With the advent of turbo access-lists the performance is not degraded on a router, when compared with a PIX. The main reason to use the PIX is the logs. The PIX generates much better logs than the routers. It is easier to track what is going on. Plus the PIX has some IDS code in it and does match quite a few attacks. Also, because of the way the PIX handles interfaces, it forces you to separate your subnets into different areas and create trust relationships.
-----Original Message-----
From: Dom Genzano [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 01, 2001 4:35 PM
To: Phil Kramer; [EMAIL PROTECTED]
Subject: RE: Hardware Firewall vs Software Firewall

Are you comparing a PIX firewall to a router with ACLs? Wow... not sure I can even start to help you out there. One thing I can clear up is that the way router memory and processing deal with ACLs is very inefficient compared to the way most stateful inspection firewalls deal with their rule set; this is why the performance is 'generally' much better. Also, a proxy firewall, while inherently more secure, is not always all it's cracked up to be. Theoretically, a proxy firewall has the advantage of being able to recognize and determine 'legal' application calls, sequences, etc., thereby disallowing inappropriate activity. However, most proxy firewalls allow too much 'slack' in their application support because they either can't implement the specific application parameters or purposely don't because it's too difficult to pin down what is 'appropriate' in terms of an application (this is the reason that most IDS systems report so many false positives); performance comes into play as well in these tradeoffs. Also, by virtue of being an 'application-based' system, many of these proxy firewall systems are vulnerable themselves. We have found, through real-world experience, that the best combination for security and functionality is a stateful-inspection firewall system with the appropriate IDS systems inside it and a properly configured perimeter router implementation outside of it. Generally, we have found this to be the case, but we have done some specific implementations of proxy technology where it was appropriate to the specific application(s) being run.

Saying that "all these stateful inspection/packet filter technologies work at too low a level" sounds like you may be missing the forest for the trees; these technologies are often effectively deployed in comprehensive multi-layer solutions for enterprise security.

-----Original Message-----
From: Phil Kramer [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 28, 2001 11:23 PM
To: [EMAIL PROTECTED]
Subject: Re: Hardware Firewall vs Software Firewall

My personal opinion is not hardware vs software, but what firewall is most secure. You can talk about PIX, CheckPoint, Linux with IPtables, IPchains and IPfilters, but from a security point of view a pure application proxy is more secure. How many people can notice a 20 ms pause? If you want speed get a router with ACLs; that's what PIX is. All these stateful inspection/packet filter technologies work at too low a level (layers 2-4) to provide enterprise security. For web servers, mail servers etc. you need layer 7 checking.

Phil Kramer, SANS GSEC
Systems Solutions Technologies, LLC
Phone: 615-646-5766
email: [EMAIL PROTECTED]
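The three filtering models argued over in this thread (a router ACL with the `established` keyword, a stateful inspection firewall, and a layer-7 application check) can be compared side by side in a small simulation. The following is an added example, not code from any of the posters or from Cisco; the addresses, port numbers, the `10.` prefix standing in for the inside network, and the packet and firewall classes are all constructed for illustration. It shows what each poster is pointing at: the stateless ACL has to permit any inbound segment carrying the ACK flag, the stateful tracker only permits return traffic for a connection it saw leave, and neither of them looks at what is actually sent to port 80, which is where the layer-7 check earns its keep.

```python
"""Added example: stateless ACL vs. stateful inspection vs. layer-7 check.

Everything here is a constructed simulation; it models the filtering
decisions, not any vendor's implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A TCP segment reduced to the fields the three models consult."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # e.g. frozenset({"SYN"}) or frozenset({"ACK"})
    payload: bytes = b""


WEB_SERVER = ("10.0.0.80", 80)   # constructed inside host offering HTTP


def is_inside(ip: str) -> bool:
    # Assumption: the inside network is 10.0.0.0/8 (constructed for the demo).
    return ip.startswith("10.")


def stateless_acl(pkt: Packet) -> str:
    """Model 1: a router ACL with no connection memory.

    Roughly: permit outbound; permit inbound to the web server;
    permit inbound 'established' (ACK set); deny the rest.
    """
    if is_inside(pkt.src):
        return "permit"
    if (pkt.dst, pkt.dport) == WEB_SERVER:
        return "permit"
    if "ACK" in pkt.flags:          # the 'established' keyword: flag-only check
        return "permit"
    return "deny"


class StatefulFirewall:
    """Model 2: stateful inspection keyed on the 4-tuple of a seen connection."""

    def __init__(self) -> None:
        self.table: set[tuple] = set()

    def filter(self, pkt: Packet) -> str:
        if is_inside(pkt.src):
            if "SYN" in pkt.flags:   # remember outbound connections as they open
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        if (pkt.dst, pkt.dport) == WEB_SERVER:
            # permitted service: track it so the server's replies get out
            self.table.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "permit"
        # inbound otherwise: only if it is the reverse of a tracked connection
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "permit"
        return "deny"


def http_request_check(payload: bytes) -> str:
    """Model 3: a minimal layer-7 check of the HTTP request line."""
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return "deny"
    parts = line.split(" ")
    if len(parts) != 3:
        return "deny"
    method, target, version = parts
    if method not in ("GET", "HEAD", "POST"):
        return "deny"
    if not target.startswith("/"):
        return "deny"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "deny"
    return "permit"


def run_scenario() -> dict:
    """Run the same constructed traffic through all three models."""
    fw = StatefulFirewall()
    out_syn = Packet("10.0.0.5", 40000, "203.0.113.9", 443, frozenset({"SYN"}))
    reply = Packet("203.0.113.9", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))
    # an unsolicited inbound segment with only ACK set and no matching connection
    stray_ack = Packet("198.51.100.7", 1234, "10.0.0.5", 22, frozenset({"ACK"}))
    # non-HTTP traffic delivered to the web server's port
    not_http = Packet("198.51.100.7", 5555, *WEB_SERVER, frozenset({"SYN"}),
                      b"HELO mail.example\r\n")
    good_http = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"

    fw.filter(out_syn)   # the stateful model must see the connection open first
    return {
        "reply_acl": stateless_acl(reply),          # permit
        "reply_stateful": fw.filter(reply),         # permit
        "stray_ack_acl": stateless_acl(stray_ack),  # permit: ACL cannot tell
        "stray_ack_stateful": fw.filter(stray_ack), # deny: no tracked connection
        "not_http_stateful": fw.filter(not_http),   # permit: port 80 is allowed
        "not_http_l7": http_request_check(not_http.payload),  # deny
        "good_http_l7": http_request_check(good_http),        # permit
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:20s} {verdict}")
```

The two rows worth reading together are `stray_ack_acl` against `stray_ack_stateful` (why Dom calls the ACL approach less effective than connection tracking) and `not_http_stateful` against `not_http_l7` (why Phil wants layer-7 checking in front of web and mail servers). In production the equivalents are the `established` keyword on a Cisco ACL, the connection table of a stateful firewall, and an application proxy or inspection engine; the simulation only reproduces the decision each one makes.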