
Thread: Affordable Hardware Firewalls

  1. #21
    Member
    Join Date
    Mar 2003
    Posts
    99
    You can't really say they are doorsteps...The PIX firewalls do more than a good job at what they are built to do.
    The 535 is not End of Sale yet, now my 2-520's were EOL in 2001 and I'm still using them fine. They are workhorses and I haven't had to reboot them in years. A PIX is basically a PII motherboard/CPU with a proprietary Cisco flash card.

  2. #22
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    The reason I said they are doorstops is not because of functionality, but the fact that they are not easily manageable in large number across an enterprise. My company quickly came to that conclusion with very little convincing.

    We are replacing them with Checkpoint Firewalls

  3. #23
    "Wrong!!!

    Cisco ACL's will not provide you with Stateful Inspection firewalling. It will give you the ability to filter traffic, which is better than nothing, but I would not consider a Cisco router to be a replacement for a firewall.

    I would agree with some of the previous posts that a PIX 501 is probably the way to go for the $$, but I think there is a much more user-friendly choice in a Checkpoint solution on an S-Box platform. (As the previous post states)

    http://www.sofaware.com/"


    If the guy sets up extended ACLs properly, then he would be able to properly filter untrusted addresses and specific protocols from getting to the server. That would be great protection at great cost, plus, with the investment in the router, it would provide for future growth of the network if future growth was implied later on. The guy could use some type of 3rd party software for stateful inspection firewalling (unless running a Linux box with kernel 2.4, comes built in with the standard Linux firewalling features).
    The End Justifies The Means...

  4. #24
    The Iceman Cometh
    Join Date
    Aug 2001
    Posts
    1,209
    The PIX 501 is a SOHO firewall that can be found in most places in the ~$500 range.
    here ya go:
    http://www.cdw.com/shop/products/default.asp?EDC=329744
    That's actually the exact link I found too (I got it from Cisco's web site). Right now, if he invests in a firewall, this is the one we're going with. I say if simply because the T-line provider he was going with decided to double the monthly rate and he is debating taking that path at all. If he decides to accept the new terms, he will purchase the PIX 501 (which I will install and teach him to maintain, since I have had quite a bit of experience with Cisco routers and firewalls). Otherwise, he will most likely hold off on getting an Internet connection until he can find a less expensive provider.

    Edit: By the way, I thank everyone for their suggestions and input. I've looked into all of the solutions provided and feel that the Cisco firewall is the way to go with what I have to work with.

    AJ

  5. #25
    The guy might also want to go as far as to make sure that his authentication type is a good one also, CHAP over PAP any day.
    The End Justifies The Means...

  6. #26
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Originally posted here by brandon64_99
    The guy might also want to go as far as to make sure that his authentication type is a good one also, CHAP over PAP any day.
    What are you talking about!?!?

    What does a firewall in this scenario have to do with authentication?

    Originally posted here by brandon64_99
    If the guy sets up extended ACLs properly, then he would be able to properly filter untrusted addresses and specific protocols from getting to the server. That would be great protection at great cost, plus, with the investment in the router, it would provide for future growth of the network if future growth was implied later on. The guy could use some type of 3rd party software for stateful inspection firewalling (unless running a Linux box with kernel 2.4, comes built in with the standard Linux firewalling features).
    If you can get a PIX for around $400-$500, why would you waste your money on a used, outdated router (for the same price) that will require another purchase to upgrade the IOS to the firewall feature set?

    Buying a 2500 is not a good investment at all. They are not modular and cannot be easily upgraded, so it would most likely be useless anyway unless you are planning to use it in a lab.

  7. #27
    The guy that is insisting on this firewall seems a little paranoid. Comforting him with authentication types or any other crap to settle the overworked guy down is implied in this situation. (lots of sarcasm)

    And yes, but isn't every router that's currently implemented out of date? YES!!! Cisco creates new routers all the time. Upgrading a router is easy, and once the router is upgraded, it would at least be a few months before another IOS is released.

    "that will require another purchase to upgrade the IOS to the firewall feature set." - iNViCTuS

    You would not have to purchase an IOS upgrade to gain the features like extended ACLs. For stateful inspection firewalling it would prob. require some extra money, but he could purchase cheap software to run on the system for that.


    "with the investment in the router, it would provide for future growth of the network if future growth was implied later on." - brandon64_99

    ^This still stands as a factor also with the purchase of the router for security also.
    The End Justifies The Means...

  8. #28
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Don't take this the wrong way, but I am convinced you really have no idea what you are talking about...

  9. #29
    Well, I don't care. I just don't think that you're understanding me.
    The End Justifies The Means...
