Re: PIX vs. router with access lists

From: Chad Marsh (chad@xxxxxx)
Date: Wed Apr 19 2000 - 11:29:35 GMT-3


There is also a PIX 506 coming out for the small branch office, with (2) 10Mb
interfaces only. They say 7Mb throughput using 3DES; I think it's only going
to be $2-3K.

Chad Marsh

----- Original Message -----
From: Derek Small (Fuse) <dwsmall@fatkid.com>
To: <ccielab@groupstudy.com>
Sent: Tuesday, April 18, 2000 6:49 PM
Subject: Re: PIX vs. router with access lists

> Actually the router does IPSec with triple DES also, if you get the right
> feature set. There is a fourth model of the PIX due to be released in
> about a month also, the PIX 535, which is rumored to have near gigabit
> throughput!!!
>
> John,
> To answer your question about what is Stateful inspection...
>
> Stateful inspection means that the firewall looks at all packets and makes
> forwarding (or blocking) decisions, based on the data that resides in the
> packet at levels above level 3. Stateful inspection allows the PIX or
> router with FireWall IOS to examine traffic that is outbound, and allow
> returning packets for that connection to come back in. Most stateful
> inspection firewalls, at a minimum, keep track of the negotiated TCP or UDP
> port number (the high number, the source on the outbound connection or the
> destination on inbound ones) and even the sequence numbers on TCP
> transfers, to make sure that inbound packets are valid responses to a
> specific outbound data flow. Stateful inspection firewalls are also capable
> of more in-depth packet snooping, like looking for unnamed Java scripts in
> HTTP transfers, or illegal SMTP commands in SMTP connections. There are
> dozens, if not hundreds, of others that can be implemented. All stateful
> inspection firewalls snoop for some of these types of attacks; it depends
> on the quality of the firewall and the engineer that wrote the code as to
> how much snooping is done.
>
> The firewall IOS actually requires you to enable packet snooping and at
> what level. You can simply tell the box to do general inspecting on all UDP
> and TCP traffic, or you can get more granular.
>
> Another benefit that the PIX has is hardware failover. You can do HSRP
> with the routers, but if you have to authenticate to a site or are in the
> middle of using a shopping cart when the primary router goes down, you will
> have to log back into the site and start over. The PIX transfers your
> existing translations to the backup box, so you never even know it goes
> down. Also Cisco is adding load balancing to the PIX failover option in the
> next couple of months, something you can't do with the routers, unless you
> have a Local-Director.
>
>
> Thank You
>
> Derek Small
> dwsmall@fatkid.com
>
>
> ----- Original Message -----
> From: Richard Mott <richpmott@hotmail.com>
> To: <jkconzone@home.com>; <ccielab@groupstudy.com>
> Sent: Tuesday, April 18, 2000 8:56 PM
> Subject: Re: PIX vs. router with access lists
>
>
> >
> > PIX has three models available now.
> >
> > The PIX supports triple DES encryption instead of the regular 56-bit for
> > IPsec.
> >
> > Rich Mott
> > CCIE #5234
> > Network Engineer
> > Jannon Solutions
> >
> > >From: "John Conzone" <jkconzone@home.com>
> > >Reply-To: "John Conzone" <jkconzone@home.com>
> > >To: "ccielab" <ccielab@groupstudy.com>
> > >Subject: PIX vs. router with access lists
> > >Date: Tue, 18 Apr 2000 18:45:28 -0400
> > >
> > > Hi all. I've configured a few PIX boxes with basic configs, inside,
> > >outside, etc. Not a PIX or security expert.
> > > My question is what can a PIX do that a router with access lists
> > >can't? To be honest, the PIX seems like a cryptic way to do what can be
> > >done easier on a router with access lists, at least to me.
> > > I'm sure there is a good answer, so you PIX guys out there tell
> > >me what it can do that a router can't!
> > >
> > >
> >
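As an added illustration of the stateful inspection Derek describes (not code from anyone in this thread), the following Python sketch contrasts a stateless router ACL of the "permit inbound TCP only if ACK is set" kind with a flow table that admits only the mirror image of a connection opened from the inside. It goes slightly beyond the thread by also showing the UDP case (a DNS reply) that a stateless ACL cannot match; the addresses and the inside-network prefix are constructed.

```python
from collections import namedtuple

# Constructed example: a packet is a 5-tuple plus the TCP SYN/ACK flags.
Packet = namedtuple("Packet", "proto src sport dst dport syn ack", defaults=(False, False))
INSIDE = "10.0.0."  # assumed inside-network prefix (constructed)

def is_inside(ip):
    return ip.startswith(INSIDE)

def established_acl(pkt):
    """Stateless router ACL: anything outbound, inbound TCP only with ACK set
    (the classic 'established' keyword). It cannot admit UDP replies without
    opening the port outright, and it cannot tell a forged ACK from a real reply."""
    if is_inside(pkt.src):
        return "permit"
    return "permit" if pkt.proto == "tcp" and pkt.ack else "deny"

class StatefulFilter:
    """Records flows opened from the inside; an inbound packet is admitted only
    if it is the mirror image (swapped addresses and ports) of a recorded flow."""
    def __init__(self):
        self.flows = set()

    def check(self, pkt):
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        mirror = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if mirror not in self.flows:
            return "deny"
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            return "deny"  # a bare SYN starts a new connection; it is never a reply
        return "permit"

def demo():
    """Run the same constructed packets through both filters; returns
    {name: (acl_verdict, stateful_verdict)}."""
    fw = StatefulFilter()
    packets = [
        ("out", Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 80, syn=True)),
        ("reply", Packet("tcp", "192.0.2.10", 80, "10.0.0.5", 40000, syn=True, ack=True)),
        ("forged", Packet("tcp", "198.51.100.9", 80, "10.0.0.5", 40001, ack=True)),
        ("dns_out", Packet("udp", "10.0.0.5", 53001, "192.0.2.53", 53)),
        ("dns_reply", Packet("udp", "192.0.2.53", 53, "10.0.0.5", 53001)),
    ]
    return {name: (established_acl(p), fw.check(p)) for name, p in packets}
```

The "forged" packet passes the stateless ACL but not the flow table, and the DNS reply passes the flow table but not the ACL, which is the difference the thread is pointing at.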



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:14 GMT-3