I agree with Woody. A firewall should NEVER house "user services". Its
sole function should be that of a firewall. A DMZ is an excellent location
for servers that will house user services such as FTP, DNS, WWW, SQL, SMTP,
etc. Actually a "public access" WWW server that will be accessed by those
outside the "trusted" network, would probably fare best outside your
firewall on your internet segment (you can establish a tunnel from a
workstation/workgroup inside your trusted network for updates & maintenance).
As for the PIX, speed and NAT are its major selling points. Since this is
done via stateful inspection at the hardware/network layer, it outperforms
proxy based firewalls and because it is a hardware based firewall it is
able to accomplish its task without the added overhead required by other
stateful inspection firewalls.
One interesting point is that the PIX and most if not all CISCO routers can
be managed by Checkpoint's Firewall 1 which makes Woody's alternative
solution of making the PIX part of a complete security system a very
feasible solution. One management location for all of your firewalls &
router ACLs. Simplicity is a good thing when it allows you to maintain
At 11:54 AM 11/25/97 -0800, Woody Weaver wrote:
>At 05:37 PM 11/25/97 +0000, Finnbogi Ragnar Ragnarsson wrote:
>>About the Cisco PIX:
>>Most people need email, right?
>>and FTP server,
>>and WWW server
>>PIX doesn't by itself fulfill their needs.
>>Pix is probably a very good device, but it isn't a firewall by itself,
>>except for very few. But it can be a useful part of Firewall.
>>If any of you are considering buying PIX, buy it as a part of well thought out
>>total solution, not as a standalone device.
>I think this is a matter of semantics, but I want to be clear. The PIX is
>a stateful multilevel inspection firewall. Its task is to decide whether
>or not a packet should be passed to the internal network, with some minor
>rewriting of the packet headers. It is essentially an intelligent bridge.
>It does have a transparent filter for SMTP connections, in that it can
>convert non-RFC compliant commands into NOOP's. I find the feature
>interesting, but not especially significant.
>It does not provide user services (other than a trivial web page for local
>diagnostics). It is a firewall, not an application device.
>I think that what ragnar @ is is thinking of is an application gateway
>that can provide services on a firewall. Speaking only from personal
>experience, I do not like to put any services on the firewall device: not
>only do I not want to have an ftp server on the firewall, I don't even want
>content filtering or mail relays there. I want the firewall to do nothing
>but be a firewall: i.e. as RFC1244 states, a single system that restricts
>all access between a WAN (or by extension any other untrusted network) and
>my local system. I subscribe to the strategy that devices should be as
>small (simple) as possible, hook into other devices, and do exactly one
>thing well. The PIX fits that strategy pretty well, and I find it a useful
>Robert Wooddell Weaver email: woody .
>Senior Systems Engineer voice: 510.358.3972
>Wiltel NSI pager: 510.702.4334
Andre' L. Mintz
Director of Internet Security Product Operations
DIGEX Business Internet Connectivity Group
301-847-5953 | Office
888-688-7995 | Pager
www.skytel.com | Text Message
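The thread describes two ideas in words: a stateful inspection device that passes replies to flows the trusted side opened and drops everything unsolicited, and a zone layout in which user services live in a DMZ while the firewall itself publishes nothing. The following is an added illustration of both, written for this page; it is not PIX or Firewall-1 code and does not claim to model how either product works internally. The zone names, the `PUBLISHED` table, the `StatefulFilter` class and the sample packet trace (with RFC 1918 and documentation-range addresses) are all constructed for the example.

```python
"""Toy three-zone stateful packet filter (constructed example, not vendor code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src_zone: str      # zone the packet arrives from: "inside", "dmz" or "outside"
    dst_zone: str      # zone of the destination address, including "firewall" itself
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False  # True only for the TCP SYN that opens a connection

# Services each zone is allowed to publish to new, externally initiated flows.
# The firewall publishes nothing: it is a firewall, not an application device.
PUBLISHED: Dict[str, Set[Tuple[str, int]]] = {
    "dmz": {("tcp", 25), ("tcp", 21), ("tcp", 80), ("udp", 53)},   # SMTP, FTP, WWW, DNS
    "inside": set(),
    "firewall": set(),
    "outside": set(),
}

FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)

class StatefulFilter:
    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()   # connection table of flows already admitted
        self.log: List[str] = []           # one line per dropped packet, for the operator

    @staticmethod
    def _forward(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _track(self, p: Packet) -> str:
        self.flows.add(self._forward(p))
        return "allow"

    def _deny(self, p: Packet, reason: str) -> str:
        self.log.append(f"drop {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} ({reason})")
        return "drop"

    def decide(self, p: Packet) -> str:
        # A packet in either direction of a tracked flow passes: this is the "state".
        if self._forward(p) in self.flows or self._reverse(p) in self.flows:
            return "allow"
        # TCP that is not a SYN and matches no flow is unsolicited mid-stream traffic.
        if p.proto == "tcp" and not p.syn:
            return self._deny(p, "tcp packet without connection state")
        # New flows from the trusted network may go anywhere, which also covers
        # the maintenance path from inside workstations to DMZ servers.
        if p.src_zone == "inside":
            return self._track(p)
        # The DMZ may open flows outward (e.g. a mail relay delivering) but never inward.
        if p.src_zone == "dmz" and p.dst_zone == "outside":
            return self._track(p)
        # Anyone else may only open a flow to a service the destination zone publishes.
        if (p.proto, p.dport) in PUBLISHED.get(p.dst_zone, set()):
            return self._track(p)
        return self._deny(p, f"no published {p.proto}/{p.dport} in zone {p.dst_zone}")

def run_sample() -> Tuple[List[str], List[str]]:
    """Run a constructed packet trace through the filter; returns (decisions, drop log)."""
    fw = StatefulFilter()
    trace = [
        Packet("inside", "outside", "10.0.0.5", "203.0.113.10", "tcp", 40000, 80, syn=True),  # inside opens web
        Packet("outside", "inside", "203.0.113.10", "10.0.0.5", "tcp", 80, 40000),            # reply to that flow
        Packet("outside", "dmz", "198.51.100.7", "192.0.2.25", "tcp", 51000, 25, syn=True),   # mail to DMZ SMTP
        Packet("outside", "inside", "198.51.100.7", "10.0.0.25", "tcp", 51001, 25, syn=True), # mail straight inside
        Packet("outside", "firewall", "198.51.100.7", "192.0.2.1", "tcp", 51002, 21, syn=True),  # FTP to the firewall
        Packet("outside", "dmz", "198.51.100.7", "192.0.2.80", "tcp", 51003, 80),             # mid-stream, no state
        Packet("dmz", "inside", "192.0.2.80", "10.0.0.50", "tcp", 52000, 1433, syn=True),     # DMZ host reaching inward
        Packet("outside", "dmz", "198.51.100.7", "192.0.2.53", "udp", 53000, 53),             # DNS query to DMZ
    ]
    return [fw.decide(p) for p in trace], fw.log

if __name__ == "__main__":
    decisions, log = run_sample()
    print(decisions)
    print("\n".join(log))
```

The drop log is the part worth keeping in a real deployment: the two entries for a connection aimed at the firewall itself and for a DMZ host opening a flow inward are exactly the events that, in the layout Woody and Andre describe, should never succeed and therefore deserve an alert rather than a silent discard.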