I agree with your statements below, however to get in a router configured in the same performance 'league' as a pix with ACLs (and potentially the firewall feature set to do stateful inspection), you need to get a fully loaded 7200 VXR series (or equivelent from a vendor other than Cisco) which will drive the price to the point where the PIX is more cost effective.
I don't know that the logging is much better or more intuitive on a PIX than on a router ACL unless you're using the CSPM (Cisco Secure Policy Manager), which doesn't change the information produced by the logging, but does make it easier to analyze. As far as the IDS code, are you referring to the IDS module available as an add-on, or are you referring to the 'fixup protocol' feature for certain applications?- the IDS module available for the PIX is very limited compared with the 'external' solutions offered by Cisco and others. Regarding your last statement- the PIX uses security levels to identify what is 'allowed' for default transmission. However, you have to specify the address translation parameters for communication to take place from a high-security interface to a low-security interface; you have to configure the ingress ACL to deny access for defined translations. For transmission from a low-security interface to a high-security interface you need to specify permissions as well as define an ingress ACL to permit access for defined translations. I'll concede that this is a little bit of a different approach than most stateful-inspection firewalls, but when you get the hang of it, it's actually a very effective way to make a firewall implementation match your policy. (Keep in mind that these statements don't necessarily apply to the 'legacy' configuration for the PIX which uses the "conduit" statement to configure permissioning). I didn't want to get too much into focus on the PIX- the point of my previous reply was that focusing too much on going 'best-of-breed' on a particular component of an enterprise security solution is a 'rookie mistake'. Stick to the policy, go with a layered approach, and select 'appropriate' technology for each layer that meets the requirements stated in the policy. I don't jump into these discussions very often- I just saw this one going in the wrong direction and was trying to help- I hope I have. My intention was not to stir up a discussion on the details and opinions of any particular platform. Best Regards, Dom Genzano -----Original Message----- From: d'Ambly, Jeff [mailto:[EMAIL PROTECTED]] Sent: Tuesday, October 02, 2001 1:24 PM To: 'Dom Genzano'; '[EMAIL PROTECTED]' Subject: RE: Hardware Firewall vs Software Firewall With the advent of turbo access-loist the performance is not degraded on a router, whne compared with a pix. The main reason to use the PIX is the logs. The pix gernertes much better logs than the routers. It is easier to track what is going on. Plus the PIX has some IDS code in it and dose match quite a few attacks. Also because of the way the PIX handles interfaces it forces you to seperate your subnetss into diffrent areas, and create trust relationships. -----Original Message----- From: Dom Genzano [mailto:[EMAIL PROTECTED]] Sent: Monday, October 01, 2001 4:35 PM To: Phil Kramer; [EMAIL PROTECTED] Subject: RE: Hardware Firewall vs Software Firewall Are you comparing a PIX firewall to a router with ACLs?- wow.... not sure I can even start to help you out there.... One thing I can clear up is that the way router memory and processing deals with ACLs is very inefficient compared to most stateful inspection firewalls deal with their rule set- this is why the performance is 'generally' much better. Also, a proxy firewall, while inherently more secure, is not always all it's cracked up to be. Theoretically, a proxy firewall has the advantage of being able to recognize and determine 'legal' application calls, sequences, etc; thereby disallowing inappropriate activity. However, most proxy firewalls allow too much 'slack' in their application support because they either can't implement the specific application parameters or purposely don't because it's too difficult to pin down what is 'appropriate' in terms of an application (this is the reason that most IDS systems report so many false positives); performance comes into play as well in these tradeoffs. Also, by virtue of being an 'application-based' system, many of these proxy firewall systems are vulnerable themselves. We have found, through real-world experience, that the best combination for security and functionality is a stateful-inspection firewall system with the appropriate IDS systems inside it and a properly configured perimeter router implementation outside of it. Generally, we have found this to be the case, but we have done some specific implementations of proxy technology where it was appropriate to the specific application(s) being run. Saying that "all these stateful inspection/packet filter technologies work at too low a level" sounds like you may be missing the forest for the trees- these technologies are often effectively deployed in a comprehensive mult-layer solutions for enterprise security. -----Original Message----- From: Phil Kramer [mailto:[EMAIL PROTECTED]] Sent: Friday, September 28, 2001 11:23 PM To: [EMAIL PROTECTED] Subject: Re: Hardware Firewall vs Software Firewall My personal opinion is not hardware vs software, but what firewall is most secure. You can talk about PIX, CheckPoint, Linux with IPtables, IPchains and IPfilters but from a security point of view a pure application proxy is more secure. How many people can notice a 20 ms pause? If you want speed get a router with ACLS, that's what PIX is. All these stateful inspection/packet filter technolgies work at too low a level (layers 2-4) to provide enterprise security. For web servers, mail servers etc. you need layer 7 checking. Phil Kramer, SANS GSEC Systems Solutions Technologies, LLC Phone: 615-646-5766 email: [EMAIL PROTECTED]
