11-22-2004 01:47 AM - edited 02-20-2020 11:45 PM
If somebody asks what is special in the PIX firewall that is not in a router's ACLs (access control lists), what should the answer be?
I mean the benefits of using a PIX firewall over a router's ACLs. Please help me to differentiate these.
11-22-2004 02:09 AM
Hi Imran,
The PIX is designed only for security purposes, unlike a router, which can do both security and high-level routing. You should use components that are designed for the specific purpose.
Anyway, a router can do basic/high-level access control mechanisms by using static and dynamic access lists. Routers can be configured with lock-and-key ACLs, reflexive ACLs, etc., which are really useful from a security point of view. If there is a cost constraint, then a router can obviously be used to block unnecessary traffic. Nothing wrong with it. You just need to buy additional flash/DRAM and load the security IOS.
PIX has its own mechanism of working, unlike a router. The best thing about PIX is the Adaptive Security Algorithm (ASA). By default, any traffic from higher security to lower security is allowed, and blocked the other way, so you need not worry about the traffic coming from outside to inside, as it is blocked by default. It's not like this in routers.
So, depending on your scenario, you can use either a PIX or a router to block your traffic. My advice will be to use a PIX and design DMZs to effectively block traffic.
Hope this helps.
All the best!!
11-28-2004 07:04 PM
Also:
PIXes are stateful by default.
PIXes have dedicated (ASIC) hardware to do ACL checking.
PIXes also check to make sure IP/UDP/TCP headers are sane.
PIXes will be faster at doing VPNs than a router (depending on the model, of course).
PIXes are a dedicated device.
PIXes can be set up in a failover pair (I suppose you can do the same thing with HSRP across routers).
+ lots more!
cheers
dave
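An added illustration, not part of either reply above and not Cisco code: a Python model of the two behaviours the answers describe, the security-level default (higher to lower allowed, the reverse blocked) and stateful tracking, next to a stateless ACL that matches only on TCP flags. Interface names, security levels and addresses are constructed for the example.

```python
from dataclasses import dataclass

# Assumed interface names and security levels (constructed for this example).
LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: tuple          # (ip, port)
    dst: tuple          # (ip, port)
    flags: frozenset    # TCP flags

class StatefulFirewall:
    """Model of the default policy: higher -> lower level may open connections;
    lower -> higher passes only within a tracked connection or an explicit permit."""
    def __init__(self, permits=()):
        self.conns = set()            # tracked (initiator, responder) pairs
        self.permits = set(permits)   # explicitly permitted inbound (in_if, dst)

    def allow(self, p):
        if (p.src, p.dst) in self.conns or (p.dst, p.src) in self.conns:
            return True               # belongs to a connection already seen
        if p.flags != frozenset({"SYN"}):
            return False              # a new flow must start with a bare SYN
        if LEVELS[p.in_if] > LEVELS[p.out_if] or (p.in_if, p.dst) in self.permits:
            self.conns.add((p.src, p.dst))
            return True
        return False                  # lower -> higher is denied by default

def stateless_established(p):
    """Stateless router-style rule: permit inbound TCP when ACK or RST is set
    (the bits the IOS 'established' keyword matches); no connection memory."""
    return bool(p.flags & {"ACK", "RST"})

def demo():
    fw = StatefulFirewall(permits={("outside", ("192.0.2.10", 443))})
    client, server = ("10.0.0.5", 40000), ("198.51.100.7", 80)
    syn = Packet("inside", "outside", client, server, frozenset({"SYN"}))
    reply = Packet("outside", "inside", server, client, frozenset({"SYN", "ACK"}))
    stray = Packet("outside", "inside", ("203.0.113.9", 80), ("10.0.0.5", 40001), frozenset({"ACK"}))
    new_in = Packet("outside", "inside", ("203.0.113.9", 5555), ("10.0.0.5", 22), frozenset({"SYN"}))
    web = Packet("outside", "dmz", ("203.0.113.9", 5556), ("192.0.2.10", 443), frozenset({"SYN"}))
    return {
        "outbound_syn": fw.allow(syn), "reply": fw.allow(reply),
        "unsolicited_ack_stateful": fw.allow(stray),
        "unsolicited_ack_stateless": stateless_established(stray),
        "inbound_syn_inside": fw.allow(new_in), "inbound_syn_dmz_permit": fw.allow(web),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'permit' if verdict else 'deny'}")
```

The unsolicited ACK is the case that separates the two approaches: the flag-only rule permits it, while the connection table has no matching entry and denies it.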