1999-03-02-02:29:51 [EMAIL PROTECTED]:
> - How does the "Cisco Firewall Feature Set" compare with Firewall-1 for
> features, security & performance.
I don't know for sure, but I'm pretty sure that the answer is "not a good
comparison". Very roughly, there are three grades of firewall protection:
there's simple packet filtering, there's "stateful" packet filtering, and
there's application proxies. AFAIK, Cisco Firewall Feature Set is basically a
moderately-enhanced setup for doing basic packet filtering, a capability that
has been available in plain old IOS for some time. A Firewall-1 is a stateful
packet filter, like a Cisco PIX, which would be a much better comparison. A
stateful packet filter keeps a state table based on observations of previous
packets that it can use to help make filtering decisions; this allows it to
know about concepts like established TCP connections, rather than just looking
at the flags in each packet blindly with no memory of what went before. This
also allows a stateful packet filter to treat UDP with some knowledge of
specific applications, honoring application-specific notions of "sessions" in
UDP-based protocols (which a simple packet filter purely cannot do). None of
which are as thorough as an application proxy firewall, where all packets are
decoded on the bastion host's IP stack, the unwrapped content passed up to the
proxies, which can scrutinize and maybe rewrite, then passed back down,
wrapped in fresh new packet frames, and shoved back out.
For some applications routers (possibly with Firewall Feature Set) are the
best choice, as their filtering provides adequate protection, and they can
routinely deliver better performance and reliability for a given $$$
investment. For others, a bastion host running application proxies is the best
bet. And there are cases where a stateful packet filter like a Firewall-1 or a
Cisco PIX is the best choice. I remember one setting where a PHB refused to
consider an open-source firewall, preferring to have someone he thought he
could blame outside the company when he was burgled, over having better
security; he was convinced to allow an open-source firewall by replacing the
external screening router with a Cisco PIX, and deploying the open-source
firewall into the DMZ as an additional layer of protection for the gauntlet on
the inside.
-Bennett
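To make the distinction between the three grades concrete, here is an added toy model (my own illustration, not code from Bennett's message, Cisco, or Check Point) of a simple packet filter beside a stateful one, run over the same constructed packet trace. Assumptions: hosts in 10.0.0.0/8 are "inside" and may initiate anything outbound; the stateless filter uses the classic "established" shortcut (inbound TCP is allowed when the ACK bit is set) and a permanent hole for DNS replies; the stateful filter keeps a state table keyed on the connection 5-tuple, only admits inbound TCP that matches an entry created by an inside SYN, and gives UDP a 30-second pseudo-session that an inside host must open first. Addresses are from the documentation ranges and the trace is invented. An application proxy is not modelled; it would additionally parse the payload rather than just the headers.

```python
"""Constructed comparison: stateless vs stateful packet filtering (illustration only)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

UDP_TIMEOUT = 30.0  # assumed: seconds a UDP pseudo-session survives without traffic


def is_inside(ip: str) -> bool:
    # Assumption for this example: 10.0.0.0/8 is the protected network.
    return ip.startswith("10.")


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flags present: SYN, ACK, FIN, RST
    ts: float = 0.0                      # arrival time in seconds, used for UDP ageing


def stateless_allow(pkt: Packet) -> bool:
    """Simple packet filter: every decision is made from this packet's headers alone."""
    if is_inside(pkt.src):
        return True                      # inside hosts may initiate anything
    if pkt.proto == "tcp":
        # The "established" shortcut: the ACK bit is taken as proof that a
        # connection exists. Nothing checks whether one actually does.
        return "ACK" in pkt.flags
    if pkt.proto == "udp":
        # UDP has no flags, so replies need a standing hole, e.g. port 53 to high ports.
        return pkt.sport == 53 and pkt.dport >= 1024
    return False


# State-table key: (proto, inside_ip, inside_port, outside_ip, outside_port)
Key = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Packet filter with memory of what went before."""

    def __init__(self) -> None:
        self.tcp: Dict[Key, str] = {}    # key -> SYN_SENT | ESTABLISHED | CLOSING
        self.udp: Dict[Key, float] = {}  # key -> expiry timestamp

    @staticmethod
    def key(pkt: Packet) -> Tuple[Key, bool]:
        """Normalise to (inside endpoint, outside endpoint); second value is 'outbound?'."""
        if is_inside(pkt.src):
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport), True
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport), False

    def allow(self, pkt: Packet) -> bool:
        k, outbound = self.key(pkt)
        if pkt.proto == "tcp":
            return self._tcp(k, outbound, pkt.flags)
        if pkt.proto == "udp":
            return self._udp(k, outbound, pkt.ts)
        return False

    def _tcp(self, k: Key, outbound: bool, flags: FrozenSet[str]) -> bool:
        state = self.tcp.get(k)
        if state is None:
            # Only an inside-originated SYN (without ACK) may create an entry;
            # an unsolicited inbound packet is refused whatever its flags say.
            if outbound and "SYN" in flags and "ACK" not in flags:
                self.tcp[k] = "SYN_SENT"
                return True
            return False
        if state == "SYN_SENT":
            if not outbound and {"SYN", "ACK"} <= flags:
                self.tcp[k] = "ESTABLISHED"  # handshake reply seen
                return True
            return outbound                  # e.g. a retransmitted SYN from inside
        # ESTABLISHED / CLOSING: both directions pass; RST or the second FIN ends it.
        if "RST" in flags or ("FIN" in flags and state == "CLOSING"):
            del self.tcp[k]
        elif "FIN" in flags:
            self.tcp[k] = "CLOSING"
        return True

    def _udp(self, k: Key, outbound: bool, ts: float) -> bool:
        expiry = self.udp.get(k)
        if expiry is not None and ts > expiry:   # age out idle pseudo-sessions
            del self.udp[k]
            expiry = None
        if outbound:
            self.udp[k] = ts + UDP_TIMEOUT       # inside host opens or refreshes it
            return True
        if expiry is None:
            return False                          # nobody inside asked for this
        self.udp[k] = ts + UDP_TIMEOUT           # a matching reply refreshes it
        return True


# Constructed trace: a normal web handshake, an unsolicited ACK-flagged packet,
# a DNS exchange, an unsolicited port-53 datagram, and a reply that arrives too late.
TRACE: List[Packet] = [
    Packet("tcp", "10.0.0.5", 40000, "203.0.113.9", 80, frozenset({"SYN"}), 0.0),
    Packet("tcp", "203.0.113.9", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}), 0.1),
    Packet("tcp", "10.0.0.5", 40000, "203.0.113.9", 80, frozenset({"ACK"}), 0.2),
    Packet("tcp", "198.51.100.7", 31337, "10.0.0.5", 22, frozenset({"ACK"}), 1.0),
    Packet("udp", "10.0.0.5", 5353, "203.0.113.53", 53, frozenset(), 2.0),
    Packet("udp", "203.0.113.53", 53, "10.0.0.5", 5353, frozenset(), 2.1),
    Packet("udp", "198.51.100.7", 53, "10.0.0.5", 6000, frozenset(), 3.0),
    Packet("udp", "203.0.113.53", 53, "10.0.0.5", 5353, frozenset(), 100.0),
]


def compare(trace: List[Packet] = TRACE) -> Tuple[List[bool], List[bool]]:
    """Return (stateless verdicts, stateful verdicts) for the trace, in order."""
    sf = StatefulFilter()
    return [stateless_allow(p) for p in trace], [sf.allow(p) for p in trace]


if __name__ == "__main__":
    for pkt, a, b in zip(TRACE, *compare()):
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{sorted(pkt.flags)}  stateless={a} stateful={b}")
```

The two verdict lists differ exactly on packets 4, 7 and 8: the stateless filter waves through the ACK-flagged packet to port 22 and the unsolicited port-53 datagram, and it has no concept of a reply arriving after the exchange is over, while the stateful filter refuses all three because nothing in its table matches. That is the "memory of what went before" in the message above, and also why the stateful table needs careful sizing and timeouts in a real product: its state is what an attacker's flood tries to exhaust.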
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]