Dave,

>       My company currently uses a RS/6000 running IBM Firewall for AIX as
> its main firewall to the internet.  Our CCIE consultant that we had in
> suggested replacing it with a PIX box.  I have set up PIX's before, but I
> was wondering what the general feeling was on using a PIX vs. a less black
> box solution as your main firewall.  I like the flexibility of the IBM
> firewall, but I know PIX's have a reputation for being (almost)
> Impenetrable.  Any suggestions?

        Well, I've used both products and I'm fairly opinionated,
so here goes.

        When I used the IBM firewall (admittedly not in the current
revision), two things bothered me.  First, it had stability problems
on hardware that should have handled the load we put on it.  Secondly,
and more importantly, it required that we configure it using a remote
GUI Java product, which in turn required X and Java code installed on
the firewall.  In my philosophy, firewalls should be as simple as
practical, and requiring X and Java is, well, obscene.

        The PIX is a fine firewall.  They were doing NAT when NAT
wasn't cool (and, in fact, when PIX wasn't Cisco).  And I've always
liked NAT for a lot of reasons.

        Now, the hard part.  Most top-notch firewalls sold today, if
properly configured, aren't going to be compromised from outside.
Your risks are far more sinister, and include (in no particular order):

1)      Inadequate understanding of your security needs.
2)      Inadequate definition of your security policy.
3)      Client-side vulnerabilities.  The worst of these is users
        who double-click email attachments to see dancing babies.
        Scarier still are new applications tunneling you-name-it
        through HTTP.  You won't be able to keep up with the
        problems these present.
4)      Demands on firewalls are nothing like they used to be.
        They have to do more tasks, like VPN duties, which makes them
        harder to secure.  And we expect more from them in staving
        off denial of service attacks.

        So use what you know you can secure.  The PIX is a fine tool;
but maybe the current IBM E-Firewall is just as good... if you know it well
and you understand what you're protecting your users from.

        By the way, my preferred approach is to build from scratch,
using your favorite open-source UNIX, using a combination of NAT/PAT
and proxies, laid out physically to minimize exposure.  Then I'd spend
all my time setting (lowering) expectations for the firewall, because
_your_firewall_can't_secure_your_network_if_you_let_users_play_.

        HTH.

>       Dave

Cheers,
John Dorsey

