[Dshield] Cisco Router/Firewall - which is the best for me?

Maarten dshield.org at plekje.net
Mon Oct 4 04:41:04 GMT 2004


When it comes to the wishes for your firewall, any Cisco router can do 
that. They are called access lists, and they are stateful too.

- Connecting to dual Ethernet is possible if you have one with 2 Ethernet ports 
(simple enough). Ciscos also support direct DSL through their DSL 
interface.
- Routing ability with NAT, remote admin etc. is also standard for any 
Cisco router.
- Firewall is as mentioned above.
- Traffic shaping is possible, but through queueing, not shaping. 
For packet shaping you may want to look at Packeteer's PacketShaper. It 
shapes on the different streams going through the device. The Cisco 
routers shape based on packets and send them to a certain queue. I believe 
that queueing is standard for any Cisco router.
- IDS is possible, but you will need a firewall IOS (which is costly). Also 
it provides you with only a very basic IDS. In some cases it does not work 
correctly (on a Cisco 3620 I manage it had a strange phenomenon where it 
would limit packets to 1020 bytes instead of the normal IP payload, and it did this 
without matching the MTU size, so it is probably a bug).
- IP blacklist is not a problem. URL blacklist will be a problem; I don't 
think this is possible (but then Cisco has surprised me on occasion). URLs are 
application layer and a router does not function on that layer.
- Also it is very easy to set up a syslog environment that will send you any 
possible intrusions or other problems. I recommend this option since it will 
help in debugging.

As for simplicity: forget Cisco. It is not simple, nor will it ever be. Once 
you get the hang of it you will find your way around and find new features 
when looking for them. But the setup is not easy. It has a web-based 
environment, but it is not very usable. Unlike the switch range, where the 
web interface is very usable, the router supports a web interface which more 
or less resembles the telnet interface.

Seeing your budget, I doubt you will find anything in that price range. 
Dropping the wish for IDS will help considerably (firewall IOS is 
expensive). 

If you want to know which router type to choose, search for the PPS value at 
Cisco for each individual type. Each router has its own processor and 
therefore its own speed. The faster the processor, the faster it can route 
packets. This is identified using the PPS (packets per second). If you use 
this together with an average packet size you can calculate the approximate 
bandwidth supported. Also, when using special features like firewall/access 
lists etc., you will slow down the router. Take this into account too.

greetings,
Maarten
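As an added illustration (not part of Maarten's reply or any Cisco code), here is a small Python model of the access-list semantics he refers to: entries are evaluated top-down, the first match wins, anything unmatched hits the implicit deny, and a list is bound to an interface and direction. The match criteria are the ones Benjamin listed (ingress interface, protocol, source/destination address, destination port); the addresses, interface names and list contents are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    """One access-list entry: '<action> <proto> <src> <dst> [eq <dport>] [log]'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp", "udp", "icmp"
    src: str                     # "any" or "<address> <wildcard mask>"
    dst: str
    dport: Optional[int] = None  # destination port; None means any port
    log: bool = False            # matching packets would be reported via syslog

def match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the mask means 'do not care' for that bit."""
    if spec == "any":
        return True
    base, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl: list, pkt: dict) -> tuple:
    """Walk the list top-down; first match wins, unmatched traffic hits the implicit deny."""
    for n, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not (match_addr(ace.src, pkt["src"]) and match_addr(ace.dst, pkt["dst"])):
            continue
        if ace.dport is not None and ace.dport != pkt.get("dport"):
            continue
        return ace.action, n, ace.log      # (action, matching entry number, log flag)
    return "deny", None, False             # implicit deny at the end of every ACL

# Constructed SOHO policy: one list inbound from the DSL side, one inbound from the LAN.
LAN = "192.168.1.0 0.0.0.255"
BINDINGS = {
    ("Ethernet0", "in"): [   # packets arriving from the Internet
        Ace("deny", "ip", LAN, "any", log=True),                        # anti-spoofing: LAN addresses never come from outside
        Ace("permit", "tcp", "any", "192.168.1.10 0.0.0.0", dport=21),  # the FTP server Benjamin wants reachable
        Ace("deny", "tcp", "any", "any", dport=22, log=True),           # log SSH probes to the syslog host
    ],
    ("Ethernet1", "in"): [   # packets arriving from the LAN
        Ace("permit", "ip", LAN, "any"),
    ],
}

def filter_packet(pkt: dict) -> tuple:
    """Apply whichever list is bound inbound on the packet's ingress interface."""
    return evaluate(BINDINGS.get((pkt["iface"], "in"), []), pkt)
```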


-----Original Message-----
From: Benjamin Koch <BK-D at gmx.de>
To: General DShield Discussion List <list at lists.dshield.org>
Date: Sun, 3 Oct 2004 15:29:31 +0200
Subject: [Dshield] Cisco Router/Firewall - which is the best for me?

> Hello list
> 
> I have some general questions about some Cisco products.
> First of all, I'm a Cisco newbie :)
> 
> I have a Linux iptables router/gateway for my home/SOHO network (5 hosts),
> but the wattage of this box is a bit high...
> I thought it would be better to use a HW router/firewall.
> 
> The standard consumer HW routers are not as configurable as I want.
> I like the total control that iptables gives. Packets must match some
> criteria like:
> -Input Interface
> -Protocol
> -Source IP
> -Source Port
> -Output Interface
> -Destination IP
> -Destination Port
> and some other stuff to get accepted - or denied.
> 
> Then I remembered Cisco Systems - one of the top network companies.
> I found some products like
> Cisco 1712/1710 Security Router
> Cisco 831 4xRJ45 10MBit
> and the Cisco PIX 501
> 
> All three have a firewall, but I don't know which one matches
> my needs.
> 
> Here are my wishes:
> connect a DSL modem (RJ45)
> connect a LAN (RJ45 - 1Port is enough -> Switch)
> Routing ability (Internet Connection Sharing and FTP/Remote Admin. NAT)
> Firewall (Features shown above)
> Traffic shaping (bandwidth limiting for some explicitly given hosts)
> IDS (must I configure and maintain it myself?)
> URL/IP blacklist ability
> 
> CSA - maybe - I should first know what this Cisco Security Agent is
> doing ;)
> Easy configuration would be nice at the beginning... *Cisco newbie*
> 
> It should be as cheap as possible. Max 600 EUR - ok, 800 EUR will be ok
> too, but it must have most of the requested features.
> 
> I don't know which is the right product for me and I don't know who to
> ask...
> Not everybody has a Cisco router/firewall at home :)
> So I ask you and all the versed admins on this list.
> 
> I hope you can help me
> 
> -- 
> Best regards,
>  Benjamin                          mailto:BK-D at gmx.de
> 
> _______________________________________________
> DShield and the Internet Storm Center are sponsored by the SANS Institute.
> To learn more about current SANS training, see http://www.sans.org .
> 
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
