Security IOS vs. PIX/ASA firewall

smckenna
Level 1

Could someone point me to some docs on cisco.com in comparing the use of a Secure IOS on a router & using a cisco firewall? I want to use an ISR w/secure ios if possible but not sure if I can lock down the outside of the network as well as I could with a pix or asa so I want to make sure I do everything I can and do it right. Any help is greatly appreciated.

Accepted Solutions

haithamnofal
Level 3

Hi,

There was a discussion in this forum about this topic; check "Firewalling: PIX vs IOS Firewall"; the last conversation was posted on Jan 10, 2006. Let me know then if this helps.

Rgrds,

Haitham


8 Replies

BRIAN SEKLECKI
Level 1

I'm not quite sure what "Secure IOS" is; Google and Cisco.com don't yield any promising results on that. However, there's no shortage of mention of "Cisco Secure IOS Firewalls", so perhaps it's a marketing wank-word?

Whether Cisco IOS itself is secure or not is a topic of discussion for another forum >:}.

However, to answer your question, when you talk about the IOS-variant that runs on the PIX, you're essentially describing an IP Forwarding engine with a different default set of security policies with a default "deny/block any/any" as defined by the "ASA" system (not to be confused with the ASA hardware line).

You're also talking about strong cryptography/authentication/security features that may be optional addons on traditional IOS.

I was at a "Lunch&Learn" hosted by Cisco on Friday and the Cisco sales rep (Chris Oggerino) ? essentially portrayed the ISR router as ideal for complementing entry-level switching gear in "Branch" offices where concepts like "Perimeter" router, "Inside Firewall" might not apply, and features like IDS, IPS, Redundancy, Voice, which might traditionally be independent hardware units, are features on the ISR. Of course, you still need two of everything for HSRP/BGP >:}

It's a question of budget and design. Do you want your firewall to be an autonomous device?

TIA,

~lava

Haitham, thank you. I appreciate it. This helped me out in regards to links from that discussion and the content within the discussion.

sm

And I am in a debate with a co-worker who indicates a normal Cisco router (72xx) without the Firewall feature can do just as much as a PIX can with the use of properly configured ACLs.

Can anyone put this debate to rest for good? I am so tired of comparing non-security devices with security devices.

I have no issue with comparing IOS-Firewall to PIX.

Hi,

Well, you can't just say that a router with no FW capability can just do what a real FW can do. For example, PIX is a stateful device that keeps state of sessions. On the contrary, in a normal router with no FW features turned on, the router is not a stateful device and it does not keep track of sessions. However, with FW features enabled, and by implementing CBAC, the router will become stateful in this regard. This is just a simple, straightforward answer that should put this debate to rest.

Hope this helps.

Regards,

Haitham
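
The difference described in the reply above, as an added illustration that is not part of the original thread: a simplified Python model of a router that permits return traffic by TCP flags alone (the way an extended ACL with the `established` keyword matches) next to a device that keeps a session table. The packet model, addresses (documentation ranges) and function names are constructed for this example.

```python
"""Constructed model: stateless ACL vs. stateful inspection of return traffic."""
from collections import namedtuple

# Constructed packet model; all addresses are RFC 5737 documentation ranges.
Packet = namedtuple("Packet", "src sport dst dport flags")
INSIDE_PREFIX = "192.0.2."  # assumed inside network for this example

def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)

def stateless_acl(pkt):
    """Router with ACLs only: outbound is permitted; inbound TCP is permitted
    when ACK or RST is set. Nothing is remembered between packets."""
    if is_inside(pkt.src):
        return True
    return bool({"ACK", "RST"} & set(pkt.flags))

class StatefulFirewall:
    """Keeps a session table, as a PIX or a router running CBAC does
    (simplified: real devices also track TCP state and timeouts)."""
    def __init__(self):
        self.sessions = set()

    def allow(self, pkt):
        if is_inside(pkt.src):
            # Outbound: record the session so its replies can be matched.
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: permit only the exact reverse of a recorded session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def compare(packets):
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.allow(p)) for p in packets]

TRAFFIC = [  # constructed sample traffic
    Packet("192.0.2.10", 40000, "198.51.100.5", 443, ("SYN",)),        # inside client opens
    Packet("198.51.100.5", 443, "192.0.2.10", 40000, ("SYN", "ACK")),  # matching reply
    Packet("203.0.113.9", 443, "192.0.2.20", 40001, ("ACK",)),         # inbound, no session
    Packet("203.0.113.9", 4444, "192.0.2.20", 22, ("SYN",)),           # inbound new connection
]

if __name__ == "__main__":
    for pkt, (acl, fw) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.flags} "
              f"stateless={acl} stateful={fw}")
```

The third packet is where the two differ: the flag-based ACL passes it because ACK is set, while the session table has no entry for it and drops it.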

What about comparing PIX to ASA? Which one is better to purchase?

Hi Stephen, if you want an integrated security appliance with firewall and IPS then ASA is good; if you are just looking for a firewall then I guess PIX will be enough. See ya.

regards

sebastan

For new investments I would go for the ASA, as with the introduction of the ASA5505 the PIX might be going away and the ASA can become one of the essential elements for the Cisco Self Defending Network.
