[c-nsp] Migration from IPFilter to IOS Firewall

Ted Mittelstaedt tedm at toybox.placo.com
Fri Jun 8 11:53:24 EDT 2007


You're going to be better off sticking with your ipfilter solution -
you do know you don't have to field it on a Sun, correct?

The power available in off-the-shelf PC hardware is an order of
magnitude greater than available in all but the most expensive
Cisco routers.  Most Cisco routers running IOS Firewall would
drown under a concerted DDoS attack that a modern PC wouldn't
even notice.

There are a lot of people that use routers for routing and PCs
for firewalls and thus get a best-of-breed solution.

NAT between the 2 systems is a wash - it's just not that intensive,
unless you get a virus-infected system behind the address translator,
and in that case it's better for the rest of us on the Internet if
your infected network overflows your NAT device and thereby takes
itself offline.

But firewalling is a different animal.  Particularly since you're
very familiar with the ipfilter and not familiar with IOS Firewall
feature set.

Ted

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Sridhar Ayengar
> Sent: Wednesday, June 06, 2007 1:10 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Migration from IPFilter to IOS Firewall
> 
> 
> 
> I'm planning a migration for a single location from a Sun running 
> ipfilter (and ipnat) to a Cisco Router with IOS Firewall feature set.  I 
> am not particularly familiar with the IOS Firewall configuration.  I am, 
> however, very familiar with the configuration of ipfilter/ipnat.  With 
> the help of the IOS Firewall feature set docs, I'm muddling my way 
> towards a better understanding.
> 
> What I'm wondering is, is there any information out there regarding 
> translating configuration from the ipfilter idiom to the IOS idiom?  Or 
> even the reverse?  Could anyone point me in the right direction?
> 
> Thanks a bunch.
> 
> Peace...  Sridhar
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

