Henrik,

PIX interfaces have a numerical value ("security level") ranging from
0-100. The "inside" interface is preconfigured with a value of 100, the
"outside" interface is preconfigured with a value of 0.

By default, new sessions can be initiated from a higher value to a lower
value, but not the reverse. 

So... you need a method of "blocking" sessions from going "downhill" ->
hence the Access Control List
and... you need a method of "allowing" sessions to go "uphill" -> hence
the Conduit

However, AFAIK, there is no difference in "security" regardless of
whether or not the session is implicitly allowed using the security
levels on the interfaces, or if it's explicitly allowed using Conduits.

Anyone else have any information?

Best,
-davidC


> Hi!
> I have a question. Are access-lists more secure than conduits on PIX
> firewalls (a Cisco trainer made that statement)? Do ACLs filter the packets
> better (lower level)?
>  
> 
> /Henrik!
>  
-------------------------
David J. Cavuto, CISSP
  http://www.lucent.com/security
  c a v u t o (at) l u c e n t (dot) c o m
  PGP Key ID: 0x17E24E2B
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
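
The three mechanisms described in the message above (interface security levels, an ACL to block "downhill" sessions, a conduit to allow "uphill" sessions), shown as an added configuration example that is not part of the original post. PIX 6.x-era syntax is assumed; the ACL name, the hardware interface names and all addresses (documentation and private ranges) are constructed.

```cisco
: Constructed example; PIX 6.x-era syntax is assumed. Lines starting with ":" are comments.
: Interface names and security levels as described in the message.
nameif ethernet0 outside security0
nameif ethernet1 inside security100

: Downhill (inside -> outside) is implicitly allowed once translation exists.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 192.0.2.100-192.0.2.200 netmask 255.255.255.0

: "Blocking" downhill sessions: an ACL bound inbound on the inside interface.
: Here outbound SMTP is denied. An applied ACL ends in an implicit deny,
: so the final permit keeps the rest of the default downhill behaviour.
access-list acl_inside deny tcp any any eq smtp
access-list acl_inside permit ip any any
access-group acl_inside in interface inside

: "Allowing" uphill sessions: a static translation plus a conduit.
: Outside hosts may open TCP/80 to 192.0.2.10, which maps to inside host 10.1.1.10.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
conduit permit tcp host 192.0.2.10 eq www any
```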
