No one has asked what platform you are running FW-1 on. NT or Solaris. PIX
is not layered on top of another OS.
I have used both, I prefer FW-1 if you have a lot of VPN clients and need an
easy method for connecting. I like the PIX for everything else. I have
heard the next version of the PIX VPN client will be better.
The next version of PIX will be primarily ACL based, so if you are used to
using ACLs on routers, the PIX will be easy to use.
Jason Lewis
http://www.packetnexus.com
http://www.packetnexus.com/kb/greyarts/
It's not secure "Because they told me it was secure". The people at the
other end of the link know less about security than you do. And that's
scary.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Jean-Pierre Harvey
Sent: Tuesday, May 22, 2001 7:01 PM
To: '[EMAIL PROTECTED]'; Cor van Rijssel
Cc: '[EMAIL PROTECTED]'
Subject: RE: Differences between Cisco PIX and Nokia / Check Point
Black,
This is fairly old information and all of the below has been patched long
ago. If you are going to talk about the old versions of the PIX IOS then
compare it to FW-1 3.x or something, not to 4.1 SP3. The PIX also *does*
have a "fixup protocol" (packet inspection) for some of the mostly used
protocols, including HTTP, so it would be inaccurate to say that you can
tunnel anything through the PIX on port 80. What would be accurate would be
to say that you can tunnel anything through port 80 on the PIX that has an
HTTP header, which (and correct me if I am wrong) is exactly what FW-1 does.
The PIX also outperforms FW-1 for throughput.
Regards
JP
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 23, 2001 12:09 AM
To: Cor van Rijssel
The PIX has a couple of shortcomings.
* it doesn't validate most streams, so you could, for example, create a
tunnel through port 80 and the PIX would never know it wasn't web traffic
* it has some FTP bugs which cause connections to be opened erroneously -
not sure if this is a huge security risk though
* it has a nasty vulnerability that allows spoofed IP RST messages to kill
any open connections - again this is because the PIX doesn't go as far
into the upper layers in the packets.
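The thread turns on the difference between a port-only rule and a "fixup"-style header check for port 80 traffic, and on JP's point that a header check still passes anything wrapped in a valid HTTP header. The following is an added illustration, not code from any poster or from Cisco or Check Point: the payloads are constructed, and the function names are my own.

```python
import re

# Constructed sample payloads: the first bytes a client sends on a TCP
# connection to port 80. None of these come from a real capture.
SAMPLES = {
    "plain_http": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_2.9\r\n",
    "http_wrapped_tunnel": (b"POST /x HTTP/1.1\r\nHost: t.example\r\n"
                            b"Content-Type: application/octet-stream\r\n\r\n"
                            b"\x00\x01\x02"),
    "tls_on_80": b"\x16\x03\x01\x00\xa5\x01\x00\x00",
}

# Request line: method, target, HTTP/1.0 or HTTP/1.1, CRLF.
REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n")
# One header field: token, colon, optional whitespace, value, CRLF.
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*\r\n")


def port_only_allows(dst_port: int) -> bool:
    """Port-based rule only: the behaviour the thread attributes to the
    older PIX, where anything to port 80 is treated as web traffic."""
    return dst_port == 80


def looks_like_http(payload: bytes) -> bool:
    """Header-level check in the spirit of a fixup/inspection rule: a
    well-formed request line and header block ending in a blank line.
    Anything after the blank line (the body) is deliberately not examined,
    which is exactly why an HTTP-wrapped tunnel still passes."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return False
    rest = payload[m.end():]
    while rest and not rest.startswith(b"\r\n"):
        h = HEADER_LINE.match(rest)
        if not h:          # malformed header line: not HTTP
            return False
        rest = rest[h.end():]
    return rest.startswith(b"\r\n")   # header block must be complete


def classify(dst_port: int, payload: bytes) -> dict:
    """Show what each policy would decide for the same connection."""
    by_port = port_only_allows(dst_port)
    return {"port_only": by_port,
            "header_check": by_port and looks_like_http(payload)}
```

Run against the samples, the port-only policy accepts all four, the header check rejects the SSH and TLS handshakes but still accepts the HTTP-wrapped tunnel, which is the limit JP describes.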