Mikael Olsson wrote:
> Both flavours are conceptually quite capable of analyzing app data
> to your heart's content.
> The PIX is able to do app level inspection on a variety of protocols,
> exactly which ones I won't expand on since I haven't used it enough.
> I won't expand on the app inspection capabilities of sidewinder or
> cyberguard, since I haven't used them at all.
I can expand on the PIX somewhat, as I administer a pair of these things.
The PIX's application layer capabilities are very limited. It can relay SMTP
mail at the application layer, and it can do things like strip Java out of
HTTP, and that's about it. It understands enough about tricky protocols like
FTP, SQLNET, and RPC to allow sessions in those protocols to open up the
necessary extra ports, and it can throttle SYN flood attacks, so it's
somewhat smarter than most routers.
On the upside, it's pretty simple to administer, it can be set up as a fault
tolerant failover pair (if you can afford two of them), and it's fast. Cisco
claim up to 150 Mb/s, depending on how many interfaces it has.
Jim Eckford
Miller Freeman, Inc
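
The message above says the PIX follows FTP closely enough to open the necessary extra ports. As an added illustration (not part of the original message and not Cisco's code), this Python example shows what a stateful filter has to read from the FTP control channel to open one narrow data-connection pinhole; the function name `pinhole_for`, the privileged-port rule and the addresses are assumptions made for the example.

```python
import re
from ipaddress import IPv4Address

SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
# Active mode, client -> server:  PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+" + SIX + r"\s*$", re.IGNORECASE)
# Passive mode, server -> client: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227\s.*?" + SIX)


def _decode(groups):
    """Turn the six decimal fields into (address, port); None if any field > 255."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]


def pinhole_for(line, from_client, client_ip, server_ip):
    """Return (src_ip, dst_ip, dst_port) of the data connection to permit, or None.

    from_client says which side of the control connection sent the line, so a
    PORT command is only honoured from the client and a 227 reply only from
    the server.
    """
    line = line.rstrip("\r\n")
    if from_client:
        m = PORT_RE.match(line)
        listener, connector = client_ip, server_ip  # server dials the client
    else:
        m = PASV_RE.match(line)
        listener, connector = server_ip, client_ip  # client dials the server
    if not m:
        return None
    decoded = _decode(m.groups())
    if decoded is None:
        return None
    addr, port = decoded
    # The advertised address must be the host that sent the line; otherwise
    # the control channel is being used to aim a connection at a third party.
    if addr != IPv4Address(listener):
        return None
    # Assumption for this example: never open pinholes to privileged ports.
    if port < 1024:
        return None
    return (connector, str(addr), port)
```

The returned tuple is the only flow that needs to be allowed, and only for the lifetime of the control session it was derived from.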