This might help....
Cisco PIX: The PIX is physically more akin to a router than a computer. It
runs on Cisco hardware, using Cisco's proprietary operating system (I
believe it's a modified version of the IOS used in Cisco routers), and the
only options are how big a PIX box you want. There are various model
numbers such as PIX 515, PIX 520, PIX 525, PIX 530 etc., which basically
provide more throughput and/or additional interfaces as they grow.

The key advantages of the PIX are that it's very fast (100 Mbps +), since
it uses custom routing hardware and software, and considered very secure.
Later versions have grown beyond simple packet filtering and do provide
proxying/profiling support for specific protocols, such as HTTP, FTP and
SQLnet.

The major disadvantage with the PIX is that it's a pain to administer and
log, in my opinion. Like routers, configuration is almost always done from
a command line via the console port, which is both inconvenient and
user-unfriendly. While a properly configured PIX should be very secure,
we've run across many that were inexpertly configured and had pretty
significant security holes in some cases.

A nice feature of the PIX is that if you want a highly-available
configuration, the second PIX only costs about ~20% of the price of the
first one. The downside is that it supports failover clustering only -- you
can't loadshare across two PIXes. (Of course, they're fast enough that you
shouldn't need to.) Heartbeats between the two firewalls are carried over a
special serial cable, so you can't build geographically dispersed clusters;
both PIXes have to be in the same room. (By contrast, we once built a
Firewall-1 cluster over two sites 4km apart).

Border Manager: BM is something of a niche player in the enterprise
firewall market and frankly we've never seen it outside of dedicated Novell
shops. It's a proxying firewall, which can theoretically be more secure
than packet filtering or stateful-inspection type firewalls but is
considerably slower. (Also, if you want to run an application for which no
proxy is available, you're out of luck.)  On a technical level, BM version
2 apparently had many flaws but BM v3.5 and above are considered quite
secure. The key advantage of BM would be that it's easy to tie it into your
Novell directory and enforce user-level authentication and security
policies.

If the client isn't using NDS, I don't really see the point. It's running
on Windows NT, which we usually advise against for reasons of reliability
and security vs. Unix solutions. An NT server can be hardened, but that
takes several hours and should be done by someone who knows what they're
doing. The Word document talks about tying the firewall into NT domains,
which is a very bad idea: a firewall should always be a standalone server.
(Cross-authenticating a high security server with a low security server
provides obvious opportunities for side-channel attacks).

That said, if they already have NDS client machines and Novell skills
in-house, a properly-installed BM solution may be appropriate.

The firewall we usually recommend for high-security environments is
Checkpoint Firewall-1, on Sun Solaris or a Nokia network appliance. It's
fast (not as fast as a PIX, but we've never had a client with a fat enough
Internet pipe for that to become a problem), has good stateful-inspection
technology and the ability to proxy protocols when desired, and has a great
GUI-based administration and logging facility. It's particularly good for
enterprise deployments where a number of firewalls and/or firewall clusters
can log to a single management station.

Fundamentally the choice comes down to the client requirements. Are they
looking for high-speed connections and they already have plenty of Cisco
expertise? Get a PIX. Do all their client desktops authenticate through
NDS? Use Border Manager. Are they looking at a large-scale enterprise wide
deployment? FW-1 is probably the best choice. It's not really possible to
make a conclusive recommendation without more information on their business
drivers and existing environment, but hopefully the above quick & dirty
summary will be of some use.

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13083&t=13067
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
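The post above contrasts plain packet filtering (the PIX's original mode, and what a router ACL does) with stateful inspection (FW-1 and later PIX releases). The difference is easiest to see on concrete packets, so here is an added example that is not part of the original post or of any of the products it names. It is a toy model: the addresses and ports are constructed, the stateless rule is the classic "ACK set, high destination port" heuristic a router uses to admit return traffic, and the stateful filter keeps a flow table of connections opened from inside. The point it shows is that a stateless filter has to pass any inbound packet that merely looks like a reply, including a forged one, while the stateful filter rejects it because no matching outbound flow exists.

```python
"""Stateless packet filter vs. stateful inspection on constructed packets.

Added example, not from the original post. Addresses, ports and rules are
constructed for illustration; the "ACK set, ephemeral destination port"
test is the classic way a stateless router ACL lets return traffic in.
"""
from __future__ import annotations

from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # assumed protected network (constructed, RFC 1918)
EPHEMERAL_MIN = 1024        # client source ports are assumed to live above this


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

    @property
    def outbound(self) -> bool:
        """True when the packet originates on the protected side."""
        return self.src.startswith(INSIDE_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Packet filter with no memory: each packet is judged on its own header.

    Outbound traffic is allowed. Inbound traffic is allowed only if it looks
    like a reply to an inside client: ACK bit set and destination port in the
    ephemeral range. Nothing checks that such a client connection exists.
    """
    if pkt.outbound:
        return True
    return pkt.ack and pkt.dport >= EPHEMERAL_MIN


class StatefulFilter:
    """Stateful inspection: remember flows opened from inside and admit
    inbound packets only when they belong to one of those flows."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> bool:
        if pkt.outbound:
            if pkt.syn and not pkt.ack:            # new connection from inside
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: must be the reverse direction of a flow we saw opened.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run_scenario() -> dict[str, dict[str, bool]]:
    """Feed one constructed packet sequence to both filters; return verdicts."""
    client, server, attacker = "10.0.0.5", "198.51.100.20", "203.0.113.9"
    sequence = {
        "outbound_syn": Packet(client, 40000, server, 80, syn=True),
        "reply_synack": Packet(server, 80, client, 40000, syn=True, ack=True),
        "reply_ack":    Packet(server, 80, client, 40000, ack=True),
        # Forged packet with ACK set, aimed at a high port: no flow exists.
        "spoofed_ack":  Packet(attacker, 80, client, 40001, ack=True),
        # Unsolicited connection attempt at an inside host's web port.
        "inbound_syn":  Packet(attacker, 50000, client, 80, syn=True),
    }
    stateful = StatefulFilter()
    return {
        "stateless": {name: stateless_filter(p) for name, p in sequence.items()},
        "stateful":  {name: stateful.check(p) for name, p in sequence.items()},
    }


if __name__ == "__main__":
    for mode, verdicts in run_scenario().items():
        print(mode)
        for name, allowed in verdicts.items():
            print(f"  {name:13s} {'PASS' if allowed else 'DROP'}")
```

Both filters admit the real handshake replies and drop the unsolicited inbound SYN; only the stateful filter drops the spoofed ACK, because its flow table has no entry for that client port. A proxying firewall of the Border Manager sort goes one step further than either: it terminates the connection itself and only relays protocol it understands, which is why the post can call it potentially more secure and certainly slower.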