In article , Centaury wrote:
:can any security experts here enlighten us as to why there is a need to use PIX when
:routers with IOS FW provide firewall and VPN features (using a combination
:of ACLs, CBAC, and IPS)? Is PIX really 'better' and more secure / hardened
:than routers with IOS FW?
The PIX is designed to block packets that it cannot prove are acceptable. IOS FW is designed to pass packets that it cannot prove are unacceptable.
For example, there was a recent theoretical VPN security attack that affected IOS but most of it did not affect PIX 6 because of the PIX's "fail-closed" design.
There is a security maxim that it is better to separate security and routing: even if you end up using the exact same models of devices, use two devices anyhow, one in each of the roles. That reduces the possibility that a weakness in one aspect can be used to bypass a restriction in the other aspect.
If you look at the throughput of the PIX compared to the throughput of IOS routers, you will find that the PIXes are faster and less expensive -- you aren't paying for the "kitchen sink" of IOS features. To see what I mean, work out the lowest-end model of IOS router that supports ACLs, CBAC, and IPS and can saturate a 100 Mb/s line, and compare its price to that of a PIX 506E (the second-lowest PIX model sold).
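The "block what you cannot prove acceptable" versus "pass what you cannot prove unacceptable" distinction in the reply above, shown as a toy stateful filter with a switchable default posture. This is an added example, not code from the post or from Cisco; the rule sets, the session-tracking scheme, the addresses and the packets are all constructed here for illustration and do not reproduce how PIX or IOS FW actually classify traffic.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """One packet as seen by the filter. inbound=True means outside -> inside.
    Constructed for this example; not a real capture format."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False      # TCP SYN flag, only meaningful when proto == "tcp"
    inbound: bool = True


@dataclass
class StatefulFilter:
    """Toy stateful filter with a configurable default posture (hypothetical design).

    default_deny=True  : drop anything that cannot be positively classified (fail-closed)
    default_deny=False : pass anything that does not hit an explicit deny rule (fail-open)
    """
    default_deny: bool
    allow_in: set = field(default_factory=set)   # (proto, dport) accepted from outside
    deny_in: set = field(default_factory=set)    # (proto, dport) explicitly refused
    sessions: set = field(default_factory=set)   # direction-independent flow identifiers

    @staticmethod
    def _session(pkt):
        # Same identifier for both directions of a flow, so replies match the request.
        return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

    def decide(self, pkt):
        """Return (verdict, reason) for one packet and update session state."""
        sess = self._session(pkt)
        if not pkt.inbound:
            # Inside-initiated traffic leaves freely and opens a session entry
            # so that its replies can be recognised later.
            self.sessions.add(sess)
            return ("pass", "outbound, session recorded")
        if sess in self.sessions:
            return ("pass", "part of a tracked session")
        if (pkt.proto, pkt.dport) in self.deny_in:
            return ("drop", "explicit deny rule")
        if (pkt.proto, pkt.dport) in self.allow_in and (pkt.proto != "tcp" or pkt.syn):
            self.sessions.add(sess)
            return ("pass", "explicit allow rule, new session")
        # Nothing proved the packet good or bad: only the default posture decides.
        if self.default_deny:
            return ("drop", "unclassified, fail-closed default")
        return ("pass", "unclassified, fail-open default")


def run_scenario():
    """Run one constructed traffic sample through both postures; return verdicts per posture."""
    traffic = [
        Packet("10.0.0.5", "203.0.113.9", "tcp", 40000, 443, syn=True, inbound=False),  # inside client opens HTTPS
        Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 40000),                          # legitimate reply
        Packet("198.51.100.7", "10.0.0.8", "tcp", 51000, 80, syn=True),                 # new HTTP to published server
        Packet("198.51.100.7", "10.0.0.8", "tcp", 51001, 23, syn=True),                 # telnet, explicitly denied
        Packet("198.51.100.7", "10.0.0.8", "tcp", 51002, 8080),                         # stray ACK: no session, no rule
        Packet("198.51.100.7", "10.0.0.8", "udp", 51003, 161),                          # SNMP probe: no rule either way
    ]
    results = {}
    for name, default_deny in (("fail_closed", True), ("fail_open", False)):
        fw = StatefulFilter(default_deny, allow_in={("tcp", 80)}, deny_in={("tcp", 23)})
        results[name] = [fw.decide(p)[0] for p in traffic]
    return results


def divergent_packets(results):
    """Indices of packets on which the two postures disagree."""
    pairs = zip(results["fail_closed"], results["fail_open"])
    return [i for i, (closed, opened) in enumerate(pairs) if closed != opened]


if __name__ == "__main__":
    res = run_scenario()
    for posture, verdicts in res.items():
        print(posture, verdicts)
    print("packets decided purely by the default posture:", divergent_packets(res))
```

Both filters agree on everything they can classify: the tracked HTTPS reply and the permitted HTTP SYN pass, the denied telnet SYN drops. They part ways only on the last two packets, the stray ACK and the SNMP probe, which match no rule and no session; the fail-closed filter drops both, the fail-open one passes both. That residue of unclassifiable traffic is exactly where the two design philosophies in the reply differ.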