[c-nsp] Migration from IPFilter to IOS Firewall

Baek, Steven A (US SSA) steven.baek at baesystems.com
Fri Jun 8 13:08:25 EDT 2007


If you are familiar with ipfilter, looking at pf from openbsd would be
worth looking at. Downside is that it only runs on openbsd. Upside is
that you will get your high availability, built in traffic shaper, and,
clustering of multiple fw's using carp as a solid open source solution.

Steve

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ted Mittelstaedt
Sent: Friday, June 08, 2007 8:53 AM
To: Sridhar Ayengar; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Migration from IPFilter to IOS Firewall


You're going to be better off sticking with your ipfilter solution -
you do know you don't have to field it on a Sun, correct?

The power available in off-the-shelf PC hardware is an order of
magnitude greater than available in all but the most expensive
Cisco routers.  Most Cisco routers running IOS Firewall would
drown under a concerted DDoS attack that a modern PC wouldn't
even notice.

There's a lot of people that use routers for routing and PC's
for firewalls and thus get a best-of-breed solution.

NAT between the 2 systems is a wash - it's just not that intensive,
unless you get a virus-infected system behind the address translator,
and in that case it's better for the rest of us on the Internet if
your infected network overflows your NAT device and thereby takes
itself offline.

But firewalling is a different animal.  Particularly since you're
very familiar with the ipfilter and not familiar with IOS Firewall
feature set.

Ted

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Sridhar Ayengar
> Sent: Wednesday, June 06, 2007 1:10 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Migration from IPFilter to IOS Firewall
> 
> 
> 
> I'm planning a migration for a single location from a Sun running
> ipfilter (and ipnat) to a Cisco Router with IOS Firewall feature set. I
> am not particularly familiar with the IOS Firewall configuration.  I am,
> however, very familiar with the configuration of ipfilter/ipnat.  With
> the help of the IOS Firewall feature set docs, I'm muddling my way
> towards a better understanding.
> 
> What I'm wondering is, is there any information out there regarding
> translating configuration from the ipfilter idiom to the IOS idiom? Or
> even the reverse?  Could anyone point me in the right direction?
> 
> Thanks a bunch.
> 
> Peace...  Sridhar
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 