Joe,

A properly hardened Cisco router in conjunction with the FFS provides
what I would classify as a medium level of security.  It doesn't give
you things like proxies, virus scanning or sophisticated content
scanning, but it does give you stateful inspection for the most common
applications.  

If you configure things right, like denying inbound bogus IP addresses,
blocking directed broadcasts and using TCP intercept to block SYN
attacks, you'll be in pretty good shape, at least compared to sites that
don't use stateful inspection.  As someone else pointed out, one of the
weaknesses of the FFS compared to other firewall products is that the
logging is somewhat sparse, although it can give you most of what you
need if you know what you're looking for.  You can also use 3rd party
products like those from telemate to help enhance the info harvested
from the logging.

As far as IPSec, I've done some of my own IPSec testing and can tell you
that Cisco router IPSec works well with Windows IRE client and Linux
FreeS/WAN.  I have been told by a trusted friend that it works with FW-1
as well. Here's a link to the ICSA's IPSec certification labs results.
Note that just because a product is certified that does not necessarily
mean that 2 vendors' products will play together out of the box, but
there should be a way to configure them so that they do work with a bit
of effort:

<http://www.icsa.net/html/communities/ipsec/certification/certified_products/index.shtml>

HTH,
Kent

  
>Hi,
>
>I wondered if anyone has had much experience of the Cisco IOS Firewall
>Feature set, and what they think of it, especially in comparison to a
>purpose-built firewall ?
>
>I also wondered if anyone is aware of any shortcomings in IPSec
>interoperability, particularly between products such as Cisco IOS,
>Firewall-1 and IBM SecureWay/ENetwork/whatever firewall ?
>
>Thanks,
>Joe
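
The three hardening steps named in the reply above (denying bogus inbound source addresses, blocking directed broadcasts, TCP intercept), written out as an IOS configuration fragment. This is an added example, not part of the original message; the interface names, ACL numbers, the 192.0.2.0/24 site prefix and the mail host address are assumptions, and the CBAC inspection rules of the Firewall Feature Set are left out.

```cisco
! Added example with constructed values (not from the original message).
! Assumptions: Serial0 faces the Internet, Ethernet0 is the inside LAN,
! 192.0.2.0/24 stands in for the site's own address block and
! 192.0.2.25 for a mail host that accepts connections from outside.
!
! 1. Deny and log bogus source addresses arriving from the Internet.
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any log
! A packet from outside that claims the site's own prefix is spoofed.
access-list 110 deny   ip 192.0.2.0 0.0.0.255 any log
! Placeholder for the site's own permit entries. The list ends in an
! implicit deny, made explicit here so that the drops are logged.
access-list 110 permit tcp any host 192.0.2.25 eq smtp
access-list 110 deny   ip any any log
!
! 2. Apply the list inbound and stop directed broadcasts on every
!    interface, so the router cannot be used as a broadcast amplifier.
interface Serial0
 ip access-group 110 in
 no ip directed-broadcast
!
interface Ethernet0
 no ip directed-broadcast
!
! 3. TCP intercept: the router answers the SYN itself and only opens the
!    connection to the server once the client completes the handshake.
access-list 120 permit tcp any host 192.0.2.25 eq smtp
ip tcp intercept list 120
ip tcp intercept mode intercept
```

The `log` keyword on the deny entries is what feeds syslog, which matters given the sparse logging mentioned in the reply.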
