[nsp] PIX ASA v. ACL

fingers fingers at fingers.co.za
Wed May 21 21:31:36 EDT 2003


Hi

> That's just one example.  The PIX would watch state on the udp
> connection.  In addition, it knows more about DNS in that after the
> first reply is received, the state is closed.  This prevents DNS
> hijacking or receiving false information in any regular routine.

FW featureset on IOS does this as well. The tossup here is the cost (not
that a PIX is cheap). It's still better than having to do your firewalling
and your routing on the same box. And even if you are paying a small
fortune for nothing more than decent shellcode on a packaged i386, in my
limited experience the PIX performs pretty well considering its hardware.
Then there's also the "security level" concept which FW IOS doesn't
provide.

> Firewalls are your friend.  :)  Access-lists are cool too, but require
> much more administration (think through how FTP works and you'll see
> more evil), and open a LOT of things up for attack possibilities.  It's
> not as much a religious argument from ACL to FW (well, it is, but it
> doesn't have to be), but it's an argument that there are a LOT of smart
> people out there with too much time on their hands, and anything I can
> do to minimize exposure of anything on my network is a good thing.

agreed, anything that doesn't keep state is a waste of time in most
applications (as a "firewall").

Regards

--Rob
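The behaviour the thread is discussing, a stateless ACL letting in any UDP datagram from port 53 versus a stateful inspector that admits only a reply matching an outstanding query and then closes that state, can be shown in a small simulation. The following is an added example written for this page; it is not code from the cisco-nsp posters or from any Cisco product. The `Packet` record, the `10.0.0.` inside prefix and the sample traffic are all constructed here, and the inspector models only the first-reply-closes-state rule the post describes (a real PIX also ages entries out on a timer).

```python
"""Stateless ACL vs. stateful DNS inspection (constructed illustration)."""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."  # constructed inside-network prefix


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    txid: int          # DNS transaction ID carried in the datagram
    direction: str     # "out" = inside -> outside, "in" = outside -> inside


def stateless_acl(pkt: Packet) -> bool:
    """Equivalent of 'permit udp any eq 53 <inside>' plus 'permit udp <inside> any eq 53'.

    No memory of earlier packets: anything sourced from UDP/53 gets in.
    """
    if pkt.direction == "out":
        return pkt.dport == 53 and pkt.src.startswith(INSIDE_NET)
    return pkt.sport == 53 and pkt.dst.startswith(INSIDE_NET)


class StatefulDnsInspector:
    """Admits a reply only if it matches a pending query; the first reply closes the state."""

    def __init__(self) -> None:
        # outstanding queries, keyed by (inside host, inside port, server, txid)
        self._pending: set[tuple[str, int, str, int]] = set()

    def process(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.dport != 53 or not pkt.src.startswith(INSIDE_NET):
                return False
            self._pending.add((pkt.src, pkt.sport, pkt.dst, pkt.txid))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.txid)
        if pkt.sport == 53 and key in self._pending:
            self._pending.discard(key)   # one answer per question; state is gone
            return True
        return False                      # unsolicited, late, or wrong-txid reply


# Constructed sample traffic: a query, its answer, and three datagrams a
# stateless ACL cannot distinguish from that answer.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", 40001, "192.0.2.53", 53, 0x1234, "out"),   # query
    Packet("192.0.2.53", 53, "10.0.0.5", 40001, 0x1234, "in"),    # genuine reply
    Packet("192.0.2.53", 53, "10.0.0.5", 40001, 0x1234, "in"),    # second copy of the same reply
    Packet("198.51.100.9", 53, "10.0.0.7", 40002, 0x5555, "in"),  # nobody asked this server anything
    Packet("192.0.2.53", 53, "10.0.0.5", 40001, 0x9999, "in"),    # reply with a txid never sent
]


def evaluate_stateless(packets=SAMPLE_TRAFFIC) -> list[bool]:
    """Per-packet permit decisions from the stateless ACL."""
    return [stateless_acl(p) for p in packets]


def evaluate_stateful(packets=SAMPLE_TRAFFIC) -> list[bool]:
    """Per-packet permit decisions from a fresh stateful inspector."""
    fw = StatefulDnsInspector()
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for label, decisions in (("stateless ACL", evaluate_stateless()),
                             ("stateful DNS ", evaluate_stateful())):
        print(label, ["permit" if d else "deny" for d in decisions])
```

Run it and the ACL column shows five permits, while the inspector permits only the query and its first answer; the duplicate, the unsolicited datagram and the wrong-txid reply are all dropped because no matching state exists. That difference is the whole point of the post: the extra packets are exactly the ones that would have to be reasoned about by hand when "firewalling" with plain access-lists.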

