Firewall Wizards mailing list archives

RE: Firewall Throughput


From: "Darren Mackay" <darren.mackay () uq net au>
Date: Mon, 11 Sep 2000 20:21:54 +1000

> Darren,
>
> My problem with PIX is as follows.  Cisco push
> it along the lines of "you don't want
> unix/windows on your firewall because they're
> crashable" but at the same time try to sell it
> as a "router firewall".  You damn well don't
> want a router as a firewall either!  You can
> make a "firewall" out of any Cisco thing which
> will support the CBAC feature set so why does
> it need to be a PIX in particular?  Where I'm
> now working, we use the CBAC feature set on the
> "outside" and IP Filter on the inside.  There
> have been packets which CBAC has let through
> that IP Filter won't (NOTE: I didn't build
> this firewall :).  That rings alarm bells, to
> me.  IMHO, they're putting too much into the
> IOS.  I also don't fancy the idea of the
> "firewall" booting up and one day wanting to
> tftp a boot image from whoever will answer...

Thanks for your answer. Essentially I agree with you. Are you able to
provide specific examples on what packets get through in what
circumstances? Management / suits always want consequent proof, and
unfortunately directing them to a website that is operated by techs in
their own time will never sway them from a commercial solution.
Perhaps we need ipfilter to protect our firewalls??

Darren
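The quoted post's last worry, an IOS box that boots and goes looking for an image "from whoever will answer", is a configuration matter rather than a bug. The fragment below is an added example, not part of either list post and not vendor-supplied configuration: it pins the boot image and the startup-config source of an IOS router to local flash. The hostname and the image filenames are assumptions made for illustration.

```text
! Added example (not from the thread): pin boot and startup-config sources
! on an IOS router so neither is fetched over the network at startup.
! Hostname and image filenames are assumed for illustration.
hostname edge-fw
!
! Boot only from a named image in local flash. The second entry is a
! local fallback, so one bad image does not push the box toward the
! default network-boot behaviour.
boot system flash:c2600-io3-mz.bin
boot system flash:c2600-io3-mz.old
!
! 0x2102: normal boot, honouring the boot system commands above.
config-register 0x2102
!
! With "service config" on, the router tries to load its configuration
! over TFTP at startup. Turn it off explicitly rather than relying on
! the default of the particular software train.
no service config
```

After saving, `show version` reports the configuration register that will be in effect at the next reload; check it rather than assuming the line took. One caveat a practitioner will want: if every `boot system` entry fails (for example, flash has been wiped or the image is corrupt), the box can still fall through to its default network-boot attempt, so a protected, known-good image in flash is what actually closes the hole the post describes, and the commands above only stop the router choosing the network while a good image is present.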


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
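On the closing question of using ipfilter to protect the firewall itself: the ruleset fragment below is an added example, not something posted in the thread, and not taken from the IP Filter project. It is an `ipf.conf` fragment in the syntax of the IP Filter releases current in 2000 and covers only the host's own addresses (its management plane); the forwarding policy would follow it. Interface names and addresses are assumptions: `le0` faces the CBAC router, `le1` faces the LAN, 192.0.2.2 and 10.0.0.1 are this host's outside and inside addresses, and 10.0.0.5 is the administrator's workstation.

```text
# Added example (not from the thread): ipf.conf rules that protect the
# firewall host itself, independent of what it forwards.
# Assumed names: le0 = outside (toward the CBAC router), le1 = LAN,
# 192.0.2.2 = this host outside, 10.0.0.1 = this host inside,
# 10.0.0.5 = admin workstation.
#
# Default deny. These are not "quick", so a later quick rule can still
# pass traffic; anything no quick rule claims ends here and is logged.
block in log all
block out log all
#
# Nothing may talk to the firewall's own outside address.
block in log quick on le0 from any to 192.0.2.2/32
#
# Only the admin host may open ssh to the inside address. "keep state"
# lets the replies and the rest of the session through without a
# separate pass rule for the return direction.
pass in quick on le1 proto tcp from 10.0.0.5/32 to 10.0.0.1/32 port = 22 flags S keep state
block in log quick on le1 from any to 10.0.0.1/32
#
# TFTP has no business arriving at or leaving this host.
block in log quick proto udp from any to any port = 69
block out log quick proto udp from any to any port = 69
#
# Forwarding policy (pass rules with keep state) would follow here.
```

Load it with `ipf -Fa -f /etc/ipf.conf`, then `ipfstat -io` to confirm the rules that are actually in the kernel, and `ipmon` on the log device to see what the `log` keyword is catching. The point of putting the host-protection rules first and marking them `quick` is that a later mistake in the forwarding rules cannot accidentally open the firewall's own services.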

