Comments embedded:
In article <[EMAIL PROTECTED]>,
David B McGlumphy <[EMAIL PROTECTED]> wrote:
>>I like the flexibility of the IBM
>>firewall, but I know PIX's have a reputation for being (almost)
>>Impenetrable. Any suggestions?
>Impenetrable? As in, "PIXes have a really weird configuration syntax
The configuration syntax is not all that bad once you've worked with
it, although to the unfamiliar it probably is a bit strange.
>and
>it's almost impossible to get them properly configured to allow protocols
>through,
Don't quite follow you there. It's very easy to let protocols through; you just use a conduit statement. If you're talking about multi-channel protocols that use negotiated ports that the PIX doesn't understand, there's capability in 4.2 and above to handle this with the "established" command, but I would argue that those kinds of applications are difficult to handle through any kind of firewall.
>especially if you go to a dual-redundant system with failover"?
Again, I don't follow you. When the PIX is configured in a failover scenario, the second box is just a backup of the first; the configuration of the backup is automatically updated from the primary through a special cable, so I don't follow how configuration could be any more or less difficult whether you have a single PIX or a redundant configuration. Once you've got the primary configured, the secondary config will sync up automatically.
If you're talking about not using the hot standby configuration of the PIX but using two or more active units doing load-sharing, I agree that this is nearly impossible to do with the PIX, but that is mostly due to its limited routing capability. (Which is ironic considering it's sold by the world's best-known routing company. Even though they didn't originally design the PIX, you'd think that 4 years would be long enough to include more robust routing.)
>
>Well, yeh.
>
>Plus, it's like a dumb "port proxy". There's no application level smarts
>involved... you will still have to have a bastion host for things like mail.
That's not entirely true if you're talking about current versions of the PIX IOS. Cisco has included limited functionality that enables the stateful inspection on the PIX to understand commands from some of the more common applications such as SMTP. For example, it will only allow certain SMTP commands through to your mail server, but will also answer with "OK" to non-allowed commands to confuse attackers attempting to use those commands. This feature is called Mail Guard and has been around for at least the last 3 revs of PIX IOS.
I think the poster who referred to the PIX being "impenetrable" was referring to the PIX's "black box" feature. Since the PIX itself runs very few services, it would be very difficult to compromise the box itself. This is a plus, but of dubious value since in most cases it's not the firewall itself that is compromised; it's hosts on the inside that are compromised through an allowed application.
In any case, to the original poster: I would agree with others' comments
that without specific reasons to switch firewalls, it doesn't make sense
to start swapping equipment. There are good and bad points to all
firewalls, you just have to pick the one that fits your individual needs
the best. I would press the recommender for specific reasons for
implementing the PIX over the current solution. (other than the fact that
his company sells the product)
HTH,
Kent
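The Mail Guard behaviour Kent describes above (pass a fixed set of SMTP commands to the mail server, answer everything else with "OK" locally) is modelled here as an added example; this is my own illustrative code, not Cisco's and not from the original post. It assumes the RFC 821 minimum command set as the allowlist and a constructed "250 OK" reply text, and it tracks DATA state so that lines inside a message body are never mistaken for commands.

```python
# Added example (not from the original post): a minimal model of a
# Mail Guard style SMTP command filter as described in the thread.
# Assumptions: allowlist = RFC 821 minimum command set; blocked commands
# are answered with a constructed "250 OK" and never forwarded.

ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


class SmtpCommandFilter:
    """Tracks DATA state so message-body lines are not treated as commands."""

    def __init__(self, allowed=ALLOWED):
        self.allowed = allowed
        self.in_data = False  # True while the client is sending a body

    def handle(self, line):
        """Return ("forward", line) to pass the line to the mail server,
        or ("reply", text) when the filter answers the client itself."""
        if self.in_data:
            # Body lines pass untouched; a lone "." ends the body.
            if line == ".":
                self.in_data = False
            return ("forward", line)
        verb = line.split(" ", 1)[0].upper()
        if verb in self.allowed:
            if verb == "DATA":
                # Simplification: a real filter would wait for the
                # server's 354 before switching into body mode.
                self.in_data = True
            return ("forward", line)
        # Non-allowed command (e.g. VRFY, EXPN): swallow it, answer OK,
        # and let the caller log it for detection purposes.
        return ("reply", "250 OK")


def run_session(lines, allowed=ALLOWED):
    """Filter a whole client transcript; returns (forwarded, blocked)."""
    flt = SmtpCommandFilter(allowed)
    forwarded, blocked = [], []
    for line in lines:
        action, text = flt.handle(line)
        (forwarded if action == "forward" else blocked).append(line)
    return forwarded, blocked


# Constructed client transcript: probes VRFY/EXPN, then sends a message
# whose body contains a line that looks like a command.
CLIENT = ["HELO probe.example", "VRFY root", "EXPN staff",
          "MAIL FROM:<a@example>", "RCPT TO:<b@example>", "DATA",
          "VRFY in-body text must not be filtered", ".", "QUIT"]
```

Blocked lines are the ones worth alerting on: the client sees only "250 OK", while the mail server never receives the probe.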
