Mark_Plesser_at_NYRAPO@pcmailgw.ml.com enscribed thusly:
> PIX is a packet filter and not a particularly good one. They are not a
> competition to Checkpoint or Raptor or TIS or ...
Wrong... Last month at the Atlanta Unix Users Group we had a
talk presented by one of the individuals who developed PIX (Cisco bought
the company). It's most definitely NOT a packet filter. It appears to
lay somewhere between a transparent proxy and a stateful filter with a NAT
thrown in for good measure. There are no application proxies, so you avoid
the worst of the problems with proxies (suck-wind performance, connection
resource limits, end client configuration problems, etc, etc, etc...) Will
handle 16K+ simultaneous connections. The connections are not "terminated"
on the PIX as they would be in a proxy firewall, but they are tracked by way
of a stateful "dynamic object" which would appear to serve the same purpose
as the connected states of a proxy firewall (except it's transparent, except
it's fast, except it's small, except there is only one of them per session,
except there's no application layer transitions, except there's half the
number of data copies, except you don't have to traverse the ENTIRE tcp stack
for every packet, except you don't have to reassemble every IP datagram for
every packet, etc, etc, etc.........).
The NAT is pretty slick. Rather than rewrite the entire IP header
and adjust for data length changes (ftp requires some data flow rewriting)
and recomputing the checksums each time, they maintain a translation offset
on the checksums and sequence numbers as the headers flow in each direction.
Cuts way down on the data computations.
Filtering is something akin to what a proxy would do. If a packet
comes in, it's matched against the network objects (dynamic and static) which
are complete stateful sessions (UDP is another matter - surprise). No match,
it's dropped. If it's matched, then it's translated according to the state
of the network object it's matched against. Sessions all have dynamic
network objects which correspond to the complete connection. Static
objects are for permitting incoming requests to establish objects against
offered services.
Configuration is much like a proxy. Dynamic rules are built on
the fly. Ftp data connection is requested and it builds a dynamic object
for the incoming connection as required (sort of like what a proxy does -
only efficiently). Capable of building various combinations of static
translations (for incoming services such as SMTP, FTP, HTTP, etc...) to
your servers while maintaining the other systems behind the dynamic objects.
Since internally the systems themselves are typically not even on routable
addresses, it's hard to call it a filter. The protected systems wouldn't
even be reachable by direct routing.
Another neat trick is in some load leveling stuff they've got in
there. Got a heavily loaded web server? It can load level between several
servers for you and the outside network won't even know the difference.
Includes sticky connections so once someone has connected to one server,
they'll go back to the same server for subsequent requests (keeps things
like cookies and stateful CGI from breaking). Got three different
algorithms for load level. Will load level based on equal number of requests,
amount of data traffic, and request-to-response time. Some packet filter...
> Their biggest selling pt. is that they use a "cut through" proxy (read
> packet filter rulebase) that processes packet while it is being
> received. Do not ask me what this means :) I rephrase their sales ppl.
> Mark
Yeah, it sounds like you talked to a Cisco sales rep who didn't
know what he was talking about. We were talking with one of the guys
who developed the sucker and was quite open about all the bits and bytes
and tweaks they were pulling in the core of the thing. No question that
he had intimate technical knowledge of the internals.
Downside for me is that it is more than a bit pricey....
I would NOT use it with the Cisco IOS though. That would seem to
bring back all of the evils of the proxy firewalls with no clear advantage.
> ______________________________ Reply Separator _________________________________
> Subject: Re: Cisco's PIX firewall
> Author: Irwin Lazar <lazar@netevolve.com> at UNIXGTWY
> Date: 11/25/96 3:48 PM
>
>
> Zak,
> We have used the PIX for several clients with varying size networks.
>
> The biggest advantage to the PIX is that you can use a private addressing
> scheme on your network. This allows you to create a meaningful IP
> addressing scheme. For example, you can designate the second octet to
> match the OSPF area the address is used in. (i.e. 10.3.0.0 for area 3,
> 10.4.0.0 for area 4 and so on). Another advantage to private addressing is
> that you never have to worry about renumbering your network due to changing
> ISPs or anything like that.
>
> As far as the security aspects of PIX, it basically hides your entire
> network from the outside world. Unless your PIX is corrupted, hosts
> outside of your network can never directly connect to hosts within your
> network since private addresses are not routed on the Internet. The
> downside to the PIX is that it has limited access-list ability and it's not
> very user friendly.
>
> You also might want to check out version 11.2 of the Cisco IOS, which has
> PIX functionality built in. It also has support for traditional IP and
> extended IP access lists.
>
> Good luck,
> Irwin Lazar
> Network Evolutions, Inc.
> http://www.netevolve.com
>
> At 11:32 AM 11/25/96 -0500, you wrote:
> >Question:
> >
> >Has anyone used Cisco's PIX firewall? If anyone has, what are the
> >advantages/disadvantages of using it?
> >
> >I would appreciate any input. Thanks a lot.
> >
> >Zak Alameddine
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!