Re: PIX vs. router with access lists

From: Derek Small (Fuse) (dwsmall@xxxxxxxxxx)
Date: Tue Apr 18 2000 - 22:49:24 GMT-3


Actually the router does IPSec with triple DES also, if you get the right
feature set. There is a fourth model of the PIX due to be released in about
a month also, the PIX 535, which is rumored to have near gigabit
throughput!!!

John,
  To answer your question about what is Stateful inspection,..

Stateful inspection means that the firewall looks at all packets and makes
forwarding (or blocking) decisions, based on the data that resides in the
packet at levels above level 3. Stateful inspection allows the PIX or
router with FireWall IOS, to examine traffic that is out bound, and allow
returning packets for that connection to come back in. Most stateful
inspection firewalls, at a minimum keep track of the negotiated TCP or UDP
port number (the high number, the source on the outbound connection or the
destination on inbound ones) and even the sequence numbers on TCP transfers,
to make sure that inbound packets are valid responses to a specific outbound
data flow. Stateful inspection firewalls are also capable of more in-depth
packet snooping, like looking for unnamed Java scripts in HTTP transfers, or
illegal SMTP commands in SMTP connections. There are dozens, if not
hundreds of others that can be implemented. All stateful inspection
firewalls snoop for some of these types of attacks, it depends on the
quality of the firewall and engineer that wrote the code, as to how much
snooping is done.

The firewall IOS actually requires you to enable packet snooping and to
specify at what level. You can simply tell the box to do general inspecting on all UDP and
TCP traffic, or you can get more granular.

Another benefit that the PIX has is hardware failover. You can do HSRP with
the routers but if you have to authenticate to a site or are in the middle
of using a shopping cart when the primary router goes down, you will have
to log back into the site and start over. The PIX transfers your existing
translations to the backup box, so you never even know it goes down. Also
Cisco is adding load balancing to the PIX failover option in the next couple
of months, something you can't do with the routers, unless you have a
Local-Director.

Thank You

Derek Small
dwsmall@fatkid.com

----- Original Message -----
From: Richard Mott <richpmott@hotmail.com>
To: <jkconzone@home.com>; <ccielab@groupstudy.com>
Sent: Tuesday, April 18, 2000 8:56 PM
Subject: Re: PIX vs. router with access lists

>
> PIX has three models available now.
>
> The PIX supports triple DES encryption instead of the regular 56 bit for
> ipsec.
>
> Rich Mott
> CCIE #5234
> Network Engineer
> Jannon Solutions
>
> >From: "John Conzone" <jkconzone@home.com>
> >Reply-To: "John Conzone" <jkconzone@home.com>
> >To: "ccielab" <ccielab@groupstudy.com>
> >Subject: PIX vs. router with access lists
> >Date: Tue, 18 Apr 2000 18:45:28 -0400
> >
> > Hi all. I've configured a few PIX boxes with basic configs, inside
> >outside, etc. Not a PIX or security expert.
> > My question is what can a PIX do that a router with access lists
> >can't? To be honest, the PIX seems like a cryptic way to do what can be
> >done easier on a router with access list, at least to me.
> > I'm sure there is a good answer, so you PIX guys out there tell me
> >what it can do that a router can't!
> >
> >
>
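The stateful inspection Derek describes above (outbound connections create state, inbound packets are admitted only as valid replies to that state, and TCP sequence/ack numbers are checked) can be shown as a small connection tracker. This is an added example written for this page, not code from the thread, from the PIX, or from the Cisco firewall IOS; the inside network prefix, the 64K window used for the sequence checks, and all addresses and port numbers in the demo are constructed assumptions.

```python
"""Toy stateful packet filter (added example; not from the thread or from Cisco).

Outbound connections from the inside network create a flow entry keyed on
the protocol and both address/port pairs (the high source port included).
Inbound packets are forwarded only if they match an existing flow, and for
TCP only if their ack number acknowledges data the inside host has sent and
their sequence number falls inside the expected window.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

INSIDE_PREFIX = "10.0.0."   # assumed inside network for the example
WINDOW = 65535              # assumed maximum receive window for seq checks


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters: S, A, F, R
    seq: int = 0
    ack: int = 0
    length: int = 0     # TCP payload bytes


@dataclass
class Flow:
    inside_next_seq: int                  # next seq the inside host will send
    outside_next_seq: Optional[int] = None  # None until the outside side answers


def _consumes(pkt: Packet) -> int:
    """Sequence space used by a TCP segment: payload bytes plus SYN and FIN."""
    return pkt.length + ("S" in pkt.flags) + ("F" in pkt.flags)


class StatefulFilter:
    def __init__(self, inside_prefix: str = INSIDE_PREFIX, window: int = WINDOW):
        self.inside_prefix = inside_prefix
        self.window = window
        self.flows: Dict[Tuple[str, str, int, str, int], Flow] = {}

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            return self._outbound(pkt)
        if self._inside(pkt.dst) and not self._inside(pkt.src):
            return self._inbound(pkt)
        return False  # does not cross the firewall in either direction

    def _outbound(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto == "udp":
            self.flows.setdefault(key, Flow(0))  # UDP: remember the port pair only
            return True
        flow = self.flows.get(key)
        if flow is None:
            if pkt.flags != "S":
                return False  # only a SYN may open a new TCP flow
            self.flows[key] = Flow(pkt.seq + 1)
            return True
        if "R" in pkt.flags:
            del self.flows[key]
            return True
        flow.inside_next_seq = max(flow.inside_next_seq, pkt.seq + _consumes(pkt))
        return True

    def _inbound(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        flow = self.flows.get(key)
        if flow is None:
            return False  # unsolicited: no outbound connection created state
        if pkt.proto == "udp":
            return True
        if "R" in pkt.flags:
            del self.flows[key]
            return True
        # The reply must acknowledge something the inside host actually sent.
        if not (flow.inside_next_seq - self.window <= pkt.ack <= flow.inside_next_seq):
            return False
        if flow.outside_next_seq is None:
            if set(pkt.flags) != {"S", "A"}:
                return False  # first reply to our SYN must be a SYN/ACK
        elif not (flow.outside_next_seq <= pkt.seq < flow.outside_next_seq + self.window):
            return False      # sequence number outside the expected window
        flow.outside_next_seq = pkt.seq + _consumes(pkt)
        return True


def demo() -> list:
    """Constructed traffic: one web session, one DNS lookup, and some junk."""
    fw = StatefulFilter()
    inside, web, dns, attacker = "10.0.0.5", "198.51.100.7", "198.51.100.53", "203.0.113.9"
    return [
        fw.process(Packet("tcp", inside, 40001, web, 80, "S", seq=1000)),                   # SYN out
        fw.process(Packet("tcp", web, 80, inside, 40001, "SA", seq=5000, ack=1001)),         # SYN/ACK back
        fw.process(Packet("tcp", inside, 40001, web, 80, "A", seq=1001, ack=5001)),          # ACK out
        fw.process(Packet("tcp", web, 80, inside, 40001, "A", seq=5001, ack=1001, length=512)),  # data back
        fw.process(Packet("tcp", web, 80, inside, 40001, "A", seq=9000000, ack=1001, length=40)),  # bogus seq
        fw.process(Packet("tcp", attacker, 4444, inside, 40001, "S", seq=77)),               # unsolicited SYN
        fw.process(Packet("tcp", attacker, 1234, inside, 23, "S", seq=1)),                   # inbound telnet
        fw.process(Packet("udp", inside, 53001, dns, 53)),                                   # DNS query out
        fw.process(Packet("udp", dns, 53, inside, 53001)),                                   # DNS reply back
        fw.process(Packet("udp", dns, 53, inside, 53002)),                                   # reply to wrong port
    ]


if __name__ == "__main__":
    print(demo())
```

A plain access list can only express the last three decisions as static rules (and would have to leave the whole high-port range open to get the DNS reply through); the tracker admits the DNS reply and the web data because it saw the matching outbound packets, and drops the segment with the out-of-window sequence number even though its addresses and ports are correct. On a router with the firewall feature set the equivalent is a CBAC `ip inspect name` rule for tcp and udp applied to the outside interface, which is the "enable inspection and at what level" step Derek refers to.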



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:14 GMT-3