Does anyone have any opinions on the use of access lists vs conduits on the PIX?  Cisco seems to be pushing access lists in their newer pix os releases.


One thing I have noticed is that with conduits, the PIX will implicitly allow all traffic from a higher to a lower security level.  For example, if I have a machine in my DMZ, security50, that wants to browse the web on the outside, security0, this is automatically allowed without the use of a conduit statement.


If I use an access-list on my DMZ interface, with holes from the outside to the DMZ or from the DMZ to the inside, I will not be able to have this DMZ machine browse the web unless I have an access-list statement on the DMZ allowing it through to the outside on port 80.  There isn't the implicit allow-all of traffic from higher to lower security that the conduit has.  Unless I'm missing something, access lists create more work.


Does anybody have any opinions on one or the other?


Thanks, Matt 
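As an added illustration (not part of Matt's post), here are the two styles of PIX configuration side by side for the scenario he describes: a DMZ web server that must be reachable from the outside and must itself browse the web. Interface names, security levels, addresses, and the one DMZ-to-inside hole are assumed for the example; the `!` lines are explanatory comments, not PIX commands.

```text
! Assumed interfaces for the example
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Static translation for the DMZ web server (needed in both styles)
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255

! --- Conduit style ---
! Only the inbound hole is written. The DMZ host's outbound web
! browsing (security50 -> security0) is allowed implicitly.
conduit permit tcp host 203.0.113.10 eq www any

! --- Access-list style ---
! Inbound hole from the outside to the DMZ web server.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! Once an access-group is bound to the dmz interface, the implicit
! higher-to-lower allow no longer applies to that interface, so the
! outbound web rule has to be stated explicitly alongside any
! DMZ-to-inside holes (assumed example: a database on the inside).
access-list dmz_in permit tcp host 192.168.50.10 any eq www
access-list dmz_in permit tcp host 192.168.50.10 host 10.1.1.20 eq 1433
access-group dmz_in in interface dmz
```

Everything from the DMZ not matched by `dmz_in` is dropped by the access list's implicit deny, which is the extra work the post refers to, but it also means the DMZ host can only reach what is listed.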
