I think it's safe to say that all systems/devices have vulnerabilities -
i.e. there is no perfect system.  Having said that, I know PIX to be a
great firewall (and an OK VPN concentrator), but I've never set up
OpenBSD/FreeBSD+ipfilter.  What I do know about OpenBSD/FreeBSD+ipfilter is
that I port-scanned a network that a friend manages upon his request and was
a bit disturbed to find that it allowed my port scanner to report all the
ports that were opened (whereas most other firewalls are stealthy,
including PIX) - and the port scanner I was using wasn't even that good.

On a side note, a firewall alone is not enough anymore.  If you run a web
server (like IIS, for a web site or OWA or NFuse), you can't get around
opening up port 80, and this is where all the Code Red, Nimda, etc. are
exploiting.  Therefore, for added security, you almost have to supplement
the firewall with IDS - both Network IDS at the edge of your network, and
Host IDS on all critical servers (and workstations).


Randall


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Lefkovics, William
Sent: Monday, October 01, 2001 04:15 PM
To: MSWinNT Discussions
Subject: RE: Firewall product


We use Exchange, so PIX has some issues with a few things, recent
vulnerability notwithstanding.

I'd also favour OpenBSD [1] over FreeBSD for the alternative.

William

[1] "Four years without a remote hole in the default install!"

-----Original Message-----
From: Erik Vesneski [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 01, 2001 4:13 PM
To: MSWinNT Discussions
Subject: RE: Firewall product


Hi:

A Pix is a great solution.  Not only is Cisco the leading Network company
but they have so many items for your network that the Pix is a great FW.  Is
it gonna be the perfect solution - perhaps not but will it work with the
Cisco IDS?  Yep, and it does a phenomenal job.  Did I mention VPN?  It is too
bad that politics are playing a part when you need a strong solution for
your protection.

Just think about it.  I am not a Cisco rep but it is so important to have
good fw protection for your network.

Thank you,

Erik L. Vesneski
Internal Network Manager
Epicentric, Inc.

-----Original Message-----
From: Len Conrad [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 01, 2001 11:37 AM
To: MSWinNT Discussions
Subject: RE: Firewall product



>Not a whole lot. We already spent all the money on PIX firewall, but it's
>not configured yet because of the politics around here.  I was told to get
>something better than BlackIce in place for right now; I just want a
>Filtering Firewall type, no Proxy.

Too bad about the pix.  FreeBSD 4.4 + ipfilter can do nearly all that pix
can do, and in many ways, more than pix can do, and it's free.

Len

------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to [EMAIL PROTECTED]

