Re: PIX vs. router with access lists

From: Chad Marsh (chad@xxxxxx)
Date: Thu Apr 20 2000 - 02:47:47 GMT-3


   
From the Cisco Security Reseller Update:

PIX 506

The PIX 506 is still targeted for May/June. It is now listed on the PIX web
site at:
<http://www.cisco.com/warp/public/cc/cisco/mkt/security/pix/>
However, it is not yet orderable. Price is set at $1995.

Chad Marsh

----- Original Message -----
From: Derek Small (Fuse) <dwsmall@fatkid.com>
To: Chad Marsh <chad@wa.net>; <ccielab@groupstudy.com>
Sent: Wednesday, April 19, 2000 9:17 AM
Subject: Re: PIX vs. router with access lists

> I think that is the new one that Rich was talking about: 520, 515 and the new
> 506. It is out by the way, though I still can't find pricing on it. Anyone
> seen a real list price yet? The new VPN appliance boxes are out also (3005,
> 3015, 3025?). They look awesome! Finally, a real competitor to the Nortel
> Contivity.
>
> Anyone heard anything about a security CCIE? It can't be far off.
>
> Derek Small
> dwsmall@fatkid.com
>
>
> ----- Original Message -----
> From: Chad Marsh <chad@wa.net>
> To: <ccielab@groupstudy.com>
> Sent: Wednesday, April 19, 2000 10:29 AM
> Subject: Re: PIX vs. router with access lists
>
>
> > There is also a PIX 506 coming out for the small branch office, (2) 10Mb
> > interfaces only; they say 7Mb throughput using 3DES. I think it's only going
> > to be $2-3K.
> >
> > Chad Marsh
> >
> > ----- Original Message -----
> > From: Derek Small (Fuse) <dwsmall@fatkid.com>
> > To: <ccielab@groupstudy.com>
> > Sent: Tuesday, April 18, 2000 6:49 PM
> > Subject: Re: PIX vs. router with access lists
> >
> >
> > > Actually the router does IPSec with triple DES also, if you get the right
> > > feature set. There is a fourth model of the PIX due to be released in about
> > > a month also, the PIX 535, which is rumored to have near gigabit
> > > throughput!!!
> > >
> > > John,
> > > To answer your question about what is Stateful inspection,..
> > >
> > > Stateful inspection means that the firewall looks at all packets and makes
> > > forwarding (or blocking) decisions based on the data that resides in the
> > > packet at levels above level 3. Stateful inspection allows the PIX, or a
> > > router with FireWall IOS, to examine traffic that is outbound and allow
> > > returning packets for that connection to come back in. Most stateful
> > > inspection firewalls, at a minimum, keep track of the negotiated TCP or UDP
> > > port number (the high number, the source on the outbound connection or the
> > > destination on inbound ones) and even the sequence numbers on TCP transfers,
> > > to make sure that inbound packets are valid responses to a specific outbound
> > > data flow. Stateful inspection firewalls are also capable of more in-depth
> > > packet snooping, like looking for unnamed Java scripts in HTTP transfers, or
> > > illegal SMTP commands in SMTP connections. There are dozens, if not
> > > hundreds, of others that can be implemented. All stateful inspection
> > > firewalls snoop for some of these types of attacks; it depends on the
> > > quality of the firewall and the engineer that wrote the code as to how much
> > > snooping is done.
> > >
> > > The firewall IOS actually requires you to enable packet snooping and at what
> > > level. You can simply tell the box to do general inspecting on all UDP and
> > > TCP traffic, or you can get more granular.
> > >
> > > Another benefit that the PIX has is hardware failover. You can do HSRP with
> > > the routers, but if you have to authenticate to a site or are in the middle
> > > of using a shopping cart when the primary router goes down, you will have
> > > to log back into the site and start over. The PIX transfers your existing
> > > translations to the backup box, so you never even know it goes down. Also,
> > > Cisco is adding load balancing to the PIX failover option in the next couple
> > > of months, something you can't do with the routers unless you have a
> > > Local-Director.
> > >
> > >
> > > Thank You
> > >
> > > Derek Small
> > > dwsmall@fatkid.com
> > >
> > >
> > > ----- Original Message -----
> > > From: Richard Mott <richpmott@hotmail.com>
> > > To: <jkconzone@home.com>; <ccielab@groupstudy.com>
> > > Sent: Tuesday, April 18, 2000 8:56 PM
> > > Subject: Re: PIX vs. router with access lists
> > >
> > >
> > > >
> > > > PIX has three models available now.
> > > >
> > > > The PIX supports triple DES encryption instead of the regular 56 bit for
> > > > IPSec.
> > > >
> > > > Rich Mott
> > > > CCIE #5234
> > > > Network Engineer
> > > > Jannon Solutions
> > > >
> > > > >From: "John Conzone" <jkconzone@home.com>
> > > > >Reply-To: "John Conzone" <jkconzone@home.com>
> > > > >To: "ccielab" <ccielab@groupstudy.com>
> > > > >Subject: PIX vs. router with access lists
> > > > >Date: Tue, 18 Apr 2000 18:45:28 -0400
> > > > >
> > > > > Hi all. I've configured a few PIX boxes with basic configs, inside,
> > > > > outside, etc. Not a PIX or security expert.
> > > > > My question is what can a PIX do that a router with access lists
> > > > > can't? To be honest, the PIX seems like a cryptic way to do what can be
> > > > > done easier on a router with access lists, at least to me.
> > > > > I'm sure there is a good answer, so you PIX guys out there tell me
> > > > > what it can do that a router can't!
> > > > >
> > > > >
> > > >
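
Added example (not part of the thread, and not Cisco's PIX or IOS code): a toy
stateful-inspection engine written to illustrate what Derek describes above,
placed beside a stateless "permit tcp any any established" access list so the
difference John asked about is visible in working code. Hosts, ports, sequence
numbers and the inside prefix "10.0.0." are constructed for the demo; the
window size and the handshake rules are simplifications chosen for the example.

```python
# Added example: toy stateful inspection vs. a stateless "established" ACL.
# All addresses, ports and sequence numbers below are constructed for the demo.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # TCP flag letters: S, A, F, R
    seq: int = 0
    ack: int = 0
    length: int = 0         # payload bytes, used for sequence tracking

@dataclass
class Flow:
    proto: str
    in_next: int                     # next seq the inside host should send
    out_next: Optional[int] = None   # next seq expected from outside; set by SYN-ACK
    window: int = 65535              # assumed receive window for the demo

class EstablishedACL:
    """Router ACL 'permit tcp any any established': it only looks at the ACK/RST bit."""
    @staticmethod
    def inbound_allowed(pkt: Packet) -> bool:
        return pkt.proto == "tcp" and ("A" in pkt.flags or "R" in pkt.flags)

class StatefulFirewall:
    """Permits inbound packets only if they belong to a flow opened from inside."""
    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        self.flows: Dict[Tuple[str, str, int, str, int], Flow] = {}

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def process(self, pkt: Packet) -> bool:
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            return self._outbound(pkt)
        if not self._inside(pkt.src) and self._inside(pkt.dst):
            return self._inbound(pkt)
        return False  # traffic that does not cross the firewall is out of scope here

    def _outbound(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        flow = self.flows.get(key)
        if flow is None:
            if pkt.proto == "tcp" and pkt.flags != "S":
                return False  # only a SYN opens a TCP flow; a stray ACK is not a connection
            self.flows[key] = Flow(pkt.proto, in_next=pkt.seq + 1 if pkt.proto == "tcp" else 0)
            return True
        if pkt.proto == "tcp":
            flow.in_next = pkt.seq + pkt.length + (1 if "F" in pkt.flags else 0)
        return True

    def _inbound(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        flow = self.flows.get(key)
        if flow is None:
            return False              # unsolicited: no outbound flow matches this 5-tuple
        if pkt.proto == "udp":
            return True               # UDP: the 5-tuple match is all there is to check
        if flow.out_next is None:
            # Second handshake step: must be a SYN-ACK acknowledging our SYN exactly
            if pkt.flags != "SA" or pkt.ack != flow.in_next:
                return False
            flow.out_next = pkt.seq + 1
            return True
        # Established flow: seq must fall in the window, ack must not run ahead of us
        in_window = flow.out_next <= pkt.seq < flow.out_next + flow.window
        if not (in_window and pkt.ack <= flow.in_next):
            return False
        flow.out_next = max(flow.out_next, pkt.seq + pkt.length + (1 if "F" in pkt.flags else 0))
        return True

def run_demo() -> Dict[str, Tuple[bool, bool]]:
    """Returns {scenario: (stateful_decision, established_acl_decision)} for inbound packets."""
    fw, acl = StatefulFirewall("10.0.0."), EstablishedACL()
    out: Dict[str, Tuple[bool, bool]] = {}
    # 1. Inside host opens HTTP; the SYN-ACK is a valid response to that flow
    fw.process(Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, "S", seq=1000))
    synack = Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, "SA", seq=5000, ack=1001)
    out["syn-ack for our connection"] = (fw.process(synack), acl.inbound_allowed(synack))
    # 2. ACK-only probe at an inside host: no flow exists, but the ACL sees the ACK bit
    probe = Packet("tcp", "198.51.100.7", 12345, "10.0.0.5", 22, "A", seq=7, ack=7)
    out["ack probe to port 22"] = (fw.process(probe), acl.inbound_allowed(probe))
    # 3. Forged packet on the real 5-tuple with a sequence number far outside the window
    forged = Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, "A", seq=900000000, ack=1001, length=10)
    out["forged seq on real tuple"] = (fw.process(forged), acl.inbound_allowed(forged))
    # 4. Legitimate data segment on the real flow
    data = Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, "A", seq=5001, ack=1001, length=1400)
    out["real data segment"] = (fw.process(data), acl.inbound_allowed(data))
    # 5. UDP DNS: the reply is allowed only because the query went out first
    fw.process(Packet("udp", "10.0.0.5", 53000, "203.0.113.53", 53))
    reply = Packet("udp", "203.0.113.53", 53, "10.0.0.5", 53000)
    out["dns reply"] = (fw.process(reply), acl.inbound_allowed(reply))
    stray = Packet("udp", "198.51.100.7", 53, "10.0.0.5", 53000)
    out["udp from unexpected source"] = (fw.process(stray), acl.inbound_allowed(stray))
    return out

if __name__ == "__main__":
    for name, (stateful, established) in run_demo().items():
        print(f"{name:28s} stateful={'permit' if stateful else 'deny':6s} "
              f"acl-established={'permit' if established else 'deny'}")
```

The two decisions differ exactly where the thread says they should: the ACL
waves through any inbound TCP packet carrying an ACK bit, whether or not an
inside host ever started that connection and whether or not the sequence
number makes sense, and it has no way at all to admit a UDP reply without a
standing hole; the flow table admits only packets that answer something the
inside sent. Real firewalls add timeouts, RST handling and window scaling on
top of this, which the example leaves out.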



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:14 GMT-3