What's the need of PIX (when there's IOS FW)?

Hi, can any security experts here explain why there is a need to use a PIX when routers with IOS FW provide firewall and VPN features (using a combination of ACLs, CBAC, and IPS)? Is the PIX really 'better' and more secure / hardened than routers with IOS FW?

TIA

Reply to
Centaury

In article , Centaury wrote:
:can any security experts here enlighten why is there a need to use PIX when
:routers with IOS FW provide firewall and VPN features (using a combination
:of ACLs, CBAC, and IPS)? Is PIX really 'better' and more secure / hardened
:than routers with IOS FW?

The PIX is designed to block packets that it cannot prove are acceptable. IOS FW is designed to pass packets that it cannot prove are unacceptable.

For example, there was a recent theoretical VPN security attack that affected IOS but most of it did not affect PIX 6 because of the PIX's "fail-closed" design.

There is a security maxim that it is better to separate security and routing: even if you end up using the exact same models of devices, use two devices anyhow, one in each of the roles. That reduces the possibility that a weakness in one aspect can be used to bypass a restriction in the other aspect.

If you look at the throughput speed of the PIX compared to the throughput speed of IOS routers, you will find that the PIXes are faster and less expensive -- you aren't paying for the "kitchen sink" of IOS features. To see what I mean, work out what the lowest end model of IOS router is that supports ACLs, CBAC, and IPS, and can saturate a 100 Mb/s line, and compare that to the price of a PIX 506E (the second lowest PIX model that is sold.)

Reply to
Walter Roberson

Moreover, perhaps I have limits in knowing the router's IOS, in how routers can decide whether a connection is opened from a trusted side. For me, applying routers' ACLs is "like" applying UDP rules on a PIX.

Apart from speed considerations and load on the router, could you tell me whether my considerations are wrong or not and, eventually, how to reproduce the PIX's behaviour.

Thanks,

Alex.

Reply to
AM
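As an added illustration that is not from anyone in this thread: the usual way to approximate the PIX's stateful default-deny on an IOS router is CBAC inspection on the inside interface together with a deny-everything ACL inbound on the outside interface, so that only return traffic for inside-initiated sessions gets through. The PIX 6.x lines that follow get the same effect from interface security levels alone. The interface names, the inspection rule name FWRULES and the 203.0.113.x / 192.168.1.x addresses are assumptions made up for this example.

```cisco
! --- IOS FW (CBAC) side: fail-closed on the outside, stateful holes for inside-initiated sessions ---
! FWRULES and the interface names are assumptions for this illustration.
ip inspect name FWRULES tcp
ip inspect name FWRULES udp
!
! Outside-facing ACL: nothing unsolicited is allowed in. CBAC inserts
! temporary permit entries ahead of this ACL for inspected sessions' return traffic.
access-list 110 deny ip any any log
!
interface FastEthernet0/0
 description outside
 ip address 203.0.113.2 255.255.255.0
 ip access-group 110 in
!
interface FastEthernet0/1
 description inside
 ip address 192.168.1.1 255.255.255.0
 ip inspect FWRULES in
!
! --- PIX 6.x side: security levels give the same policy without an explicit ACL ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
```

On the IOS side the behaviour only holds while both halves are present: drop the `ip inspect FWRULES in` line and every inside-initiated session is broken by the deny ACL, drop the ACL and the router is back to passing whatever is not explicitly denied. On the PIX, traffic from the higher security level (inside, 100) to the lower one (outside, 0) is permitted and tracked by default, and anything arriving on the outside interface that does not belong to an existing session is dropped unless an access-list explicitly permits it; that is the "block what it cannot prove acceptable" default Walter describes.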

Thanks Walter. Some very good points there, which might very well help me decide better.

Reply to
Centaury

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.