PIX 506E as a router

Hello,

I've searched and I just have not found a simple answer to this question:

Is the PIX safe to use as a router?

Let me explain the small network I have before I'm told "The PIX is not a router".

I have 20 users behind the PIX. Everything is working great. I just need the PIX to block all incoming from the WAN and only allow the outgoing ports I have defined. That's it, nothing else. So is it safe to use it as a simple router? I've followed three guides on locking it down and I feel that it's secure, but I just want someone to tell me "Hey Jason, it sounds like you're okay to use it in the way you have it set up".

Thanks

Jason Dill

Depends on what is being handed off to you, an ethernet connection will work, a T1 line will not.

artie lange

Sounds like you require a firewall more than a router, since you've not indicated any requirement for dynamic routing protocols.

Your primary question was - "is it safe". The PIX is a security device, and it is used by many in this capacity every day.

You like it, you're familiar with it, it works, and you've taken some initiative to secure it. As long as you feel it provides enough flexibility for future changes in infrastructure, use it.

The administrator's initiative and competence in securing the device and the network it protects, is often more relevant than the choice of device (given reasonable limits of course).

I'm sure you'll hear other opinions shortly. ;>)

Best Regards, News Reader

News Reader

No.

No.

You cannot configure the PIX as described, except by physically cutting some wires. Configuring it as described would be of little value anyhow, as you *need* the responses coming from the WAN unless all you have is some unicast (e.g., UDP) traffic that never needs even a single packet of response.

What most people find of value is to configure the PIX to allow incoming packets that are responses to outgoing packets (a different situation than blocking all incoming from the WAN.) The PIX 506E does -fairly- well in such configurations, but since PIX 7 is not officially supported on PIX 506E models, you are limited to the facilities in PIX 6.5, which is a little weak (from a human point of view) in determining which ICMP packets are really responses to something that was outgoing, vs unsolicited ICMP packets that you would want to discard. A substantial difficulty in this matter is that several types of ICMP packets are inherently "unsolicited" but of major importance, such as ICMP "network unreachable" packets, which can come from -any- machine along the line. PIX 7 does a bit better in making these determinations (which are not easy to mechanically make.)

However, configuring a PIX to use as a router would mean that you want to turn off all intelligence about whether any particular packet was solicited or unsolicited and instead just pass packets through (possibly translating addresses along the way.) That's what a router *does*: it passes packets from source to destination without context of whether it is the "right" packet for the situation. A router does not, for example, care what the PORT number was on the outgoing FTP GET request: it just sees that a connection request is coming in for a particular TCP port and IP, and it passes the connection request to the destination, not caring whether the IP address of the incoming request is the "expected" IP address (and there are some legitimate cases where they would differ, which a router handles fine but a PIX needs dangerous pre-configuration to handle.)

A PIX is a firewall. A firewall -is- a layer 3 device, in that it joins multiple layer 2 domains, but a PIX does too much filtering that cannot be turned off for it to be considered a "router".

For example, if you *want* 1500 byte ICMP Echo packets to get through, then you cannot do it in PIX 6.2 or 6.3: they are hard-coded to block large ICMP packets. A *router* wouldn't care and would just pass the packets through.

So, No, a PIX 506E cannot safely be used as a router. It -can- (relatively) safely be used as a layer 3 firewall. It isn't perfect as a firewall, but it is quite good.

Walter Roberson
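The distinction Walter draws above, a router forwarding everything versus a firewall admitting only replies to flows it saw leave (and ICMP errors that quote such a flow), as a toy Python model. This is an added illustration, not code from the thread or from the PIX: the Packet class, the flow-table rules and the addresses (documentation ranges) are all constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed packet model: for ICMP echo traffic the port fields carry the ICMP
# identifier, so echo-request/echo-reply fit the same 5-tuple bookkeeping.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                        # "tcp", "udp" or "icmp"
    icmp_type: Optional[str] = None   # "echo-request", "echo-reply", "unreachable", ...
    quoted: Optional[Tuple] = None    # ICMP errors quote the offending packet's 5-tuple

def router_forward(pkt: Packet) -> str:
    """A router has no notion of 'solicited': it forwards whatever it can route."""
    return "forward"

class StatefulFilter:
    """Toy model of the 'allow only replies to outgoing' policy the thread describes."""
    ICMP_ERRORS = {"unreachable", "time-exceeded", "parameter-problem"}

    def __init__(self, allowed_out_ports):
        self.allowed = set(allowed_out_ports)
        self.flows = set()            # (inside_ip, inside_port, outside_ip, outside_port, proto)

    def outbound(self, pkt: Packet) -> str:
        # Only the administrator's defined destination ports may leave; ICMP echo is allowed.
        if pkt.proto != "icmp" and pkt.dport not in self.allowed:
            return "drop: outbound port not permitted"
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        if pkt.proto == "icmp" and pkt.icmp_type in self.ICMP_ERRORS:
            # Unsolicited by definition and sent by any hop along the path, yet
            # legitimate when the quoted inner header refers to a flow we opened.
            if pkt.quoted in self.flows:
                return "permit: error for tracked flow"
            return "drop: unrelated icmp error"
        # Everything else must be the exact reverse of an outbound flow we have seen.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "permit" if reverse in self.flows else "drop: unsolicited"
```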

Walter:

I'm not challenging your facts, just the literal interpretation of his post.

Given that such a scenario "would be of little value", isn't it most likely that he meant that he wanted to block "connection initiation" from the WAN, and that his choice of wording didn't meet with your exacting expectations?

He's not mentioned any other device between the users and the WAN. Some would use a router with an integrated firewall.

Is it not likely that he is trying to reconcile having been told that a router is what he's supposed to use, and others telling him a PIX is not a router?

Perhaps his real question is, if I'm implementing a single device between my users and the WAN, is a PIX suitable?

Clearly, he's indicated the desire to control traffic at the edge, which is beyond the core functionality of a router, as you have so eloquently described.

Best Regards, News Reader

News Reader
