Re: OT: Sort of..PIX v/s IOS Firewall [7:85368] posted 03/05/2004
- Subject: Re: OT: Sort of..PIX v/s IOS Firewall [7:85368]
- From: "Charles Cthulhu Riley" <ciscoriley@xxxxxxxxxxx>
- Date: Fri, 5 Mar 2004 03:38:10 GMT
PIX and IOS are also spelled differently...see below.
P I X and I O S...totally different. Has anyone ever eaten a Pixie Stix
sugar candy while configuring a Pix? I haven't, but it is supposed to cause
a hole in the firewall and your teeth.
Sorry, been a long, rainy week out here in the flatlands (Kansas)...this
thread triggered my mirth.
"Priscilla Oppenheimer" wrote in message
> It's a difference in the philosophy with which the product was developed.
> PIX was designed to be a stateful firewall. It keeps track of sessions,
> fixes problematic protocols, translates addresses, etc. Depending on the
> software version, it can do some routing too, but it's not a real router.
> Cisco IOS was designed to do routing. It's optimized to forward traffic
> quickly and learn the routing topology quickly. Security and firewall
> capabilities were an after-thought.
> Out of the box, the PIX is so secure and such a pain to configure, that it
> forwards no traffic. You have to coax it to forward any traffic. It really
> is a firewall. With some tinkering you can use it as a router, but it was
> designed to be a firewall.
> A Cisco router isn't a firewall. It's a router. With some tinkering you
> can use it as a firewall. Unlike the PIX, which will cause you to tear your
> hair out, Cisco routers will forward traffic with just a few easy steps. In
> fact, with just a few steps, you'll be able to Telnet to your router, as will
> anyone else who can get to its address and figure out the password. You'll
> be able to configure it via HTTP and transfer configs and IOS image files
> to and from it using FTP and HTTP, both infamous for their lack of security.
> Various features that security experts criticize are on by default, such as
> Proxy ARP and CDP. But it routes really well.
> Unlike a router, the PIX has all sorts of security functionality for free
> (by default):
> * provides stateful firewall capabilities
> * provides stateful NAT
> * fixes up problematic protocols
> * VPN
> * encryption
> * Java and ActiveX filtering
> * Web content filtering (with help from Websense, Sentian)
> * DNS guard
> * IP fragmentation guard
> * SMTP guard
> * TCP sequence number randomization
> * TCP flood guard
> * TCP intercept
> The fact that the PIX can fix up problematic protocols is a biggie. For
> example, we all know that FTP is problematic because it opens two sessions
> and uses some not-well-known ports. But it's just one of many protocols that
> open multiple sessions, don't use well-known port numbers, place IP
> addresses in the upper-layer headers, allow extra commands that have
> functionality but can be used in exploits, etc. etc. etc. All of the
> following protocols and applications are problematic with firewalls, but
> behave correctly through a PIX (with some coaxing perhaps):
> * FTP
> * TFTP
> * RSH
> * SMTP
> * RPC
> * NFS
> * RTP
> * Voice over IP protocols
> * Multimedia applications including Netshow and others
> * Internet Locator Service (ILS)
> Vish G wrote:
> > Hello Gurus,
> > I have a question about PIX and IOS Firewall. What is a
> > difference between the functionality of PIX firewall and IOS
> > based firewall?
> > In fact, why would a company go with a pricy PIX appliance if
> > it already has a high end device such as 6500 or 7500 series
> > router? If the company has, let us say, a 7507 as a WAN router
> > with a lot of horse power, then wouldn't upgrading from standard
> > IOS to IOS FW be a lot cheaper option?
> > How would an IOS based firewall on this 7507 compare with a PIX
> > appliance such as 525?
> > I understand the points such as having a dedicated firewall for
> > doing its job of firewalling and a router doing its job of
> > routing etc.. but I am looking more from the functionality
> > point of view.
> > I tried to search on CCO but mostly it is a marketing material
> > that basically claims that the functionality provided is very
> > similar. That's where I got confused..
> > Hope I am not asking a completely dumb question..
> > Thanks in advance for guidance ..
> > Regards,
> > Vish
**Please support GroupStudy by purchasing from the GroupStudy Store:
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
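As an added illustration (not part of the thread above, and not from any Cisco document), here is an IOS configuration fragment that turns off the defaults Priscilla criticizes: Telnet access, HTTP management, FTP/HTTP image transfer, Proxy ARP and CDP. The interface name and the management subnet are assumptions.

```cisco
! Added example, not from the thread. Interface name and the
! 192.0.2.0/24 management subnet are assumptions for illustration.
!
! Stop advertising platform, version and addressing details via CDP.
no cdp run
!
! No cleartext HTTP management; enable only HTTPS if web management is needed.
no ip http server
no ip http secure-server
!
! Management over SSH only. Requires a hostname, a domain name and an RSA
! key to be generated first (crypto key generate rsa in exec mode).
ip ssh version 2
!
! Copy configs and images over SSH (SCP) instead of FTP/HTTP.
! Requires AAA authentication and exec authorization to be configured.
ip scp server enable
!
interface FastEthernet0/0
 ! Do not answer ARP on behalf of other hosts, and no CDP on this link.
 no ip proxy-arp
 no cdp enable
!
! Only the assumed management subnet may open a VTY session.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
```

Note that this only hardens the router's own management plane; it does not give the router the stateful inspection and protocol fixups the PIX provides by default.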