  • Status: Solved
Cisco 2821 IOS Security versus Cisco 515e PIX

I have a general, product-specific question: I was going to replace a Cisco 1700 router and Cisco 515E firewall with a Cisco 2821 router/firewall.  The consultants who are still at the CIO's call are telling me that the security on the 2821 is not sufficient.  Yet when I talk to most other technicians, they tell me that the security of the replacement device is more than enough.  I understand the concept of "let a router just route and get a firewall", but that is getting a little old. I need the expandability of the 2821, but I don't want the bottleneck of the Cisco 515E.

Can the 2821 provide the same level of security as the PIX firewall?
Do I still need a firewall appliance to be totally secure?
Why would Cisco or any vendor promote the router/firewall approach if it did not work?
Is the IOS security software a scaled-down version of a PIX firewall?

Thanks for the insight. I am looking for an increase in performance and expandability (bonding T1s) and want to replace the 1700 router.  If I left the PIX firewall in place, I would effectively negate the 2821's gigabit link; yes, I know about the T1 speed and that I won't reach gig speed given the outbound link, but that is in a perfect world and the requests are not buffered.

I would like to have one appliance, the 2821, acting as both; it makes things very easy. I could just keep buying 1700s and PIX firewalls if that were the case.

Asked by markv114
1 Solution
Scotty_cisco commented:
The simple answer is no, a 2800 cannot do the same things as a PIX. Look at the fixup protocol commands and such; they are security devices.  A PIX is not a router.  A packet received on a PIX eth0 will not go back out eth0; it will get tossed.

There are a lot of other features that a PIX offers you that a router can probably do with proper configs and software, but they are not capable of the same things.

Yes, you need a firewall to be totally secure.
Vendors promote all of their products independently from one another; it depends on the experience of the sales engineer.
The IOS FW is not a scaled-down version of a PIX; it is IOS code. The PIX was an acquired product that Cisco has morphed.  The new ASA devices are Cisco-created security devices.

Thanks
Scott

markv114 (Author) commented:
Then the next question is why would Cisco post this on their site in regards to the same question (the reason I ask is that the Cisco techs say one thing and Cisco corporate says another):

Q. How does the router- and switch-based Cisco IOS® Firewall differ from the appliance-based Cisco® PIX® and Cisco ASA security appliances?
A. The Cisco IOS Firewall differs very little from Cisco PIX and ASA security appliances in terms of functional capability. The two product lines are somewhat similar in their configuration interfaces, both on the command-line interface (CLI) and graphical user interface (GUI). The major differentiators between Cisco IOS Firewall and Cisco PIX/ASA security appliances are additional non-firewall features versus performance, given a comparison between similarly priced platforms. The Cisco PIX and ASA products offer substantially higher performance for a given cost, reflecting the common appliance advantage, while Cisco IOS Firewall offers a broader feature set, reflecting the common routing-platform advantage.
Q. Why should I select a Cisco IOS Firewall over a Cisco PIX or ASA firewall, or vice versa?
A. Which would you prefer to have more of for a given cost: features or performance? In addition to the firewall itself, Cisco IOS Firewall offers the routing-platform advantages of broad quality of service (QoS), dynamic routing, virtual private networks (VPNs), and WAN flexibility. The appliance-based Cisco PIX and ASA firewalls offer higher levels of performance for a given price, but usually offer a less expansive breadth of features.

One of our hardware consultants said basically the same thing, and I would argue that on a functional overview, I would agree.  But looking deeper you have to consider the OS and application layer of the device.  The 515E runs on the PIX operating system, hence the name.  The application is Cisco's, and yes, it is very hard to break a PIX operating system; it has similar security aspects to pure Unix.  Hardware security is extremely hard to break; software, however, is easier.  That being said, Cisco is saying that the IOS and ASA devices are functionally equivalent to the PIX for security.  The concept was: could a combination device be used and still provide the same level of security?  And if not, why would Cisco promote such an obvious flaw in their product lines?

Scotty_cisco commented:
The real questions you are asking are pro and con and can be argued till the cows come home.... There are EAL certifications for firewalls; the PIX complies with EAL4, the router does not.

The bigger question here is what is most important to you, security or performance..... The 2821 has more than enough power to run complex ACLs, which will prevent all but the most serious hackers.

In my environment and the work we do, our network has to use EAL-certified devices, so we are using PIX firewalls.  It also simplifies the design and configuration to some extent.

So it sounds like your bigger decision is what you want/need most: performance or security.  If you want performance with security, then you have to go with both.  If price is the issue and security is merely a concern, go with the 2821 and lock it down.

Thanks
Scott
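Scott's two points above, that a PIX only lets replies to inside-initiated sessions back in (a packet received on eth0 does not go back out eth0) and that a 2821 can be "locked down" with ACLs, can be shown concretely. The configuration below is an added example written for this page; it is not Scott's configuration and not a Cisco reference design. It uses the classic IOS Firewall (CBAC) available on IOS 12.4 for the 2821: CBAC inspects sessions leaving the outside interface and dynamically opens only their return traffic through an otherwise deny-all inbound ACL, which is the closest a router gets to the PIX behaviour Scott describes. The addresses (192.168.10.0/24 inside, 203.0.113.0/30 and a host at 203.0.113.10 outside), the Multilink1 bundle for the bonded T1s, the single published web server, the inspected protocols and the interface names are all assumptions.

```cisco
! Added example (not from the original thread): locking down a 2821 with
! classic IOS Firewall (CBAC), IOS 12.4. All addresses, interface names and
! published services below are assumptions for illustration.
!
! 1. Stateful inspection. CBAC tracks sessions leaving the outside interface
!    and punches temporary holes in OUTSIDE-IN for the matching return
!    traffic only. Without this the router simply routes in both directions.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT icmp
ip inspect name FW-OUT ftp
ip inspect name FW-OUT http
ip inspect audit-trail
ip inspect tcp synwait-time 15
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
!
! 2. Inbound ACL on the outside interface: deny-all by default. Only the
!    statically published service and the CBAC-opened replies get through.
ip access-list extended OUTSIDE-IN
 remark -- anti-spoofing: our inside prefix and bogons never arrive from the ISP
 deny   ip 192.168.10.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark -- published service (assumed: one web server on 203.0.113.10)
 permit tcp any host 203.0.113.10 eq 80
 remark -- keep path-MTU discovery working; echo replies are handled by CBAC
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark -- everything else is dropped and logged
 deny   ip any any log
!
! 3. Inbound ACL on the inside interface: only our own prefix may leave,
!    so a compromised or misconfigured host cannot spoof other sources.
ip access-list extended INSIDE-IN
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip any any log
!
interface Multilink1
 description Outside: bonded T1s to the ISP (MLPPP bundle, assumed)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip access-group INSIDE-IN in
 no ip redirects
 no ip proxy-arp
!
! 4. Management plane: SSH only, reachable only from the inside prefix.
ip access-list standard MGMT
 permit 192.168.10.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
 exec-timeout 10 0
no ip http server
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip finger
```

The step that gives the PIX-like behaviour is `ip inspect FW-OUT out` on the outside interface together with the trailing `deny ip any any log` in OUTSIDE-IN; `show ip inspect sessions` lists the return paths CBAC has opened and `show access-lists` shows the hit counts on the static entries. Two caveats a practitioner should keep in mind: unlike the PIX, IOS has no security-level model, so the anti-spoofing and inside-interface ACLs have to be written explicitly, and CBAC inspects only the protocols named in the `ip inspect name` list, so anything not listed falls back to plain ACL filtering.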
markv114 (Author) commented:
Thanks Scott, the last bit helped, especially the EAL certification.  If both had it, then it would be a matter of degrees of functionality and speed.  The price is certainly a consideration; the 2821 is not cheap.  I do not know if HIPAA requires any degree of certification, and the issue is really a matter of whether it can work, and securely.

This is being borne out of a need to combine two networks, and the 2821 was one of the few routers that would allow that: bundling all the T1s together.

Thanks again.

Mark

markv114 (Author) commented:
Revision of the network, but the same problem exists. If you know whether I can get into a 2500, please let me know; that is the router, not the 1700.

Thanks.

Scotty_cisco commented:
2500 and 1700: basically the same thing. That's why Cisco is so nice to deal with; the cross-platform functionality is very similar... is that what you're asking?

Thanks
Scott