[fw-wiz] Firewall Throughput

Darren Mackay darren.mackay@uq.net.au
Mon, 11 Sep 2000 20:21:54 +1000


Darren,

> My problem with PIX is as follows.  Cisco push
> it along the lines of "you don't want
> unix/windows on your firewall because they're
> crashable" but at the same time try to sell it
> as a "router firewall".  You damn well don't
> want a router as a firewall either!  You can
> make a "firewall" out of any Cisco thing which
> will support the CBAC feature set so why does
> it need to be a PIX in particular ?  Where I'm
> now working, we use the CBAC feature set on the
> "outside" and IP Filter on the inside.  There
> have been packets which CBAC has let through
> that IP Filter won't (NOTE: I didn't build
> this firewall :).  That rings alarm bells, to
> me.  IMHO, they're putting too much into the
> IOS.  I also don't fancy the idea of the
> "firewall" booting up and one day wanting to
> tftp a boot image from whoever will answer...

Thanks for your answer. Essentially I agree with you. Are you able to
provide specific examples of what packets get through in what
circumstances? Management / suits always want consequent proof, and
unfortunately directing them to a website that is operated by techs in
their own time will never sway them from a commercial solution.
Perhaps we need ipfilter to protect our firewalls??

Darren