Re: [nsp] Network Firewall
Hans-Peter Walter HAWA
Hans-Peter.Walter at de.tds-global.com
Wed Jun 16 12:02:08 EDT 2004
Hi Lawrence,
You always use NAT on the PIX until you turn it off, which is not
recommended.
This command uses the PIX for the spoofing process to know which networks
are behind which interface.
You could turn it off if you have only the "connected" network in a DMZ.
static (inside,dmz) 10.20.30.0 10.20.30.0 netmask 255.255.255.0 100 50 <== no real NAT happens
The last 2 parameters are for DoS attacks, right. The PIX answers the
3-way handshake to check whether a FIN is sent or not.
I had some bad experiences with the PIX Device Manager, so I don't like
that tool yet, but Cisco gets better....
Checkpoint is much better with its Smart Dashboard and so on.
Small PIXes are much cheaper than Checkpoint and Secure Platform, and
the service contracts are about 15% of the Checkpoint service contracts!!
It depends on how many interfaces you need and what you want to do (VPN,
SmartDefense (a small IDS ;-)) ).
Have fun,
HP
Lawrence Wong <lawrencewong72 at yahoo.com>
Sent by: cisco-nsp-bounces at puck.nether.net
16.06.2004 15:56
To: cisco-nsp at puck.nether.net
Cc:
Subject: [nsp] Network Firewall
Hi all,
I am currently looking for a firewall to install in
our corporate network. Our network mainly runs on
Cisco hardware which made me consider using Cisco
firewalls as well. We use public IPs hence no NAT is
required.
Does anyone have any experience to share on the Cisco
PIX firewalls? Or any other firewalls to recommend?
I noticed that compared to other vendors, Cisco PIX
seems to lack in the area of SYN/UDP DDoS flood
protection? The closest which I read from its manual
for 6.3 is the usage of some parameters in the "static"
command to indirectly manage flooding, but static is
used in NAT mode.
TIA!