PIX 506E vs 8x1 series router


Would anyone mind helping us to make a decision about whether to use a PIX firewall or ACLs on an 800 series router (861 or 871 I would guess) to secure our small business broadband connection against nasties. We intend to switch our consumer grade ADSL modem router into bridge mode only then connect the security device behind that. We do not have either Cisco product in house as yet.

We want to be in full control of how the firewall behaves. I have a reasonable amount of experience with Linux IP Tables based firewalls where we can decide if we DROP or REJECT for each rule violation.

Naturally we want to deny all first and poke small pinholes through the firewall. Incoming will only be a couple of things like VNC to one internal IP address.

We want provision for a DMZ so we can place a monitoring device in there when under attack (we've had a SIP registration attack recently).

We also want to be able to block particular IP addresses and ranges if required.

Outgoing is the usual blend of http, ftp, ssh, ftp, smtp, pop3/imap, nntp/nnrp, sip, iax, and a few others I am not remembering right now.

Our IOS skills are **really* old, but lots of different CLI based products have not been a problem to us. Our skills come from Novell network engineering, through Linux server hosting and firewalling, and connecting all sorts of Unix, VMS, and other foreign hosts to networks. So I don't think we should base the decision on IOS skills, we can get them.

Thanks for any help or advise you can offer.


Reply to
Loading thread data ...

I guess I'd only target the hardware level of your query.

You do realize that the PIX 506E has been EOL'd for a couple years now? And that I'd claim that cisco pretty much let the PIX's slide for years before that. So, anything you've got with a PIX is going to be most likely 3-5 years old to start with.. No new code updates, no license changes, no maintenance.

If you do the PIX (or get some somewhat modern hardware with the ASA line) I'd say that the main benefits are that its a stateful firewall, and you don't have to deal with wonky protocols like FTP or H.323 too much with workarounds on it, like you would have with ACL based stuff.

The Cisco IOS based hardware is newer. You say you just want ACLs, but do you know that Cisco has at least 2 different full-stateful inspection firewall systems inside IOS that are beyond what ACLs alone can do? (Zones and CBAC). They get a more into the magic area though than here's a packet, filter it or not.

Personally, I'd reject either and go with something like a Fortinet or Juniper firewall product myself.

Reply to
Doug McIntyre

The ASA line also acts as a combination app and network firewall. But there are plenty to choose from at varying price points and service level agreements. But it sounds like you're most interested in something reasonably simple that includes both firewall and IDS functionality. Even the small business class ASA firewall from Cisco (5505) has an IDS option but the smaller WatchGuard XTM 500 series and FortiGate 30-80 series appliances do as well. q.v. the Wikipedia for more vendors to research;

formatting link


Reply to
Gary <garyd

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.