Jmcburnett Jul 19, 2005   7:15 AM GMT

hi, If you really want a firewall IDS from Cisco look at the ASA 5500 series.. It is the newest piece out there... If you need a router with performance that does IDS/FW/routing.. look at the 2800 series.. the 1811/12 is limited. now as for the PC running IOS.... Cisco routers/switches/firewalls are all basically a PC.. BUT there are purpose built, no PCI bus, no VGA etc, just RAM, FLASH(IE mini harddrive), and ports..... As far as hardware firewall, the previous person was right... they just put ASICs etc in to optimize them.... check out miercom, they do indepedent reviews of alot of gear..... Later, J

0 pointsBadges:

DrillO Jul 19, 2005   8:01 AM GMT

The previous posters are absolutly right. All I can add is my experiences. EVERY installation I have been involved with over the years has ended up with CISCO no matter what they started out with. I do mean EVERY. I think there is a very good reason that they are number 1 out there. Yes, there are costs, but what does it cost to do it right? My advicce to you, as with anyone else, get the best you can afford that will do the job you want. Don't get pushed into settling if you can avoid it. CISCO IOS can be tricky if you are new to it, but it pays off. Best, Paul

15 pointsBadges:

Bobkberg Jul 19, 2005   1:23 PM GMT

I beg to differ with some of my esteemed colleagues, while granting that they make a valid point. When the terms "hardware firewall" and "software firewall" are used, what is really meant is "Standalone Firewall Appliance" vs. "Host-Based Firewall Application" Both have their strengths and weakness. The major benefit of the "software" (Host-Based) type is its ability to identify the application that's trying to get out (legit or not) and allow the user or administrator to make application based decisions. The major benefit of the "hardware" (Appliance) is relative simplicity and centralization of administration and reporting. They ALL require software - regardless of the chipsets used to accelerate performance. But I still maintain that the terms "hardware" and "software" provide a useful distinction in terms of ease of conversation and description. My $.02, Bob

1,070 pointsBadges:

DrillO Jul 19, 2005   3:13 PM GMT

you are right Bob....ooops....shame on me for missing that one too....especially since I have worked with both. Humbly, Paul

15 pointsBadges:

PeterBMartin Jul 20, 2005   3:48 AM GMT

mmm.. for some contrian advice: Cisco are No1 because they have assumed a 1960's IBM like mantle "no-one ever got sacked for buying Cisco". They are not the best in all situations. If you are considering the Netgear I am assuming you have a small network to protect /route, is this correct? If so you are also probably the only person supporting it. In which case I wouldn't go near Cisco unless 1. you have used and understand Cisco IOS 2. You've plenty of spare time to learn it, the VPN client and are prepared to work with disparate suppliers. If you have these then do buy Cisco, the experience is much more marketable. However if you have neither of these go for an idiot proof, well supported 'hardware' platform. SonicWall and Watchguard are possibly the best of these. Both provide everything you want, firewall, Intrusion protection, secure VPN, routing,Anti-Virus & Anti Spyware, DMZ - different network zones, content filtering etc, all with simple to use configuration and 1st class support (its the market both are after). Peter

0 pointsBadges:

SecGeek Jul 20, 2005   11:09 AM GMT

CISCO is OK but it is hardly the best. If you are really interested in a firewall system that is user friendly works on all platforms why aren't you looking at Firewall-1. I've currently have bothe CISCO and Firewall-1 systems. Firewall-1 is the best and both GARTNER and GIGA have also said that.I've also had Firewall-1 work on Sun, Microsoft and Nokia boxes over the last 7 years and it has never gone down.

0 pointsBadges:

Douger Jul 20, 2005   11:16 AM GMT

Maciek, I thought you might want to hear from a Netscreen user. I took a job where a netscreen 5XT had recently been put in place, and spent a certain amount of time reading up and configuring it. I noticed you said 5GT, I believe that is the same applicance but limits you to 10 users. The 5XT is one that allows you unlimited users. I am using the firewall to protect a small network of about 50 users. By using mapped IPs I can route traffic from a public IP to an internal IP address, thus putting as many servers in the DMZ as I like while filtering what traffic will be allowed to flow to them. There is the normal permit/deny policy structure that allows you to quite finely tune what traffic you will allow in or out. Netscreen also has VPN support, and I have 3 users working remotely, on both Windows and Macintosh platforms. The Netscreen also has a "deep inspection" feature that looks beyond the protocol into the payload of the packets. This is updated via a subscription service similar to what you would do for anti-virus. So far I have had very good results. You configure the appliance with a web based interface, so it is pretty user friendly. You do still need to understand the firewalling concepts, but I found that very straight forward to learn from the documentation. I have never had any throughput issues that led me to the Netscreen as the culprit, so for our network it seems to be fine. I should tell you that we are not doing any web hosting behind the firewall, so there is not a lot of incoming traffic, just email primarily. I would also caution you to price the applicance carefully. There is an extra charge for the deep inspection service, for telephone support, for OS upgrades, etc. I have been content with the OS upgrades and the deep inspection subscription, and have been able to use their knowledgebase to solve any problem so far with one exception. I recently purchased their netscreen remote client to run on a wintel PC, and needed tech support to get that configured correctly. Just one of those times when what I thought the doc meant was not it at all. Finally, this company was bought out by Juniper Networks a year or so ago. So far no problem with that, and they continue to support well. They added the deep inspection stuff after the buy out, and have continued to upgrade the OS. If you are trying to protect a small network, and are connecting a few VPN users this is a good solution. I am not sure how it would scale up, but the company does have larger appliances as well. Regards, Doug

0 pointsBadges:

Maciek Jul 21, 2005   3:04 AM GMT

Hello all once again First, thank you for all answers and opinions. I am aware, there are no pure hardware firewalls, I understand hardware and software firewalls as you all said. I just wanted to know if Cisco IOS is a low level software (like firmware) running on some specialized hardware, or is it some higher level app running over some OS. Sorry for unclear question. You are right, PeterBMartin, this is a small network, about 20 PCs, 5 servers (2 in DMZ, web, ftp and email), a few branch offices with 2-3 PCs each. My budget is around $2000 (Netcreen 5GTE is $2200 with support packs and VPN, Cisco 1812W is $1600). I don't have any experience with Cisco IOS, but they now have SDM and I assume it is much easier to setup that clear IOS. I do have some experience with software firewalls (ipchains, iptables, some fw for Windows). I have searched the web for comparisons, but found none. On Miercom I found Cisco 1812W performance test, but I'm still looking for some comparison/opinions from Cisco 1811/1812 and Netscreen 5GT(E) (not Netgear) users. What one has and the other doesn't, what works better in one and worse in the other? secGeek: Firewall-1 is too expensive for me and doesn't have IPS AFAIK. Douger: thanks for your message. 5GTE is more advanced version than 5XT, is allows unlimited users, 25 VPN connections, can have Deep Inspection and AntiVirus from MicroTrend. I know the pricing for this model. I'm looking forward for more input from Cisco 1811/1812 and Netscreen 5 series (mainly 5GT/XT) users. What do you like/don't like in them? Regards Maciek

0 pointsBadges:

Bobkberg Jul 21, 2005   10:48 AM GMT

The Cisco Pix software is essentially an OS running on a PC platform - in fact, the earliers Pix's WERE a PC platform. Bob

1,070 pointsBadges:

Wickedstick Jul 26, 2005   8:49 AM GMT

Contrary to previous statements, Cisco is not the leader in the firewall arena, and therefore I have little experience with the PIX. However, to assist you I do have plenty of Netscreen experience. We use 5XT, 5GT, 25, 204, and 208 models throughout our environment and have not had any problems with them. You need to get the right model to scale for your environment and traffic flow. The 5GT's should be sufficient from what I've heard in your environment, just make sure you don't bog it down too much with the VPN's. We haven't done a lot of VPN's directly into the 5GT's (usually just a single tunnel back to Corporate) so I don't know how well they perform with a full load of VPN connections. Might be worth trying out one day... ;-)

0 pointsBadges:

Lyndsey Shone Feb 4, 2010   4:24 PM GMT

VRy interesting to read it :P :D

0 pointsBadges: