cisco push it along the lines of "you don't want unix/windows on your firewall because they're crashable" but at the same time try to sell it as a "router firewall".

How "Cisco push" things is almost certainly a product of your local sales force. I've never heard any Cisco people assert that the PIX is anything more than a decent firewall that runs on a "secure, non-UNIX, OS" (which is pure marketing drivel). Any attempt to sell the PIX as a "router firewall" would be doomed to failure, anyway, since the PIX makes a very, very poor router.

> You damn well don't want a router as a firewall either! You can make a "firewall" out of any Cisco thing which will support the CBAC feature set so why does it need to be a PIX in particular?
I don't trust IOS CBAC that much either. Do you have any evidence to suggest that the IOS CBAC stuff is as extensive as that on the PIX though? Ditto frag protection, etc etc... I always thought that the PIX was _quite_ different under the hood to the IOS.
> Where I'm now working, we use the CBAC feature set on the "outside" and IP Filter on the inside. There have been packets which CBAC has let through that IP Filter won't (NOTE: I didn't build this firewall :). That rings alarm bells, to me.

Be fair - CBAC on a router doesn't have much RAM to play with - nor a big processor. They probably had to make compromises that you can safely skip with ipfilter.

> IMHO, they're putting too much into the IOS.

Yes. I'd like to see a "stripped" train of IOS releases, too. Any Cisco people listening?

> I also don't fancy the idea of the "firewall" booting up and one day wanting to tftp a boot image from whoever will answer...

This is specious mud-slinging. Neither PIXes nor IOS routers will tftp boot images without being configured to do so. C'mon, Darren. Let's keep it real. ;)

> For me, if you have the time & money (that's a BIG if) as well as the backing and expertise, there's nothing better than a roll-your-own made from xBSD (I *refuse* to believe that Linux is a reliable/secure platform until they learn what the term "release engineering" means - and that goes all the way to the top of the linux tree). You can strip them back, build completely static distributions, etc, and you can get 1U PC hardware now too.

I agree. A lot. Especially about the Linux bit. There are some things I'd like to see in the free gear though - enterprise management according to a security policy being one... One problem though - how does a random security guy know for sure that they have "enough expertise"? Or, to put it another way, how does a company accurately assess the risk that they are taking by allowing a single individual to roll-their-own border protection?

> Darren
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304
Mobile: +61 414 411 520

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards