RE: Router with security features

From: leon (leon@inyc.com)
Date: 10/16/01


From: "leon" <leon@inyc.com>
To: "'d'Ambly, Jeff'" <jdambly@monster.com>, "'Brumariu, Radu'" <radu@missouri.edu>
Subject: RE: Router with security features
Date: Tue, 16 Oct 2001 12:48:14 -0400
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA+8DoZCJ8SEaYk5pn4rrIf8KAAAAQAAAA4XG6+Ia97E22hpGvVGJbOgEAAAAA@inyc.com>

Cisco makes an even cheaper and smaller PIX firewall. I believe it is
the 505. It is geared to SOHO and it has the same feature set as the
PIX 520s; it just does not come with more powerful hardware. One
question you might want to ask yourself (and this applies to anyone
designing any part of a network) is how (or if) you will address the
issue of scalability. This thread has been going on for a little while
so I have forgotten if the original poster said that his network will
ever / never grow.

HTH,

Leon

PS: I have set up a few of the 505s for offices with up to 35 nodes and
there have been no problems with them overrunning the abilities /
resources of the PIX.

-----Original Message-----
From: d'Ambly, Jeff [mailto:jdambly@monster.com]
Sent: Thursday, October 11, 2001 1:36 PM
To: 'Brumariu, Radu'
Cc: 'security-basics@securityfocus.com'
Subject: RE: Router with security features

Well, when looking at firewalls you have to understand that a PIX is a PC
with an ISA flash card. So if you buy a PIX it is because you can't live
without their feature set. When comparing a Linux box running iptables you
have the possibility of outdoing a PIX. With PIX, to upgrade the CPU you
have to buy a whole new unit; with a Linux box you just need to buy a
bigger CPU. This is more cost effective. If iptables suits your needs then
I would say to use that. I have used iptables, but I like the NAT engine
on the PIX better. This is just my personal preference. In your case you
are only using 5-6 machines; how much traffic could this site take? My
guess is not much. A PIX 520 will knock over at about 60MBs; 5-6 machines
probably will never hit that limit. I would suggest a 515 (they are a bit
cheaper).

The main reason I like the PIX is that I have not yet found a way to
Port Address Translate with iptables. With iptables you have to use
masquerading; this concept can be a bit confusing. Regardless, in your
case it does not really matter what product you go with because you most
likely reach the limits of any hardware. With this in mind you should
focus on the feature set: what are your needs? Do you even need PAT? Will
masquerading work for you? This is what you need to ask yourself. If it
was me I would get a 515, but that is because I like them; a Linux box
running iptables would work just as well.

 -----Original Message-----
From: Brumariu, Radu [mailto:radu@missouri.edu]
Sent: Wednesday, October 10, 2001 2:54 PM
To: security-basics@securityfocus.com
Subject: RE: Router with security features

 
Thanks all you guys for the input.
Most of you seem to opt for the Cisco solution. However, I feel that
I need to be more specific on my question.
Basically, I have a small set of servers (5-6) which I would like to
be protected via a firewall (or a set of them).
Most of the network traffic is going among these servers. Some mail,
web and ssh are supposed to go outside this small network. Now, to
clarify my question: would a PC box running Linux (Bastille Linux,
for example) be as good (read fast and reliable) as a
Cisco/3Com/Nortel/other product? Would buying a Cisco & co. product
prove to be just an unnecessary expenditure?

Once again thank all of you who contributed.

Radu

-----Original Message-----
From: dwhoward@cableaz.com [mailto:dwhoward@cableaz.com]
Sent: Wednesday, October 10, 2001 1:32 PM
To: ""Brumariu" <"Brumariu>; radu@missouri.edu;
security-basics@securityfocus.com
Subject: Re: Router with security features

Radu,

If you want the firewall to work well, I don't think you'll find
convenient.

Someone else mentioned a 2600...I think that may be a good idea. Not
sure how the total price will ring up, but you can also get a T1 Wan
Interface Card with an integrated CSU/DSU. There are also excellent
methods for hardening Cisco IOS device configurations against known
vulnerabilities.

Beef up the memory, too, and there's a few things that you can do for
security:

Cisco FW-IOS - FW attributes, may seem difficult to configure, but
cost effective for your (small) situation. (Also supports a very
limited IDS, which searches for 59(?) digital signatures.)
NAT (if realistic - does provide some additional security)

Are you using this router to segment this portion of your network?
What are the other routers on your net, and will you participate in
routing protocol updates? Other things to think about...while I love
the Cisco solution (and I work for a large Cisco competitor), if
you're using 3Com routers, you may want to consider standardization
(not saying use 3Com, they're end of life anyways, just saying pay
attention to standardization).

At 11:48 AM 10/2/2001 -0500, Brumariu, Radu wrote:
>
>
>hi all,
>
>I would like to buy a router that will also act as a firewall. The
>servers behind the firewall are 5-6 in number, running Solaris 8.
>This small net will have to be deployed in a T1 LAN. My question is:
>which router will be the most convenient as features/price? (The
>LAN is using Nortel switches, just in case there is a homogeneity
>issue.)
>
>Thank you,
>Radu
>
>



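Jeff's remark that he could not find a way to do Port Address Translation with iptables and "had to use masquerading" is worth pinning down, so here is an added example that is not from any poster in the thread: in iptables both MASQUERADE and SNAT rewrite source ports, the difference being that SNAT lets you pin the public address and port range explicitly (the iptables equivalent of a PIX static PAT), while MASQUERADE takes the address from the outbound interface. The ruleset also applies the default-deny forwarding Radu describes (only mail, web and ssh leave the segment). The interface names, the 192.168.10.0/24 segment and the 203.0.113.10 address are constructed assumptions; DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: NAT + outbound filtering for a small
# server segment with iptables. Constructed assumptions: eth0 is outside,
# eth1 is inside (192.168.10.0/24), 203.0.113.10 is the one public address.
IPT="${IPT:-iptables}"
OUT_IF=eth0
IN_IF=eth1
INSIDE=192.168.10.0/24
PUBLIC=203.0.113.10

# Apply a rule, or with DRY_RUN=1 just print the command that would run.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# masquerade: the kernel picks the source address from the outbound
#             interface (right for a dynamic address; ports are rewritten too).
# pat:        SNAT pins the public address and the port range explicitly,
#             which is the iptables equivalent of a PIX static PAT.
nat_rules() {
  case "$1" in
    masquerade) ipt -t nat -A POSTROUTING -o "$OUT_IF" -s "$INSIDE" -j MASQUERADE ;;
    pat) ipt -t nat -A POSTROUTING -o "$OUT_IF" -s "$INSIDE" \
             -j SNAT --to-source "$PUBLIC:1024-65535" ;;
    *) echo "nat_rules: unknown mode '$1' (use masquerade|pat)" >&2; return 1 ;;
  esac
}

# Default-deny forwarding: only the services the servers need outside
# (mail, web, ssh) may open new connections; replies are state-tracked.
filter_rules() {
  ipt -P FORWARD DROP
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  for port in 25 80 443 22; do
    ipt -A FORWARD -i "$IN_IF" -o "$OUT_IF" -s "$INSIDE" -p tcp --dport "$port" \
        -m state --state NEW -j ACCEPT
  done
  # Anything else is logged here and then dropped by the chain policy.
  ipt -A FORWARD -j LOG --log-prefix "FW-DROP: "
}

main() { nat_rules "${1:-pat}" && filter_rules; }

# Only act when explicitly asked, so sourcing the file just defines functions.
if [ "${FW_APPLY:-0}" = 1 ]; then main "$@"; fi
```

Run `DRY_RUN=1 FW_APPLY=1 sh fw.sh pat` to see the generated rules without touching the kernel; drop DRY_RUN (as root) to apply them.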
