I don't think the PIX506 supports more than 2 interfaces. If you want to have multiple DMZs, you will need to move to a PIX 515 or bigger (from what you describe, a PIX515 should be fine). From reading on the 506E (I agree, poor job by Cisco on defining the difference), it appears to be largely a matter of processing power to support more VPNs, IPSEC and VoIP IIRC (been a while since I looked at it).
Packet filtering, at its simplest, is just looking at the source/destination addy pair and port endpoints and permitting/blocking based on that. It's what the PIX does by default. For example, someone could send bogus data on a permitted port number, and the packet filtering firewall won't pick it up, since the addy pair/port is permitted. In theory, proxies are supposed to be able to examine the actual packet contents and say "hey, this claims to be data for port X, but the data is not formatted properly so I am going to drop it".
Blocking AIM or KAZAA can be either/or. If you filter the ports that they use, or the IP addresses that the servers run on, then you are most likely packet filtering.
Like I mentioned, FW1 is a decent firewall, and religious BS aside, so is ISA (if MS made it to run on Unix, no one would complain. Seriously, to my knowledge it has yet to be exploited. Neither the PIX nor FW1 can claim that). Other stuff to look at would be Sonicwall (very PIX like) or GNATBox. Just to beat them to it, you could also use Linux with IPCHAINS/IPTABLES, but personally I wouldn't run it to protect my enterprise (learning curve is too steep unless you have that expertise on staff).
My opinion, since you already know the PIX, stick with what you know.
HTH
Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS Senior QA Rep. BMC Software, Inc. (713) 918-2412 [EMAIL PROTECTED]
-----Original Message-----
I see what you mean about religious wars already after being in this group for a whole 5 minutes.
I guess right now I'm looking at the Cisco PIX 506 but that's mainly because of my familiarity with PIX. I'm still open to other products that are comparative to the PIX 506. I just don't know what they are.
I'm not interested in having the firewall handling any proxy filtering. By that, I assume you mean web proxy filtering (URLs that should be blocked, etc.). We already have a proxy product in place that we will be sticking with and have been 100% satisfied with. As for packet filtering, are you talking about specifically looking at the packet and blocking/allowing dependent on the type of packet itself? For instance, would packet filtering allow blocking any packet that shows up as someone trying to use AIM or KAZAA, etc.? Or does that fall under the application filtering definition? Just trying to familiarize myself with the exact terms.
As for the sessions, no more than probably 700-2500 concurrent sessions. Although, my current PIX does have 4 interfaces. I need to make sure my new firewall can handle 4 interfaces, and the PIX 506, supposedly handles 2. Although I read something about the 506E, it doesn't list what the difference is between them.
-----Original Message-----
All 3 are good firewalls. It depends on what you are looking for. Do you want a packet filtering firewall (tends to be faster), then the PIX is a good choice. Depending on the amount of users, you can go with a PIX 515 or above. Do you want more proxy/application filtering capabilities? Then both ISA and FW1 are good choices. Any debate between the two is likely a religious war (with lots of M$ thrown in, I suppose because they don't have anything credible against ISA...)
HTH
Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS Senior QA Rep. BMC Software, Inc. (713) 918-2412 [EMAIL PROTECTED]
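The distinction drawn in the first message above, between permitting on the address pair and port and a proxy that checks the data itself, shown as an added example that is not part of the original thread. The rule set, addresses, sample packets and the simple HTTP request-line check are all constructed for illustration.

```python
import ipaddress
import re
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed permit list: (source network, destination network, destination port)
PERMIT = [("0.0.0.0/0", "192.0.2.10/32", 80)]

# Minimal shape of an HTTP/1.x request line (illustrative, not a full parser)
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"
)


def packet_filter(pkt: Packet) -> bool:
    """Permit or block on address pair and port only; the payload is never read."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    return any(
        src in ipaddress.ip_network(s)
        and dst in ipaddress.ip_network(d)
        and pkt.dport == port
        for s, d, port in PERMIT
    )


def proxy_check(pkt: Packet) -> bool:
    """Same rule, plus: data sent to port 80 must be formatted as an HTTP request."""
    if not packet_filter(pkt):
        return False
    if pkt.dport == 80:
        return HTTP_REQUEST_LINE.match(pkt.payload) is not None
    return True


# Constructed sample traffic
GOOD = Packet("198.51.100.7", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n")
BOGUS = Packet("198.51.100.7", "192.0.2.10", 80, b"\x00\x01not-http-at-all")
BLOCKED = Packet("198.51.100.7", "192.0.2.10", 9999, b"anything")

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bogus", BOGUS), ("blocked", BLOCKED)):
        print(name, "filter:", packet_filter(pkt), "proxy:", proxy_check(pkt))
```

The bogus payload on port 80 passes the packet filter and is dropped only by the content check, which is the gap the message describes.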
