Home page logo

basics logo Security Basics mailing list archives

R: Hardware Firewall
From: "Vega - Brunello Ivan" <I.Brunello () vegaspa it>
Date: Wed, 19 Nov 2008 17:40:10 +0100

ASAs are quite better than PIXes in a couple of things:
- SSL VPN (and even better, webvpn: you can create a custom clientless portal based on user policy), expecially on 8.x 
- content filter (quite good for basic L7 filtering if you remember that you're running basically on a non-disk system)
- web interface (ASDM is not the best tool, but I find it far mooooore usable than PDM).
- can make some basic traffic shaping
Not used neither the anti-X nor the IPS.

The only things I miss from IOS as an edge device is PBR, and policy nat.

I've been playing w/ IOS zone-based firewall, but I find it really circonvoluted (even more than ASA content filter ;-) 
But I've been said that once you get aquainted with, it is a really good tool (even better than ASA, sometimes).

My suggestion is:
If you really need hard firewalling, or VPNs, on headquarter (they're not cheap) and need a good device, go for ASA.
If you need a little, cheap and good general purpose device with some basic firewalling, 
take your time and learn IOS Zone-based-firewall on a samll 800 or 1800 device.


Ivan Brunello

-----Messaggio originale-----
Da: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
Per conto di Ale x
Inviato: martedì 18 novembre 2008 9.42
A: security-basics () securityfocus com
Oggetto: Re: Hardware Firewall

Cisco router IOS does the same as an ASA firewall? I haven't actually
used an ASA yet (except for trying to emulate one with
Dynamips/cygwin) however I am sure there are many differences. For
example the IPS/IDS, proxying, deep packet inspection,
antivirus/antispam, etc.. Fair enough a router with IOS can do ACLs to
block ports and protocols, PBR, SSL VPN connections, etc -- but it's
certainly not a firewall.

I remember reading about Ciscos IPS doing network traffic pattern
recognition, to learn the normal behavoir of your network. Anything
out of the ordinary will be treated as a potential threat. As always
there is plenty of information on Cisco's website.

Of course there are many other platforms that can perform similar
functions, we have Watchguard Firebox's at work. They do the job, but
I can't stand the management software. Nokia Checkpoint firewalls are
always a nice option.


(sorry didn't mean to double send)

On Tue, Nov 18, 2008 at 8:40 AM,  <h.carpentier () yahoo co uk> wrote:
Hello all,

I am going to upgrade in the near future a network security course.
The course is looking at network security from a hardware point of
view, using at the present time PIX firewalls and router IOS security
I am very familiar with the PIX, and am aware that they will be
unsupported soon (2012?). They are replaced with ASAs. Is there really
many people using ASAs out there? The Cisco routers IOS seem to be able
to fulfil most of the functions anyway.
Do you know of other platform offering the same or similar functions?


Hervé Carpentier

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]