Just to throw in a little bit more info...
There's little comparison between the two.
PIX is more of an address translation unit with firewalling
Firewall-1 is a fully functional Firewall with limited address
i.e. PIX has a pool of IP addresses... true address translation.
Firewall-1 does address 'hiding', making it look to the external world
like all connections come from a single IP.
Actually, hide mode is only one of the options in FW-1. You can do
a static one-to-one allocation (but not dynamically).
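The three translation behaviours named in the exchange above (a pool of public addresses, hide mode behind a single address, and static one-to-one mapping) can be modelled in a few dozen lines. The following is an added example, not PIX or Firewall-1 code; the mode names, the `Translator` class and the RFC 5737 documentation addresses are constructed for illustration. It shows the operational consequences a defender cares about: a pool runs out when more inside hosts than public addresses want out, hide mode scales but silently drops unsolicited inbound traffic, and a static mapping admits inbound packets even with no prior outbound flow.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, tcp/udp port)


@dataclass
class Translator:
    """Minimal NAT table. mode is 'pool', 'hide' or 'static' (constructed model)."""
    mode: str
    public_addrs: List[str]
    static_map: Dict[str, str] = field(default_factory=dict)      # inside ip -> outside ip
    table: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # inside -> outside
    next_port: int = 10000                                         # hide-mode port counter

    def __post_init__(self) -> None:
        if self.mode not in ("pool", "hide", "static"):
            raise ValueError(f"unknown mode {self.mode!r}")
        self._free = list(self.public_addrs)  # pool mode: addresses not yet handed out

    def outbound(self, inside: Endpoint) -> Endpoint:
        """Return the outside (ip, port) an outbound flow from `inside` appears as."""
        if inside in self.table:
            return self.table[inside]
        inside_ip, inside_port = inside
        if self.mode == "static":
            if inside_ip not in self.static_map:
                raise LookupError(f"no static mapping for {inside_ip}")
            outside = (self.static_map[inside_ip], inside_port)
        elif self.mode == "pool":
            # True translation: each inside host takes a whole public address, ports preserved.
            held = {i_ip: o_ip for (i_ip, _), (o_ip, _) in self.table.items()}
            if inside_ip in held:
                outside = (held[inside_ip], inside_port)
            elif self._free:
                outside = (self._free.pop(0), inside_port)
            else:
                raise RuntimeError("address pool exhausted")
        else:  # hide
            # Everything appears to come from one address; the port tells flows apart.
            outside = (self.public_addrs[0], self.next_port)
            self.next_port += 1
        self.table[inside] = outside
        return outside

    def inbound(self, outside: Endpoint) -> Optional[Endpoint]:
        """Map an inbound packet back to an inside endpoint, or None if nothing matches."""
        for inside, out in self.table.items():
            if out == outside:
                return inside
        if self.mode == "static":
            # One-to-one mapping admits inbound traffic without a prior outbound flow.
            for inside_ip, outside_ip in self.static_map.items():
                if outside_ip == outside[0]:
                    return (inside_ip, outside[1])
        return None


def demo() -> dict:
    """Exercise all three modes on constructed inside hosts and collect the outcomes."""
    results = {}
    pool = Translator("pool", ["198.51.100.1", "198.51.100.2"])
    results["pool"] = [pool.outbound(("10.0.0.1", 4000)), pool.outbound(("10.0.0.2", 4001))]
    try:
        pool.outbound(("10.0.0.3", 4002))  # third host, only two public addresses
        results["pool_exhausted"] = False
    except RuntimeError:
        results["pool_exhausted"] = True

    hide = Translator("hide", ["198.51.100.9"])
    results["hide"] = [hide.outbound((f"10.0.0.{n}", 4000)) for n in (1, 2, 3)]
    results["hide_unsolicited"] = hide.inbound(("198.51.100.9", 443))  # nobody asked for this

    static = Translator("static", ["198.51.100.20"], static_map={"10.0.0.80": "198.51.100.20"})
    results["static_inbound"] = static.inbound(("198.51.100.20", 80))
    try:
        static.outbound(("10.0.0.99", 5000))  # host with no mapping at all
        results["static_unmapped"] = False
    except LookupError:
        results["static_unmapped"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The inbound check is the part worth reading twice: a hide-mode box answers only for flows it has already seen, whereas a static one-to-one entry exposes the inside host's every port to the outside unless a separate rule restricts it, which is why the static allocation mentioned above normally sits behind an explicit filter.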
I tend to prefer to keep routers as routers and firewalls as firewalls,
it reduces the CPU overhead, Problem Determination is easier, and
configurations are kept in a distinct logical box.
Of course this is at the expense of cost, and space.
Agreed... but in certain situations, i.e. a widely diverse network,
to follow this purist paradigm, you really need a separate firewall/
uniquely routed subnet. If someone has a 75XX with a T1 Internet
connection, why not let the extra CPU go towards firewall functions.
Granted, you are very limited in logging, authentication, and
proxies or content monitoring, but such capabilities could be made
with proprietary communication to a central firewall/management
server...but then you are really straying away from IOS/whatever OS
each router uses. In short, if it's built, someone will buy it.
Is it enough people to pay for the development/political maneuvering?
What about Gauntlet? Or Juniper? Or the TIS FWTK? Or Borderware?
Or the Livingston IRX 112? Or KarlBrouter? Or the Norman Firewall?
And these are only a few of the dozens of commercial firewalls with
features out the wazoo. Read LAN magazine and Network Computing for
product tests and reviews. Hire a security consultant.
I know what you're asking... What does all this stuff have to do with
running a continent-spanning public network? Nothing at all, of course.
So send one of the following two messages to firstname.lastname@example.org
Hey, if you're *REALLY* interested you could send both of them!
Michael Dillon - Internet & ISP Consulting
Memra Software Inc. - Fax: +1-250-546-3049
http://www.memra.com - E-mail: email@example.com
Anyone who has a 75XX and a single T1 needs to be taken out back and shot
by their overly generous accounts payable division
At a recent Cisco seminar aimed at corporate customers, Cisco was
specifying the 7500 be used in all the following situations:
1. connecting a single mainframe computer to the campus backbone
2. connecting a large office to the campus backbone
3. connecting a remote office over frame relay at 512 kbps to the campus
backbone. But do not despair; if you are running at 256 kbps, you can drop
back to a 7200.
#3 implies we are overdriving our 7500s. If the 7500 is intended to
handle a single serial line at 512 kbps, no wonder it seems to get overloaded
on the backbone.
Why use them as routers? They make *great* ethernet hubs! If only an
arcnet card was available for them...