Is a Cisco router good enough to prevent intrusions or do I need a PIX as well?

Discussion in 'Cisco' started by Rick F, Jan 7, 2008.

  1. Rick F

    Rick F Guest

    The above question is not for a business per se but for home use..
    I've got an 1841 router that I'll have running and was curious about
    whether or not it will suffice to work both as a router and also a
    firewall of sorts.. I see lots of information on the PIX firewall/VPN
    devices and while I have no current need for VPN services now, I'm
    curious if the firewall features on these devices are that much better
    than what a plain router is capable of.. Ultimately, I'd like
    something that will provide for more protection than what I'd normally
    get with a consumer based product (e.g. Netgear, Linksys, etc.).. Thanks!
    Rick F, Jan 7, 2008
    #1

  2. Peter

    Peter Guest

    Re: Is a Cisco router good enough to prevent intrusions or do I need a PIX as well?

    Hi Rick,

    Goodness, I can see a multitude of replies to this, so I will start at
    the basics and let you work up from there....;-)

    > The above question is not for a business per-se but for home use..


    It all comes down to what you are doing with your internet access.

    If it's just for regular home browsing use with perhaps some PRIVATE
    (see below) Server operations, etc... then a decent Router that is
    doing NAT and has the IOS Firewall S/W should provide most of what you
    need, and this is exactly what I use at home. Of course past the
    Network environment, you will also need application protection, such
    as Email Anti-spam S/W (perhaps ISP implemented).

    If you are doing more SERVING from your home site, then you may be
    better off with something like a PIX.

    My home Cisco has the F/W and full VPN IOS, however one thing to
    remember is that VPN S/W in a Network device can often be configured
    to serve ALL devices on one interface, or just a single device. The
    best (IE most secure) VPN tunnel terminates at the actual VPN
    end-points, and nowhere else, but it really all comes down to what you
    wish to use the VPN for. I bought my Cisco 7 years ago, and while I
    used the F/W from day one, I have never yet needed to use the SITE VPN
    in the Router at all, as all my VPN's terminate on the actual HOST,
    and the Router transparently passes them on.

    In the context of this reply, PRIVATE Servers are Servers that you
    operate from Home behind your Router's NAT environment, and the target
    PORT for that Server is not one of the "Well Known addresses". IE a
    standard WEB Server (IE HTTP) normally uses port 80. You can relocate
    your server to a higher "unused" port number that is not normally used
    (IE ports 1 - 512 are Well Known ports, 513 - 65535 are not Well Known
    ports), however other people can still REACH your server as long as
    they know which PORT to use. To do this YOU have to tell them which it
    is first.....;-) Your security needs for IOS are to block all incoming
    requests EXCEPT those that -
    1. Are replies to requests that ORIGINATE from your private LAN,
    2. YOU specifically tell it to allow all EXTERNALLY initiated
    requests through.
    In this case IOS with the F/W feature set is usually enough (IMHO).

    So there is no real one answer to the question without a lot of other
    considerations being entered into the calculation, however for general
    Home use I would not bother with a specific Firewall Appliance unless
    I was offering Services on Well Known ports, but doing that is often
    frowned on by ISP's.

    I hope this helps..................pk.

    --
    Peter from Auckland.
    Peter, Jan 9, 2008
    #2
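
The inbound policy described in post #2 (pass replies to LAN-originated traffic, plus only what you explicitly open), sketched as a classic IOS Firewall (CBAC) configuration. This is an added example, not part of anyone's post; the interface roles, the addresses (documentation ranges), the ACL and inspection-rule names, and port 8080 are assumptions.

```cisco
! Constructed example. All names, addresses and port 8080 are assumptions.
!
! Stateful inspection: sessions opened from the LAN get temporary
! return-path openings in the inbound ACL (rule 1 in the post).
ip inspect name HOMEFW tcp
ip inspect name HOMEFW udp
ip inspect name HOMEFW icmp
!
! Inbound ACL on the Internet-facing interface. It is evaluated before
! NAT, so it matches the router's outside address and the public port.
ip access-list extended OUTSIDE-IN
 remark the one externally initiated service explicitly allowed (rule 2)
 permit tcp any host 203.0.113.2 eq 8080
 remark everything else unsolicited is dropped and logged
 deny ip any any log
!
interface FastEthernet0/0
 description Outside (ISP)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect HOMEFW out
!
interface FastEthernet0/1
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! PAT for LAN hosts going out
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Static port forward: public 8080 -> internal web server on port 80
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet0/0 8080
```

`show ip inspect sessions` lists the state created by inside hosts, and `show access-lists OUTSIDE-IN` shows hit counts on the permit and the final deny.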

  3. Rick F

    Rick F Guest

    Re: Is a Cisco router good enough to prevent intrusions or do I need a PIX as well?

    On Jan 8, 4:57 pm, "Peter" <> wrote:
    > Hi Rick,
    >
    > Goodness, I can see a multitude of replies to this, so I will start at
    > the basics and let you work up from there....;-)
    >
    > > The above question is not for a business per-se but for home use..

    >
    > It all comes down to what you are doing with your internet access.


    [ ... ]

    > So there is no real one answer to the question without a lot of other
    > considerations being entered into the calculation, however for general
    > Home use I would not bother with a specific Firewall Appliance unless
    > I was offering Services on Well Known ports, but doing that is often
    > frowned on by ISP's.


    Thanks much Peter.. After I posted this question I ended up doing more
    research on PIX, ASA's and whatnot and I think I've decided that my 1841
    is more than capable of dealing with what I need to do today -- it's got the
    advanced IP services IOS version which I gather has the F/W portions
    among other things.. Supposedly I believe I'm supposed to have the IPS
    stuff as well, but in reading up on that, there's supposed to be some sort
    of SDF file sitting somewhere on the router but I can't find it so I'm not sure
    I can use that feature at this point until I get it under a new support contract
    and sort that out with Cisco TAC.. In the meantime, I do have a single
    application server in use that I'm planning on expanding and running from
    home due to it being very expensive to host off-site. Anyway, I'll keep all
    of what you've said in mind..

    Personally if I had the $$, I'd buy one of the ASA devices that has all of
    the anti-spam, anti-virus, content filtering, etc.. It sounds real nice but the
    annual costs to keep those databases updated are prohibitive for the average
    home (Cisco) user.. Anyway, thanks again..
    Rick F, Jan 9, 2008
    #3
