> -----Original Message-----
> From: Fabio Pietrosanti (naif) [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 13 October 2000 5:39 PM
> To: Bell, Mitch
> Cc: Firewalls (E-mail)
> Subject: Re: Cisco CBAC vs PIX
>
>
> Hi Mitch,
> I manage many PIX, and yesterday I've tested a 3600 with IOS 12.1.4
> IP/FW/IDS with CBAC.
>
> I think that Cisco "fixup" was derived from IOS "ip inspect".
Interesting theory - do you have any evidence for it?
I always thought that since the PIX predates IOS/FW it was more likely to be
the other way around...
Also, based on the stuff I've seen the inspection agents don't behave
exactly the same - the SMTP fixup for instance anonymises mail agent banners
- CBAC doesn't. SMTP fixup tries to block certain 'evil' commands - CBAC
doesn't. CBAC does seem to do some telnet protection - fixup doesn't.
> About performance, the PIX is better, because Cisco doesn't have a
> dedicated card to do stateful inspection; instead the core CPU is used.
The current PIXen use normal x86 CPUs. It was a 486 in the last one I
cracked open. A 486 may be faster than the processor in a 25xx but not a
75xx. I think that there are probably other architecture reasons why the PIX
outperforms routers with CBAC. Note that in the current PIX 515 there are no
dedicated cards for anything - it's basically a 1RU PC.
Having said that, I heard that IOS/FW is now available for the RSM/MSFC
cards in 55xx and 6XXX switches. If that's the case I would expect them to
fly.
> But PIX doesn't like multicast, doesn't have some inspection rule like
> TFTP.
And the PIX is a terrible, terrible router. 8)
>
> The PIX fixup is more secure than CBAC, because the first was well
> hardened.
Again, I'd like to actually see some evidence of that. It's kind of my gut
feel as well, so don't consider this to be a flame - I just don't like
seeing assertions with no supporting evidence.
[snip]
>
> Pietrosanti Fabio I.NET SpA, High Quality Access to
> the Internet
> e-mail: [EMAIL PROTECTED] ( Direzione Tecnica, Gruppo Firewall )
> [EMAIL PROTECTED]
> PGP Key (DSS) http://naif.itapac.net/naif.asc
[snip]
> On Thu, 12 Oct 2000, Bell, Mitch wrote:
>
> > Can anyone tell me what is the main difference between a Cisco high end
> > router (7140) running CBAC and a dedicated PIX firewall.
> > Aside from the increased performance with the PIX is it more secure than
> > CBAC???
> >
> > Thanks,
> >
> > > T. Mitchell Bell
> > System/Security Admin
> > > { =o=}====>
Cheers,
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520