From: Graham on
Hi,

Would anyone mind helping us to make a decision about whether to use a PIX
firewall or ACLs on an 800 series router (861 or 871 I would guess) to
secure our small business broadband connection against nasties. We intend to
switch our consumer grade ADSL modem router into bridge mode only then
connect the security device behind that. We do not have either Cisco product
in house as yet.

We want to be in full control of how the firewall behaves. I have a
reasonable amount of experience with Linux IP Tables based firewalls where
we can decide if we DROP or REJECT for each rule violation.

Naturally we want to deny all first and poke small pinholes through the
firewall. Incoming will only be a couple of things like VNC to one internal
IP address.

We want provision for a DMZ so we can place a monitoring device in there
when under attack (we've had a SIP registration attack recently).

We also want to be able to block particular IP addresses and ranges if
required.

Outgoing is the usual blend of http, ftp, ssh, ftp, smtp, pop3/imap,
nntp/nnrp, sip, iax, and a few others I am not remembering right now.

Our IOS skills are *really* old, but lots of different CLI based products
have not been a problem to us. Our skills come from Novell network
engineering, through Linux server hosting and firewalling, and connecting
all sorts of Unix, VMS, and other foreign hosts to networks. So I don't
think we should base the decision on IOS skills, we can get them.

Thanks for any help or advice you can offer.

Graham


From: Doug McIntyre on
"Graham" <graham903(a)webenhanced.com.au> writes:
>Would anyone mind helping us to make a decision about whether to use a PIX
>firewall or ACLs on an 800 series router (861 or 871 I would guess) to ...

I guess I'd only target the hardware level of your query.


You do realize that the PIX 506E has been EOL'd for a couple years now?
And that I'd claim that cisco pretty much let the PIX's slide for
years before that. So, anything you've got with a PIX is going to be
most likely 3-5 years old to start with. No new code updates, no
license changes, no maintenance.

If you do the PIX (or get some somewhat modern hardware with the ASA line)
I'd say that the main benefits are that it's a stateful firewall, and
you don't have to deal with wonky protocols like FTP or H.323 too much
with workarounds on it, like you would have with ACL based stuff.

The Cisco IOS based hardware is newer. You say you just want ACLs, but
do you know that Cisco has at least 2 different full-stateful
inspection firewall systems inside IOS that are beyond what ACLs alone
can do? (Zones and CBAC). They get more into the magic area though
than "here's a packet, filter it or not".

Personally, I'd reject either and go with something like a Fortinet or
Juniper firewall product myself.
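To make the ACL-versus-stateful distinction in the reply concrete against the policy in the original question (deny all, one VNC pinhole, block a range), here is an added IOS configuration sketch; it is not from either poster. It assumes an 871 (FastEthernet4 as WAN, Vlan1 as LAN), RFC 5737 documentation addresses as placeholders, VNC on TCP 5900 to one inside host, and an IOS image with CBAC (`ip inspect`); the DMZ from the question is left out.

```cisco
! Constructed example, not from the thread. Addresses are placeholders.
!
! --- Plain ACL approach: deny-all inbound with explicit pinholes ---
ip access-list extended OUTSIDE-IN
 remark Block a specific range first (e.g. the source of the SIP scans)
 deny   ip 198.51.100.0 0.0.0.255 any log
 remark Pinhole: VNC to the static-NAT'd inside host. The public address
 remark is matched because an inbound ACL is evaluated before NAT.
 permit tcp any host 203.0.113.10 eq 5900
 remark Without inspection, return traffic for outbound sessions would
 remark need a broad "permit tcp any any established" here, and UDP
 remark replies (DNS, SIP) could not be matched by state at all.
 deny   ip any any log
!
! --- Stateful (CBAC) approach: inspection of outbound traffic creates
! --- temporary return-path entries, so the ACL above can stay deny-all.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
!
! NAT: one static pinhole for VNC, overload for everything else outbound
ip nat inside source static tcp 192.168.1.20 5900 203.0.113.10 5900
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet4 overload
!
interface FastEthernet4
 description WAN toward ADSL modem in bridge mode
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
interface Vlan1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

The `ip inspect FW out` line on the WAN interface is what makes the difference Doug describes: with it, the `deny ip any any log` in OUTSIDE-IN still applies to unsolicited traffic while replies to inside-initiated sessions (including FTP data channels) are admitted by state rather than by a standing permit.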