Could someone point me to some docs on cisco.com comparing the use of a Secure IOS on a router with using a Cisco firewall? I want to use an ISR with Secure IOS if possible, but I'm not sure if I can lock down the outside of the network as well as I could with a PIX or ASA, so I want to make sure I do everything I can and do it right. Any help is greatly appreciated.
I'm not quite sure what "Secure IOS" is; Google and Cisco.com don't yield any promising results on that. However, there's no shortage of mention of "Cisco Secure IOS Firewalls", so perhaps it's a marketing wank-word?
Whether Cisco IOS itself is secure or not is a topic of discussion for another forum >:}.
However, to answer your question, when you talk about the IOS variant that runs on the PIX, you're essentially describing an IP forwarding engine with a different default set of security policies, with a default "deny/block any/any" as defined by the "ASA" system (not to be confused with the ASA hardware line).
You're also talking about strong cryptography/authentication/security features that may be optional add-ons on traditional IOS.
I was at a "Lunch&Learn" hosted by Cisco on Friday, and the Cisco sales rep (Chris Oggerino) essentially portrayed the ISR router as ideal for complementing entry-level switching gear in "Branch" offices, where concepts like "Perimeter" router and "Inside Firewall" might not apply, and where features like IDS, IPS, redundancy and voice, which might traditionally be independent hardware units, are features on the ISR. Of course, you still need two of everything for HSRP/BGP >:}
It's a question of budget and design. Do you want your firewall to be an autonomous device?
Haitham, thank you. I appreciate it. This helped me out in regards to links from that discussion and the content within the discussion.
And I am in a debate with a co-worker who indicates that a normal Cisco router (72xx) without the Firewall feature can do just as much as a PIX can with the use of properly configured ACLs.
Can anyone put this debate to rest for good? I am so tired of comparing non-security devices with security devices.
I have no issue with comparing IOS-Firewall to PIX.
Well, you can't just say that a router with no FW capability can do what a real FW can do. For example, the PIX is a stateful device that keeps state for sessions. On the contrary, in a normal router with no FW features turned on, the router is not a stateful device and it does not keep track of sessions. However, with FW features enabled, and by implementing CBAC, the router will become stateful in this regard. This is just a simple, straightforward answer that should put this debate to rest.
Hope this helps.
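To make the stateless-vs-stateful distinction from the answer above concrete, here is an added example (not posted by anyone in this thread) showing a plain ACL on the outside interface next to the equivalent CBAC setup from the IOS Firewall feature set. Interface names, the `CBAC-FW` inspect rule name and the RFC 5737 addresses are constructed for illustration.

```cisco
! ---- Stateless: plain ACL on the outside interface (no IOS Firewall) ----
! Return traffic for sessions opened from inside has to be guessed at with
! "established", which only checks TCP flag bits, not whether a session exists.
! UDP replies (e.g. DNS) need a permanent static hole.
ip access-list extended OUTSIDE-IN-STATELESS
 permit tcp any 192.0.2.0 0.0.0.255 established
 permit udp any eq 53 192.0.2.0 0.0.0.255
 deny   ip any any log
!
interface Serial0/0
 description OUTSIDE (stateless variant)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN-STATELESS in
!
! ---- Stateful: CBAC from the IOS Firewall feature set ----
! CBAC watches sessions leaving via the inside interface and opens temporary,
! per-session entries in the outside ACL for the matching return packets only.
! (icmp inspection is not available on older IOS Firewall images.)
ip inspect name CBAC-FW tcp
ip inspect name CBAC-FW udp
ip inspect name CBAC-FW icmp
ip inspect name CBAC-FW ftp
!
ip access-list extended OUTSIDE-IN-STATEFUL
 ! Nothing static for return traffic; CBAC supplies the dynamic entries.
 ! Add explicit permits here only for services published to the outside.
 deny   ip any any log
!
interface FastEthernet0/1
 description INSIDE
 ip address 192.0.2.1 255.255.255.0
 ip inspect CBAC-FW in
!
interface Serial0/0
 description OUTSIDE (stateful variant)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN-STATEFUL in
```

After traffic flows, `show ip inspect sessions` lists the tracked sessions, which is the state table the stateless variant simply does not have.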
Hi Stephen, if you want an integrated security appliance with firewall and IPS then the ASA is good; if you are just looking for a firewall then I guess the PIX will be enough. See ya
For new investments I would go for the ASA, as with the introduction of the ASA5505 the PIX might be going away, and the ASA can become one of the essential elements for the Cisco Self-Defending Network.