Re: Firewall Throughput

[Chris Calabrese <christopher_calabrese () merck com>]

Umm, Darren... PIX isn't a router running CBAC/FFS.  It's a whole other
beast based on Solaris x86 and the WheelGroup's old firewall code.
This, of course, mutes Cisco's point about not wanting to run your
firewall on a Unix box, but that's only a problem if you try to match vendor
statements with reality.

> From what I've seen (which admittedly isn't that much), PIX seems
decent, though certainly not groundbreaking.

IMO, the real problem with PIX is that Cisco is following a dual
firewall strategy of pushing both PIX and the IOS Firewall
Feature Set (or whatever they call it this week), instead of
putting all their wood behind one arrow (or whatever cliché
you prefer).

Darren Reed wrote:

> In some email I received from Darren Mackay, sie wrote:
> > Darren,
> >
> > | What do you value more - throughput or security ?
> > |
> > | If you value security, the PIX isn't the answer,
> > | IMHO.
> >
> > Are you saying PIX is not secure? Are you able to elaborate? I have
> > never had any problem with pix, and it certainly has not failed any
> > 'ethical attacks' that haven throwed against it (unlike other vendors,
> > which can be really esoteric in their configs to get around known
> > vulnerabilities).
>
> My problem with PIX is as follows.  Cisco push it along the lines of
> "you don't want unix/windows on your firewall because they're crashable"
> but at the same time try to sell it as a "router firewall".  You damn
> well don't want a router as a firewall either!  You can make a "firewall"
> out of any Cisco thing which will support the CBAC feature set so why
> does it need to be a PIX in particular ?  Where I'm now working, we use
> the CBAC feature set on the "outside" and IP Filter on the inside.  There
> have been packets which CBAC has let through that IP Filter won't (NOTE:
> I didn't build this firewall :).  That rings alarm bells, to me.  IMHO,
> they're putting too much into the IOS.  I also don't fancy the idea of
> the "firewall" booting up and one day wanting to tftp a boot image from
> whoever will answer...
>
> For me, if you have the time & money (that's a BIG if) as well as the
> backing and expertise, there's nothing better than a roll-your-own made
> from xBSD (I *refuse* to believe that Linux is a reliable/secure platform
> until they learn what the term "release engineering" means - and that
> goes all the way to the top of the linux tree).  You can strip them back,
> build completely static distributions, etc, and you can get 1U PC hardware
> now too.
>
> Darren
>
> _______________________________________________
> Firewall-wizards mailing list
> Firewall-wizards () nfr net
> http://www.nfr.net/mailman/listinfo/firewall-wizards

Attachment: christopher_calabrese.vcf
Description: Card for Chris Calabrese