PIX 506E as a router

Posted by Jason Dill on May 1, 2008, 4:39 pm
Hello,

I've searched and I just have not found a simple answer to this
question:

Is the PIX safe to use as a router?

Let me explain the small network I have before I'm told "The PIX is
not a router"

I have 20 users behind the PIX. Everything is working great. I just
need the PIX to block all incoming from the WAN and only allow the
outgoing ports I have defined. That's it, nothing else. So is it safe
to use it as a simple router? I've followed three guides on locking it
down and I feel that it's secure but I just want someone to tell me
"Hey Jason, it sounds like you're okay to use it in the way you have it
set up"

Thanks

Posted by artie lange on May 1, 2008, 5:11 pm
Jason Dill wrote:
> Hello,
>
> I've searched and I just have not found a simple answer to this
> question:
>
> Is the PIX safe to use as a router?
>
> Let me explain the small network I have before I'm told "The PIX is
> not a router"
>
> I have 20 users behind the PIX. Everything is working great. I just
> need the PIX to block all incoming from the WAN and only allow the
> outgoing ports I have defined. That's it, nothing else. So is it safe
> to use it as a simple router? I've followed three guides on locking it
> down and I feel that it's secure but I just want someone to tell me
> "Hey Jason, it sounds like you're okay to use it in the way you have it
> set up"
>
> Thanks


Depends on what is being handed off to you, an ethernet connection will
work, a T1 line will not.

Posted by News Reader on May 1, 2008, 5:21 pm
Jason Dill wrote:
> Hello,
>
> I've searched and I just have not found a simple answer to this
> question:
>
> Is the PIX safe to use as a router?
>
> Let me explain the small network I have before I'm told "The PIX is
> not a router"
>
> I have 20 users behind the PIX. Everything is working great. I just
> need the PIX to block all incoming from the WAN and only allow the
> outgoing ports I have defined. That's it, nothing else. So is it safe
> to use it as a simple router? I've followed three guides on locking it
> down and I feel that it's secure but I just want someone to tell me
> "Hey Jason, it sounds like you're okay to use it in the way you have it
> set up"
>
> Thanks

Sounds like you require a firewall more than a router, since you've not
indicated any requirement for dynamic routing protocols.

Your primary question was - "is it safe". The PIX is a security device,
and it is used by many in this capacity every day.

You like it, you're familiar with it, it works, and you've taken some
initiative to secure it. As long as you feel it provides enough
flexibility for future changes in infrastructure, use it.

The administrator's initiative and competence in securing the device and
the network it protects, is often more relevant than the choice of
device (given reasonable limits of course).

I'm sure you'll hear other opinions shortly.        ;>)

Best Regards,
News Reader

Posted by Walter Roberson on May 1, 2008, 5:56 pm

>I've searched and I just have not found a simple answer to this
>question:

>Is the PIX safe to use as a router?

No.


>Let me explain the small network I have before I'm told "The PIX is
>not a router"

>I have 20 users behind the PIX. Everything is working great. I just
>need the PIX to block all incoming from the WAN and only allow the
>outgoing ports I have defined. That's it, nothing else. So is it safe
>to use it as a simple router?


No.

You cannot configure the PIX as described, except by physically
cutting some wires. Configuring it as described would be of little
value anyhow, as you *need* the responses coming from the WAN unless
all you have is some unicast (e.g., UDP) traffic that never needs
even a single packet of response.

What most people find of value is to configure the PIX to allow
incoming packets that are responses to outgoing packets (a
different situation than blocking all incoming from the WAN.)
PIX 506E do -fairly- well in such configurations, but since PIX 7
is not officially supported on PIX 506E models, you are limited
to the facilities in PIX 6.5, which is a little weak (from a
human point of view) in determining which ICMP packets are really
responses to something that was outgoing, vs unsolicited ICMP packets
that you would want to discard. A substantial difficulty in this
matter is that several types of ICMP packets are inherently
"unsolicited" but of major importance, such as ICMP "network
unreachable" packets, which can come from -any- machine along the line.
PIX 7 does a bit better in making these determinations (which are not
easy to mechanically make.)


However, configuring a PIX to use as a router would mean that you
want to turn off all intelligence about whether any particular packet
was solicited or unsolicited and instead just pass packets through
(possibly translating addresses along the way.) That's what a router *does*,
passes packets from source to destination without context of whether
it is the "right" packet for the situation. A router does not,
for example, care what the PORT number was on the outgoing FTP GET
request: it just sees that a connection request is coming in for
a particular TCP port and IP, and it passes the connection request
to the destination, not caring whether the IP addresses of the
incoming request is the "expected" IP address (and there are some
legitimate cases where they would differ, which a router handles
fine but a PIX needs dangerous pre-configuration to handle.)

A PIX is a firewall. A firewall -is- a layer 3 device,
in that it joins multiple layer 2 domains, but a PIX does too much
filtering that cannot be turned off for it to be considered a "router".

For example, if you *want* 1500 byte ICMP Echo packets to get through,
then you cannot do it in PIX 6.2 or 6.3: they are hard-coded to block
large ICMP packets. A *router* wouldn't care and would just pass
the packets through.


So, No, a PIX 506E cannot safely be used as a router. It -can-
(relatively) safely be used as a layer 3 firewall. It isn't
perfect as a firewall, but it is quite good.

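An added illustration of the distinction Walter draws above (example code written for this page, not Cisco's or the PIX's own logic): a toy stateful filter that admits inbound packets only as replies to tracked outbound flows, and accepts an ICMP "destination unreachable" from any hop only when the datagram it quotes belongs to one of those flows. All addresses, ports and the policy set are constructed.

```python
"""Toy stateful edge filter (constructed example, not PIX code).

Outbound traffic is allowed only on a configured (proto, port) list and
records a flow; inbound TCP/UDP is allowed only as the reverse of a
recorded flow; ICMP errors are "solicited" if their quoted datagram
matches a recorded outbound flow, even though the ICMP source is a
router in the middle of the path, not the peer we talked to.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

Flow = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport


@dataclass
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False                 # TCP connection initiation
    icmp_type: Optional[int] = None   # 3 = destination unreachable
    inner: Optional["Packet"] = None  # datagram quoted inside an ICMP error


@dataclass
class StatefulFilter:
    allowed_out: Set[Tuple[str, int]]            # e.g. {("tcp", 80)}
    flows: Set[Flow] = field(default_factory=set)

    def outbound(self, p: Packet) -> bool:
        """Apply the outbound port policy; remember the flow if permitted."""
        if (p.proto, p.dport) not in self.allowed_out:
            return False
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return True

    def inbound(self, p: Packet) -> bool:
        """Admit only replies to tracked flows; everything else is unsolicited."""
        if p.proto == "icmp" and p.icmp_type == 3 and p.inner is not None:
            q = p.inner  # the quoted datagram is our original outbound packet
            return (q.proto, q.src, q.sport, q.dst, q.dport) in self.flows
        if p.syn:
            return False  # an inbound SYN is never a reply, whatever it matches
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        return reverse in self.flows
```

The same check is what lets the filter drop an inbound SYN to port 22 while still passing the unreachable message a transit router sends about a tracked HTTP connection.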

Posted by News Reader on May 1, 2008, 7:08 pm
Walter Roberson wrote:
>
>> I've searched and I just have not found a simple answer to this
>> question:
>
>> Is the PIX safe to use as a router?
>
> No.
>
>
>> Let me explain the small network I have before I'm told "The PIX is
>> not a router"
>
>> I have 20 users behind the PIX. Everything is working great. I just
>> need the PIX to block all incoming from the WAN and only allow the
>> outgoing ports I have defined. That's it, nothing else. So is it safe
>> to use it as a simple router?
>
>
> No.

Walter:

I'm not challenging your facts, just the literal interpretation of his post.

>
> You cannot configure the PIX as described, except by physically
> cutting some wires. Configuring it as described would be of little
> value anyhow, as you *need* the responses coming from the WAN unless
> all you have is some unicast (e.g., UDP) traffic that never needs
> even a single packet of response.

Given that such a scenario "would be of little value", isn't it most
likely that he meant that he wanted to block "connection initiation"
from the WAN, and that his choice of wording didn't meet with your
exacting expectations?

>
> What most people find of value is to configure the PIX to allow
> incoming packets that are responses to outgoing packets (a
> different situation than blocking all incoming from the WAN.)
> PIX 506E do -fairly- well in such configurations, but since PIX 7
> is not officially supported on PIX 506E models, you are limited
> to the facilities in PIX 6.5, which is a little weak (from a
> human point of view) in determining which ICMP packets are really
> responses to something that was outgoing, vs unsolicited ICMP packets
> that you would want to discard. A substantial difficulty in this
> matter is that several types of ICMP packets are inherently
> "unsolicited" but of major importance, such as ICMP "network
> unreachable" packets, which can come from -any- machine along the line.
> PIX 7 does a bit better in making these determinations (which are not
> easy to mechanically make.)
>
>
> However, configuring a PIX to use as a router would mean that you
> want to turn off all intelligence about whether any particular packet
> was solicited or unsolicited and instead just pass packets through
> (possibly translating addresses along the way.) That's what a router *does*,
> passes packets from source to destination without context of whether
> it is the "right" packet for the situation. A router does not,

He's not mentioned any other device between the users and the WAN. Some
would use a router with an integrated firewall.

Is it not likely that he is trying to reconcile having been told that a
router is what he's supposed to use, and others telling him a PIX is
not a router?

Perhaps his real question is, if I'm implementing a single device
between my users and the WAN, is a PIX suitable?

Clearly, he's indicated the desire to control traffic at the edge, which
is beyond the core functionality of a router, as you have so eloquently
described.

> for example, care what the PORT number was on the outgoing FTP GET
> request: it just sees that a connection request is coming in for
> a particular TCP port and IP, and it passes the connection request
> to the destination, not caring whether the IP addresses of the
> incoming request is the "expected" IP address (and there are some
> legitimate cases where they would differ, which a router handles
> fine but a PIX needs dangerous pre-configuration to handle.)
>
> A PIX is a firewall. A firewall -is- a layer 3 device,
> in that it joins multiple layer 2 domains, but a PIX does too much
> filtering that cannot be turned off for it to be considered a "router".
>
> For example, if you *want* 1500 byte ICMP Echo packets to get through,
> then you cannot do it in PIX 6.2 or 6.3: they are hard-coded to block
> large ICMP packets. A *router* wouldn't care and would just pass
> the packets through.
>
>
> So, No, a PIX 506E cannot safely be used as a router. It -can-
> (relatively) safely be used as a layer 3 firewall. It isn't
> perfect as a firewall, but it is quite good.
>

Best Regards,
News Reader
