On Tue, 18 Jun 1996, Wojno, Jim wrote:
> To All:
> Just wanted to get some opinions on Cisco's new product, PIX, Private
> Internet Exchange. We are a Cisco shop, as far as our routers go, however, I
> am somewhat leery about PIX's firewall capabilities. It seems to basically
> be an address translator, which hides the internal network from view, but
> offers no user level authentication, and no in-bound connections of any
> type, unless in response to an internally generated request.
> Has anyone out there actually used this product, and if so, what did you
> think? I am especially interested in PIX's configurability, and logging
> capabilities. Any information at all on this would be greatly appreciated.
Information on this item is very very hard to find.
I have played with it on a limited basis, not long enough to be certain
of my acid tests but here is what I can report.
My focus in this email will be how it handles UDP. This is a tricky task and
it is also one that the PIX box has a fighting chance of really doing well
with because it holds the state of the 4 tuple (ie srcIP,srcPORT,dstIP,dstPORT).
The state of the 4 tuple can act as a pseudo connection state for a stateless
protocol like UDP.
Well, my findings on UDP is not going to be something you all want to hear.
Basically there are 3 services that it will let pass.
Real Audio, Resolver/DNS, and Archie.
1) The first one is Real Audio. Real Audio uses TCP and UDP. The rule the PIX
box uses is if a TCP connection from the cleanNET is opened to a
remote Real Audio server, then the UDP traffic associated with that
TCP connection is "friendly fire" and let it back into the clean net.
I can sorta deal with this one.
2) Resolvers on the cleanNET (>1023/udp) can volley UDP packets
to and from Internet DNS servers (53/udp). This also means that
packets 53/udp are let back into >1023/udp. I don't know about you
but this makes me break out in hives. :-)
3) Archie udp traffic can go and and be let back in. Once again,
the UDP threat is present.
These items noted above are not something you can configure.
They are in the code and the Eng @
Cisco tells me that they are not something
you can configure.
Forget about managing any Multicast traffic because it is not even
an option. No multicast, no multicast threat I guess. :-)
I am not shooting the PIX out of the sky. It is very easy to config
and if all you need is TCP services, (and you can shut off the UDP
incoming traffic?), then you got yourself the right tool.
I too hunted high and low for a review, a loaner, any information
on how this little thing managed Layer 3 and Layer 4 ACL's.
As noted on this list many times before (hello Darren), NAT alone
offers no access control or firewalling tool. NAT is just what
it says it does. Thus the NAT code working its way into 11.2 mean
NAT and DOES NOT mean you are going to get a PIX box in every
11.2 IOS router.
I hope this helps and happy Firewall shopping.
\ Tim Keanini | "The limits of my language, /
/ aka blast | are the limits of my world." \
\ | --Ludwig Wittgenstein /
/ PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html \
\ <blast @