R: Hardware Firewall

["Vega - Brunello Ivan" <I.Brunello () vegaspa it>]

ASAs are quite better than PIXes in a couple of things:
- SSL VPN (and even better, webvpn: you can create a custom clientless portal based on user policy), expecially on 8.x 
trail
- content filter (quite good for basic L7 filtering if you remember that you're running basically on a non-disk system)
- web interface (ASDM is not the best tool, but I find it far mooooore usable than PDM).
- can make some basic traffic shaping
Not used neither the anti-X nor the IPS.

The only things I miss from IOS as an edge device is PBR, and policy nat.

I've been playing w/ IOS zone-based firewall, but I find it really circonvoluted (even more than ASA content filter ;-) 
).
But I've been said that once you get aquainted with, it is a really good tool (even better than ASA, sometimes).

My suggestion is:
If you really need hard firewalling, or VPNs, on headquarter (they're not cheap) and need a good device, go for ASA.
If you need a little, cheap and good general purpose device with some basic firewalling, 
take your time and learn IOS Zone-based-firewall on a samll 800 or 1800 device.

b/R


Ivan Brunello

> -----Messaggio originale-----
> Da: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> Per conto di Ale x
> Inviato: martedì 18 novembre 2008 9.42
> A: security-basics () securityfocus com
> Oggetto: Re: Hardware Firewall
>
> Cisco router IOS does the same as an ASA firewall? I haven't actually
> used an ASA yet (except for trying to emulate one with
> Dynamips/cygwin) however I am sure there are many differences. For
> example the IPS/IDS, proxying, deep packet inspection,
> antivirus/antispam, etc.. Fair enough a router with IOS can do ACLs to
> block ports and protocols, PBR, SSL VPN connections, etc -- but it's
> certainly not a firewall.
>
> I remember reading about Ciscos IPS doing network traffic pattern
> recognition, to learn the normal behavoir of your network. Anything
> out of the ordinary will be treated as a potential threat. As always
> there is plenty of information on Cisco's website.
>
> Of course there are many other platforms that can perform similar
> functions, we have Watchguard Firebox's at work. They do the job, but
> I can't stand the management software. Nokia Checkpoint firewalls are
> always a nice option.
>
> Thanks,
> Alex
>
> (sorry didn't mean to double send)
>
> On Tue, Nov 18, 2008 at 8:40 AM,  <h.carpentier () yahoo co uk> wrote:
> > Hello all,
> >
> > I am going to upgrade in the near future a network security course.
> The course is looking at network security from a hardware point of
> view, using at the present time PIX firewalls and router IOS security
> features.
> > I am very familiar with the PIX, and am aware that they will be
> unsupported soon (2012?). They are replaced with ASAs. Is there really
> many people using ASAs out there? The Cisco routers IOS seem to be able
> to fulfil most of the functions anyway.
> > Do you know of other platform offering the same or similar functions?
> >
> > Cheers
> >
> > Hervé Carpentier