[fw-wiz] Firewall Throughput

Patrick Darden darden@armc.org
Mon, 11 Sep 2000 15:07:57 -0400 (EDT)


"they're putting too much into the IOS... CBAC feature set...."

The PIX does not run IOS, nor is it associated with CBAC in any way other
than they are both Cisco products.  Completely different product lines.

"Cisco push it along the lines of 'you don't want unix/windows on your
firewall because they're crashable'"

I would like to know where they state that.  It would be pretty
hypocritical as the PIX has a Unix based OS (Plan 9).

"You damn well don't want a router as a firewall"

I don't know of many firewalls that aren't routers as well, that includes
the IP Filter you seem to like so much and even the BSD-based NOKIA
running Checkpoint FW1.  Application-layer proxy based firewalls usually
aren't routers, but otherwise...

"I *refuse* to believe that Linux is a reliable/secure platform"

No offense, but I have Solaris, BSD, AIX, and Linux running here--and
all of them are stable and reliable.  I had one hard-used Linux server
running for almost 2 years before I recently took it down for some

--Patrick Darden                Internetworking Manager             
--                              706.354.3312    darden@armc.org
--                              Athens Regional Medical Center

On Mon, 11 Sep 2000, Darren Reed wrote:

> In some email I received from Darren Mackay, sie wrote:
> > Darren,
> > 
> > | What do you value more - throughput or security ?
> > |
> > | If you value security, the PIX isn't the answer,
> > | IMHO.
> > 
> > Are you saying PIX is not secure? Are you able to elaborate? I have
> > never had any problem with pix, and it certainly has not failed any
> > 'ethical attacks' that haven throwed against it (unlike other vendors,
> > which can be really esoteric in their configs to get around known
> > vulnerabilities).
> My problem with PIX is as follows.  Cisco push it along the lines of
> "you don't want unix/windows on your firewall because they're crashable"
> but at the same time try to sell it as a "router firewall".  You damn
> well don't want a router as a firewall either!  You can make a "firewall"
> out of any Cisco thing which will support the CBAC feature set so why
> does it need to be a PIX in particular ?  Where I'm now working, we use
> the CBAC feature set on the "outside" and IP Filter on the inside.  There
> have been packets which CBAC has let through that IP Filter won't (NOTE:
> I didn't build this firewall :).  That rings alarm bells, to me.  IMHO,
> they're putting too much into the IOS.  I also don't fancy the idea of
> the "firewall" booting up and one day wanting to tftp a boot image from
> whoever will answer...
> For me, if you have the time & money (that's a BIG if) as well as the
> backing and expertise, there's nothing better than a roll-your-own made
> from xBSD (I *refuse* to believe that Linux is a reliable/secure platform
> until they learn what the term "release engineering" means - and that
> goes all the way to the top of the linux tree).  You can strip them back,
> build completely static distributions, etc, and you can get 1U PC hardware
> now too.
> Darren
> _______________________________________________
> Firewall-wizards mailing list
> Firewall-wizards@nfr.net
> http://www.nfr.net/mailman/listinfo/firewall-wizards