PIX 506E vs 8x1 series router
in [Cisco]
|
Prev: CASH FOR CISCO - I BUY USED AND NEW EQUIPMENT & LOTS MORE
Next: CASH FOR CISCO - I BUY USED AND NEW EQUIPMENT & LOTS MORE - SOFTWARE - MICROSOFT OFFICE, WINDOWS, SERVER, ADOBE
From: Graham on 19 Jul 2010 02:37 Hi, Would anyone mind helping us to make a decision about whether to use a PIX firewall or ACLs on an 800 series router (861 or 871 I would guess) to secure our small business broadband connection against nasties. We intend to switch our consumer grade ADSL modem router into bridge mode only then connect the security device behind that. We do not have either Cisco product in house as yet. We want to be in full control of how the firewall behaves. I have a reasonable amount of experience with Linux IP Tables based firewalls where we can decide if we DROP or REJECT for each rule violation. Naturally we want to deny all first and poke small pinholes through the firewall. Incoming will only be a couple of things like VNC to one internal IP address. We want provision for a DMZ so we can place a monitoring device in there when under attack (we've had a SIP registration attack recently). We also want to be able to block particular IP addresses and ranges if required. Outgoing is the usual blend of http, ftp, ssh, ftp, smtp, pop3/imap, nntp/nnrp, sip, iax, and a few others I am not remembering right now. Our IOS skills are **really* old, but lots of different CLI based products have not been a problem to us. Our skills come from Novell network engineering, through Linux server hosting and firewalling, and connecting all sorts of Unix, VMS, and other foreign hosts to networks. So I don't think we should base the decision on IOS skills, we can get them. Thanks for any help or advise you can offer. Graham
From: Doug McIntyre on 19 Jul 2010 11:08
"Graham" <graham903(a)webenhanced.com.au> writes: >Would anyone mind helping us to make a decision about whether to use a PIX >firewall or ACLs on an 800 series router (861 or 871 I would guess) to ... I guess I'd only target the hardware level of your query. You do realize that the PIX 506E has been EOL'd for a couple years now? And that I'd claim that cisco pretty much let the PIX's slide for years before that. So, anything you've got with a PIX is going to be most likely 3-5 years old to start with.. No new code updates, no license changes, no maintenance. If you do the PIX (or get some somewhat modern hardware with the ASA line) I'd say that the main benefits are that its a stateful firewall, and you don't have to deal with wonky protocols like FTP or H.323 too much with workarounds on it, like you would have with ACL based stuff. The Cisco IOS based hardware is newer. You say you just want ACLs, but do you know that Cisco has at least 2 different full-stateful inspection firewall systems inside IOS that are beyond what ACLs alone can do? (Zones and CBAC). They get a more into the magic area though than here's a packet, filter it or not. Personally, I'd reject either and go with something like a Fortinet or Juniper firewall product myself. |