
IOS firewall or router?

mulhollandm
Level 1

folks

i have a perimeter router cluster with an ASA cluster and another firewall cluster protecting my corporate network

i'm hardening my perimeter at the moment but i was toying with the idea of using the perimeter routers in Classic IOS firewall mode rather than as routers with ACLs

has anyone any views/experience of this

i know i should be well enough protected but i think the classic ios would provide better manageability of the routers as config would be replicated across an IOS cluster rather than having to configure 2 HSRP routers

thanks to anyone taking the time to read or reply to this

all views greatly appreciated

3 Replies

Farrukh Haroon
VIP Alumni

I would highly recommend it, as long as there are no performance delays. Go for a testing phase before the final implementation. Stateless ACLs can be a pain to maintain.

Regards

Farrukh

farrukh

are you recommending the classic firewall?

thanks for your reply

Classical Firewall (CBAC) is still better than ACLs. However, most new features/inspections will be released for the Zone-based Firewall only. As per Cisco: "Cisco IOS Software Classic Firewall will continue to be maintained for the foreseeable future, but will not be significantly enhanced with new features."

Have a look at this document for a comparison and hardware support:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd806f31f9.pdf

Especially Tables 1 and 2

Regards

Farrukh
