> >
> > So, what's the big differentiation between a Cisco router with Firewall
> > Feature Set and a Cisco PIX?
>
> I have never worked with PIX, so I really don't know. IOS does have
> inspection, NAT, VPN, lock-and-key (access-lists activated by user
> authentication), etc. But it is kind of hard to setup...
> Maybe PIX is a little easier. I recollect hearing about a "cryptography
> board" for the PIX platform, which could be one of the differences, as IOS
> does crypto by software.
>
A few months back, someone asked for a PIX review (to base against FW-1).
FWIW, here's what I said (which still holds mostly true):

Hardware wise, it's basically an Intel box - so, you're immediately gonna
have problems if you require 4+ NIC's; (PIX only supports 4 regardless of
how many you can physically install). You can have 2 PIX's together to
provide HA; haven't played with this, but the doco is there and they
certainly seem to support failover.

Configuring PIX is a pain in the backside. The command line interface is
just as shitty as configuring a Cisco router. Don't believe the marketing
crap that says, "if you know Cisco IOS, then you can easily pick up PIX".
Bullshit. There is very little similarity.

As an afterthought, Cisco clobbered together the PIX Firewall Manager (PFM).
This requires an NT box that runs PFM as a service. You connect to PFM via a
browser, PFM in turn talks to PIX. The comms b/w PFM and PIX is encrypted.
Comms b/w your browser and PFM are NOT, so be careful. This gives you a nice
enough GUI, but there's still other shitty things about the product. There
have been vulnerabilities with PFM - but they're supposedly fixed in the
current versions.

The one big thing about PIX that really shits me: making changes. You
basically have to reload (reboot) PIX for most changes - this is really bad
if you must have 120% uptime! I'm not talking about major changes, even
small changes to the packet filtering rules. Packet filtering rules work
like most other firewalls: first match wins. With PIX, you can only add new
rules to the end of the list. To add something anywhere else essentially
requires all rules to be deleted and then re-entered with the new rule in
the correct place. Wow! That's shit! Sound like Cisco IOS? Yeah, you now
know what I mean.

Most surveys I see show FW1 has the clear market share. PIX is usually
second - a distant second. I wouldn't be surprised if Cisco is doing deals
to get the product out - it certainly isn't going to sell on product alone.

Logging. It relies on syslog. syslog is unreliable under heavy loads. The
PIX sends its syslog entries to PFM, which can then alert/alarm based on
certain events. No built-in paging capability. Usual SNMP and SNMP trap
capabilities. It only logs by exception - i.e. packets denied, interfaces
down, etc. Doesn't log anything about stuff that was permitted.

Authentication. Usual Cisco IOS access: user level password and privileged
password. No distinction made as to who actually entered the password, so
very difficult (impossible) to audit exactly who did what, where and when.
PFM allows you to define users (with proper name/passwords under NT). These
users can also be given read-only or full access. All means shit if someone
can still get to the console (or telnet) to PIX.

VPN. Still in BETA. Cisco have OEM'ed Redcreek's RAVLIN solution. This uses a
PCI card to handle the encryption. Apparently very fast - but, still in BETA
and still having trouble getting it to work. We're currently bashing our
heads trying to get VPN authentication with OTP passwords against a Radius
server to work. Big problems. Local support (Australia) is pretty crap.
YMMV.

UPDATE!!! Cisco have discontinued their relationship with Redcreek - the
RAVLIN card is no longer an option.

It's scary reading the release notes. Particularly the list of things fixed
in each new revision. You should read the Release Notes for some amusement.

Phew, that's my $0.02 worth,
./edy
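The post's complaint about first-match-wins rule lists that only allow appending is easy to see in code. The following is an added example (not part of the original post, and not PIX or IOS syntax): a small first-match packet filter evaluator with a constructed rule set, showing that a rule appended to the end can be silently shadowed by an earlier, broader deny, while the same rule inserted before that deny takes effect. The `shadowed_rules` check flags exactly this class of dead rule, which is the audit a practitioner wants to run after any append-only change. Rule format, addresses and the helper names are all assumptions for the example.

```python
"""First-match-wins packet filtering: appending vs inserting a rule.

Added example, not code from the original post. The rule model and
sample addresses are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None means any port

    def matches(self, pkt: "Packet") -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches `self`."""
        return (ip_network(self.src).supernet_of(ip_network(other.src))
                and ip_network(self.dst).supernet_of(ip_network(other.dst))
                and (self.dport is None or self.dport == other.dport))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def evaluate(rules: List[Rule], pkt: Packet,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """First match wins; return (action, index of the matching rule)."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return default, None          # implicit default when nothing matches


def append_rule(rules: List[Rule], rule: Rule) -> List[Rule]:
    """The only operation the post says PIX offered: add at the end."""
    return rules + [rule]


def insert_rule(rules: List[Rule], position: int, rule: Rule) -> List[Rule]:
    """What the post says required deleting and re-entering everything."""
    return rules[:position] + [rule] + rules[position:]


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule
    already covers everything they would match (dead rules)."""
    dead = []
    for i, rule in enumerate(rules):
        if any(earlier.covers(rule) for earlier in rules[:i]):
            dead.append(i)
    return dead


# Constructed sample policy (RFC 5737 / RFC 1918 addresses, not real hosts).
BASE_RULES = [
    Rule("deny", "10.0.0.0/8", "0.0.0.0/0", None),        # block all of 10/8
    Rule("permit", "0.0.0.0/0", "192.0.2.10/32", 80),     # web to DMZ host
]
# Intended change: allow SSH to the DMZ host from one admin subnet.
NEW_RULE = Rule("permit", "10.1.1.0/24", "192.0.2.10/32", 22)
# Constructed test packet: admin SSH session that the change should permit.
ADMIN_SSH = Packet("10.1.1.5", "192.0.2.10", 22)


def compare_orderings() -> Tuple[Tuple[str, Optional[int]],
                                 Tuple[str, Optional[int]]]:
    """Evaluate the same packet under the appended and inserted policies."""
    appended = append_rule(BASE_RULES, NEW_RULE)
    inserted = insert_rule(BASE_RULES, 0, NEW_RULE)
    return evaluate(appended, ADMIN_SSH), evaluate(inserted, ADMIN_SSH)


if __name__ == "__main__":
    appended_result, inserted_result = compare_orderings()
    print("appended:", appended_result)   # ('deny', 0): shadowed by 10/8 deny
    print("inserted:", inserted_result)   # ('permit', 0): takes effect
    print("dead rules after append:",
          shadowed_rules(append_rule(BASE_RULES, NEW_RULE)))  # [2]
```

Running the script shows the appended permit never fires because the earlier `deny 10.0.0.0/8` already covers every packet it could match; `shadowed_rules` reports index 2 as dead. Inserting the same rule ahead of the deny makes the admin session permitted, which is why append-only editing forces the delete-and-re-enter dance the post describes. The `covers` check is a conservative subset test on CIDR and port only; it does not reason about protocol or other fields, so in a real policy audit treat its output as a starting list, not a proof of correctness.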