markv114

Cisco 2821 IOS Security versus Cisco 515e PIX

I have a general, product-specific question in that I was going to replace a Cisco 1700 router and Cisco 515E Firewall with a Cisco 2821 router/firewall.  The consultants who are still at the CIO's call are telling me that the security on the 2821 is not sufficient.  Yet when I talk to most other technicians, they tell me that the security and the replacement for one device is more than enough.  I understand the concept of let a router just route and get a firewall, but that is getting a little old - I need the expandability of the 2821 but I don't want the bottleneck of the Cisco 515E.

Can the 2821 provide the same level of security as the PIX firewall?
Do I still need a firewall appliance to be totally secure?
Why would Cisco or any vendor promote the router/firewall approach if it did not work?
Is the IOS security software a scaled-down version of a PIX firewall?

Thanks for the insight - I am looking for an increase in performance and expandability (bonding T1s) and want to replace the 1700 router.  If I left the PIX firewall in place, I effectively negate the 2821 gigabit link; yes, I know about the T1 speed and that I won't reach gig speed given the outbound link, but that is in a perfect world and the requests are not buffered.

I would like to have one appliance, the 2821 acting as both, and it makes things very easy - I could just keep buying 1700s & PIX firewalls if that were the case.

Scotty_cisco

The simple answer is no, a 2800 cannot do the same things as a PIX; look at the fixup protocol commands and such. They are security devices.  A PIX is not a router.  A packet received on a PIX eth0 will not go back out eth0; it will get tossed.

There are a lot of other features that a PIX offers you that a router can probably do with proper configs and software, but they are not capable of the same things.

Yes, you need a firewall to be totally secure.
Vendors promote all of their products independent from one another; it depends on the experience of the sales engineer.
The IOS FW is not a scaled-down version of a PIX; it is IOS code. The PIX was an acquired product that Cisco has morphed.  The new ASA devices are Cisco-created security devices.

Thanks
Scott
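For readers weighing the two approaches, it helps to see what the "IOS Firewall" in this thread actually consists of on a 2800-series router: a stateful inspection engine (CBAC, configured with `ip inspect`) that dynamically opens return paths for sessions initiated from the inside, paired with an access list that denies everything unsolicited from the WAN. The configuration below is an added illustration and is not from the original thread or from Cisco documentation; the interface names, the inspection rule name `INSIDE-OUT`, the ACL name `OUTSIDE-IN` and the inside subnet 192.168.10.0/24 are assumptions chosen for the example.

```cisco
! Added example (not part of the original thread): minimal IOS Firewall (CBAC)
! stateful policy on a 2800-series router. Interface and object names are assumed.
!
! 1. Define what to inspect statefully. Sessions started from the inside
!    create temporary openings in the inbound WAN ACL for the return traffic.
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
ip inspect name INSIDE-OUT icmp
!
! 2. Inbound WAN policy: drop everything that is not a reply to an inside session.
!    The explicit deny exists so that denied packets are logged and countable
!    (show access-lists / show ip inspect sessions are the checks to run).
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
! 3. Inside LAN: inspect outbound sessions as they leave toward the WAN.
interface GigabitEthernet0/0
 description Inside LAN (assumed 192.168.10.0/24)
 ip address 192.168.10.1 255.255.255.0
 ip inspect INSIDE-OUT in
!
! 4. WAN side: apply the deny-all ACL inbound. CBAC punches holes in it
!    per session, so no static permit for return traffic is needed.
interface Serial0/0/0
 description WAN uplink (assumed)
 ip access-group OUTSIDE-IN in
```

Two points this makes concrete in relation to the discussion above: the router's firewall function is an add-on policy applied per interface (a router with no `ip inspect` or `ip access-group` lines forwards everything it has a route for), whereas a PIX enforces interface security levels by default; and the state table can be verified on the router with `show ip inspect sessions` and the drops with `show access-lists`, which is the evidence an auditor would ask for regardless of which platform is chosen.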
markv114

ASKER

Then the next question is why would Cisco post this on their site in regards to the same question (the reason I ask is that the Cisco techs say one thing and Cisco corporate says another):

Q. How does the router- and switch-based Cisco IOS® Firewall differ from the appliance-based Cisco® PIX® and Cisco ASA security appliances?
A. The Cisco IOS Firewall differs very little from Cisco PIX and ASA security appliances in terms of functional capability. The two product lines are somewhat similar in their configuration interfaces, both on the command-line interface (CLI) and graphical user interface (GUI). The major differentiators between Cisco IOS Firewall and Cisco PIX/ASA security appliances are additional non-firewall features versus performance, given a comparison between similarly priced platforms. The Cisco PIX and ASA products offer substantially higher performance for a given cost, reflecting the common appliance advantage, while Cisco IOS Firewall offers a broader feature set, reflecting the common routing-platform advantage.
Q. Why should I select a Cisco IOS Firewall over a Cisco PIX or ASA firewall, or vice versa?
A. Which would you prefer to have more of for a given cost: features or performance? In addition to the firewall itself, Cisco IOS Firewall offers the routing-platform advantages of broad quality of service (QoS), dynamic routing, virtual private networks (VPNs), and WAN flexibility. The appliance-based Cisco PIX and ASA firewalls offer higher levels of performance for a given price, but usually offer a less expansive breadth of features.

One of our hardware consultants said basically the same thing; I would argue that on a functional overview, I would agree.  But looking deeper you have to consider the OS and application layer of the device.  The 515E runs on the PIX operating system, hence the name.  The application is Cisco and yes, it is very hard to break a PIX operating system - similar to the same security aspects as pure Unix.  Hardware security is extremely hard to break - software, however, is easier.  That being said, Cisco is saying that the IOS and ASA devices compare as functionally equivalent to PIX for security.  The concept was could a combination device be used and still provide the same level of security.  And if no, why would Cisco promote such an obvious flaw in their product lines?
ASKER CERTIFIED SOLUTION
Scotty_cisco

Thanks Scott - the last bit helped, especially with EAL certification.  If both had it, then it would be degrees of functionality and speed.  The price is certainly a consideration - the 2821 is not cheap.  I do not know if HIPAA requires any degree of certification, and the issue is really a degree of can it work, and securely.

This is being born out of a need to combine two networks and the 2821 was one of the few routers that would allow that - bundling all the T1 together.  

Thanks again.

Mark
Revision of the network but the same problem exists - if you know I can get into a 2500, please let me know - that is the router, not the 1700.

Thanks.
2500 - 1700, same thing basically; that's why Cisco is so nice to deal with, the cross-platform functionality is very similar ... is that what you're asking?

Thanks
Scott