Hi,
Would anyone mind helping us to make a decision about whether to use a PIX firewall or ACLs on an 800 series router (861 or 871, I would guess) to secure our small business broadband connection against nasties. We intend to switch our consumer grade ADSL modem router into bridge mode only, then connect the security device behind that. We do not have either Cisco product in house as yet.
We want to be in full control of how the firewall behaves. I have a reasonable amount of experience with Linux iptables-based firewalls, where we can decide if we DROP or REJECT for each rule violation.
Naturally we want to deny all first and poke small pinholes through the firewall. Incoming will only be a couple of things like VNC to one internal IP address.
We want provision for a DMZ so we can place a monitoring device in there when under attack (we've had a SIP registration attack recently).
We also want to be able to block particular IP addresses and ranges if required.
Outgoing is the usual blend of http, ftp, ssh, smtp, pop3/imap, nntp/nnrp, sip, iax, and a few others I am not remembering right now.
Our IOS skills are *really* old, but lots of different CLI based products have not been a problem to us. Our skills come from Novell network engineering, through Linux server hosting and firewalling, and connecting all sorts of Unix, VMS, and other foreign hosts to networks. So I don't think we should base the decision on IOS skills; we can get them.
Thanks for any help or advice you can offer.
Graham
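The policy described in the post (deny all, a VNC pinhole to one inside host, a DMZ VLAN for a monitoring box, an on-demand blocklist, and a named list of outgoing services), written as an IOS ACL configuration. This is an added example and not part of the original post or a reply to it. It assumes an 87x/86x-class router with the advanced security feature set (CBAC `ip inspect`, including the `sip` inspector); interface names and every address (RFC 1918 inside, RFC 5737 outside and blocklist ranges) are placeholders. With the ADSL modem in bridge mode the WAN side would normally be a PPPoE Dialer1 interface; FastEthernet4 stands in for it here to keep the example short.

```cisco
! Added example, not part of the original post. Assumes an 87x/86x-class
! router with the advanced security feature set (CBAC "ip inspect").
! Interface names and all addresses (RFC 1918 / RFC 5737 ranges) are
! placeholders. With the ADSL modem in bridge mode the WAN side would
! normally be a PPPoE Dialer1 interface; FastEthernet4 is used here
! to keep the example short.
!
! Stateful inspection: return traffic for sessions opened from inside
! is admitted dynamically, so OUTSIDE-IN only lists true inbound pinholes.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND sip
!
interface Vlan1
 description INSIDE
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip access-group INSIDE-OUT in
 ! clamp MSS for the PPPoE MTU; "no ip unreachables" below also silences
 ! the router's own fragmentation-needed replies, so do not rely on PMTUD
 ip tcp adjust-mss 1452
!
interface Vlan2
 description DMZ (monitoring host lives here)
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip access-group DMZ-IN in
!
interface FastEthernet4
 description OUTSIDE
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect OUTBOUND out
 ! an IOS ACL "deny" answers with ICMP admin-prohibited by default
 ! (the iptables REJECT behaviour); this turns it into a silent DROP
 no ip unreachables
 no ip redirects
 no ip proxy-arp
!
! NAT: overload for LAN and DMZ, plus the single VNC pinhole
ip nat inside source list NAT-INSIDE interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.50 5900 interface FastEthernet4 5900
! Optional, during a SIP attack: steer UDP 5060 at the DMZ monitor instead
! (needs a matching "permit udp any host 203.0.113.2 eq 5060" in OUTSIDE-IN)
! ip nat inside source static udp 192.168.2.10 5060 interface FastEthernet4 5060
!
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
!
ip access-list extended OUTSIDE-IN
 remark -- blocklist first: ranges to cut off on demand (placeholder range)
 deny   ip 198.51.100.0 0.0.0.255 any log
 remark -- anti-spoofing: our own space never arrives from the Internet
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 remark -- pinhole: VNC to the one NATed host. This ACL is evaluated before
 remark    inbound NAT, so the destination is the public address. Narrow the
 remark    source to the admin's address if it is static.
 permit tcp any host 203.0.113.2 eq 5900
 remark -- ICMP needed for diagnostics and path MTU discovery
 permit icmp any host 203.0.113.2 echo-reply
 permit icmp any host 203.0.113.2 time-exceeded
 permit icmp any host 203.0.113.2 packet-too-big
 deny   ip any any log
!
ip access-list extended INSIDE-OUT
 remark -- the outgoing blend, named services only; everything else is logged
 permit udp 192.168.1.0 0.0.0.255 any eq domain
 permit tcp 192.168.1.0 0.0.0.255 any eq domain
 permit tcp 192.168.1.0 0.0.0.255 any eq www
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
 permit tcp 192.168.1.0 0.0.0.255 any eq 22
 permit tcp 192.168.1.0 0.0.0.255 any eq smtp
 permit tcp 192.168.1.0 0.0.0.255 any eq pop3
 permit tcp 192.168.1.0 0.0.0.255 any eq 143
 permit tcp 192.168.1.0 0.0.0.255 any eq nntp
 permit udp 192.168.1.0 0.0.0.255 any eq 5060
 permit tcp 192.168.1.0 0.0.0.255 any eq 5060
 permit udp 192.168.1.0 0.0.0.255 any eq 4569
 remark -- RTP media; use the PBX's configured range rather than this default
 permit udp 192.168.1.0 0.0.0.255 any range 10000 20000
 permit icmp 192.168.1.0 0.0.0.255 any
 deny   ip any any log
!
ip access-list extended DMZ-IN
 remark -- the monitor may reach the Internet but never initiate into the LAN
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit udp 192.168.2.0 0.0.0.255 any eq domain
 permit tcp 192.168.2.0 0.0.0.255 any eq www
 permit tcp 192.168.2.0 0.0.0.255 any eq 443
 deny   ip any any log
```

Two points a practitioner moving from iptables would want to check. First, the DROP/REJECT distinction is not per rule on IOS: a `deny` line answers with an ICMP administratively-prohibited unreachable unless `no ip unreachables` is set on the interface, and that setting is per interface, not per ACL entry; it also suppresses the router's own fragmentation-needed messages, which is why the MSS clamp on the inside interface is there. Second, the inbound ACL on the outside interface is evaluated before outside-to-inside NAT, so inbound pinholes are written against the public address, while the ACL on the inside interface sees the private addresses. On an 861, which ships a newer IOS train, the same policy would more usually be expressed with the Zone-Based Firewall (class-maps and policy-maps between zones) rather than CBAC; the ACL contents carry over unchanged.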