New Member

Security IOS vs. PIX/ASA firewall

Could someone point me to some docs on cisco.com comparing the use of a Secure IOS on a router and using a Cisco firewall? I want to use an ISR w/Secure IOS if possible, but I'm not sure if I can lock down the outside of the network as well as I could with a PIX or ASA, so I want to make sure I do everything I can and do it right. Any help is greatly appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Security IOS vs. PIX/ASA firewall

Hi,

There was a discussion in this forum about this topic; check "Firewalling: PIX vs IOS Firewall". The last conversation was posted on Jan 10, 2006. Let me know then if this helps.

Rgrds,

Haitham

8 REPLIES
New Member

Re: Security IOS vs. PIX/ASA firewall

I'm not quite sure what "Secure IOS" is, Google and Cisco.com don't yield any promising results on that. However, there's no shortage of mention of "Cisco Secure IOS Firewalls", so perhaps it's a marketing wank-word?

Whether Cisco IOS itself is secure or not is a topic of discussion for another forum >:}.

However, to answer your question, when you talk about the IOS-variant that runs on the PIX, you're essentially describing an IP Forwarding engine with a different default set of security policies with a default "deny/block any/any" as defined by the "ASA" system (not to be confused with the ASA hardware line).

You're also talking about strong cryptography/authentication/security features that may be optional add-ons on traditional IOS.

I was at a "Lunch&Learn" hosted by Cisco on Friday and the Cisco sales rep (Chris Oggerino) ? essentially portrayed the ISR router as ideal for complementing entry-level switching gear in "Branch" offices where concepts like "Perimeter" router, "Inside Firewall" might not apply, and features like IDS, IPS, Redundancy, Voice, which might traditionally be independent hardware units, are features on the ISR. Of course, you still need two of everything for HSRP/BGP >:}

It's a question of budget and design. Do you want your firewall to be an autonomous device?

TIA,

~lava


New Member

Re: Security IOS vs. PIX/ASA firewall

Haitham, thank you. I appreciate it. This helped me out in regards to links from that discussion and the content within the discussion.

sm

New Member

Re: Security IOS vs. PIX/ASA firewall

And I am in a debate with a co-worker that indicates a normal Cisco router (72xx) without the Firewall feature can do just as much as a PIX can with the use of properly configured ACLs.

Can anyone put this debate to rest for good? I am so tired of comparing non-security devices with security devices.

I have no issue with comparing IOS-Firewall to PIX.

New Member

Re: Security IOS vs. PIX/ASA firewall

Hi,

Well, you can't just say that a router with no FW capability can just do what a real FW can do. For example, PIX is a stateful device that keeps state of sessions. On the contrary, in a normal router with no FW features turned on, the router is not a stateful device and it does not keep track of sessions. However, with FW features enabled, and by implementing CBAC, the router will become stateful in this regard. This is just a simple, straightforward answer that should take this debate to a rest.

Hope this helps.

Regards,

Haitham
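
The stateless/stateful distinction described in the post above, as a simplified model added here for illustration (not code from any poster or from Cisco). It compares a per-packet ACL in the style of `permit tcp any any established` with a session-tracking filter; the class and function names and the sample packets are constructed, and the model ignores sequence numbers and session teardown.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags present, e.g. {"SYN", "ACK"}
    inbound: bool      # True = arriving on the outside interface

def stateless_acl(pkt):
    """Per-packet filter: inbound TCP passes if the ACK or RST bit is set.
    Each packet is judged alone; nothing is remembered between packets."""
    if not pkt.inbound:
        return True
    return bool(pkt.flags & {"ACK", "RST"})

class StatefulInspector:
    """Session-tracking filter: inbound traffic must match a flow opened from inside."""
    def __init__(self):
        self.sessions = set()

    def permit(self, pkt):
        if not pkt.inbound:
            if pkt.flags == {"SYN"}:  # inside host opens a connection
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: reverse the tuple and require an existing session
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulInspector()
    return [(stateless_acl(p), fw.permit(p)) for p in packets]

# Constructed sample traffic using documentation address ranges
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, frozenset({"SYN"}), False),
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}), True),
    Packet("198.51.100.7", 443, "10.0.0.9", 3389, frozenset({"ACK"}), True),  # no session
    Packet("198.51.100.7", 5555, "10.0.0.9", 22, frozenset({"SYN"}), True),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, compare(SAMPLE)):
        print(sorted(pkt.flags), "stateless=%s stateful=%s" % verdict)
```

The third packet is where the two differ: it carries an ACK bit but belongs to no connection opened from inside, so only the session-tracking filter drops it.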

New Member

Re: Security IOS vs. PIX/ASA firewall

What about comparing PIX to ASA? Which one is better to purchase?

New Member

Re: Security IOS vs. PIX/ASA firewall

Hi Stephen, if you want an integrated security appliance with firewall and IPS then ASA is good; if you are just looking for a firewall then I guess PIX will be enough. See ya.

regards

sebastan

New Member

Re: Security IOS vs. PIX/ASA firewall

For new investments I would go for the ASA, as with the introduction of the ASA5505 the PIX might be going away and the ASA can become one of the essential elements for the Cisco Self Defending Network.
