Firewall Wizards mailing list archives

Re: Firewall Throughput


From: Carson Gaspar <carson () tla org>
Date: Mon, 11 Sep 2000 12:20:47 -0700



--On 09/11/00 08:33:36 PM +1100 Darren Reed <darrenr () reed wattle id au> wrote:

> My problem with PIX is as follows.  Cisco push it along the lines of
> "you don't want unix/windows on your firewall because they're crashable"
> but at the same time try to sell it as a "router firewall".  You damn
> well don't want a router as a firewall either!  You can make a "firewall"
> out of any Cisco thing which will support the CBAC feature set so why
> does it need to be a PIX in particular?  Where I'm now working, we use
> the CBAC feature set on the "outside" and IP Filter on the inside.  There
> have been packets which CBAC has let through that IP Filter won't (NOTE:
> I didn't build this firewall :).  That rings alarm bells, to me.  IMHO,
> they're putting too much into the IOS.  I also don't fancy the idea of
> the "firewall" booting up and one day wanting to tftp a boot image from
> whoever will answer...

Ummm... where are you getting your information from? PIX does _not_ run IOS. It is a "router" as opposed to a "bridge" (but then, so is ip-filter on most platforms :). Its main limitation right now is that it _doesn't_ act as a real router - it only listens to RIP v1 or v2, and can't even forward that properly. Static routes are about the only thing you can do with the things.

You're correct that CBAC isn't as restrictive as ip-filter. However, the PIX does not use the CBAC code, and ip-filter still, sadly, rejects valid traffic as it does not understand the advanced IP options used for "Long Fat Pipes". As I use ip-filter at home, I hope someone manages to fix that code Real Soon Now :)

--
Carson Gaspar
Security Architect
Certainty Solutions
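Added example, not from either mail and not code from IP Filter or PIX: a small TCP option parser plus a window check, showing how a stateful filter that ignores the window-scale option (RFC 1323, the option negotiated for "long fat pipes") rejects an in-window segment that a scaling-aware check accepts. The SYN option bytes and sequence numbers are constructed for the demonstration.

```python
import struct  # kept for readers who extend this to parse the TCP header itself

WINDOW_SCALE = 3  # TCP option kind for window scale (RFC 1323)

# Constructed SYN option bytes: MSS 1460, NOP, window scale 7, NOP, NOP, SACK-permitted
SYN_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x07\x01\x01\x04\x02"


def parse_tcp_options(opts: bytes) -> dict:
    """Parse the TCP options field into {kind: option-data-bytes}."""
    found = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found[kind] = opts[i + 2:i + length]
        i += length
    return found


def syn_window_shift(syn_options: bytes) -> int:
    """Shift count the peer advertised in its SYN (0 if scaling was not offered)."""
    opt = parse_tcp_options(syn_options).get(WINDOW_SCALE)
    if opt is None:
        return 0
    if len(opt) != 1 or opt[0] > 14:   # RFC 1323 caps the shift at 14
        raise ValueError("invalid window scale option")
    return opt[0]


def accept_segment(seq: int, rcv_nxt: int, raw_window: int, shift: int,
                   honour_scaling: bool = True) -> bool:
    """In-window check a stateful filter would make before passing a data segment.

    With honour_scaling=False the filter behaves like one that never learned
    the shift from the SYN, so large-window traffic is wrongly dropped.
    """
    window = raw_window << shift if honour_scaling else raw_window
    return (seq - rcv_nxt) % (1 << 32) < window   # modulo handles seq wraparound
```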




_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards