[Dshield] Cisco Router/Firewall - which is the best for me?

Lang, Michael # ATLANTA Michael.Lang at globalpay.com
Mon Oct 4 11:34:26 GMT 2004


I think the piece of HW that is best suited for your needs is the PIX
501. You can do everything that you listed with it: NAT, access-lists,
remote admin (VPN), IDS and URL filtering, and it also comes with a
built-in 4-port switch. It is also fully compatible with PPPoE. The
only thing that it does not do that I know of is traffic shaping. For
this you might want to look at the 1720; it can also do most of the
features of the PIX with something called Context-Based Access Control.
It is not as robust as the PIX when it comes to being a FW, but it will
do the job for a SOHO. You also can't do aggressive mode VPN (remote
user) with the 1720. The 501 is relatively inexpensive; you can buy a
refurbished one for about 300US.

Thank you,
Mike Lang
Network Security Engineer

-----Original Message-----
From: Benjamin Koch [mailto:BK-D at gmx.de] 
Sent: Sunday, October 03, 2004 9:30 AM
To: General DShield Discussion List
Subject: [Dshield] Cisco Router/Firewall - which is the best for me?

Hello list

I have some general questions about some Cisco products.
First of all, I'm a Cisco newbie :)

I have a Linux iptables router/gateway for my home/SOHO network (5
hosts) but the wattage of this box is a bit high...
I thought it would be better to use a HW router/firewall.

The standard customer HW routers are not as configurable as I want.
I like the total control that iptables gives. Packets must match some
criteria like:
-Input Interface
-Source IP
-Source Port
-Output Interface
-Destination IP
-Destination Port
and some other stuff to get accepted - or denied.

Then i remembered Cisco Systems - one of the top Network Companies.
I found some products like
Cisco 1712/1710 Security Router
Cisco 831 4xRJ45 10MBit
and the Cisco PIX 501

All three have a firewall but I don't know which one matches
my needs.

Here are my wishes:
-connect a DSL modem (RJ45)
-connect a LAN (RJ45 - 1 port is enough -> switch)
-Routing ability (Internet Connection Sharing and FTP/Remote Admin. NAT)
-Firewall (features shown above)
-Traffic shaping (bandwidth limiting for some explicitly given hosts)
-IDS (I must configure and maintain it by myself?)
-URL/IP blacklist ability
-CSA - maybe - I should first know what this Cisco Security Agent is
doing ;)
-Easy configuration would be nice at the beginning... *Cisco newbie*

It should be as cheap as possible. Max 600EUR - ok 800EUR will be ok too
but it must have the most of the requested features.

I don't know which is the right product for me and I don't know who to
Not everybody has a Cisco router/firewall at home :) So I ask you and
all the versed admins on this list.

I hope you can help me

Best regards,
 Benjamin                          mailto:BK-D at gmx.de
