Hi,

From my experience with the PIXs... They are wonderful firewalls to work
with.

First thing that did annoy me a bit is the tendency of the remote SSH
sessions "freezing" while altering access-lists which were in use via VPN
connections.  I am however sure that this was due to a configuration issue,
and not a Cisco issue - so it's my fault.

In regards to its packet inspection / logging...  It monitors and logs all
HTTP requests made.  So effectively, you can see where ppl are surfing to
inside a DMZ configuration, or where the internal NAT / PAT leg of your
firewall is surfing out to (yes, it works both ways - which is very cewl
indeed).  It also filters out some security issues within Java applets
(although, this is only to my understanding).

The PIX also intercepts and monitors SMTP, allowing only certain RFC
specified SMTP commands to be issued to mailservers on either side of the
firewall, as well as a lot of content filtering solutions, but these do
require additional software and hardware packages to be integrated within
your PIX.

As to how the physical firewalling works within the PIX, I am not sure.  I
can however tell you that I administrated two 515R, one 515UR, and one 525...
AND THEY RULE!!!!  Truly, the best firewall I personally have worked with
before in my life, and I'd seriously recommend it to anyone who is serious
about security.  These babies deliver, in more ways than one.


Regards,
Chris Knipe
(083) 430 8151
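The SMTP command allowlisting described in the reply above, as an added illustration that is not part of this email and not Cisco's PIX code: a toy filter over the client-to-server half of an SMTP session that passes only the RFC 821 minimum command set (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT), rejects everything else, and treats lines inside a DATA block as message content rather than commands. The allowlist, the reject verdict and the sample session are this example's own assumptions; how the PIX itself implements the check is not shown on this page.

```python
"""Toy SMTP command filter illustrating the kind of allowlisting the
email attributes to the PIX. Example code, not Cisco's implementation."""

# Assumption: the allowlist is the RFC 821 "minimum implementation" set.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def filter_smtp_session(client_lines):
    """Walk the client->server lines of an SMTP session.

    Returns a list of (line, verdict): 'pass' for an allowed command,
    'reject' for any other command, and 'body' for lines inside a DATA
    block, which are message content and must not be parsed as commands.
    Simplification: a real gateway would also wait for the server's 354
    reply before switching into the body state.
    """
    verdicts = []
    in_data = False
    for line in client_lines:
        if in_data:
            verdicts.append((line, "body"))
            if line == ".":  # RFC 821 end-of-data terminator
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ALLOWED:
            verdicts.append((line, "pass"))
            if verb == "DATA":
                in_data = True
        else:
            verdicts.append((line, "reject"))
    return verdicts


def rejected_commands(client_lines):
    """Convenience view: only the command lines the filter would block."""
    return [l for l, v in filter_smtp_session(client_lines) if v == "reject"]


# Constructed sample session (not a real capture).
SAMPLE = [
    "HELO mail.example.test",
    "EXPN postmaster",                 # not in the allowlist -> reject
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: hi",
    "VRFY bob",                        # inside the body: content, not a command
    ".",
    "VRFY bob",                        # after the terminator it is a command again
    "QUIT",
]

if __name__ == "__main__":
    for line, verdict in filter_smtp_session(SAMPLE):
        print(f"{verdict:6} {line}")
```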



----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: 14 November 2001 22:34
Subject: Cisco PIX 515 Firewall


> Anyone out there have some experience using the Cisco PIX firewalls for
> Corporate/Production networks?  I'd like to try one of these little
> buggers out, but I'd like to get some do's and don'ts from other admins
> with Cisco PIX experiences.  As I understand, these things don't just
> filter packets based on addresses/ports but actually look at packet
> content like a proxy or IDS.  Is this true?  I've also heard that it will
> only scan content of the first packet when a new connection/session
> begins, and then it uses keep-state tables to auto-pass the rest of the
> packets in the session.  I remember the ipf package taking that approach
> as well and having security problems with that because you can confuse
> the state table cache.  Any comments would be helpful.
>
> Miles Stevenson
> QuickHire Network Support Specialist