02-11-2006 05:48 AM - edited 02-21-2020 12:42 AM
Could someone point me to some docs on cisco.com in comparing the use of a Secure IOS on a router & using a cisco firewall? I want to use an ISR w/secure ios if possible but not sure if I can lock down the outside of the network as well as I could with a pix or asa so I want to make sure I do everything I can and do it right. Any help is greatly appreciated.
02-11-2006 07:55 PM
I'm not quite sure what "Secure IOS" is; Google and Cisco.com don't yield any promising results on that. However, there's no shortage of mention of "Cisco Secure IOS Firewalls", so perhaps it's a marketing wank-word?
Whether Cisco IOS itself is secure or not is a topic of discussion for another forum >:}.
However, to answer your question, when you talk about the IOS variant that runs on the PIX, you're essentially describing an IP Forwarding engine with a different default set of security policies with a default "deny/block any/any" as defined by the "ASA" system (not to be confused with the ASA hardware line).
You're also talking about strong cryptography/authentication/security features that may be optional addons on traditional IOS.
I was at a "Lunch&Learn" hosted by Cisco on Friday and the Cisco sales rep (Chris Oggerino) ? essentially portrayed the ISR router as ideal for complementing entry-level switching gear in "Branch" offices where concepts like "Perimeter" router, "Inside Firewall" might not apply, and features like IDS, IPS, Redundancy, Voice, which might traditionally be independent hardware units, are features on the ISR. Of course, you still need two of everything for HSRP/BGP >:}
It's a question of budget and design. Do you want your firewall to be an autonomous device?
TIA,
~lava
02-11-2006 11:02 PM
Hi,
There was a discussion in this forum about this topic; check "Firewalling: PIX vs IOS Firewall". The last conversation was posted on Jan 10, 2006. Let me know then if this helps.
Rgrds,
Haitham
02-12-2006 06:12 AM
Haitham, thank you. I appreciate it. This helped me out in regards to links from that discussion and the content within the discussion.
sm
03-30-2006 09:18 AM
And I am in a debate with a co-worker that indicates a normal Cisco router (72xx) without the Firewall feature can do just as much as a PIX can with the use of properly configured ACLs.
Can anyone put this debate to rest for good? I am so tired of comparing non-security devices with security devices.
I have no issue with comparing IOS-Firewall to PIX.
04-04-2006 03:26 PM
Hi,
Well, you can't just say that a router with no FW capability can just do what a real FW can do. For example, PIX is a stateful device that keeps state of sessions. On the contrary, in a normal router with no FW features turned on, the router is not a stateful device and it does not keep track of sessions. However, with FW features enabled, and by implementing CBAC, the router will become stateful in this regard. This is just a simple, straightforward answer that should put this debate to rest.
Hope this helps.
Regards,
Haitham
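Added example, not part of the thread and not Cisco's implementation: a simplified Python model of the difference described in the reply above, comparing a per-packet ACL with a filter that keeps a session table. It assumes the ACL admits return traffic by TCP flags alone (an `established`-style match on ACK or RST); the packet model, addresses and function names are constructed for illustration.

```python
from collections import namedtuple

# Constructed packet model: direction is "out" (inside -> outside) or "in".
Packet = namedtuple("Packet", "direction src sport dst dport flags")

def stateless_acl(pkt):
    """Per-packet filter (assumed 'established'-style rule): inbound TCP is
    permitted whenever ACK or RST is set. It has no memory of sessions."""
    if pkt.direction == "out":
        return True
    return bool({"ACK", "RST"} & set(pkt.flags))

class StatefulFilter:
    """Session-tracking filter: inbound traffic is permitted only when it
    mirrors a connection that an inside host opened."""
    def __init__(self):
        self.sessions = set()

    def check(self, pkt):
        if pkt.direction == "out":
            if pkt.flags == ("SYN",):  # inside host opens a connection
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return False
        if "RST" in pkt.flags or "FIN" in pkt.flags:
            self.sessions.discard(key)  # simplified teardown
        return True

def compare(packets):
    """Return [(stateless_verdict, stateful_verdict), ...] for a sequence."""
    fw = StatefulFilter()
    return [(stateless_acl(p), fw.check(p)) for p in packets]

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE = [
    Packet("out", "192.0.2.10", 40000, "198.51.100.5", 443, ("SYN",)),
    Packet("in", "198.51.100.5", 443, "192.0.2.10", 40000, ("SYN", "ACK")),
    Packet("in", "203.0.113.9", 443, "192.0.2.10", 40001, ("ACK",)),  # no session
    Packet("in", "198.51.100.5", 443, "192.0.2.10", 40000, ("FIN", "ACK")),
    Packet("in", "198.51.100.5", 443, "192.0.2.10", 40000, ("ACK",)),  # after close
]

if __name__ == "__main__":
    for pkt, (acl, fw) in zip(SAMPLE, compare(SAMPLE)):
        print(pkt.src, pkt.flags, "stateless:", acl, "stateful:", fw)
```

The two filters agree on the legitimate handshake and differ on the third and fifth packets, which carry an ACK but belong to no open session.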
07-20-2006 07:54 PM
What about comparing PIX to ASA? Which one is better to purchase?
07-21-2006 04:57 AM
Hi Stephen, if you want an integrated security appliance with firewall and IPS then ASA is good; if you are just looking for a firewall then I guess PIX will be enough. See ya.
regards
sebastan
07-21-2006 07:20 AM
For new investments I would go for the ASA, as with the introduction of the ASA5505 the PIX might be going away and the ASA can become one of the essential elements for the Cisco Self Defending Network.