[c-nsp] firewall ios

Ted Mittelstaedt tedm at toybox.placo.com
Sun May 27 05:33:32 EDT 2007


take the IOS firewall feature set.  The PIX interface is annoying.
It is NOT ios.  Among annoyances you cannot telnet from the PIX to
another device.  Thus if you have a PIX buried in the enterprise
behind multiple routers, and a route gets screwed beyond it, you
cannot reach the remote router by hopscotching.  The PIX also doesn't
speak many routing protocols.  Cisco is also slow
as a slug to release new PIX images.  Most PIXen out there are the
506 and 506E's and Cisco has turned its back on them because
PIX OS 7 requires a RAM update.  I took delivery of 2 new 506E's 4 months
ago and they came out of the box, still with inadequate RAM, and
2 year old PIX OS on them.

I have also seen multiple PIX hardware failures on the original
non-E models.  The PIX boxes get temp sensitive and lock up, power
cycling gets them going again.  This will continue repeating itself
for months.  Or the power supplies fry.  And
Cisco no longer sells the power supplies for the original non 506
models.  So far, knock on wood, the E models we have seen deployed
haven't done this.  They also run hot as Hades.  You can almost
fry an egg on one of them that has been on for a while.

Keep in mind the PIX was a product Cisco bought from someone else;
they didn't design it.  Cisco has said for years that customers
shouldn't buy them.  The usual line is "we are in process of taking
the technology from the PIX and using it in our other products."
Which is big marketing bullcrap intended to reinforce the bogus
image of superiority that the original dyed-in-the-wool PIX owners
had of their devices.  IOS is actually more advanced, and PIX didn't
have dynamic VPN support when Cisco bought the product.  Over the
years more technology has flowed from Cisco into the PIX than they
ever got out of it.  The PIX purchase was a buy-market-share purchase,
not a technology purchase.  Totally the opposite of, for example, the
Combinet purchase, where Combinet had far better ISDN technology
than Cisco.  The PIX originally was a hacked-up PC motherboard
based product and the original versions (pre-Cisco) ran on a
hacked-up DOS/Windows OS.

The PIX is popular IMHO because it's cheaper than IOS Firewall Feature
set + a decent Cisco router, and it has the moniker Cisco on it.  Logic
would tell Cisco to kill the product, but they are afraid of doing
that because they are afraid of losing customers.  Frankly, the Linksys
RV042 works just as well as a PIX for most applications you would use
a PIX in and is a hell of a lot cheaper.  Plus it has Cisco on the box.
Unfortunately, the RV042 doesn't get the attention it should because
so much of the Linksys product line has been total garbage.

Ted

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Dan
> Sent: Saturday, May 26, 2007 9:02 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] firewall ios
> 
> 
> Hello,
> 
> I was wondering if there is any difference between a pix firewall and 
> the firewall ios.  I have a 2801 router that I would like to buy the 
> firewall ios for instead of putting in a pix firewall.  Does the 
> firewall ios have all of the features of the pix box?  I'm currently 
> using the router for nbar inspection, route-mapping and natting a few 
> internet connections.  Will this all still work on the firewall ios?
> 
> Thanks,
> Dan.
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 