Cisco Support Community
Community Member

Personal FW vs. PIX

I've a very provoking question which I've meet when installing a PIX-501 at customer site that I'd like some comments on. What vendors of personal firewall claims is that a PIX is less secure that their firewall since a PIX is not application aware. Now for a customer the price for a personal firewall is nowhere near a PIX-501, so why not use personal firewall on all computers (approx 4-10 users) connected to the internet ?

Community Member

Re: Personal FW vs. PIX

I think this question is one of versatility against manageability. Using the personnal firewall on individual computers may well allow more versatile filtering options but this will require more maintenance than using one PIX-501. Also how much can you rely on individuals not to tamper with their individual settings and thereby creating a security risk.

Community Member

Re: Personal FW vs. PIX

Pix firewall provides stateful filtering, it works on application, transport, and network layer. Why do you think PIX is not application aware?

Community Member

Re: Personal FW vs. PIX

This claim is not one of mine...this is acctually one that is found on the vendors homepage here in denmark as an FAQ answer, I just wanted make others aware of the fact that customers meet this claim when they decide on they firewall product.

Manageability is definitely one that is important, but so is mobility, so do we all carry a hardware FW together with our laptop -I know that this is slightly different from my starting point but anway do we ?

Community Member

Re: Personal FW vs. PIX

The main point in this discussion is the management.

With PIX you'll have the single point of management, with personal firewalls - big headache.

Try to enforce any consistent security policy on more then one desktops and you'll have a lot of fun.

Not to mention that it's very common for end-users to tweak their systems without thinking first.

Speaking about application awareness - your opponent has no idea what he/she is talking about.

Stateful firewalls _have_ to be application aware, otherwise they will be unable to work at all.

That's true for all products from all vendors that clam that capability.

The difference is _how_ that implemented, how many application-specific protocols each vendor' platform can support, etc.

BTW - one of the biggest advantages of PIX is that it can support multimedia applications with very simple configuration.

Try this with CheckPoint (as an example) and you'll see the difference.



CreatePlease to create content