https://community.cisco.com/t5/network-security/pix-vs-ios/m-p/175005#M698480 <HTML><HEAD></HEAD><BODY><P>Oleg,</P><P></P><P>Very insightful comments but I do have to disagree with one point.</P><P></P><P>1. I would not say that because up to 1% of internet traffic is fragmented that IP fragmentation is common. Especially when you say that 22% of all fragmentation is caused by tunneling. Fragmentation in tunneling can easily be overcome by adjusting the workstation maximum MTU sizes. So that just leaves a maximum of 0.78% of internet traffic.</P><P></P><P>If you are saying that by blocking ICMP path MTU discovery packets, you must allow IP fragments then that is interesting. I really never thought of it that way.</P><P></P><P>I subscribe to the theory that it is better to block fragments and protect yourself against rather simplisitc IP fragmentation DoS attacks than it is to allow them. </P><P></P><P>I 100% agree about the IOS being fail-open and the PIX being fail-closed and from a security point of view the hardware firewall is always the best option.</P><P></P><P>Kevin</P></BODY></HTML> Thu, 28 Aug 2003 06:47:10 GMT kevin-reynolds 2003-08-28T06:47:10Z https://community.cisco.com/t5/network-security/pix-vs-ios/m-p/175000#M698467 <P>I am attempting to find some type of chart that compares the features and limitations of installing a IOS based firewall compared to an actual PIX.</P><P></P><P>I have searched the Cisco web site, and have come up empty.</P><P></P><P>Thanks in advance.</P> Fri, 21 Feb 2020 06:56:45 GMT https://community.cisco.com/t5/network-security/pix-vs-ios/m-p/175000#M698467 bw3481 2020-02-21T06:56:45Z https://community.cisco.com/t5/network-security/pix-vs-ios/m-p/175001#M698470 <HTML><HEAD></HEAD><BODY><P>If the primary purpose of the device is security, use a firewall. If the primary purpose is routing, use a router. Not to be a smartass, that's just the best way to make that decision.</P><P></P><P>Maybe the reason they don't post a side-by-side comparision is because each router is different and some PIXen also have different features. It's sort of apples and oranges. Since this is a broad subject, you will problably be best served making up your own product matrix and then checking off the features you want.</P><P></P><P>IOS Firewall will suck up CPU cycles on a router. PIX is much faster and easier to work and play with. It's also usually cheaper than using a router as a firewall.</P><P></P><P>If you post an idea of how your network is set up and what you want to achieve with the device, I'll bet people will post some more specific info. </P><P></P><P></P></BODY></HTML> Fri, 22 Aug 2003 03:19:43 GMT https://community.cisco.com/t5/network-security/pix-vs-ios/m-p/175001#M698470 r-lemaster 2003-08-22T03:19:43Z https://community.cisco.com/t5/network-security/pix-vs-ios/m-p/175002#M698472 <HTML><HEAD></HEAD><BODY><P>Strictly speaking IOS firewall is not a firewall at all. All you need to do to evade application-layer inspection is just fragment your traffic. This will probably never be changed as 1) routers should pass all traffic, even fragmented, 2) Routers' CPUs are usually very slow -- they cannot do virtual reassembly. So, in a long term PIX is a better solution, but it has lots of its own problems.</P><P></P><P>So, use both <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P></P><P>Oleg Tipisov,</P><P>REDCENTER,</P><P>Moscow</P><P></P></BODY></HTML> Wed, 27 Aug 2003 12:36:49 GMT https://community.cisco.com/t5/network-security/pix-vs-ios/m-p/175002#M698472 ovt 2003-08-27T12:36:49Z https://community.cisco.com/t5/network-security/pix-vs-ios/m-p/175003#M698474 <HTML><HEAD></HEAD><BODY><P>Oleg,</P><P></P><P>I agree with your comments that both should be used, but I wonder why you would not block IP fragments via the use of an ACL?</P><P></P><P>Kevin</P></BODY></HTML> Wed, 27 Aug 2003 13:06:25 GMT https://community.cisco.com/t5/network-security/pix-vs-ios/m-p/175003#M698474 kevin-reynolds 2003-08-27T13:06:25Z https://community.cisco.com/t5/network-security/pix-vs-ios/m-p/175004#M698478 <HTML><HEAD></HEAD><BODY><P>Kevin,</P><P></P><P>1. Up to 1% of Internet packets are fragmented:</P><P>8% - reverse order; 0.1% with duplicates or overlapping. Of this 1%: 52% - MS Media Player, 22% -tunneling (source - CAIDA, or like that).</P><P></P><P>2. PMTUD sometimes doesn't work as ICMP is blocked somewhere.</P><P></P><P>3. PMTUD is not implemented for UDP by M$ (so far as I know).</P><P></P><P>So, fragmentation is common and normal thing.</P><P></P><P>Routers SHOULD pass fragments, firewalls MAY not and usually you cannot block *all* fragments with "a-l 100 deny ip any any fragments". You *probably* can block fragments for *specific* protocols that are application-layer-inspected by the IOS firewall (say, SMTP, for SMTP Mail Guard to work), but this is not an easy thing. For example:</P><P></P><P>permit tcp any host myserver eq 25</P><P>deny ip any host myserver fragments</P><P></P><P>will probably work, but I'm not sure. At least it should be carefully tested.</P><P></P><P>Most PIX firewall fixups block all fragments of the respective application protocol by default (there are exceptions though - ftp without "strict" keyword, SIP until recently, etc. - they are open for various vulnerabilities).</P><P></P><P>So, in general, PIX (arguably) do the right thing with fragments. And it is much easyer to configure. I would say that the IOS firewall is "fail-open" and the PIX is "fail-closed" by default regarding the fragments and application-layer inspection, where "fail-open" means "pass the packet if unable to analyze it" and "fail-closed" means "drop it".</P><P>This basically means that the IOS firewall is not a firewall at all.</P><P></P><P>This is just my opinion.</P><P></P><P>Oleg Tipisov,</P><P>CCSI,</P><P>REDCENTER,</P><P>Moscow</P><P></P></BODY></HTML> Wed, 27 Aug 2003 15:57:31 GMT https://community.cisco.com/t5/network-security/pix-vs-ios/m-p/175004#M698478 ovt 2003-08-27T15:57:31Z https://community.cisco.com/t5/network-security/pix-vs-ios/m-p/175005#M698480 <HTML><HEAD></HEAD><BODY><P>Oleg,</P><P></P><P>Very insightful comments but I do have to disagree with one point.</P><P></P><P>1. I would not say that because up to 1% of internet traffic is fragmented that IP fragmentation is common. Especially when you say that 22% of all fragmentation is caused by tunneling. Fragmentation in tunneling can easily be overcome by adjusting the workstation maximum MTU sizes. So that just leaves a maximum of 0.78% of internet traffic.</P><P></P><P>If you are saying that by blocking ICMP path MTU discovery packets, you must allow IP fragments then that is interesting. I really never thought of it that way.</P><P></P><P>I subscribe to the theory that it is better to block fragments and protect yourself against rather simplisitc IP fragmentation DoS attacks than it is to allow them. </P><P></P><P>I 100% agree about the IOS being fail-open and the PIX being fail-closed and from a security point of view the hardware firewall is always the best option.</P><P></P><P>Kevin</P></BODY></HTML> Thu, 28 Aug 2003 06:47:10 GMT https://community.cisco.com/t5/network-security/pix-vs-ios/m-p/175005#M698480 kevin-reynolds 2003-08-28T06:47:10Z