
Re: firewall ... Cisco



On Tue, Jun 18, 2002 at 01:44:28PM +0200, Martin Berg wrote:
> >
> >
> >hi,
> >could you tell me what we could do with a firewall and not with a Cisco,
> >because I know a Cisco can filter on IP on any protocol, so
> >where are the real advantages ...
> >
> I think the Cisco IOS firewall-release knows about some protocols, like
> ftp and such bastards (I've never seen it IRL)

IOS firewall is a good product and suits most small companies running a small
router to access the internet; I reckon this is the target. Technically, it is
a connection tracking firewall and is based on the standard IOS ACL mechanism,
except that it opens 'dynamic holes' in it.


The PIX is, well, personally, a kind of strange product; based on a NAT box, it
is weird to understand, but stays a very secure choice as outlined.

However, between a Cisco router + ACL and HSRP, I'd definitely go for a Linux iptables
+ vrrpd, heaps more secure and powerful.

JeF

> 
> A "real" firewall is suitable when you need to filter RPC services (like 
> NFS for example, it runs via portmap and high udp ports)
> and for FTP. It also keeps state for tcp by itself, it's not just 
> looking for the tcp-established flag.
> 
> My _personal_ opinion is that Cisco ACL works real fine and with good
> throughput. It's easy to build a fail-over environment with HSRP. (Cisco
> PIX is an interesting product if it fits in your environment with its
> default settings, but it could be a pain to administer otherwise)
> Computer based firewalls are like computers in common: the OS gets old,
> buffer overruns, you get nervous each time you are about to shut it down or
> reboot.
> 
> Best regards
> 
> Martin
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact 
> listmaster@lists.debian.org

-- 
-> Jean-Francois Dive
--> jef@linuxbe.org
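
Added example (not part of the original messages): a small Python model of the difference Martin describes between an ACL that only looks at the TCP "established" flag and a filter that keeps connection state itself. The packets, addresses and class names are constructed for illustration, and the tracker is deliberately minimal (no timeouts, sequence checks or teardown).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags set on the segment, e.g. frozenset({"SYN"})
    inbound: bool      # True if it arrives on the outside interface

def acl_established(pkt):
    """Stateless rule: inbound TCP passes if ACK or RST is set; outbound always passes."""
    return (not pkt.inbound) or bool(pkt.flags & {"ACK", "RST"})

class StatefulFilter:
    """Minimal connection tracker: no timeouts, sequence checks or teardown."""
    def __init__(self):
        self.connections = set()

    def check(self, pkt):
        if not pkt.inbound:
            if pkt.flags == {"SYN"}:  # inside host opens a connection
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound traffic must be the reverse direction of a tracked connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    ("outbound SYN", Packet("192.0.2.10", 40000, "198.51.100.5", 80, frozenset({"SYN"}), False)),
    ("reply SYN-ACK", Packet("198.51.100.5", 80, "192.0.2.10", 40000, frozenset({"SYN", "ACK"}), True)),
    ("unsolicited ACK", Packet("203.0.113.9", 80, "192.0.2.10", 22, frozenset({"ACK"}), True)),
    ("unsolicited SYN", Packet("203.0.113.9", 4444, "192.0.2.10", 22, frozenset({"SYN"}), True)),
]

def compare(traffic):
    """Return (label, stateless_verdict, stateful_verdict) for each packet in order."""
    fw = StatefulFilter()
    return [(label, acl_established(p), fw.check(p)) for label, p in traffic]

if __name__ == "__main__":
    for label, stateless, stateful in compare(SAMPLE):
        print(f"{label:16} established-ACL={stateless!s:5} stateful={stateful}")
```

The two filters disagree only on the unsolicited ACK: the flag test admits it because the ACK bit is set, while the state table rejects it because no inside host opened that connection.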




