You can go for IP, IP/FW or IP/FW + IPSec.
The first decision is: do you want / need IPSec. If so your decision is
made. The Cisco IPSec feature set is a little arcane to configure but
logically consistent with the rest of the IOS style - if you've done tricky
route-map stuff you'll have no problems and the documentation is good.
If you don't need IPSec then you could save a little by going with plain
IP/FW. Reflexive ACLs (In IP Only) and Context Based Access Control (In IP
Firewall) both do a much more stateful job of filtering than vanilla ACLs.
However, IP/FW offers better logging, Java blocking and also some degree of
intelligent inspection. It knows about some application level protocols like
FTP, SMTP etc. It can also do more stringent checking of TCP and UDP.
In short there _is_ an incremental security boost from IP only to IP/FW. My
_personal_ opinion is that it's worth it if the router is your only line of
defence but not if it's just a first level screen for another firewall (or
two).
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
> -----Original Message-----
> From: Jon Earle [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 16 March 2000 3:17 AM
> To: [EMAIL PROTECTED]
> Subject: SUMMARY: Cisco Access Lists
> In closing, we _do_ have plans to upgrade the IOS to v12.0.9. We're trying
> to decide whether to go with the $300 simple IOS upgrade, or the $3300
> IOS/FW + IPSEC upgrade. If anyone has any comments on this (specifically
> the value, capability, etc of the latter option), I'd love to hear from you.
>
> Cheers!
> Jon
> -----------------------------------------------------------------
> Jon Earle (613) 612-0946 (Cell)
> HUB Computer Consulting Inc. (613) 830-1499 (Office)
> http://www.hubcc.ca 1-888-353-7272 (Within Canada/US)
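The three filtering levels the reply contrasts (vanilla ACL, Reflexive ACL, CBAC) laid out side by side as an added IOS configuration sketch. This is illustrative text written for this thread, not configuration from either poster or from Cisco. The interface roles (Serial0 outside), the ACL names, the inside prefix 192.0.2.0/24, the "friendly" web server range 198.51.100.0/24 and the timeouts are all assumptions chosen for the example.

```cisco
! Added example, not from the original thread. Assumes Serial0 is the
! outside link, inside prefix 192.0.2.0/24, friendly applet sources
! 198.51.100.0/24 (both documentation ranges, chosen for illustration).
!
! --- 1. Vanilla extended ACL (plain IP feature set) ---
! "established" only tests the ACK or RST bit. No session table is kept,
! so any inbound packet with ACK set is admitted whether or not an inside
! host ever opened the connection.
ip access-list extended VANILLA-IN
 permit tcp any 192.0.2.0 0.0.0.255 established
 deny   ip any any log
!
! --- 2. Reflexive ACL (IP feature set, as the reply notes) ---
! Outbound "reflect" entries record each session; inbound "evaluate"
! admits only packets matching a recorded session, and entries age out.
ip access-list extended REFLEX-OUT
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
 permit icmp any any
ip access-list extended REFLEX-IN
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 deny   ip any any log
!
! --- 3. CBAC (IP/FW feature set) ---
! Inspection tracks sessions and also parses application protocols, so an
! FTP data channel is opened only as negotiated on the control channel.
! The java-list permits applets only from hosts in ACL 10; other sources
! are blocked. audit-trail gives the per-session logging the reply mentions.
access-list 10 permit 198.51.100.0 0.0.0.255
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW smtp
ip inspect name FW http java-list 10
ip inspect audit-trail
ip access-list extended CBAC-IN
 deny   ip any any log
!
interface Serial0
 description Outside link - apply ONE of the three inbound policies
 ! Vanilla:   ip access-group VANILLA-IN in
 ! Reflexive: ip access-group REFLEX-OUT out
 !            ip access-group REFLEX-IN in
 ! CBAC (inspection of outbound sessions punches temporary return
 ! entries into CBAC-IN, so the static ACL can stay deny-all):
 ip inspect FW out
 ip access-group CBAC-IN in
```

The point of placing the three next to each other is the inbound ACL: with the vanilla form the static `established` line is the whole policy, with reflexive ACLs the static part shrinks to `evaluate` plus a deny, and with CBAC the static inbound list is nothing but a logged deny, because every opening is created and torn down from observed session state.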