Security Basics mailing list archives
R: Hardware Firewall
From: "Vega - Brunello Ivan" <I.Brunello () vegaspa it>
Date: Wed, 19 Nov 2008 17:40:10 +0100
ASAs are quite better than PIXes in a couple of things:

- SSL VPN (and even better, webvpn: you can create a custom clientless portal based on user policy), especially on the 8.x trail
- content filter (quite good for basic L7 filtering if you remember that you're basically running on a non-disk system)
- web interface (ASDM is not the best tool, but I find it far mooooore usable than PDM)
- can do some basic traffic shaping

I have used neither the anti-X nor the IPS.

The only things I miss from IOS as an edge device are PBR and policy NAT.

I've been playing with the IOS zone-based firewall, but I find it really convoluted (even more than the ASA content filter ;-) ). But I've been told that once you get acquainted with it, it is a really good tool (even better than ASA, sometimes).

My suggestion is: if you really need hard firewalling, or VPNs, at headquarters (they're not cheap) and need a good device, go for ASA. If you need a little, cheap and good general-purpose device with some basic firewalling, take your time and learn the IOS zone-based firewall on a small 800 or 1800 device.

b/R
Ivan Brunello
-----Original message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Ale x
Sent: Tuesday, 18 November 2008 9:42
To: security-basics () securityfocus com
Subject: Re: Hardware Firewall

Cisco router IOS does the same as an ASA firewall? I haven't actually used an ASA yet (except for trying to emulate one with Dynamips/cygwin), however I am sure there are many differences. For example the IPS/IDS, proxying, deep packet inspection, antivirus/antispam, etc. Fair enough, a router with IOS can do ACLs to block ports and protocols, PBR, SSL VPN connections, etc. -- but it's certainly not a firewall.

I remember reading about Cisco's IPS doing network traffic pattern recognition, to learn the normal behavior of your network. Anything out of the ordinary will be treated as a potential threat. As always there is plenty of information on Cisco's website.

Of course there are many other platforms that can perform similar functions; we have Watchguard Fireboxes at work. They do the job, but I can't stand the management software. Nokia Checkpoint firewalls are always a nice option.

Thanks,
Alex
(sorry, didn't mean to double send)

On Tue, Nov 18, 2008 at 8:40 AM, <h.carpentier () yahoo co uk> wrote:

Hello all,
I am going to upgrade in the near future a network security course. The course is looking at network security from a hardware point of view, using at the present time PIX firewalls and router IOS security features. I am very familiar with the PIX, and am aware that they will be unsupported soon (2012?). They are replaced with ASAs. Are there really many people using ASAs out there? The Cisco routers' IOS seems to be able to fulfil most of the functions anyway. Do you know of other platforms offering the same or similar functions?
Cheers
Hervé Carpentier