[Dshield] Cisco Router/Firewall - which is the best for me?

mjost@cox.net mjost at cox.net
Tue Oct 5 14:13:51 GMT 2004

First I would like to say that this is my first post. I usually read this
email blog first thing each morning. I have found that it provides me more
insight. But I am a 'Newbie' compared to a lot of you here, so I appreciate
the comments. Having experience in the Windows side of the house, and having
to deal with Unix running LOB applications at a few of my accounts, I read 
a lot of the comments posted here.

I agree with Mike. The PIX 501 v6.3 is a great small business firewall
appliance. I just configured my first one a few weeks ago and it was a snap
with the browser interface. PAT inside with DHCP on the outside is great
using a NON-static IP address. I later used the Fixit command to add a MS
XP Pro PPTP (1723) VPN connection for an Inside to outside connection since
PAT has the new standard. (Fixit does what several older commands
accomplished in just one command). It also has In to out IPsec passthrough.
The unit is licensed for 10 DHCP connections with licenses for additional if
needed. The browser interface can even print out the complete SHOW RUN dump
for you to see how it's actually configured. Having used other SOHO/Small
Firewall-routers, i.e. Linksys, etc., that have very limited features, this
appears to be worth the extra money to deploy. It will be my main go-to
device on the under 50-75 machine networks. Most of the older security
issues (ddos, frag, mail, etc.) that have been thorns in older router OS's
are preconfigured to block and are enabled in the 501. I thought it might be
good to use as a site to site IPsec VPN connection but I would think it would
be awful slow. Maybe on a very small branch situation.

The larger Cisco 1721 or larger series are great if you need to have a larger
network, or need more flexibility in the future or special connection needs
such as FR or T1, VLAN and VOIP QoS. And, as I understand it, the 1721 VPN
encryption module allows up to 100 remote tunnels.


-----Original Message-----
From: Lang, Michael # ATLANTA [mailto:Michael.Lang at globalpay.com] 
Sent: Monday, October 04, 2004 6:34 AM
To: General DShield Discussion List
Subject: RE: [Dshield] Cisco Router/Firewall - which is the best for me?


I think the piece of HW that is best suited for your needs is the PIX
501. You can do everything that you listed with it: NAT, access-lists,
remote admin (VPN), IDS and URL filtering, and it also comes with a
built-in 4 port switch. It is also fully compatible with PPPoE. The
only thing that it does not do that I know of is traffic shaping. For
this you might want to look at the 1720; it can also do most of the
features of the PIX with something called Context-Based Access Control.
It is not as robust as the PIX when it comes to being a FW, but it will
do the job for a SOHO. You also can't do aggressive mode VPN (remote
user) with the 1720.  The 501 is relatively inexpensive, you can buy a
refurbished one for about 300US.

Thank you,
Mike Lang
Network Security Engineer

-----Original Message-----
From: Benjamin Koch [mailto:BK-D at gmx.de] 
Sent: Sunday, October 03, 2004 9:30 AM
To: General DShield Discussion List
Subject: [Dshield] Cisco Router/Firewall - which is the best for me?

Hello list

I have some general questions about some Cisco products.
First of all, I'm a Cisco newbie :)

I have a Linux iptables router/gateway for my home/SOHO network (5
Hosts) but the wattage of this box is a bit high...
I thought it would be better using a HW Router/Firewall.

The standard customer HW Routers are not as configurable as I want.
I like the total control like iptables does. Packets must match some
criteria like:
-Input Interface
-Source IP
-Source Port
-Output Interface
-Destination IP
-Destination Port
and some other stuff to get accepted - or denied.

Then I remembered Cisco Systems - one of the top Network Companies.
I found some products like
Cisco 1712/1710 Security Router
Cisco 831 4xRJ45 10MBit
and the Cisco PIX 501

All three have a Firewall but I don't know which one matches
my needs.

Here are my wishes:
connect a DSL modem (RJ45)
connect a LAN (RJ45 - 1Port is enough -> Switch)
Routing ability (Internet Connection Sharing and FTP/Remote Admin. NAT)
Firewall (Features shown above)
Traffic Shaping (Bandwidth limiting for some explicitly given Hosts)
IDS (I must configure and maintain it by myself?)
URL/IP blacklist ability

CSA - maybe - I should first know what this Cisco Security Agent is doing ;)
Easy configuration would be nice at the beginning... Cisco newbie

It should be as cheap as possible. Max 600EUR - ok 800EUR will be ok too
but it must have the most of the requested features.

I don't know which is the right product for me and I don't know who to
Not everybody has a Cisco Router/Firewall at home :) So I ask you and
all the versed admins in this list.

I hope you can help me

Best regards,
 Benjamin                          mailto:BK-D at gmx.de
