[nsp] PIX ASA v. ACL

Scott Morris swm at emanon.com
Wed May 21 16:10:54 EDT 2003


The PIX is actually software, not hardware.  But it's a small code set,
its own OS, so it's very efficient.  Pentium processors can be pretty
good!  Considering many routers run on the old Macintosh processors, go
figure. :)

But you are correct, the IOS Firewall Feature set will also maintain
state information.  There are some differences between the two, but for
basic security implementations, it's likely people won't run into any
difficulties.  Then it becomes an argument of price point versus
efficiency of piling things on.  I assumed (perhaps wrongly) that the
comparison was between stateful (PIX) and non-stateful, generic,
all-purpose ACLs.

All being very important questions of security design though!

Scott

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of fingers
Sent: Wednesday, May 21, 2003 2:32 PM
To: cisco-nsp at puck.nether.net
Subject: RE: [nsp] PIX ASA v. ACL


Hi

> That's just one example.  The PIX would watch state on the udp
> connection.  In addition, it knows more about DNS in that after the
> first reply is received, the state is closed.  This prevents DNS
> hijacking or receiving false information in any regular routine.

FW feature set on IOS does this as well. The toss-up here is the cost (not
that a pix is cheap). It's still better than having to do your
firewalling and your routing on the same box. And even if you are paying
a small fortune for nothing more than decent shellcode on a packaged
i386, in my limited experience the pix performs pretty well considering
its hardware. Then there's also the "security level" concepts which FW
IOS doesn't provide.

> Firewalls are your friend.  :)  Access-lists are cool too, but require
> much more administration (think through how FTP works and you'll see
> more evil), and open a LOT of things up for attack possibilities.
> It's not as much a religious argument from ACL to FW (well, it is, but
> it doesn't have to be), but it's an argument that there are a LOT of
> smart people out there with too much time on their hands, and anything
> I can do to minimize exposure of anything on my network is a good
> thing.

agreed, anything that doesn't keep state is a waste of time in most
applications (as a "firewall").

Regards

--Rob
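To make the DNS point in this thread concrete, here is a constructed model (added here, not code from either poster or from Cisco) that runs the same packet trace through a stateless "permit udp any eq 53 inside" style rule and through a minimal state table that opens an entry on the outbound query and closes it on the first reply. The addresses, ports and the `Pkt`/`DnsStateTable` names are assumptions for the illustration.

```python
"""Stateless ACL vs. stateful DNS inspection over a constructed UDP trace."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


# Constructed sample addresses (documentation ranges, not real hosts).
INSIDE, RESOLVER, STRANGER = "10.0.0.5", "192.0.2.53", "198.51.100.9"


def stateless_acl_permits(p: Pkt) -> bool:
    """A generic ACL has no memory: to let replies in at all it must permit
    any UDP packet with source port 53 toward the inside network."""
    return p.proto == "udp" and p.sport == 53 and p.dst.startswith("10.0.0.")


class DnsStateTable:
    """Pending-query table: one entry per outbound query, removed on first reply."""

    def __init__(self) -> None:
        self.pending: set = set()

    def outbound(self, p: Pkt) -> bool:
        if p.proto == "udp" and p.dport == 53:
            self.pending.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False

    def inbound(self, p: Pkt) -> bool:
        key = (p.dst, p.dport, p.src, p.sport)  # reply mirrors the query tuple
        if key in self.pending:
            self.pending.discard(key)  # first reply closes the state
            return True
        return False  # late, duplicate or unsolicited: dropped


def run(trace, stateful: bool) -> list:
    """Return the permit/deny verdict for each (direction, packet) in the trace."""
    table, verdicts = DnsStateTable(), []
    for direction, p in trace:
        if direction == "out":
            verdicts.append(table.outbound(p) if stateful else True)
        else:
            verdicts.append(table.inbound(p) if stateful else stateless_acl_permits(p))
    return verdicts


# Constructed trace: one query, its reply, a duplicate reply, an unsolicited packet.
TRACE = [("out", Pkt(INSIDE, 40000, RESOLVER, 53)),
         ("in", Pkt(RESOLVER, 53, INSIDE, 40000)),
         ("in", Pkt(RESOLVER, 53, INSIDE, 40000)),
         ("in", Pkt(STRANGER, 53, INSIDE, 40000))]
```

The stateless rule lets all four packets through, while the state table admits only the query and its first reply.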
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/