You're right - the IOS Firewall product doesn't bear any particular
relationship to the PIX.
The IOS firewall product is okay. I don't have that much faith in the
control channel inspection stuff for FTP, SMTP, HTTP etc, but it's not
_worse_ than having nothing. The TCP inspection and fragmentation blocking
is nice and some of the anti-DoS features are good. The logging / audit
stuff is better than the standard IOS but still based on syslog and still
not amazing. It's more secure than properly configured ACLs, but not by a
great deal (and mainly in the fragmentation / TCP sanity checking
department).
On the plus side, it's cheap and probably close to as good as you're going
to get for a bulk-issue stateful packet filter.
Here's some flamebait:
I wouldn't use FW-1 for _free_.
Ah, Linux. The "friendly" OS. Why keep all the root fun to yourself when you
could share it with the world? Unless you know all about them and are
prepared to spend a day paring them down to nothing, I'd use OpenBSD instead.
IPFilter seems to be pretty tight and it's certainly a bunch easier to work
with than ipchains. Sadly I haven't played with iptables yet.
MS ISA Firewall? Uh...yeah. Whatever. I have no philosophical objection to
running a firewall on NT4 but Win2K is too new for me. Let alone running a
firewall that's _written_ by M$ - gives me the shivers. NT4 needs about as
much work as Linux to get it "secure" from a remote perspective.
Of course, for real security you need to think about multiple layers, with as
many external services as possible running through some sort of application level
gateway (whether boxes in the DMZ to do mail relay, reverse web
proxy, DNS cache or a commercial ALG style firewall).
IOS/FW is "good enough" if you're a small organisation with no amazingly
valuable secrets to protect. It'll get most of the casual attackers off your
back. If someone's really out to get you then it's not going to be your
firewall that gets breached.
Go on. Flame away. ;)
Cheers,
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 29 August 2000 12:58 AM
To: [EMAIL PROTECTED]
Subject: Cisco IOS Firewall
Dear list,
I have recently been offered by our administration to have the
Cisco IOS firewall installed on a router to the internet as our firewall
instead of using a product like Firewall-1, FreeBSD, MS ISA Firewall or some
Linux based option. From what I can gather, this is not the PIX installed
on a router but a firewall implementation (session and application proxy) of
the Cisco IOS. Has anyone used this product? Does it meet the standards of
a secure firewall product? Do you know of any issues with this product I
should take into consideration before accepting the proposal?
Thanks for any assistance.
Lindsay Mieth